Bug 1201439

Summary: [GSS] (6.4.z) RemotingContext should be copied for async EJB calls
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: Derek Horton <dehort>
Component: EJB
Assignee: baranowb <bbaranow>
Status: CLOSED CURRENTRELEASE
QA Contact: Jan Martiska <jmartisk>
Severity: unspecified
Priority: unspecified
Version: 6.4.0
CC: bbaranow, cdewolf, istudens, jawilson, rsvoboda
Target Milestone: CR2
Target Release: EAP 6.4.1
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2017-01-17 09:57:53 UTC
Type: Bug
Bug Blocks: 1207953

Description Derek Horton 2015-03-12 17:23:35 UTC
Description of problem:

The RemotingContext should be copied for async EJB calls.

This can cause Asynchronous EJB invocations to fail when the EJB is protected by a security-domain that uses the RemotingLoginModule for authentication.


client --> nodeX --- (remoting) --> nodeY (Async Method)


The async EJB calls are started by a stateless EJB on nodeY. The RemotingLoginModule is handling the authentication for the node X to node Y EJB invocations.

This normally works fine.

However, this appears to fail when there is a JAAS cache miss by the thread that is carrying out the asynchronous invocation.  At that point, the login module stack will be invoked again, but the RemotingLoginModule will fail to authenticate the user since the async thread doesn't have the context to authenticate the user (SecurityActions.remotingContextGetConnection() returns null which causes the login module to return false from the login() method).  This authentication failure will result in the Invalid User error when the call reaches the EJB layer.
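
An added illustration of the failure described above, not code from the JBoss EAP pull requests: a per-thread context that is set on the caller's thread is invisible to the pooled thread running the async call unless it is copied at submit time and removed again afterwards. `DemoRemotingContext`, `login()` and `withCallerContext()` are hypothetical stand-ins, and the connection is a constructed string rather than a real remoting connection.

```java
import java.util.concurrent.*;

public class AsyncContextCopyDemo {
    // Hypothetical stand-in for a per-thread remoting context; not the JBoss class.
    static final class DemoRemotingContext {
        private static final ThreadLocal<String> CONNECTION = new ThreadLocal<>();
        static String getConnection() { return CONNECTION.get(); }
        static void setConnection(String c) { CONNECTION.set(c); }
        static void clear() { CONNECTION.remove(); }
    }

    // Stand-in for the login module's check: it fails when the current thread
    // has no connection, which is the situation after a JAAS cache miss.
    static boolean login() { return DemoRemotingContext.getConnection() != null; }

    // Capture the caller's context at submit time, install it on the worker
    // thread for the duration of the task, then restore what was there before
    // so the identity does not leak to the next task on the pooled thread.
    static <T> Callable<T> withCallerContext(Callable<T> task) {
        final String captured = DemoRemotingContext.getConnection();
        return () -> {
            final String previous = DemoRemotingContext.getConnection();
            DemoRemotingContext.setConnection(captured);
            try {
                return task.call();
            } finally {
                if (previous == null) DemoRemotingContext.clear();
                else DemoRemotingContext.setConnection(previous);
            }
        };
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            DemoRemotingContext.setConnection("constructed-connection-from-nodeX");
            Callable<Boolean> asyncLogin = AsyncContextCopyDemo::login;
            boolean withoutCopy = pool.submit(asyncLogin).get();
            boolean withCopy = pool.submit(withCallerContext(asyncLogin)).get();
            // Same worker thread again, after the copied call has finished.
            boolean afterTask = pool.submit(asyncLogin).get();
            System.out.println("login without copy: " + withoutCopy);
            System.out.println("login with copy:    " + withCopy);
            System.out.println("context left over:  " + afterTask);
        } finally {
            DemoRemotingContext.clear();
            pool.shutdown();
        }
    }
}
```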

Comment 1 Derek Horton 2015-03-12 18:16:04 UTC
PR:  https://github.com/jbossas/jboss-eap/pull/2350

Comment 2 Derek Horton 2015-03-13 14:54:31 UTC
I updated the pull request:
PR:  https://github.com/jbossas/jboss-eap/pull/2350

I tested this change on EAP 6.3.3 and it resolves the issue.

Comment 4 Rostislav Svoboda 2015-04-23 13:42:07 UTC
Please provide a test (as discussed with Carlo) to include this in the CP01 payload.
I will qa_ack afterwards.

Comment 5 Ivo Studensky 2015-04-24 12:22:33 UTC
PR with a test-case:
https://github.com/jbossas/jboss-eap/pull/2402

Comment 6 Ivo Studensky 2015-04-24 12:31:35 UTC
Created another PR, the previous one was filed against a wrong target branch.

https://github.com/jbossas/jboss-eap/pull/2403

Comment 7 Rostislav Svoboda 2015-04-27 11:20:05 UTC
qa_acking, thank you for the test

Comment 9 Jan Martiska 2015-05-15 08:14:51 UTC
Verified in EAP 6.4.1.CR2.

Comment 10 Petr Penicka 2017-01-17 09:57:53 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.