Bug 1288670

Summary: [GSS] (6.4.z) Improve error message for EJBs with restricted access permission but no security-domain
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: EJB
Assignee: Radovan STANCEL <rstancel>
Status: CLOSED EOL
QA Contact: Jan Martiska <jmartisk>
Severity: unspecified
Priority: unspecified
Version: 6.4.4
CC: bbaranow, bmaxwell, david.lloyd, dhorton, egonzale, istudens, msochure, rstancel
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2019-08-19 12:46:20 UTC

Description dhorton 2015-12-04 23:19:05 UTC
Description of problem:
Improve the error message for EJBs that have restricted access permission but are not assigned to a security-domain.

In this situation, the EJB security will fall back to the "other" security-domain, which will most likely end up with an "Invalid User" error message getting logged.

In this situation, it might be better to log something like: "No security domain associated to this enterprise bean"

Comment 1 Enrique Gonzalez Martinez 2015-12-11 11:21:39 UTC
Not really sure if changing the message would make sense, as the logic of the security manager is to say if the user is valid or not.

Regarding the "other" as the default security-domain, this is the current behaviour of the app server.

Not sure if this change is a good idea. 

PS: Maybe adding some debug info about which security domain is being used could help in this sort of use case :?

Comment 9 dhorton 2017-03-13 15:40:09 UTC
To reproduce:

- build an application with a secured web application, assign the web application to a valid security-domain
- make the servlet invoke a secured EJB
  - the ejb should use the @RolesAllowed annotation
  - the ejb should _not_ be assigned to a security-domain
  - it will fall back to using "other" by default

There isn't a good warning in the logs about this behavior.  You will see the servlet get authenticated using the security-domain that is assigned to it, but when the servlet invokes the secured EJB you will see that it "falls back" to the "other" security-domain which cannot authenticate the user...leading to an error.
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: admin, cache entry: null
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: admin
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
ControlFlag: LoginModuleControlFlag: optional
Options:
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=password-stacking, value=useFirstPass

10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,676 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000283: Bad password for username admin
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_111]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_111]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_111]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_111]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_111]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_111]
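The reproduction above in source form, as an added example that is not part of the bug report or of JBoss EAP itself: a servlet bound to a security domain calls a stateless bean that carries @RolesAllowed, once without any security domain (the misconfiguration described in the bug) and once with @SecurityDomain naming the same domain as the web application. The domain name "MyAppDomain", the "Manager" role, the package and the class names are assumptions; the web application is assumed to be bound to the domain through WEB-INF/jboss-web.xml.

```java
// --- File: ReportServlet.java ---
// Added example, not code from the bug report or from JBoss EAP. "MyAppDomain",
// the "Manager" role and the package/class names are assumptions. The web
// application is assumed to be bound to the domain in WEB-INF/jboss-web.xml:
//   <security-domain>MyAppDomain</security-domain>
package com.example.ejbsec;

import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/report")
@ServletSecurity(@HttpConstraint(rolesAllowed = "Manager"))
public class ReportServlet extends HttpServlet {

    @EJB
    private ReportBean reportBean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // By the time doGet runs, the container has authenticated the caller
        // (e.g. "admin") against MyAppDomain; that identity propagates into
        // the EJB invocation below.
        resp.setContentType("text/plain");
        resp.getWriter().println(reportBean.generate());
    }
}

// --- File: ReportBeanMisconfigured.java (the situation the bug describes) ---
package com.example.ejbsec;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// @RolesAllowed switches on EJB security, but no security domain is declared,
// so the container uses the ejb3 subsystem's default-security-domain, "other".
// The propagated identity is then evaluated by the "other" login modules
// (the PBOX000221 getAppConfigurationEntry(other) lines in the trace above),
// RealmDirectLoginModule does not know the user's password (PBOX000283), and
// the invocation fails even though the servlet authenticated the same user.
@Stateless
@RolesAllowed("Manager")
public class ReportBeanMisconfigured {
    @Resource
    private SessionContext ctx;

    public String generate() {
        return "report for " + ctx.getCallerPrincipal().getName();
    }
}

// --- File: ReportBean.java (fixed) ---
package com.example.ejbsec;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Naming the same domain that authenticated the servlet means the propagated
// identity is evaluated where it was established, so the "Manager" role check
// succeeds for a user that holds that role there.
@Stateless
@SecurityDomain("MyAppDomain")
@RolesAllowed("Manager")
public class ReportBean {
    @Resource
    private SessionContext ctx;

    public String generate() {
        return "report for " + ctx.getCallerPrincipal().getName();
    }
}
```

The same binding can be made without the JBoss-specific annotation by declaring the domain in META-INF/jboss-ejb3.xml (the `security-domain` element of the `urn:security:1.1` namespace, matched by `ejb-name`). When a deployment shows the fallback seen in the trace, checking which domain the ejb3 subsystem defaults to (`/subsystem=ejb3:read-attribute(name=default-security-domain)` in jboss-cli) tells you where the credentials are being re-evaluated, which is the "debug info about which security domain is being used" that Comment 1 asks for.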