Bug 1403939

Summary: [GSS] (6.4.z) @javax.jws.Oneway causes security-context to be lost
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: Web Services
Assignee: Radovan Netuka <rnetuka>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiří Bílek <jbilek>
Severity: unspecified
Priority: unspecified
Version: 6.4.11
CC: asoldano, bmaxwell, dosoudil, jbilek, rnetuka
Target Milestone: CR1   
Target Release: EAP 6.4.19   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2018-04-16 11:06:15 UTC
Type: Bug
Bug Blocks: 1498153, 1509804    

Description dhorton 2016-12-12 16:35:42 UTC
Description of problem:
I am working with a customer that is running into an issue with security-context propagation when using the @Oneway annotation.

Using the @javax.jws.Oneway annotation on a web service EJB causes the request to be handled by a new thread.  Unfortunately, the security-context does not appear to be getting copied to the new thread that handles the request.  This results in calls to secured EJBs failing.

Comment 1 dhorton 2016-12-13 14:51:35 UTC
To reproduce this issue, build a secured EJB3 web service and annotate a method with @RolesAllowed and @Oneway.  The thread that starts the request will be authenticated and assigned roles correctly, but the security-context is not copied to the thread that handles the oneway call.  This will result in an invalid user / permission denied issue.

Comment 11 Jiří Bílek 2018-01-10 12:11:47 UTC
Verified with EAP 6.4.19.CP.CR1
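
Added example, not part of the bug report and not JBoss code: a minimal model of the failure mode reported in the description and comment 1, where a thread-bound security context is missing on the worker thread that runs a hand-off, next to a wrapper that captures and restores it. It assumes the context is held per thread; `CALLER`, `securedCall` and `propagating` are hypothetical names, and "alice" is a constructed sample principal.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;

public class OnewayContextDemo {
    // Hypothetical stand-in for a container's thread-bound security context.
    static final ThreadLocal<String> CALLER = new ThreadLocal<>();

    // Models a role-protected method: a thread with no caller is rejected.
    static void securedCall(String label) {
        String caller = CALLER.get();
        if (caller == null) {
            System.out.println(label + ": DENIED, no security context on "
                    + Thread.currentThread().getName());
        } else {
            System.out.println(label + ": allowed for " + caller);
        }
    }

    // Captures the submitting thread's context, installs it on the worker for
    // the duration of the task, then restores the worker's previous state so a
    // pooled thread never keeps another caller's identity.
    static Runnable propagating(Runnable task) {
        final String captured = CALLER.get();
        return () -> {
            String previous = CALLER.get();
            CALLER.set(captured);
            try {
                task.run();
            } finally {
                if (previous == null) CALLER.remove(); else CALLER.set(previous);
            }
        };
    }

    public static void main(String[] args) throws InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        CALLER.set("alice"); // constructed sample principal on the request thread
        try {
            securedCall("request thread");
            pool.execute(() -> securedCall("plain hand-off"));                   // context lost
            pool.execute(propagating(() -> securedCall("propagated hand-off"))); // context restored
        } finally {
            CALLER.remove();
            pool.shutdown();
            pool.awaitTermination(5, TimeUnit.SECONDS);
        }
    }
}
```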