Bug 1460347

Summary: [GSS] (6.4.z) EJB run-as identity gets lost if an unsecured ejb in the call stack
Product: [JBoss] JBoss Enterprise Application Platform 6
Reporter: dhorton
Component: EJB, Security
Assignee: Jiri Ondrusek <jondruse>
Status: CLOSED CURRENTRELEASE
QA Contact: Jan Martiska <jmartisk>
Severity: unspecified
Priority: unspecified
Version: 6.4.15
CC: bmaxwell, david.lloyd, dosoudil, jbilek, jondruse
Target Milestone: CR1
Target Release: EAP 6.4.19
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Last Closed: 2018-04-16 11:04:24 UTC
Type: Bug
Bug Blocks: 1498153
Attachments: reproducer (flags: none)

Description dhorton 2017-06-09 19:28:33 UTC
Created attachment 1286513: reproducer

Description of problem:

Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.

An example might look like this:
unsecured web app (RunAs: JBossAdmin) -> unsecured HelloBean EJB -> secured GoodBye EJB (RolesAllowed: JBossAdmin)

This will fail as the unsecured EJB causes the RunAs identity to get dropped/lost.


Steps to Reproduce:

- copy "other" security-domain to "jmx-console"
- deploy SimpleEAR_EJB3.ear
- hit http://localhost:8080/SimpleWar/Hello

Actual results:

Access is denied on GoodBye EJB

Expected results:

Additional info:
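The following is an added illustration of the call chain named in the description; it is not the attached reproducer (whose source is not shown here) and not project code. Class, interface and method names are assumed; @SecurityDomain is the JBoss-specific org.jboss.ejb3.annotation.SecurityDomain, pointed at the jmx-console domain the reproduction steps create.

```java
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Local;
import javax.ejb.Stateless;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import org.jboss.ejb3.annotation.SecurityDomain;

// Local business interfaces (names assumed for this example).
@Local interface HelloLocal   { String sayHello(); }
@Local interface GoodByeLocal { String sayGoodBye(); }

// 1. Unsecured web app: no login-config, but the servlet runs as JBossAdmin,
//    so every EJB call made from doGet should carry that run-as identity.
@WebServlet("/Hello")
@RunAs("JBossAdmin")
public class HelloServlet extends HttpServlet {
    @EJB
    private HelloLocal hello;

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.getWriter().println(hello.sayHello());
    }
}

// 2. Unsecured intermediate EJB: no @SecurityDomain and no @RolesAllowed.
//    On affected EAP 6.4.x builds the run-as identity is dropped while passing through here.
@Stateless
class HelloBean implements HelloLocal {
    @EJB
    private GoodByeLocal goodBye;

    public String sayHello() {
        return "Hello, " + goodBye.sayGoodBye();
    }
}

// 3. Secured target EJB in the jmx-console domain (copied from "other" in the steps).
//    With the bug, this call is denied even though the servlet was set to run as JBossAdmin.
@Stateless
@SecurityDomain("jmx-console")
@RolesAllowed("JBossAdmin")
class GoodByeBean implements GoodByeLocal {
    public String sayGoodBye() {
        return "Goodbye";
    }
}
```

Requesting /SimpleWar/Hello on a fixed build returns "Hello, Goodbye"; on an affected build the GoodByeBean call is denied, as the "Actual results" above describe.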

Comment 1 dhorton 2017-06-16 14:13:17 UTC
Upstream (with PR): https://issues.jboss.org/browse/WFLY-8917

Comment 4 Vladimir Dosoudil 2017-11-28 05:38:33 UTC
Upstream EAP 7.1: https://issues.jboss.org/browse/JBEAP-11462
Upstream EAP 7.0: https://issues.jboss.org/browse/JBEAP-11632
Upstream WildFly: https://issues.jboss.org/browse/WFLY-8917

Comment 5 Jiří Bílek 2018-01-05 15:43:11 UTC
Verified with EAP 6.4.19.CP.CR1