Bug 952518
| Summary: | run-as does not work for Servlet init() and destroy() methods | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [JBoss] JBoss Enterprise Application Platform 6 | Reporter: | Josef Cacek <jcacek> | ||||||
| Component: | Security, Web | Assignee: | Chao Wang <chaowan> | ||||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Pavel Slavicek <pslavice> | ||||||
| Severity: | urgent | Docs Contact: | |||||||
| Priority: | urgent | ||||||||
| Version: | 6.3.0 | CC: | anil.saldhana, anmiller, bdawidow, cdewolf, chaowan, dandread, dehort, jason.greene, jawilson, jsightle, kkhan, okotek, rmaucher | ||||||
| Target Milestone: | DR13 | ||||||||
| Target Release: | EAP 6.4.0 | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||||
| Doc Text: |
Previous versions of JBoss EAP 6 carried an issue where the `run-as` identity was not being used for `Servlet.init()`, which was contrary to the Java Servlet 2.4 specification.
This was caused by the `RunAsListener` not existing in JBoss EAP 6 as it had previously in JBoss EAP 5.
This issue has been addressed in this release and the product now adheres to the specification in this regard.
|
Story Points: | --- | ||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | Type: | Bug | |||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 1131810 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
|
Description
Josef Cacek
2013-04-16 06:15:13 UTC
Peter - could you triage this with Josef? We should fix this issue with Stefan's help. Updating status, the issue is still present in 6.3.0.ER10 Requesting blocker flag for 6.4 because customers hit this issue and we don't follow the servlet specification. Reproducer ========== I'm attaching also the reproducer for this issue. The test application has 1 protected EJB and 3 servlets annotated with @RunAs. The first and second servlets use correct role to access the protected EJB, the second uses also loadOnStartup flag. The third servlet uses role name for which is access not allowed. The servlets print to the server console the method name, from which the protected EJB is called - e.g. 14:02:30,575 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.test.RunAsServletPermit.init() and then either a message returned from protected EJB 14:02:30,607 INFO [stdout] (http-/127.0.0.1:8080-1) >>> Hello world! or a stacktrace in case of failure 14:19:17,070 ERROR [org.jboss.as.ejb3.invocation] (http-/127.0.0.1:8080-1) JBAS014134: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed ... Steps to reproduce: =================== 1. set JBOSS_HOME environment variable and run the EAP: `$JBOSS_HOME/bin/standalone.sh` 2. deploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "deploy target/run-as.war"` 3. check the server console for deployment results (e.g. Servlet.init() call for loadOnStartup enabled servlet) 4. test servlets under: [http://localhost:8080/run-as/](http://localhost:8080/run-as/) 5. check the server console for servlets calls (doGet() method) 6. undeploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "undeploy run-as.war"` 7. check the server console for servlets undeploy results Test results ============ The test results are the same in both tested versions - 6.1.0.GA and 6.3.0.ER10. * run-as works for Servlet.init() method when loadOnStartup is not used * run-as doesn't work for Servlet.init() when loadOnStartup is used * run-as doesn't work for Servlet.destroy() method Created attachment 920105 [details]
run-as.war reproducer
Created attachment 920106 [details]
run-as-src.zip reproducer sources
Chao Wang <chaowan> updated the status of jira WFLY-998 to Reopened Remy Maucherat <rmaucher> updated the status of jira JBWEB-304 to Resolved There are still TCK failures following merge of https://github.com/jbossas/jboss-eap/pull/1877 which was opened to fix TCK regressions introduced by https://github.com/jbossas/jboss-eap/pull/1848 for https://bugzilla.redhat.com/show_bug.cgi?id=1160368. The changes introduced by both pull requests will be reverted in https://github.com/jbossas/jboss-eap/pull/1883 Revert https://github.com/jbossas/jboss-eap/pull/1883 was merged, setting this back to assigned. Once this BZ is properly fixed, perhaps https://bugzilla.redhat.com/show_bug.cgi?id=1160368 can be closed After attempting to implement it, this caused supposed regressions in the TCK, which Chao Wang has been unable to reproduce. So progress seems stalled. Also, this is not a blocker, and does not prevent testing of the app server Hey Remy, do you want to take a look or help Chao? Servlet 3.0 specification says in section "A.8 Changes Since Servlet 2.3" (pg 202): Clarification: "run-as" identity must apply to all calls from a servlet including init() and destroy() (12.7) Am rerunning the TCK for the original PR and fix, opened as https://github.com/jbossas/jboss-eap/pull/2064 against 6.x-ignore. Once the test-for-merge 6.x-ignore run passes I think I will merge it, and then decide what to do depending on the outcome of the TCK. It passed on 6.x-ignore, and TCK is looking good although not complete yet. The TCK passes with this fix Verified in JBoss EAP 6.4.0.DR13. Chao Wang <chaowan> updated the status of jira JBWEB-308 to Resolved |