Bug 1152477 - Annotation @RolesAllowed doesn't work for generic types in EJBs
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB, Security
Version: 6.3.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: DR10
Target Release: EAP 6.4.0
Assigned To: Stuart Douglas
QA Contact: Pavel Slavicek
Reported: 2014-10-14 04:58 EDT by Josef Cacek
Modified: 2018-07-31 17:49 EDT
Doc Type: Bug Fix
Type: Bug

Attachments
RolesAllowed-reproducer.zip (11.70 KB, application/zip), 2014-10-14 04:58 EDT, Josef Cacek

Description Josef Cacek 2014-10-14 04:58:45 EDT
Created attachment 946764 [details]
RolesAllowed-reproducer.zip

If generic types are used, the AuthorizationInterceptor is not correctly configured. The problem is that the MethodPermissionsMergingProcessor adds the permission based on the type parameter, but EJBSecurityViewConfigurator checks the base type of the parameter.

Example:

// Each public type lives in its own file; package name taken from the
// class names recorded in steps 1 and 2 below.
package jboss.example.ejb;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

public class BaseObject {
...
}

public class TestItem extends BaseObject {
...
}

@Local
public interface TestInterface<T extends BaseObject> {
  // T erases to its bound, BaseObject, in the interface's compiled signature
  public void testMethodWithArgs(T t) throws Exception;
}


@Stateless
@Local
@SecurityDomain("test")
public class TestImplementation implements TestInterface<TestItem> {

  // Annotated on the method declared with the concrete type argument (TestItem);
  // the local view sees the interface method with T erased to BaseObject.
  @RolesAllowed("JBossAdmin")
  public void testMethodWithArgs(TestItem t) throws Exception {
    // whatever
  }
}

When deploying the TestImplementation bean, the following happens:

1)
The MethodPermissionsMergingProcessor.handleAnnotations() method sets AnnotationMethodPermissions attribute for:

className: jboss.example.ejb.TestImplementation
methodName: testMethodWithArgs
methodParams: ["jboss.example.ejb.TestItem"]

2)
The org.jboss.as.ejb3.security.EJBSecurityViewConfigurator.handlePermissions() method reads permission for:

className: jboss.example.ejb.TestImplementation
methodName: testMethodWithArgs
methodParams: ["jboss.example.ejb.BaseObject"]


==================
Attaching also original reproducer from Derek Horton. Usage:
- configure a "jmx-console" security domain with a user in role "JBossAdmin"
- deploy the EAR
- go to http://localhost:8080/SimpleWar/Hello
- check log files
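An added stand-alone Java model of the mismatch described above. This is example code written for this page, not the EAP/WildFly implementation and not the attached reproducer: it declares a local stand-in for javax.annotation.security.RolesAllowed so it compiles on a bare JDK, models the two steps from the description as a plain map keyed by (className, methodName, methodParams), and shows one way to resolve the erased view signature to the annotated bean method by following the compiler-generated bridge method. The bridge-following lookup is an assumption about how such a lookup could be corrected, not a description of what the upstream commit does.

```java
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

public class GenericViewPermissionDemo {

    // Local stand-in for javax.annotation.security.RolesAllowed (assumption: only the
    // annotation's presence and value matter here, so no EE API jar is needed).
    @Retention(RetentionPolicy.RUNTIME)
    @interface RolesAllowed { String[] value(); }

    public static class BaseObject {}
    public static class TestItem extends BaseObject {}

    public interface TestInterface<T extends BaseObject> {
        void testMethodWithArgs(T t) throws Exception;
    }

    public static class TestImplementation implements TestInterface<TestItem> {
        @RolesAllowed("JBossAdmin")
        public void testMethodWithArgs(TestItem t) throws Exception {}
    }

    /** Lookup key in the shape the bug description gives: class name, method name, parameter type names. */
    static String key(Class<?> bean, String name, Class<?>[] params) {
        StringBuilder sb = new StringBuilder(bean.getName()).append('#').append(name).append('(');
        for (int i = 0; i < params.length; i++) {
            if (i > 0) sb.append(',');
            sb.append(params[i].getName());
        }
        return sb.append(')').toString();
    }

    /** Step 1 (modelled on the description of MethodPermissionsMergingProcessor): record the roles of each
     *  annotated, non-bridge method under its declared parameter types, i.e. under TestItem. Bridge methods
     *  are skipped so the result does not depend on whether the compiler copied the annotation onto them. */
    static Map<String, Set<String>> collectPermissions(Class<?> bean) {
        Map<String, Set<String>> perms = new HashMap<>();
        for (Method m : bean.getDeclaredMethods()) {
            RolesAllowed ra = m.getAnnotation(RolesAllowed.class);
            if (ra != null && !m.isBridge()) {
                perms.put(key(bean, m.getName(), m.getParameterTypes()), new HashSet<>(Arrays.asList(ra.value())));
            }
        }
        return perms;
    }

    /** Step 2 as the bug describes it: look the view method up by its erased interface signature (BaseObject).
     *  The key differs from the one recorded in step 1, so no roles are found. */
    static Set<String> brokenLookup(Map<String, Set<String>> perms, Class<?> bean, Method viewMethod) {
        return perms.get(key(bean, viewMethod.getName(), viewMethod.getParameterTypes()));
    }

    /** One possible correction (assumption, not the project's fix): resolve the view method to the bean
     *  method that implements it. The erased interface signature matches the compiler-generated bridge on
     *  the bean; the bridge's target is the method whose declared types were used when recording. */
    static Set<String> fixedLookup(Map<String, Set<String>> perms, Class<?> bean, Method viewMethod)
            throws NoSuchMethodException {
        Method onBean = bean.getMethod(viewMethod.getName(), viewMethod.getParameterTypes());
        Method target = onBean.isBridge() ? bridgeTarget(onBean) : onBean;
        return perms.get(key(bean, target.getName(), target.getParameterTypes()));
    }

    /** Find the non-bridge method a bridge delegates to: same name and arity, and each declared parameter
     *  type assignable to the corresponding (erased) parameter type of the bridge. */
    static Method bridgeTarget(Method bridge) {
        for (Method m : bridge.getDeclaringClass().getDeclaredMethods()) {
            if (m.isBridge() || !m.getName().equals(bridge.getName())
                    || m.getParameterCount() != bridge.getParameterCount()) {
                continue;
            }
            boolean compatible = true;
            for (int i = 0; i < m.getParameterCount(); i++) {
                if (!bridge.getParameterTypes()[i].isAssignableFrom(m.getParameterTypes()[i])) {
                    compatible = false;
                    break;
                }
            }
            if (compatible) return m;
        }
        throw new IllegalStateException("no target found for bridge method " + bridge);
    }

    public static void main(String[] args) throws Exception {
        Class<?> bean = TestImplementation.class;
        // T extends BaseObject erases to BaseObject in the interface's compiled signature.
        Method view = TestInterface.class.getMethod("testMethodWithArgs", BaseObject.class);
        Map<String, Set<String>> perms = collectPermissions(bean);
        System.out.println("recorded: " + perms);
        System.out.println("view key: " + key(bean, view.getName(), view.getParameterTypes()));
        System.out.println("broken:   " + brokenLookup(perms, bean, view));
        System.out.println("fixed:    " + fixedLookup(perms, bean, view));
    }
}
```

Running the main method prints the permission recorded under the TestItem key, the BaseObject key the view produces, a null result for the broken lookup and the JBossAdmin role for the bridge-following lookup. The security-relevant point is the failure direction: a missed permission entry leaves the method without the intended @RolesAllowed restriction on the view, which is why a missing role check rather than a spurious denial is what the reproducer surfaces in the logs.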
Comment 1 David M. Lloyd 2014-10-20 14:01:17 EDT
Looking at the code, I suspect this problem also exists in upstream?
Comment 4 Stuart Douglas 2014-11-09 20:30:00 EST
I think this was fixed upstream by https://github.com/wildfly/wildfly/commit/233075c