Bug 1288670 - [GSS] (6.4.z) Improve error message for EJBs with restricted access permission but no security-domain [NEEDINFO]
[GSS] (6.4.z) Improve error message for EJBs with restricted access permissio...
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Radovan STANCEL
Jan Martiska
Depends On:
  Show dependency treegraph
Reported: 2015-12-04 18:19 EST by dhorton
Modified: 2017-07-03 01:41 EDT (History)
8 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
rstancel: needinfo? (dhorton)

Attachments (Terms of Use)

  None (edit)
Description dhorton 2015-12-04 18:19:05 EST
Description of problem:
Improve error the message for EJBs that have restricted access permission but are not assigned to a security-domain.

In this situation, the EJB security will fallback to the "other" security-domain which will most likely end up with an "Invalid User" error message getting logged.

In this situation, it might be better to log something like: "No security domain associated to this enterprise bean"
Comment 1 Enrique Gonzalez Martinez 2015-12-11 06:21:39 EST
Not really sure if changing the message would make sense as the logic of the security manager is to say if the user is valid or not. 

Regarding the "other" as the default security-domain, this is the current behaviour of the app server.

Not sure if this change is a good idea. 

PS: Maybe adding some debug info about which security domain is being used could help in this sort of use case :?
Comment 9 dhorton 2017-03-13 11:40:09 EDT
To reproduce:

- build an application with a secured web application, assign the web application to a valid security-domain
- make the servlet invoke a secured EJB
  - the ejb should use the @RolesAllowed annotation
  - the ejb should _not_ be assigned to a security-domain
  - it will fallback to using "other" by default

There isn't a good warning in the logs about this behavior.  You will see the servlet get authenticated using the security-domain that is assigned to it, but when the servlet invokes the secured EJB you will see that it "falls back" to the "other" security-domain which cannot authenticate the user...leading to an error.

10:17:34,664 TRACE [org.jboss.security] (http- PBOX000200: Begin isValid, principal: admin, cache entry: null
10:17:34,664 TRACE [org.jboss.security] (http- PBOX000209: defaultLogin, principal: admin
10:17:34,665 TRACE [org.jboss.security] (http- PBOX000221: Begin getAppConfigurationEntry(other), size: 4
10:17:34,665 TRACE [org.jboss.security] (http- PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
ControlFlag: LoginModuleControlFlag: optional
name=password-stacking, value=useFirstPass
LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
ControlFlag: LoginModuleControlFlag: required
name=password-stacking, value=useFirstPass

10:17:34,665 TRACE [org.jboss.security] (http- PBOX000236: Begin initialize method
10:17:34,665 TRACE [org.jboss.security] (http- PBOX000240: Begin login method
10:17:34,666 TRACE [org.jboss.security] (http- PBOX000236: Begin initialize method
10:17:34,666 TRACE [org.jboss.security] (http- PBOX000240: Begin login method
10:17:34,676 DEBUG [org.jboss.security] (http- PBOX000283: Bad password for username admin
10:17:34,677 TRACE [org.jboss.security] (http- PBOX000244: Begin abort method
10:17:34,677 TRACE [org.jboss.security] (http- PBOX000244: Begin abort method
10:17:34,677 DEBUG [org.jboss.security] (http- PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_111]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_111]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_111]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_111]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_111]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_111]

Note You need to log in before you can comment on or make changes to this bug.