Bug 1403939 - [GSS] (6.4.z) @javax.jws.Oneway causes security-context to be lost
Summary: [GSS] (6.4.z) @javax.jws.Oneway causes security-context to be lost
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web Services
Version: 6.4.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: CR1
: EAP 6.4.19
Assignee: Radovan Netuka
QA Contact: Jiří Bílek
URL:
Whiteboard:
Depends On:
Blocks: eap6419-payload 1509804
Reported: 2016-12-12 16:35 UTC by dhorton
Modified: 2020-01-17 16:19 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-16 11:06:15 UTC
Type: Bug
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBWS-3905 0 Major Closed Use original thread for ejb webservice oneway operation to avoid authorization failure 2018-04-13 12:30:34 UTC
Red Hat Issue Tracker JBWS-3920 0 Major Closed Default to using original thread for processing one-way messages 2018-04-13 12:30:34 UTC
Red Hat Knowledge Base (Solution) 2803341 0 None None None 2017-11-06 19:25:15 UTC

Description dhorton 2016-12-12 16:35:42 UTC
Description of problem:
I am working with a customer that is running into an issue with security-context propagation when using the @Oneway annotation.

Using the @javax.jws.Oneway annotation on a web service EJB causes the request to be handled by a new thread. Unfortunately, the security-context does not appear to be getting copied to the new thread that handles the request. This results in calls to secured EJBs failing.

Comment 1 dhorton 2016-12-13 14:51:35 UTC
To reproduce this issue, build a secured EJB3 web service and annotate a method with @RolesAllowed and @Oneway.  The thread that starts the request will be authenticated and assigned roles correctly, but the security-context is not copied to the thread that handles the oneway call.  This will result in an invalid user / permission denied issue.
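The reproducer described in the comment above, written out as an added example (not code from the reporter or from the product). The security domain "other", the role "admin" and the downstream secured bean AuditBean are assumptions chosen for illustration:

```java
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jws.Oneway;
import javax.jws.WebMethod;
import javax.jws.WebService;
import org.jboss.ejb3.annotation.SecurityDomain;

/*
 * Reproducer for the @Oneway security-context loss: an EJB3 web service
 * endpoint with one request/response operation and one one-way operation,
 * both restricted to the (assumed) role "admin" and both calling a secured EJB.
 */
@Stateless
@WebService(serviceName = "OrderService")
@SecurityDomain("other") // assumed security domain name
public class OrderEndpoint {

    @Resource
    private SessionContext ctx;

    // AuditBean is an assumed secured EJB annotated with @RolesAllowed("admin").
    @EJB
    private AuditBean audit;

    // Request/response operation: runs on the thread that authenticated the
    // SOAP request, so the caller principal is present and the call succeeds.
    @WebMethod
    @RolesAllowed("admin")
    public String placeOrder(String item) {
        audit.record(ctx.getCallerPrincipal().getName() + " ordered " + item);
        return "ok";
    }

    // One-way operation: in the affected EAP 6.4 versions the message is handed
    // to a different thread that does not carry the caller's security context.
    // The EJB container therefore sees an invalid user, and this invocation
    // (and the nested call to the secured AuditBean) fails with permission denied,
    // even though the SOAP request itself was authenticated and assigned roles.
    @WebMethod
    @Oneway
    @RolesAllowed("admin")
    public void placeOrderAsync(String item) {
        audit.record(ctx.getCallerPrincipal().getName() + " ordered " + item);
    }
}
```

With the fix tracked in the linked JBWS-3920 (one-way messages processed on the original thread by default, verified in EAP 6.4.19.CP.CR1), both operations run with the same caller identity.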

Comment 11 Jiří Bílek 2018-01-10 12:11:47 UTC
Verified with EAP 6.4.19.CP.CR1

