Bug 1460347 - [GSS] (6.4.z) EJB run-as identity gets lost if an unsecured ejb in the call stack
Summary: [GSS] (6.4.z) EJB run-as identity gets lost if an unsecured ejb in the call stack
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB, Security
Version: 6.4.15
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: CR1
Target Release: EAP 6.4.19
Assignee: Jiri Ondrusek
QA Contact: Jan Martiska
URL:
Whiteboard:
Depends On:
Blocks: eap6419-payload
Reported: 2017-06-09 19:28 UTC by dhorton
Modified: 2021-03-11 15:18 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-16 11:04:24 UTC
Type: Bug
Embargoed:


Attachments
reproducer (9.84 KB, application/zip), 2017-06-09 19:28 UTC, dhorton


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-11462 0 Critical Verified [GSS] (7.1.x) EJB run-as identity gets lost if an unsecured ejb in the call stack 2018-04-18 10:52:53 UTC
Red Hat Issue Tracker JBEAP-11632 0 Critical Pull Request Sent [GSS] (7.0.z) EJB run-as identity gets lost if an unsecured ejb in the call stack 2018-04-18 10:52:53 UTC
Red Hat Issue Tracker WFLY-8917 0 Major Closed EJB run-as identity gets lost if an unsecured ejb in the call stack 2018-04-18 10:52:53 UTC

Description dhorton 2017-06-09 19:28:33 UTC
Created attachment 1286513: reproducer

Description of problem:


Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.

An example might look like this:
unsecured web app (RunAs: JBossAdmin) -> unsecured HelloBean EJB -> secured GoodBye EJB (RolesAllowed: JBossAdmin)

This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.


Steps to Reproduce:

- copy "other" security-domain to "jmx-console" 
- deploy SimpleEAR_EJB3.ear
- hit http://localhost:8080/SimpleWar/Hello


Actual results:

Access is denied on GoodBye EJB


Expected results:


Additional info:
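To make the three-tier chain in the report concrete, the following is an added illustration of the deployment it describes, not the attached reproducer (whose source is not on this page): a servlet that runs as JBossAdmin, an unsecured intermediate bean, and a secured bean restricted to JBossAdmin. The three classes are shown together but would live in separate source files; class and package names, and the use of the jmx-console security domain on the secured bean, are assumptions.

```java
// Added illustration of the reported call chain; names and the
// security domain on GoodByeBean are assumptions, not the reproducer's.
import java.io.IOException;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.jboss.ejb3.annotation.SecurityDomain;

// --- HelloServlet.java (in SimpleWar) ---
// Tier 1: the web app itself has no security constraints, so the HTTP
// caller is anonymous; @RunAs is what should give the outbound EJB calls
// the JBossAdmin role.
@WebServlet("/Hello")
@RunAs("JBossAdmin")
public class HelloServlet extends HttpServlet {
    @EJB
    private HelloBean hello;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.getWriter().println(hello.sayHello());
    }
}

// --- HelloBean.java ---
// Tier 2: unsecured EJB, no security domain and no role constraints.
// Per the report, this is the hop on 6.4.15 where the run-as identity
// is dropped before the call reaches GoodByeBean.
@Stateless
public class HelloBean {
    @EJB
    private GoodByeBean goodBye;

    public String sayHello() {
        return "Hello, " + goodBye.sayGoodBye();
    }
}

// --- GoodByeBean.java ---
// Tier 3: secured EJB; only callers holding JBossAdmin may invoke it.
// Expected: the servlet's run-as role satisfies the check.
// Actual (bug): access is denied because the role did not propagate.
@Stateless
@SecurityDomain("jmx-console") // assumed; matches the "copy other to jmx-console" step
@RolesAllowed("JBossAdmin")
public class GoodByeBean {
    public String sayGoodBye() {
        return "goodbye";
    }
}
```

With this layout, a GET on /SimpleWar/Hello is expected to return "Hello, goodbye"; the report's observed behaviour on 6.4.15 is that the call into GoodByeBean is denied. The intermediate bean carrying no security domain is the distinguishing feature of the chain, which is the condition worth checking for when auditing deployments that rely on run-as propagation through several beans.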

Comment 1 dhorton 2017-06-16 14:13:17 UTC
Upstream (with PR):  https://issues.jboss.org/browse/WFLY-8917

Comment 4 Vladimir Dosoudil 2017-11-28 05:38:33 UTC
Upstream EAP 7.1: https://issues.jboss.org/browse/JBEAP-11462
Upstream EAP 7.0: https://issues.jboss.org/browse/JBEAP-11632
Upstream WildFly: https://issues.jboss.org/browse/WFLY-8917

Comment 5 Jiří Bílek 2018-01-05 15:43:11 UTC
Verified with EAP 6.4.19.CP.CR1
