Bug 1460347 - [GSS] (6.4.z) EJB run-as identity gets lost if an unsecured ejb in the call stack
Summary: [GSS] (6.4.z) EJB run-as identity gets lost if an unsecured ejb in the call s...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB, Security
Version: 6.4.15
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: CR1
: EAP 6.4.19
Assignee: Jiri Ondrusek
QA Contact: Jan Martiska
URL:
Whiteboard:
Depends On:
Blocks: eap6419-payload
TreeView+ depends on / blocked
 
Reported: 2017-06-09 19:28 UTC by dhorton
Modified: 2018-04-16 11:04 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-16 11:04:24 UTC
Type: Bug


Attachments (Terms of Use)
reproducer (9.84 KB, application/zip)
2017-06-09 19:28 UTC, dhorton
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-11462 Critical Verified [GSS] (7.1.x) EJB run-as identity gets lost if an unsecured ejb in the call stack 2018-04-18 10:52:53 UTC
Red Hat Issue Tracker JBEAP-11632 Critical Pull Request Sent [GSS] (7.0.z) EJB run-as identity gets lost if an unsecured ejb in the call stack 2018-04-18 10:52:53 UTC
Red Hat Issue Tracker WFLY-8917 Major Closed EJB run-as identity gets lost if an unsecured ejb in the call stack 2018-04-18 10:52:53 UTC

Description dhorton 2017-06-09 19:28:33 UTC
Created attachment 1286513 [details]
reproducer

Description of problem:


Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.

An example might look like this:
unsecured web app (RunAs: JBossAdmin) -> unsecured HelloBean EJB -> secured GoodBye EJB (RolesAllowed: JBossAdmin)

This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.


Steps to Reproduce:

- copy "other" security-domain to "jmx-console" 
- deploy SimpleEAR_EJB3.ear
- hit http://localhost:8080/SimpleWar/Hello


Actual results:

Access is denied on GoodBye EJB


Expected results:


Additional info:

Comment 1 dhorton 2017-06-16 14:13:17 UTC
Upstream (with PR):  https://issues.jboss.org/browse/WFLY-8917

Comment 4 Vladimir Dosoudil 2017-11-28 05:38:33 UTC
Upstream EAP 7.1: https://issues.jboss.org/browse/JBEAP-11462
Upstream EAP 7.0: https://issues.jboss.org/browse/JBEAP-11632
Upstream WildFly: https://issues.jboss.org/browse/WFLY-8917

Comment 5 Jiří Bílek 2018-01-05 15:43:11 UTC
Verified with EAP 6.4.19.CP.CR1


Note You need to log in before you can comment on or make changes to this bug.