Bug 1460347 - [GSS] (6.4.z) EJB run-as identity gets lost if an unsecured ejb in the call stack
Status: CLOSED CURRENTRELEASE
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB, Security (Show other bugs)
6.4.15
Unspecified Unspecified
unspecified Severity unspecified
: CR1
: EAP 6.4.19
Assigned To: Jiri Ondrusek
Jan Martiska
Depends On:
Blocks: eap6419-payload
Reported: 2017-06-09 15:28 EDT by dhorton
Modified: 2018-04-16 07:04 EDT (History)
5 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-04-16 07:04:24 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
reproducer (9.84 KB, application/zip)
2017-06-09 15:28 EDT, dhorton


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
JBoss Issue Tracker | JBEAP-11462 | Critical | Verified | [GSS] (7.1.x) EJB run-as identity gets lost if an unsecured ejb in the call stack | 2018-04-18 06:52 EDT
JBoss Issue Tracker | JBEAP-11632 | Critical | Pull Request Sent | [GSS] (7.0.z) EJB run-as identity gets lost if an unsecured ejb in the call stack | 2018-04-18 06:52 EDT
JBoss Issue Tracker | WFLY-8917 | Major | Closed | EJB run-as identity gets lost if an unsecured ejb in the call stack | 2018-04-18 06:52 EDT

Description dhorton 2017-06-09 15:28:33 EDT
Created attachment 1286513 [details]
reproducer

Description of problem:

Having an unsecured EJB in the call stack will cause the RunAs identity to get lost.

An example might look like this:
unsecured web app (RunAs: JBossAdmin) -> unsecured HelloBean EJB -> secured GoodBye EJB (RolesAllowed: JBossAdmin)

This will fail as the unsecured ejb causes the RunAs identity to get dropped/lost.


Steps to Reproduce:

- copy "other" security-domain to "jmx-console" 
- deploy SimpleEAR_EJB3.ear
- hit http://localhost:8080/SimpleWar/Hello


Actual results:

Access is denied on GoodBye EJB


Expected results:


Additional info:
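The three-component call chain from the description, written out as an added illustration of the deployment shape the report talks about; this is not the attached reproducer and not code from the JBoss project. The class HelloServlet, the package name, the method names and the binding of GoodByeBean to the "jmx-console" security domain (suggested by the "copy 'other' security-domain to 'jmx-console'" reproduction step) are assumptions; HelloBean, GoodBye, the JBossAdmin role and the /SimpleWar/Hello path come from the report.

```java
// Added illustration of the call chain in the report; not the attached reproducer.
// Assumed: package name, HelloServlet, method names, and the "jmx-console" domain binding.

// ---- File: SimpleWar/src/example/HelloServlet.java (hypothetical path) ----
package example;

import java.io.IOException;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Step 1: the unsecured web app. No <security-constraint> protects /Hello, but the
// servlet declares a run-as role, so every EJB call it makes should carry "JBossAdmin".
@WebServlet("/Hello")
@RunAs("JBossAdmin")
public class HelloServlet extends HttpServlet {

    @EJB
    private HelloBean hello;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // With the bug: GoodByeBean throws EJBAccessException (access denied).
        // Expected: the run-as role satisfies @RolesAllowed and the text is returned.
        resp.getWriter().println(hello.hello());
    }
}

// ---- File: SimpleEJB/src/example/HelloBean.java (hypothetical path) ----
package example;

import javax.ejb.EJB;
import javax.ejb.Stateless;

// Step 2: the unsecured EJB in the middle of the chain. It carries no @SecurityDomain
// and no @RolesAllowed / @PermitAll, so no security interceptor is applied to it.
// Per the report, this is the link where the propagated run-as identity is dropped.
@Stateless
public class HelloBean {

    @EJB
    private GoodByeBean goodBye;

    public String hello() {
        return "Hello, " + goodBye.goodBye();
    }
}

// ---- File: SimpleEJB/src/example/GoodByeBean.java (hypothetical path) ----
package example;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Step 3: the secured EJB. Only a caller whose identity holds JBossAdmin may invoke it;
// the role check is what denies the call when the run-as identity has been lost.
@Stateless
@SecurityDomain("jmx-console")   // assumption: the domain created by copying "other"
@RolesAllowed("JBossAdmin")
public class GoodByeBean {

    public String goodBye() {
        return "goodbye";
    }
}
```

Packaged as a WAR plus an EJB JAR inside one EAR and requested at /SimpleWar/Hello, the chain exercises exactly the path in the description: the authorization decision is made at GoodByeBean, so whether the response is "Hello, goodbye" or an access-denied error depends entirely on whether the JBossAdmin run-as identity survives the hop through the unsecured HelloBean. Putting the role check on the innermost bean is the right design (least privilege at the resource), which is also why a propagation defect like this one surfaces as a denial rather than as an escalation.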
Comment 1 dhorton 2017-06-16 10:13:17 EDT
Upstream (with PR): https://issues.jboss.org/browse/WFLY-8917
Comment 4 Vladimir Dosoudil 2017-11-28 00:38:33 EST
Upstream EAP 7.1: https://issues.jboss.org/browse/JBEAP-11462
Upstream EAP 7.0: https://issues.jboss.org/browse/JBEAP-11632
Upstream WildFly: https://issues.jboss.org/browse/WFLY-8917
Comment 5 Jiří Bílek 2018-01-05 10:43:11 EST
Verified with EAP 6.4.19.CP.CR1