According to the Servlet specification (2.4 and later), the run-as should be used for Servlet.init(): "Clarification: run-as identity must apply to all calls from a servlet including init() and destroy()". This isn't working in EAP 6.x.
Peter - could you triage this with Josef? We should fix this issue with Stefan's help.
Updating status, the issue is still present in 6.3.0.ER10.

Requesting blocker flag for 6.4 because customers hit this issue and we don't follow the servlet specification.

Reproducer
==========

I'm also attaching the reproducer for this issue. The test application has 1 protected EJB and 3 servlets annotated with @RunAs. The first and second servlets use the correct role to access the protected EJB; the second also uses the loadOnStartup flag. The third servlet uses a role name for which access is not allowed.

The servlets print to the server console the method name from which the protected EJB is called, e.g.

```
14:02:30,575 INFO [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.test.RunAsServletPermit.init()
```

and then either a message returned from the protected EJB

```
14:02:30,607 INFO [stdout] (http-/127.0.0.1:8080-1) >>> Hello world!
```

or a stacktrace in case of failure

```
14:19:17,070 ERROR [org.jboss.as.ejb3.invocation] (http-/127.0.0.1:8080-1) JBAS014134: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed
...
```

Steps to reproduce:
===================

1. set JBOSS_HOME environment variable and run the EAP: `$JBOSS_HOME/bin/standalone.sh`
2. deploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "deploy target/run-as.war"`
3. check the server console for deployment results (e.g. Servlet.init() call for loadOnStartup enabled servlet)
4. test servlets under: [http://localhost:8080/run-as/](http://localhost:8080/run-as/)
5. check the server console for servlets calls (doGet() method)
6. undeploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "undeploy run-as.war"`
7. check the server console for servlets undeploy results

Test results
============

The test results are the same in both tested versions - 6.1.0.GA and 6.3.0.ER10.

* run-as works for Servlet.init() method when loadOnStartup is not used
* run-as doesn't work for Servlet.init() when loadOnStartup is used
* run-as doesn't work for Servlet.destroy() method
Created attachment 920105: run-as.war reproducer
Created attachment 920106: run-as-src.zip reproducer sources
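
The failing case from the test results above, sketched as an added illustration (this is not the source from the attached run-as-src.zip): a load-on-startup servlet with @RunAs that calls a role-protected EJB from init(), doGet() and destroy(). The servlet name `RunAsOnStartupServlet`, the role name `allowed-role` and the URL pattern are assumptions; the EJB names follow the log lines in the report, and security-domain configuration is not shown.

```java
// --- org/jboss/test/ejb/Hello.java ---
package org.jboss.test.ejb;

@javax.ejb.Local
public interface Hello { String sayHello(); }

// --- org/jboss/test/ejb/HelloBean.java ---
package org.jboss.test.ejb;

@javax.ejb.Stateless
@javax.annotation.security.RolesAllowed("allowed-role") // assumed role name
public class HelloBean implements Hello {
    public String sayHello() { return "Hello world!"; }
}

// --- org/jboss/test/RunAsOnStartupServlet.java (hypothetical servlet name) ---
package org.jboss.test;

import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import org.jboss.test.ejb.Hello;

@WebServlet(urlPatterns = "/startup", loadOnStartup = 1) // assumed URL pattern
@DeclareRoles("allowed-role")
@RunAs("allowed-role") // per the spec, must also cover init() and destroy()
public class RunAsOnStartupServlet extends HttpServlet {
    @EJB private Hello hello;

    // Log the calling method, then call the protected EJB under the run-as identity.
    private void call(String method) {
        System.out.println(">>> " + getClass().getName() + "." + method + "()");
        try {
            System.out.println(">>> " + hello.sayHello());
        } catch (EJBAccessException e) {
            e.printStackTrace(); // run-as identity was not applied to this call
        }
    }

    @Override public void init() throws ServletException { call("init"); }
    @Override public void destroy() { call("destroy"); }
    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws java.io.IOException {
        call("doGet");
        resp.getWriter().println("done");
    }
}
```

With the run-as identity applied as the specification requires, all three callbacks print the EJB's greeting; an access exception logged from init() at deployment or from destroy() at undeployment corresponds to the failures listed in the test results.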
Chao Wang <chaowan> updated the status of jira WFLY-998 to Reopened
Remy Maucherat <rmaucher> updated the status of jira JBWEB-304 to Resolved
There are still TCK failures following merge of https://github.com/jbossas/jboss-eap/pull/1877 which was opened to fix TCK regressions introduced by https://github.com/jbossas/jboss-eap/pull/1848 for https://bugzilla.redhat.com/show_bug.cgi?id=1160368. The changes introduced by both pull requests will be reverted in https://github.com/jbossas/jboss-eap/pull/1883
Revert https://github.com/jbossas/jboss-eap/pull/1883 was merged, setting this back to assigned. Once this BZ is properly fixed, perhaps https://bugzilla.redhat.com/show_bug.cgi?id=1160368 can be closed
After attempting to implement it, this caused supposed regressions in the TCK, which Chao Wang has been unable to reproduce. So progress seems stalled.
Also, this is not a blocker, and does not prevent testing of the app server.
Hey Remy, do you want to take a look or help Chao?
Servlet 3.0 specification says in section "A.8 Changes Since Servlet 2.3" (pg 202): Clarification: "run-as" identity must apply to all calls from a servlet including init() and destroy() (12.7)
Am rerunning the TCK for the original PR and fix, opened as https://github.com/jbossas/jboss-eap/pull/2064 against 6.x-ignore. Once the test-for-merge 6.x-ignore run passes I think I will merge it, and then decide what to do depending on the outcome of the TCK.
It passed on 6.x-ignore, and TCK is looking good although not complete yet.
The TCK passes with this fix.
Verified in JBoss EAP 6.4.0.DR13.
Chao Wang <chaowan> updated the status of jira JBWEB-308 to Resolved