Bug 952518 - run-as does not work for Servlet init() and destroy() methods
Summary: run-as does not work for Servlet init() and destroy() methods
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security, Web
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: DR13
: EAP 6.4.0
Assignee: Chao Wang
QA Contact: Pavel Slavicek
Depends On: 1131810
Reported: 2013-04-16 06:15 UTC by Josef Cacek
Modified: 2019-08-19 12:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 carried an issue where the `run-as` identity was not being used for `Servlet.init()`, which was contrary to the Java Servlet 2.4 specification. This was caused by the `RunAsListener` not existing in JBoss EAP 6 as it had previously in JBoss EAP 5. This issue has been addressed in this release and the product now adheres to the specification in this regard.
Clone Of:
Last Closed:
Type: Bug

Attachments
run-as.war reproducer (13.54 KB, application/octet-stream)
2014-07-23 06:40 UTC, Josef Cacek
run-as-src.zip reproducer sources (9.90 KB, application/zip)
2014-07-23 06:41 UTC, Josef Cacek

System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBWEB-304 0 Major Resolved Add Lifecycle events BEFORE_LOAD_ON_STARTUP_EVENT and AFTER_LOAD_ON_STARTUP_EVENT to associate security context during S... 2017-08-28 01:51:50 UTC
Red Hat Issue Tracker JBWEB-308 0 Major Resolved Add Lifecycle events BEFORE_UNLOAD_EVENT and AFTER_UNLOAD_EVENT to associate security context for Servlet unloading 2017-08-28 01:51:50 UTC

Description Josef Cacek 2013-04-16 06:15:13 UTC
According to the Servlet specification (2.4 and later), the run-as should be used for Servlet.init()
"Clarification: run-as identity must apply to all calls from a servlet including init() and destroy()"

This isn't working in EAP 6.x

Comment 2 Anil Saldhana 2013-08-01 18:42:41 UTC
Peter - could you triage this with Josef? We should fix this issue with Stefan's help.

Comment 6 Josef Cacek 2014-07-23 06:39:53 UTC
Updating status: the issue is still present in 6.3.0.ER10.
Requesting blocker flag for 6.4 because customers hit this issue and we don't follow the servlet specification.

I'm also attaching the reproducer for this issue.

The test application has 1 protected EJB and 3 servlets annotated with @RunAs. The first and second servlets use the correct role to access the protected EJB; the second also uses the loadOnStartup flag. The third servlet uses a role name for which access is not allowed.

The servlets print to the server console the method name, from which the protected EJB is called - e.g.
14:02:30,575 INFO  [stdout] (http-/ >>> org.jboss.test.RunAsServletPermit.init()

and then either a message returned from the protected EJB
14:02:30,607 INFO  [stdout] (http-/ >>> Hello world!

or a stacktrace in case of failure
14:19:17,070 ERROR [org.jboss.as.ejb3.invocation] (http-/ JBAS014134: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed

Steps to reproduce:
 1. set JBOSS_HOME environment variable and run the EAP: `$JBOSS_HOME/bin/standalone.sh`
 2. deploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "deploy target/run-as.war"`
 3. check the server console for deployment results (e.g. the Servlet.init() call for the loadOnStartup-enabled servlet)
 4. test servlets under: http://localhost:8080/run-as/
 5. check the server console for servlet calls (doGet() method)
 6. undeploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "undeploy run-as.war"`
 7. check the server console for servlet undeploy results

Test results
The test results are the same in both tested versions - 6.1.0.GA and 6.3.0.ER10.

* run-as works for Servlet.init() method when loadOnStartup is not used
* run-as doesn't work for Servlet.init() when loadOnStartup is used
* run-as doesn't work for Servlet.destroy() method
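A minimal reproducer in the shape Comment 6 describes, added here as an illustration and not the attached run-as.war / run-as-src.zip: one @RolesAllowed EJB and one @RunAs servlet with loadOnStartup that calls the EJB from init(), doGet() and destroy(), logging the calling method so the three cases in the test results can be told apart in the server console. The package name, the no-interface EJB view, the role name "Admin" and the deployment's security-domain setup are assumptions; both files are shown in one block.

```java
// File: HelloBean.java  (constructed; the report's bean uses a remote interface instead)
package org.example.runas;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@RolesAllowed("Admin")          // only callers carrying the Admin role may invoke it
public class HelloBean {
    public String sayHello() { return "Hello world!"; }
}

// File: RunAsStartupServlet.java  (constructed)
package org.example.runas;

import java.io.IOException;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;

@RunAs("Admin")                 // must cover init() and destroy() too (Servlet 3.0, section 12.7)
@WebServlet(urlPatterns = "/permit-startup", loadOnStartup = 1)
public class RunAsStartupServlet extends HttpServlet {
    @EJB private HelloBean hello;
    // Calls the protected EJB and logs which lifecycle method the call came from.
    private String callProtectedEjb(String method) {
        System.out.println(">>> " + getClass().getName() + "." + method + "()");
        try {
            String reply = hello.sayHello();
            System.out.println(">>> " + reply);
            return reply;
        } catch (EJBAccessException e) {
            // On an affected server this branch fires for init() (loadOnStartup) and destroy().
            System.out.println(">>> run-as not applied in " + method + "(): " + e.getMessage());
            return null;
        }
    }

    @Override public void init() throws ServletException { callProtectedEjb("init"); }

    @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.getWriter().println(callProtectedEjb("doGet"));
    }

    @Override public void destroy() { callProtectedEjb("destroy"); }
}
```

A correct server prints "Hello world!" after all three method-name lines; an affected one prints it only for doGet() (and for init() when loadOnStartup is removed).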

Comment 7 Josef Cacek 2014-07-23 06:40:55 UTC
Created attachment 920105 [details]
run-as.war reproducer

Comment 8 Josef Cacek 2014-07-23 06:41:29 UTC
Created attachment 920106 [details]
run-as-src.zip reproducer sources

Comment 13 JBoss JIRA Server 2014-09-23 05:27:01 UTC
Chao Wang <chaowan@redhat.com> updated the status of jira WFLY-998 to Reopened

Comment 14 JBoss JIRA Server 2014-10-09 14:56:43 UTC
Remy Maucherat <rmaucher@redhat.com> updated the status of jira JBWEB-304 to Resolved

Comment 19 Kabir Khan 2014-11-05 11:16:07 UTC
There are still TCK failures following merge of https://github.com/jbossas/jboss-eap/pull/1877 which was opened to fix TCK regressions introduced by https://github.com/jbossas/jboss-eap/pull/1848 for https://bugzilla.redhat.com/show_bug.cgi?id=1160368. The changes introduced by both pull requests will be reverted in

Comment 20 Kabir Khan 2014-11-05 13:51:08 UTC
Revert https://github.com/jbossas/jboss-eap/pull/1883 was merged, setting this back to assigned. Once this BZ is properly fixed, perhaps https://bugzilla.redhat.com/show_bug.cgi?id=1160368 can be closed

Comment 22 Rémy Maucherat 2014-11-10 08:48:56 UTC
After attempting to implement it, this caused supposed regressions in the TCK, which Chao Wang has been unable to reproduce. So progress seems stalled.

Comment 23 Jason T. Greene 2014-11-19 17:39:48 UTC
Also, this is not a blocker, and does not prevent testing of the app server

Comment 24 Dimitris Andreadis 2014-11-20 11:06:32 UTC
Hey Remy, do you want to take a look or help Chao?

Comment 26 Josef Cacek 2014-11-21 08:57:18 UTC
Servlet 3.0 specification says in section "A.8 Changes Since Servlet 2.3" (pg 202):

Clarification: "run-as" identity must apply to all calls from a servlet including init() and destroy() (12.7)

Comment 33 Kabir Khan 2014-11-25 12:19:52 UTC
Am rerunning the TCK for the original PR and fix, opened as https://github.com/jbossas/jboss-eap/pull/2064 against 6.x-ignore. Once the test-for-merge 6.x-ignore run passes I think I will merge it, and then decide what to do depending on the outcome of the TCK.

Comment 34 Kabir Khan 2014-11-25 15:16:39 UTC
It passed on 6.x-ignore, and TCK is looking good although not complete yet.

Comment 35 Kabir Khan 2014-11-26 08:48:03 UTC
The TCK passes with this fix

Comment 38 Ondrej Kotek 2014-12-11 08:02:13 UTC
Verified in JBoss EAP 6.4.0.DR13.

Comment 39 JBoss JIRA Server 2014-12-11 08:06:46 UTC
Chao Wang <chaowan@redhat.com> updated the status of jira JBWEB-308 to Resolved
