Bug 952518 - run-as does not work for Servlet init() and destroy() methods
Status: VERIFIED
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Security, Web
Version: 6.3.0
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: DR13
Target Release: EAP 6.4.0
Assigned To: Chao Wang
QA Contact: Pavel Slavicek
Depends On: 1131810
Reported: 2013-04-16 02:15 EDT by Josef Cacek
Modified: 2018-06-07 17:29 EDT
Doc Type: Bug Fix
Doc Text:
Previous versions of JBoss EAP 6 carried an issue where the `run-as` identity was not being used for `Servlet.init()`, which was contrary to the Java Servlet 2.4 specification. This was caused by the `RunAsListener` not existing in JBoss EAP 6 as it had previously in JBoss EAP 5. This issue has been addressed in this release and the product now adheres to the specification in this regard.
Type: Bug


Attachments
* run-as.war reproducer (13.54 KB, application/octet-stream), 2014-07-23 02:40 EDT, Josef Cacek
* run-as-src.zip reproducer sources (9.90 KB, application/zip), 2014-07-23 02:41 EDT, Josef Cacek


External Trackers
* JBWEB-304 (JBoss Issue Tracker), Major, Resolved: Add Lifecycle events BEFORE_LOAD_ON_STARTUP_EVENT and AFTER_LOAD_ON_STARTUP_EVENT to associate security context during S... (last updated 2017-08-27 21:51 EDT)
* JBWEB-308 (JBoss Issue Tracker), Major, Resolved: Add Lifecycle events BEFORE_UNLOAD_EVENT and AFTER_UNLOAD_EVENT to associate security context for Servlet unloading (last updated 2017-08-27 21:51 EDT)
Description Josef Cacek 2013-04-16 02:15:13 EDT
According to the Servlet specification (2.4 and later), the run-as should be used for Servlet.init()
"Clarification: run-as identity must apply to all calls from a servlet including init() and destroy()"

This isn't working in EAP 6.x
Comment 2 Anil Saldhana 2013-08-01 14:42:41 EDT
Peter - could you triage this with Josef? We should fix this issue with Stefan's help.
Comment 6 Josef Cacek 2014-07-23 02:39:53 EDT
Updating status, the issue is still present in 6.3.0.ER10
Requesting blocker flag for 6.4 because customers hit this issue and we don't follow the servlet specification.

Reproducer
==========
I'm also attaching the reproducer for this issue.

The test application has 1 protected EJB and 3 servlets annotated with @RunAs. The first and second servlets use the correct role to access the protected EJB; the second also uses the loadOnStartup flag. The third servlet uses a role name for which access is not allowed.

The servlets print to the server console the name of the method from which the protected EJB is called, e.g.
14:02:30,575 INFO  [stdout] (http-/127.0.0.1:8080-1) >>> org.jboss.test.RunAsServletPermit.init()

and then either a message returned from the protected EJB
14:02:30,607 INFO  [stdout] (http-/127.0.0.1:8080-1) >>> Hello world!

or a stack trace in case of failure
14:19:17,070 ERROR [org.jboss.as.ejb3.invocation] (http-/127.0.0.1:8080-1) JBAS014134: EJB Invocation failed on component HelloBean for method public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String org.jboss.test.ejb.Hello.sayHello() of bean: HelloBean is not allowed
...

Steps to reproduce:
===================
 1. set JBOSS_HOME environment variable and run the EAP: `$JBOSS_HOME/bin/standalone.sh`
 2. deploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "deploy target/run-as.war"`
 3. check the server console for deployment results (e.g. Servlet.init() call for loadOnStartup enabled servlet)
 4. test servlets under: [http://localhost:8080/run-as/](http://localhost:8080/run-as/)
 5. check the server console for servlet calls (doGet() method)
 6. undeploy the application: `$JBOSS_HOME/bin/jboss-cli.sh -c "undeploy run-as.war"`
 7. check the server console for servlet undeploy results

Test results
============
The test results are the same in both tested versions - 6.1.0.GA and 6.3.0.ER10.

* run-as works for Servlet.init() method when loadOnStartup is not used
* run-as doesn't work for Servlet.init() when loadOnStartup is used
* run-as doesn't work for Servlet.destroy() method
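A constructed Java sketch of the reproducer layout the comment describes, added here as an example and not taken from the attached run-as-src.zip; the class names, URL pattern and the role name "admin" are assumptions. It shows the three lifecycle points (init(), doGet(), destroy()) from which the protected EJB is called under a @RunAs identity:

```java
// Constructed example; each "---" marks a separate source file.
// --- org/jboss/test/ejb/HelloBean.java ---
package org.jboss.test.ejb;
// Protected EJB: only callers carrying the "admin" role may invoke sayHello().
@javax.ejb.Stateless
@javax.annotation.security.RolesAllowed("admin")
public class HelloBean {
    public String sayHello() { return "Hello world!"; }
}
// --- org/jboss/test/RunAsServletPermitStartup.java ---
package org.jboss.test;
import java.io.IOException;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.*;
import org.jboss.test.ejb.HelloBean;

// Servlet 2.4+ requires the run-as identity to cover init() and destroy(), not only
// service(); affected EAP 6 builds skipped it for init() with loadOnStartup and for destroy().
@WebServlet(urlPatterns = "/permit-startup", loadOnStartup = 1)
@RunAs("admin")
public class RunAsServletPermitStartup extends HttpServlet {
    @EJB
    private HelloBean hello;
    @Override
    public void init() throws ServletException { callBean("init()"); }
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        callBean("doGet()");            // request path: run-as applied, call succeeds
        resp.getWriter().println("see the server console");
    }
    @Override
    public void destroy() { callBean("destroy()"); }
    // Logs the calling method, then either the bean's reply or the access failure.
    private void callBean(String method) {
        System.out.println(">>> " + getClass().getName() + "." + method);
        try {
            System.out.println(">>> " + hello.sayHello());
        } catch (EJBAccessException e) {
            // Expected only for a servlet whose @RunAs role is not allowed;
            // seeing it from init()/destroy() here is the reported bug.
            System.out.println(">>> access denied in " + method + ": " + e);
        }
    }
}
```

The second and third servlets of the reproducer differ only by omitting loadOnStartup and by using a role that @RolesAllowed does not permit, respectively.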
Comment 7 Josef Cacek 2014-07-23 02:40:55 EDT
Created attachment 920105 [details]
run-as.war reproducer
Comment 8 Josef Cacek 2014-07-23 02:41:29 EDT
Created attachment 920106 [details]
run-as-src.zip reproducer sources
Comment 13 JBoss JIRA Server 2014-09-23 01:27:01 EDT
Chao Wang <chaowan@redhat.com> updated the status of jira WFLY-998 to Reopened
Comment 14 JBoss JIRA Server 2014-10-09 10:56:43 EDT
Remy Maucherat <rmaucher@redhat.com> updated the status of jira JBWEB-304 to Resolved
Comment 19 Kabir Khan 2014-11-05 06:16:07 EST
There are still TCK failures following merge of https://github.com/jbossas/jboss-eap/pull/1877 which was opened to fix TCK regressions introduced by https://github.com/jbossas/jboss-eap/pull/1848 for https://bugzilla.redhat.com/show_bug.cgi?id=1160368. The changes introduced by both pull requests will be reverted in https://github.com/jbossas/jboss-eap/pull/1883
Comment 20 Kabir Khan 2014-11-05 08:51:08 EST
Revert https://github.com/jbossas/jboss-eap/pull/1883 was merged, setting this back to assigned. Once this BZ is properly fixed, perhaps https://bugzilla.redhat.com/show_bug.cgi?id=1160368 can be closed
Comment 22 Rémy Maucherat 2014-11-10 03:48:56 EST
After attempting to implement it, this caused supposed regressions in the TCK, which Chao Wang has been unable to reproduce. So progress seems stalled.
Comment 23 Jason T. Greene 2014-11-19 12:39:48 EST
Also, this is not a blocker, and does not prevent testing of the app server
Comment 24 Dimitris Andreadis 2014-11-20 06:06:32 EST
Hey Remy, do you want to take a look or help Chao?
Comment 26 Josef Cacek 2014-11-21 03:57:18 EST
Servlet 3.0 specification says in section "A.8 Changes Since Servlet 2.3" (pg 202):

Clarification: "run-as" identity must apply to all calls from a servlet including init() and destroy() (12.7)
Comment 33 Kabir Khan 2014-11-25 07:19:52 EST
Am rerunning the TCK for the original PR and fix, opened as https://github.com/jbossas/jboss-eap/pull/2064 against 6.x-ignore. Once the test-for-merge 6.x-ignore run passes I think I will merge it, and then decide what to do depending on the outcome of the TCK.
Comment 34 Kabir Khan 2014-11-25 10:16:39 EST
It passed on 6.x-ignore, and TCK is looking good although not complete yet.
Comment 35 Kabir Khan 2014-11-26 03:48:03 EST
The TCK passes with this fix
Comment 38 Ondrej Kotek 2014-12-11 03:02:13 EST
Verified in JBoss EAP 6.4.0.DR13.
Comment 39 JBoss JIRA Server 2014-12-11 03:06:46 EST
Chao Wang <chaowan@redhat.com> updated the status of jira JBWEB-308 to Resolved