I have modified the policy-security-basic quickstart to contain one more service, BackEndService, that is called from WorkService. If the BackEnd service does not contain a security policy, everything works fine. I set a policy to require authorization and then the example broke.

According to the enabled message trace, there is a security context present in the IN phase of WorkService:

------- Begin Message Trace -------
Consumer -> {urn:switchyard-quickstart-demo:policy-security-basic:0.1.0}WorkService
Provider -> [unassigned]
Operation -> doWork
MEP -> IN_OUT
Phase -> IN
State -> OK
Exchange Context ->
    org.switchyard.exchangeInitiatedNS.start : 27373040619054
    org.switchyard.bus.camel.replyHandler : org.switchyard.SynchronousInOutHandler@12028316
    org.switchyard.bus.camel.phase : IN
    org.switchyard.bus.camel.dispatcher : org.switchyard.bus.camel.ExchangeDispatcher@25bcdbcd
    org.switchyard.bus.camel.consumer : ServiceReference [name={urn:switchyard-quickstart-demo:policy-security-basic:0.1.0}WorkService, interface=BaseServiceInterface [type=wsdl, operations=[doWork : IN_OUT : [{urn:switchyard-quickstart-demo:policy-security-basic:0.1.0}doWork, {urn:switchyard-quickstart-demo:policy-security-basic:0.1.0}doWorkResponse, null]]], domain=ServiceDomain [name=null]]
    org.switchyard.bus.camel.securityContext : SecurityContext[credentials=[NameCredentialImpl [name=kermit], ConfidentialityCredential [confidential=true], PasswordCredentialImpl [password=**********]], securityDomainsToSubjects={}]
    org.switchyard.bus.camel.contract : org.switchyard.metadata.BaseExchangeContract@1cb6ceb5
    CamelCreatedTimestamp : Fri Jul 12 12:54:11 CEST 2013
    CamelToEndpoint : direct://%7Burn:switchyard-quickstart-demo:policy-security-basic:0.1.0%7DWorkService
Message Context ->
    org.switchyard.bus.camel.labels : {org.switchyard.contentType=[org.switchyard.label.behavior.transient], org.switchyard.bus.camel.messageSent=[TRANSIENT]}
    org.switchyard.bus.camel.messageSent : true
    org.switchyard.messageId : ID-jpechane-44660-1373621375570-11-1
    org.switchyard.soap.messageName : doWork
    breadcrumbId : ID-jpechane-44660-1373621375570-11-1
    org.switchyard.contentType : {urn:switchyard-quickstart-demo:policy-security-basic:0.1.0}doWork
Message Content ->
<?xml version="1.0" encoding="UTF-8"?>
<policy-security-basic:doWork xmlns:policy-security-basic="urn:switchyard-quickstart-demo:policy-security-basic:0.1.0">
    <work>
        <command>CMD-1373626451247</command>
    </work>
</policy-security-basic:doWork>
------ End Message Trace -------

But when the BackEnd service is called, the security context is already missing:

------- Begin Message Trace -------
Consumer -> {urn:switchyard-quickstart-demo:policy-security-basic:0.1.0}BackEndService
Provider -> [unassigned]
Operation -> process
MEP -> IN_OUT
Phase -> IN
State -> OK
Exchange Context ->
    org.switchyard.bus.camel.dispatcher : org.switchyard.bus.camel.ExchangeDispatcher@69c99f97
    org.switchyard.bus.camel.phase : IN
    CamelCreatedTimestamp : Fri Jul 12 12:54:11 CEST 2013
    org.switchyard.bus.camel.labels : {org.switchyard.policy.required=[org.switchyard.label.behavior.transient]}
    CamelToEndpoint : direct://%7Burn:switchyard-quickstart-demo:policy-security-basic:0.1.0%7DBackEndService
    org.switchyard.bus.camel.contract : org.switchyard.metadata.BaseExchangeContract@455f2645
    org.switchyard.bus.camel.consumer : ServiceReference [name={urn:switchyard-quickstart-demo:policy-security-basic:0.1.0}BackEndService, interface=BaseServiceInterface [type=java, operations=[process : IN_OUT : [java:java.lang.String, java:java.lang.String, null]]], domain=ServiceDomain [name=null]]
    org.switchyard.exchangeInitiatedNS.start : 27373047075956
    org.switchyard.bus.camel.replyHandler : org.switchyard.SynchronousInOutHandler@340ca8c3
    org.switchyard.policy.required : [authorization]
Message Context ->
    org.switchyard.contentType : java:java.lang.String
    org.switchyard.bus.camel.labels : {org.switchyard.contentType=[org.switchyard.label.behavior.transient], org.switchyard.bus.camel.messageSent=[TRANSIENT]}
    org.switchyard.bus.camel.messageSent : true
    org.switchyard.messageId : ID-jpechane-44660-1373621375570-11-3
    breadcrumbId : ID-jpechane-44660-1373621375570-11-3
Message Content ->
First
------ End Message Trace -------

12:54:11,466 INFO [org.switchyard.handlers.MessageTrace] (http-/127.0.0.1:8443-1)
Created attachment 772642: modified example
David - there are actually a number of things in play here: 1) Access to the security context itself in downstream services. 2) Interpretation of policy requirements for downstream services. That second one is tricky since the downstream service could be a reference binding. We should probably meet up on this and discuss some options to pull it all together.
I'm not saying this is desired behavior moving forward, but I will say this is EXPECTED behavior currently. Specifically, the SecurityContext is not propagated across Service boundaries. Because I didn't know what people wanted originally, I went with the "more safe" option. I can foresee, though, some kind of flag saying "propagate" the SecurityContext. Yes, we should meet to talk about this.
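The behaviour David describes (credentials established by the entry binding land on that exchange's context, but the exchange a service creates when it calls another service starts empty) can be modelled as an added example. This is constructed illustration code, not SwitchYard's bus and not the SWITCHYARD-1729 change: the context property names are taken from the trace in this report, while the Bus class, the propagate flag, the "friend" role and the handler signatures are assumptions. It shows why the quickstart works until BackEndService gets an authorization policy, and that an opt-in propagation flag must not weaken the check at the entry service.

```python
# Constructed model (not SwitchYard's code): a minimal exchange bus that either
# drops or copies the security context when one service invokes another, and a
# policy check that fails closed when "authorization" is required but no
# context reached the provider. Names and structure are assumptions.
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, Iterable, Optional

# Keys under which the trace in this report shows the context and the policy.
SECURITY_CONTEXT_KEY = "org.switchyard.bus.camel.securityContext"
POLICY_REQUIRED_KEY = "org.switchyard.policy.required"


@dataclass(frozen=True)
class SecurityContext:
    principal: str
    roles: frozenset


@dataclass
class Exchange:
    service: str
    operation: str
    content: Any
    context: Dict[str, Any] = field(default_factory=dict)


class PolicyViolation(Exception):
    """Raised by the bus when a required policy is not satisfied."""


Handler = Callable[["Bus", Exchange], Any]


class Bus:
    def __init__(self, propagate_security_context: bool) -> None:
        # Hypothetical "propagate" flag from the discussion; False is today's behaviour.
        self.propagate = propagate_security_context
        self._services: Dict[str, tuple] = {}

    def register(self, name: str, handler: Handler,
                 required: Iterable[str] = (), allowed_roles: Iterable[str] = ()) -> None:
        self._services[name] = (handler, frozenset(required), frozenset(allowed_roles))

    def invoke(self, service: str, operation: str, content: Any,
               caller: Optional[Exchange] = None,
               security_context: Optional[SecurityContext] = None) -> Any:
        handler, required, allowed = self._services[service]
        exchange = Exchange(service, operation, content)
        exchange.context[POLICY_REQUIRED_KEY] = sorted(required)
        if security_context is not None:
            # Entry point: the binding (e.g. WS-Security on SOAP) established credentials.
            exchange.context[SECURITY_CONTEXT_KEY] = security_context
        elif caller is not None and self.propagate and SECURITY_CONTEXT_KEY in caller.context:
            # Service-to-service call: copy the upstream context only when propagation is on.
            exchange.context[SECURITY_CONTEXT_KEY] = caller.context[SECURITY_CONTEXT_KEY]
        self._enforce(exchange, required, allowed)
        return handler(self, exchange)

    @staticmethod
    def _enforce(exchange: Exchange, required: frozenset, allowed: frozenset) -> None:
        if "authorization" not in required:
            return
        ctx = exchange.context.get(SECURITY_CONTEXT_KEY)
        if ctx is None:
            # Fail closed: no context means no caller identity, so deny.
            raise PolicyViolation(
                f"{exchange.service}: authorization required, no security context on exchange")
        if not (ctx.roles & allowed):
            raise PolicyViolation(f"{exchange.service}: {ctx.principal} has none of {sorted(allowed)}")


def work_service(bus: Bus, exchange: Exchange) -> Any:
    # WorkService's implementation calls BackEndService; this is a new exchange,
    # so it carries only what the bus chose to copy from the caller.
    return bus.invoke("BackEndService", "process", "First", caller=exchange)


def backend_service(bus: Bus, exchange: Exchange) -> str:
    return f"processed {exchange.content} for {exchange.context[SECURITY_CONTEXT_KEY].principal}"


def run(propagate: bool, caller: Optional[SecurityContext]) -> str:
    bus = Bus(propagate_security_context=propagate)
    bus.register("WorkService", work_service, required=["authorization"], allowed_roles=["friend"])
    bus.register("BackEndService", backend_service, required=["authorization"], allowed_roles=["friend"])
    try:
        return bus.invoke("WorkService", "doWork", "CMD-1", security_context=caller)
    except PolicyViolation as e:
        return f"denied: {e}"


# The principal seen in the trace; the "friend" role is an assumption.
KERMIT = SecurityContext("kermit", frozenset({"friend"}))

if __name__ == "__main__":
    print(run(propagate=False, caller=KERMIT))  # denied at BackEndService, as in this report
    print(run(propagate=True, caller=KERMIT))   # processed First for kermit
    print(run(propagate=True, caller=None))     # still denied at WorkService
```

The third call is the check worth keeping whatever flag gets added: propagation only copies a context that an entry binding already authenticated, so turning it on cannot let an anonymous caller through the first policy-protected service. What it does change is trust: with propagation on, BackEndService accepts WorkService's assertion of who the caller is, so the flag belongs on the reference the deployer controls, not on by default.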
David Ward <dward> made a comment on jira SWITCHYARD-1729

https://github.com/jboss-switchyard/parent/pull/182
https://github.com/jboss-switchyard/core/pull/578
https://github.com/jboss-switchyard/components/pull/607
https://github.com/jboss-switchyard/quickstarts/pull/274
https://github.com/jboss-switchyard/release/pull/304
Keith Babo <kbabo> made a comment on jira SWITCHYARD-1729 pushed
Verified in ER7
Keith Babo <kbabo> updated the status of jira SWITCHYARD-1729 to Closed