You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@tomee.apache.org by "Yakushev Mikhail (Jira)" <ji...@apache.org> on 2020/05/18 07:18:00 UTC
[jira] [Updated] (TOMEE-2763) Security Principal is lost after
calling a method from ejb with @RunAs annotation
[ https://issues.apache.org/jira/browse/TOMEE-2763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Yakushev Mikhail updated TOMEE-2763:
------------------------------------
Affects Version/s: 8.0.1
> Security Principal is lost after calling a method from ejb with @RunAs annotation
> ---------------------------------------------------------------------------------
>
> Key: TOMEE-2763
> URL: https://issues.apache.org/jira/browse/TOMEE-2763
> Project: TomEE
> Issue Type: Bug
> Affects Versions: 8.0.1
> Reporter: Yakushev Mikhail
> Priority: Major
> Attachments: tomee-runas.zip
>
>
> Sample application: [^tomee-runas.zip]
>
> EJB 1
> {code:java}
> @LocalBean
> @Stateless(name = "MyStateless")
> public class MyStatelessBean {
> @Resource
> private SessionContext sessionContext;
> @EJB
> private UserBean userBean;
>
> public MyStatelessBean() {
> }
>
> public void test() {
> System.out.println("ejb WITHOUT @RunAs, username from sessionContext 1: " + sessionContext.getCallerPrincipal().getName());
> System.out.println("ejb WITHOUT @RunAs, username from another ejb: " + userBean.currentUserName());
> System.out.println("ejb WITHOUT @RunAs, username from sessionContext 2: " + sessionContext.getCallerPrincipal().getName());
> }
> }{code}
> EJB 2
> {code:java}
> @LocalBean
> @RunAs("admin")
> @Stateless(name = "MyStatelessRunAsBean")
> public class MyStatelessRunAsBean {
> @Resource
> private SessionContext sessionContext;
> @EJB
> private UserBean userBean;
> public MyStatelessRunAsBean() {
> }
> public void test() {
> System.out.println("ejb WITH @RunAs, username from sessionContext 1: " + sessionContext.getCallerPrincipal().getName());
> System.out.println("ejb WITH @RunAs, username from another ejb: " + userBean.currentUserName());
> System.out.println("ejb WITH @RunAs, username from sessionContext 2: " + sessionContext.getCallerPrincipal().getName());
> }
> }{code}
> EJB 3
> {code:java}
> @LocalBean
> @Stateless(name = "UserBean")
> public class UserBean {
> @Resource
> private SessionContext sessionContext;
> public UserBean() {
> }
> public String currentUserName() {
> return sessionContext.getCallerPrincipal().getName();
> }
> }{code}
> Backing bean for jsf page
> {code:java}
> @Model
> public class IndexMB {
> @EJB
> private MyStatelessBean myStatelessBean;
> @EJB
> private MyStatelessRunAsBean myStatelessRunAsBean;
> public void test(ActionEvent event) {
> myStatelessBean.test();
> myStatelessRunAsBean.test();
> myStatelessBean.test();
> }
> }
> {code}
> Expected output:
> ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
> ejb WITHOUT @RunAs, username from another ejb: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
> ejb WITH @RunAs, username from sessionContext 1: *ymn*
> ejb WITH @RunAs, username from another ejb: *admin*
> ejb WITH @RunAs, username from sessionContext 2: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
> ejb WITHOUT @RunAs, username from another ejb: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
>
> Real output:
> ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
> ejb WITHOUT @RunAs, username from another ejb: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
> ejb WITH @RunAs, username from sessionContext 1: *ymn*
> ejb WITH @RunAs, username from another ejb: *admin*
> ejb WITH @RunAs, username from sessionContext 2: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 1: *guest*
> ejb WITHOUT @RunAs, username from another ejb: *guest*
> ejb WITHOUT @RunAs, username from sessionContext 2: *guest*
> In method *enterWebApp* of class *TomcatSecurityService* token is null:
> {code:java}
> newIdentity = new Identity(newSubject, null);{code}
> Because of this block of code in *StatelessContainer* class do nothing (runAs is null)
> {code:java}
> } finally {
> if (runAs != null) {
> try {
> securityService.associate(runAs);
> } catch (final LoginException e) {
> // no-op
> }
> }
> {code}
> I fixed it for my app in that way:
> {code:java}
> public Object enterWebApp(final Realm realm, final Principal principal, final String runAs) {
> final Identity oldIdentity = clientIdentity.get();
> if (principal != null) {
> final Subject newSubject = createSubject(realm, principal);
> try {
> associate(registerSubject(newSubject));
> } catch (LoginException e) {
> }
> }
> final WebAppState webAppState = new WebAppState(oldIdentity, runAs != null);
> if (runAs != null) {
> final Subject runAsSubject = createRunAsSubject(runAs);
> RUN_AS_STACK.get().addFirst(runAsSubject);
> }
> return webAppState;
> }
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)