Merge pull request #15543 from fjuma/WFLY-15998

[WFLY-15998] Change EJBComponent#incomingRunAsIdentity to a ThreadLocal to fix CVE-2022-0866
wildfly · May 13, 2022 · 6096ea6 · 6096ea6
2 parents 63136e4 + 3d92593
commit 6096ea6
Showing 1 changed file with 11 additions and 7 deletions.
diff --git a/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java b/ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java
@@ -126,7 +126,7 @@ public abstract class EJBComponent extends BasicComponent implements ServerActiv
 
     private final SecurityDomain securityDomain;
     private final boolean enableJacc;
-    private SecurityIdentity incomingRunAsIdentity;
+    private ThreadLocal<SecurityIdentity> incomingRunAsIdentity;
     private final Function<SecurityIdentity, Set<SecurityIdentity>> identityOutflowFunction;
     private final boolean securityRequired;
     private final EJBComponentDescription componentDescription;
@@ -181,7 +181,7 @@ protected EJBComponent(final EJBComponentCreateService ejbComponentCreateService
         this.securityDomain = ejbComponentCreateService.getSecurityDomain();
         this.enableJacc = ejbComponentCreateService.isEnableJacc();
         this.legacyCompliantPrincipalPropagation = ejbComponentCreateService.isLegacyCompliantPrincipalPropagation();
-        this.incomingRunAsIdentity = null;
+        this.incomingRunAsIdentity = new ThreadLocal<>();
         this.identityOutflowFunction = ejbComponentCreateService.getIdentityOutflowFunction();
         this.securityRequired = ejbComponentCreateService.isSecurityRequired();
         this.componentDescription = ejbComponentCreateService.getComponentDescription();
@@ -275,11 +275,15 @@ public Principal getCallerPrincipal() {
     }
 
     public SecurityIdentity getIncomingRunAsIdentity() {
-        return incomingRunAsIdentity;
+        return incomingRunAsIdentity.get();
     }
 
     public void setIncomingRunAsIdentity(SecurityIdentity identity) {
-        this.incomingRunAsIdentity = identity;
+        if (identity == null) {
+            incomingRunAsIdentity.remove();
+        } else {
+            incomingRunAsIdentity.set(identity);
+        }
     }
 
     protected TransactionAttributeType getCurrentTransactionAttribute() {
@@ -634,10 +638,10 @@ private SecurityIdentity getCallerSecurityIdentity() {
         InvocationType invocationType = CurrentInvocationContext.get().getPrivateData(InvocationType.class);
         boolean isRemote = invocationType != null && invocationType.equals(InvocationType.REMOTE);
         if (legacyCompliantPrincipalPropagation && !isRemote) {
-            return (incomingRunAsIdentity == null) ? securityDomain.getCurrentSecurityIdentity() : incomingRunAsIdentity;
+            return (getIncomingRunAsIdentity() == null) ? securityDomain.getCurrentSecurityIdentity() : getIncomingRunAsIdentity();
         } else {
-            if (incomingRunAsIdentity != null) {
-                return incomingRunAsIdentity;
+            if (getIncomingRunAsIdentity() != null) {
+                return getIncomingRunAsIdentity();
             } else if (securityRequired) {
                 return securityDomain.getCurrentSecurityIdentity();
             } else {