[WFLY-12537] Incoming RunAsPrincipal is not being propagated to an unsecured EJB #12626
Conversation
wildfly-ci
added
the
deps-ok
| @@ -643,14 +641,7 @@ private boolean checkCallerSecurityIdentityRole(String roleName) { | |||
| } | |||
|
|
|||
| private SecurityIdentity getCallerSecurityIdentity() { | |||
| if (incomingRunAsIdentity != null) { | |||
There was a problem hiding this comment.
This just reverts the fix for JBEAP-9744. This is now handled by RunAsPrincipalInterceptor.
| interceptorFactories.put(InterceptorOrder.View.RUN_AS_PRINCIPAL, new ImmediateInterceptorFactory(new RunAsPrincipalInterceptor(RunAsPrincipalInterceptor.ANONYMOUS_PRINCIPAL, false))); | ||
| } else { | ||
| // Switch users (set new incoming) | ||
| interceptorFactories.put(InterceptorOrder.View.RUN_AS_PRINCIPAL, new ImmediateInterceptorFactory(new RunAsPrincipalInterceptor(runAsPrincipal, isSecurityRequired()))); |
There was a problem hiding this comment.
@darranl We have to add RunAsPrincipalInterceptor to beans that do not have RunAsPrincipal annotation and propagate security. This is to be able to propagate incoming runas identity further. It should behave the same as legacy.
| this.securityRequired = securityRequired; | ||
| } | ||
|
|
||
| private boolean remotingContextIsSet (){ |
There was a problem hiding this comment.
@darranl Not sure if I should leave this method here or I should create for example SecurityActions class helper for this package or reuse some existing ones (i.e. make them public)?
| // run as a user with the given name or if the caller has sufficient permission | ||
| if (runAsPrincipal.equals(ANONYMOUS_PRINCIPAL)) { | ||
| boolean remotingContextIsSet = remotingContextIsSet(); | ||
| boolean isRemoteStatelessSecurityDisabled = !(ejbComponent instanceof StatefulSessionComponent) && remotingContextIsSet && !securityRequired; |
There was a problem hiding this comment.
make principal anonymous and incoming identity null if isRemoteStatelessSecurityDisabled
There was a problem hiding this comment.
not sure if this is the best way to identify stateless bean
There was a problem hiding this comment.
Hello @Skyllarr, you can use a instanceof check against org.jboss.as.ejb3.component.stateless.StatelessSessionComponent to be sure if it's a stateless EJB. In its current form, the above code in the PR, even singleton session bean component will pass this check. I don't know if you want that to happen.
Having said that, I'm just curious - is there a reason why this (security) logic is only applicable for stateless beans?
There was a problem hiding this comment.
@jaikiran Hello, thanks for review! I changed it to StatelessSessionComponent. This way the identity will not be propagated if the bean is a stateless unsecured remote bean. I did not find any reference for this, but failing tests lead me this way and it also made sense to me that I should not propagate identity for such a bean.
| @@ -99,12 +99,4 @@ public void testSwitched() throws Exception { | |||
| assertEquals("user1", targetBean.getPrincipalName("user1", "password1")); | |||
| } | |||
|
|
|||
| @Test | |||
There was a problem hiding this comment.
@darranl I don't think this test has valid objective. EntryBean is unsecured stateless remote bean, so its principal is anonymous. This bean should not propagate guest identity to the injected SecurityInformation EJB in my opinion. The returned identity should be anonymous and not guest IMO. I do not think this test should be present for Elytron if the test objective is invalid.
There was a problem hiding this comment.
@Skyllarr I think it is correct that the injected bean is making use of the identity from the Remoting connection since it is a secured bean.
There was a problem hiding this comment.
@fjuma I see, after reading #12626 (comment) it probably makes sense to keep it here.
There was a problem hiding this comment.
@fjuma I see, after reading #12626 (comment) it probably makes sense to keep it here.
| @Test | ||
| public void testNonAnonymousPrincipalInjected(CallerWithIdentity callerWithIdentity) throws Exception { | ||
| try { | ||
| // Assert.assertEquals(NON_ANONYMOUS_PRINCIPAL, callerWithIdentity.getCallerPrincipalInjected()); TODO see issue WFLY-12538 |
There was a problem hiding this comment.
@nziakova I added your test cases from issue WFLY-11604. I commented out this one because it still needs to be addressed (see https://issues.jboss.org/browse/WFLY-12538)
Skyllarr
force-pushed
the
WFLY-12537
branch
from
0e2545c
to
94e1667
Compare
|
Retest this please |
|
@tadamski / @chengfang / @fjuma Looks like this one could use some additional review, I am not overly familiar myself with the EJB integration to answer Diana's questions. |
|
Retest this please |
| if(WildFlySecurityManager.isChecking()) { | ||
| remoteConnection = WildFlySecurityManager.doUnchecked((PrivilegedAction<RemoteConnection>) () -> RemotingContext.getRemoteConnection()); | ||
| } else { | ||
| remoteConnection = RemotingContext.getRemoteConnection(); |
There was a problem hiding this comment.
The RemotingContext class is meant to be used for legacy security, I don't think we should be using it for Elytron.
There was a problem hiding this comment.
Ok it might not be needed
There was a problem hiding this comment.
@fjuma Ok it might not be needed
| if (securityRequired) { | ||
| ejbComponentDescription.setSecurityRequired(securityRequired); | ||
| } | ||
| ejbComponentDescription.setSecurityRequired(securityRequired); |
There was a problem hiding this comment.
setSecurityRequired should only be called if securityRequired is true (see https://issues.redhat.com/browse/WFLY-12301).
There was a problem hiding this comment.
@fjuma Ok reverted
|
@Skyllarr I think we should take a step back and see if there is another way to solve this problem. One thing to note is that the meaning of the Taking a look at
The tricky part is that we do want the anonymous identity to be returned for the Remoting -> unsecured EJB case (as per https://issues.redhat.com/browse/WFLY-8414). So it seems like we only want the "non-anonymous" identity to be returned for the EJB -> unsecured EJB case. Perhaps you could try to see if there is a way to differentiate between these two cases in |
Is it okay that this would not match the behaviour of legacy? If I understand it correctly legacy would reauthenticate from remoting to unsecured bean and return non-anonymous:
So it is important to distinguish if the caller was from EJB or not. I do not see a way to lookup this information in the current code. So maybe we could add it to the security identity (something like |
For the Remoting -> unsecured EJB case, the anonymous identity was returned when using legacy security. There's a description of why the anonymous identity gets returned here: |
@fjuma Yes sorry you're right.
@fjuma Do you think it would be good to do it this way? |
I don't think this should be set in |
Skyllarr
force-pushed
the
WFLY-12537
branch
3 times, most recently
from
c03642b
to
971855c
Compare
|
@fjuma I have updated the PR accordingly. Thanks! |
|
Thanks @Skyllarr, this fix looks good to me. I think it would be good to check if the new tests being added here along with the existing test cases now cover the different scenarios (i.e., Remoting -> unsecured EJB, Remoting -> secured EJB, EJB -> unsecured EJB, EJB -> secured EJB) to make sure these are all working properly. |
@fjuma Remoting -> secured or unsecured EJB are covered in |
|
Thanks @Skyllarr. |
wildfly-ci
added
deps-changed
|
rebased |
wildfly-ci
added
deps-ok
|
Thanks @Skyllarr |
https://issues.jboss.org/browse/WFLY-12537