-
Notifications
You must be signed in to change notification settings - Fork 2.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WFLY-12537] Incoming RunAsPrincipal is not being propagated to an unsecured EJB #12626
Conversation
@@ -643,14 +641,7 @@ private boolean checkCallerSecurityIdentityRole(String roleName) { | |||
} | |||
|
|||
private SecurityIdentity getCallerSecurityIdentity() { | |||
if (incomingRunAsIdentity != null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This just reverts the fix for JBEAP-9744. This is now handled by RunAsPrincipalInterceptor.
interceptorFactories.put(InterceptorOrder.View.RUN_AS_PRINCIPAL, new ImmediateInterceptorFactory(new RunAsPrincipalInterceptor(RunAsPrincipalInterceptor.ANONYMOUS_PRINCIPAL, false))); | ||
} else { | ||
// Switch users (set new incoming) | ||
interceptorFactories.put(InterceptorOrder.View.RUN_AS_PRINCIPAL, new ImmediateInterceptorFactory(new RunAsPrincipalInterceptor(runAsPrincipal, isSecurityRequired()))); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@darranl We have to add RunAsPrincipalInterceptor to beans that do not have RunAsPrincipal annotation and propagate security. This is to be able to propagate incoming runas identity further. It should behave the same as legacy.
this.securityRequired = securityRequired; | ||
} | ||
|
||
private boolean remotingContextIsSet (){ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@darranl Not sure if I should leave this method here or I should create for example SecurityActions class helper for this package or reuse some existing ones (i.e. make them public)?
// run as a user with the given name or if the caller has sufficient permission | ||
if (runAsPrincipal.equals(ANONYMOUS_PRINCIPAL)) { | ||
boolean remotingContextIsSet = remotingContextIsSet(); | ||
boolean isRemoteStatelessSecurityDisabled = !(ejbComponent instanceof StatefulSessionComponent) && remotingContextIsSet && !securityRequired; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
make principal anonymous and incoming identity null if isRemoteStatelessSecurityDisabled
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure if this is the best way to identify stateless bean
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hello @Skyllarr, you can use a instanceof check against org.jboss.as.ejb3.component.stateless.StatelessSessionComponent
to be sure if it's a stateless EJB. In its current form, the above code in the PR, even singleton session bean component will pass this check. I don't know if you want that to happen.
Having said that, I'm just curious - is there a reason why this (security) logic is only applicable for stateless beans?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jaikiran Hello, thanks for review! I changed it to StatelessSessionComponent. This way the identity will not be propagated if the bean is a stateless unsecured remote bean. I did not find any reference for this, but failing tests lead me this way and it also made sense to me that I should not propagate identity for such a bean.
@@ -99,12 +99,4 @@ public void testSwitched() throws Exception { | |||
assertEquals("user1", targetBean.getPrincipalName("user1", "password1")); | |||
} | |||
|
|||
@Test |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@darranl I don't think this test has valid objective. EntryBean is unsecured stateless remote bean, so its principal is anonymous. This bean should not propagate guest identity to the injected SecurityInformation EJB in my opinion. The returned identity should be anonymous and not guest IMO. I do not think this test should be present for Elytron if the test objective is invalid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Skyllarr I think it is correct that the injected bean is making use of the identity from the Remoting connection since it is a secured bean.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma I see, after reading #12626 (comment) it probably makes sense to keep it here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma I see, after reading #12626 (comment) it probably makes sense to keep it here.
@Test | ||
public void testNonAnonymousPrincipalInjected(CallerWithIdentity callerWithIdentity) throws Exception { | ||
try { | ||
// Assert.assertEquals(NON_ANONYMOUS_PRINCIPAL, callerWithIdentity.getCallerPrincipalInjected()); TODO see issue WFLY-12538 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@nziakova I added your test cases from issue WFLY-11604. I commented out this one because it still needs to be addressed (see https://issues.jboss.org/browse/WFLY-12538)
0e2545c
to
94e1667
Compare
Retest this please |
@tadamski / @chengfang / @fjuma Looks like this one could use some additional review, I am not overly familiar myself with the EJB integration to answer Diana's questions. |
Retest this please |
if(WildFlySecurityManager.isChecking()) { | ||
remoteConnection = WildFlySecurityManager.doUnchecked((PrivilegedAction<RemoteConnection>) () -> RemotingContext.getRemoteConnection()); | ||
} else { | ||
remoteConnection = RemotingContext.getRemoteConnection(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The RemotingContext
class is meant to be used for legacy security, I don't think we should be using it for Elytron.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok it might not be needed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma Ok it might not be needed
if (securityRequired) { | ||
ejbComponentDescription.setSecurityRequired(securityRequired); | ||
} | ||
ejbComponentDescription.setSecurityRequired(securityRequired); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
setSecurityRequired
should only be called if securityRequired
is true
(see https://issues.redhat.com/browse/WFLY-12301).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fjuma Ok reverted
@Skyllarr I think we should take a step back and see if there is another way to solve this problem. One thing to note is that the meaning of the Taking a look at
The tricky part is that we do want the anonymous identity to be returned for the Remoting -> unsecured EJB case (as per https://issues.redhat.com/browse/WFLY-8414). So it seems like we only want the "non-anonymous" identity to be returned for the EJB -> unsecured EJB case. Perhaps you could try to see if there is a way to differentiate between these two cases in |
Is it okay that this would not match the behaviour of legacy? If I understand it correctly legacy would reauthenticate from remoting to unsecured bean and return non-anonymous:
So it is important to distinguish if the caller was from EJB or not. I do not see a way to lookup this information in the current code. So maybe we could add it to the security identity (something like |
For the Remoting -> unsecured EJB case, the anonymous identity was returned when using legacy security. There's a description of why the anonymous identity gets returned here: |
@fjuma Yes sorry you're right.
@fjuma Do you think it would be good to do it this way? |
I don't think this should be set in |
c03642b
to
971855c
Compare
@fjuma I have updated the PR accordingly. Thanks! |
Thanks @Skyllarr, this fix looks good to me. I think it would be good to check if the new tests being added here along with the existing test cases now cover the different scenarios (i.e., Remoting -> unsecured EJB, Remoting -> secured EJB, EJB -> unsecured EJB, EJB -> secured EJB) to make sure these are all working properly. |
@fjuma Remoting -> secured or unsecured EJB are covered in |
Thanks @Skyllarr. |
rebased |
Thanks @Skyllarr |
https://issues.jboss.org/browse/WFLY-12537