[ 
https://issues.apache.org/jira/browse/TOMEE-2763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Yakushev Mikhail updated TOMEE-2763:
------------------------------------
    Description: 
Sample application: [^tomee-runas.zip]

 

EJB 1
{code:java}
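/**
 * Stateless EJB without {@code @RunAs}; the baseline of this reproducer.
 *
 * <p>Per the expected output in this report, every line printed by {@link #test()} should name
 * the authenticated web caller, both before and after {@code MyStatelessRunAsBean.test()} has
 * run in the same request. The actual output shows {@code guest} on the invocation that follows
 * the {@code @RunAs} bean, which is the defect being reported.
 */
@LocalBean
@Stateless(name = "MyStateless")
public class MyStatelessBean {
    @Resource
    private SessionContext sessionContext;
    @EJB
    private UserBean userBean;

    public MyStatelessBean() {
    }

    /**
     * Prints the caller principal as seen by this bean, then as seen by {@code UserBean},
     * then by this bean again.
     */
    public void test() {
        // Caller principal seen by this bean before it calls any other EJB.
        System.out.println("ejb WITHOUT @RunAs, username from sessionContext 1: "
                + sessionContext.getCallerPrincipal().getName());
        // Caller principal seen by the downstream EJB; no run-as role is declared here,
        // so the report expects the same name as above.
        System.out.println("ejb WITHOUT @RunAs, username from another ejb: "
                + userBean.currentUserName());
        // Read again after the nested call to check that this bean's own view is unchanged.
        System.out.println("ejb WITHOUT @RunAs, username from sessionContext 2: "
                + sessionContext.getCallerPrincipal().getName());
    }
}{code}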
EJB 2
{code:java}
/**
 * Stateless EJB declared with {@code @RunAs("admin")}.
 *
 * <p>Per the expected output in this report, the run-as role applies to the calls this bean
 * makes to other EJBs ({@code UserBean} reports {@code admin}), while this bean's own
 * {@code getCallerPrincipal()} keeps reporting the original caller. The report's actual output
 * shows later calls in the same request running as {@code guest}, i.e. the caller's identity
 * is not in place once this bean's method has returned.
 */
@LocalBean
@RunAs("admin")
@Stateless(name = "MyStatelessRunAsBean")
public class MyStatelessRunAsBean {
    @Resource
    private SessionContext sessionContext;

    @EJB
    private UserBean userBean;

    public MyStatelessRunAsBean() {
    }

    /**
     * Prints the caller principal as seen by this bean, then as seen by {@code UserBean},
     * then by this bean again. Each value is read immediately before it is printed.
     */
    public void test() {
        final String ownViewBefore = sessionContext.getCallerPrincipal().getName();
        System.out.println("ejb WITH @RunAs, username from sessionContext 1: " + ownViewBefore);

        // The nested call is where the run-as identity is expected to be visible.
        final String downstreamView = userBean.currentUserName();
        System.out.println("ejb WITH @RunAs, username from another ejb: " + downstreamView);

        final String ownViewAfter = sessionContext.getCallerPrincipal().getName();
        System.out.println("ejb WITH @RunAs, username from sessionContext 2: " + ownViewAfter);
    }
}{code}
 EJB 3
{code:java}
/**
 * Stateless EJB used as the downstream call target in this reproducer; it only reports the
 * caller principal that the container presents to it.
 */
@LocalBean
@Stateless(name = "UserBean")
public class UserBean {
    @Resource
    private SessionContext sessionContext;

    public UserBean() {
    }

    /**
     * Returns the name of the caller principal as seen from inside this bean.
     *
     * @return the name of {@code sessionContext.getCallerPrincipal()}
     */
    public String currentUserName() {
        final String callerName = sessionContext.getCallerPrincipal().getName();
        return callerName;
    }
}{code}
Backing bean for jsf page
{code:java}
/**
 * JSF backing bean that drives the reproducer. The order of the three calls in
 * {@link #test(ActionEvent)} is what exposes the defect, so it must not be changed.
 */
@Model
public class IndexMB {
    @EJB
    private MyStatelessBean myStatelessBean;
    @EJB
    private MyStatelessRunAsBean myStatelessRunAsBean;

    /**
     * Calls the plain bean, then the {@code @RunAs} bean, then the plain bean again,
     * all within one request.
     *
     * @param event the JSF action event; not used by the method body
     */
    public void test(ActionEvent event) {
        // Baseline: the report's output shows the authenticated caller (ymn) here.
        myStatelessBean.test();
        // Call through the bean declared with @RunAs("admin").
        myStatelessRunAsBean.test();
        // Same call as the first one; the report expects ymn again, but the actual
        // output shows guest, i.e. the caller's principal was lost after the @RunAs call.
        myStatelessBean.test();
    }
}
{code}
Expected output:
 ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
 ejb WITHOUT @RunAs, username from another ejb: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
 ejb WITH @RunAs, username from sessionContext 1: *ymn*
 ejb WITH @RunAs, username from another ejb: *admin*
 ejb WITH @RunAs, username from sessionContext 2: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
 ejb WITHOUT @RunAs, username from another ejb: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
  
 Real output:
 ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
 ejb WITHOUT @RunAs, username from another ejb: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
 ejb WITH @RunAs, username from sessionContext 1: *ymn*
 ejb WITH @RunAs, username from another ejb: *admin*
 ejb WITH @RunAs, username from sessionContext 2: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 1: *guest*
 ejb WITHOUT @RunAs, username from another ejb: *guest*
 ejb WITHOUT @RunAs, username from sessionContext 2: *guest*

In the *enterWebApp* method of the *TomcatSecurityService* class, the new identity is created with a null token:
{code:java}
newIdentity = new Identity(newSubject, null);{code}
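Because of this, the following block of code in the *StatelessContainer* class does nothing, which would explain why the original caller principal is not restored after the @RunAs call: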
{code:java}
        } finally {
            if (runAs != null) {
                try {
                    securityService.associate(runAs);
                } catch (final LoginException e) {
                    // no-op
                }
            }
{code}

  was:
Sample application: [^tomee-runas.zip]

 

EJB 1
{code:java}
@LocalBean
@Stateless(name = "MyStateless")
public class MyStatelessBean {
    @Resource
    private SessionContext sessionContext;
    @EJB
    private UserBean userBean;    public MyStatelessBean() {
    }    public void test() {
        System.out.println("ejb WITHOUT @RunAs, username from sessionContext 1: 
" + sessionContext.getCallerPrincipal().getName());
        System.out.println("ejb WITHOUT @RunAs, username from another ejb: " + 
userBean.currentUserName());
        System.out.println("ejb WITHOUT @RunAs, username from sessionContext 2: 
" + sessionContext.getCallerPrincipal().getName());
    }
}{code}
EJB 2
{code:java}
@LocalBean
@RunAs("admin")
@Stateless(name = "MyStatelessRunAsBean")
public class MyStatelessRunAsBean {
    @Resource
    private SessionContext sessionContext;

    @EJB
    private UserBean userBean;

    public MyStatelessRunAsBean() {
    }

    public void test() {
        System.out.println("ejb WITH @RunAs, username from sessionContext 1: " 
+ sessionContext.getCallerPrincipal().getName());
        System.out.println("ejb WITH @RunAs, username from another ejb: " + 
userBean.currentUserName());
        System.out.println("ejb WITH @RunAs, username from sessionContext 2: " 
+ sessionContext.getCallerPrincipal().getName());
    }
}{code}
 EJB 3
{code:java}
@LocalBean
@Stateless(name = "UserBean")
public class UserBean {
    @Resource
    private SessionContext sessionContext;

    public UserBean() {
    }

    public String currentUserName() {
        return sessionContext.getCallerPrincipal().getName();
    }
}{code}
Backing bean for jsf page
{code:java}
@Model
public class IndexMB {
    @EJB
    private MyStatelessBean myStatelessBean;
    @EJB
    private MyStatelessRunAsBean myStatelessRunAsBean;

    public void test(ActionEvent event) {
        myStatelessBean.test();
        myStatelessRunAsBean.test();
        myStatelessBean.test();
    }
}
{code}
Expected output:
 ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
 ejb WITHOUT @RunAs, username from another ejb: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
 ejb WITH @RunAs, username from sessionContext 1: *ymn*
 ejb WITH @RunAs, username from another ejb: *admin*
 ejb WITH @RunAs, username from sessionContext 2: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
 ejb WITHOUT @RunAs, username from another ejb: *ymn*
 ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
  
Real output:
ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
ejb WITHOUT @RunAs, username from another ejb: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
ejb WITH @RunAs, username from sessionContext 1: *ymn*
ejb WITH @RunAs, username from another ejb: *admin*
ejb WITH @RunAs, username from sessionContext 2: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 1: *guest*
ejb WITHOUT @RunAs, username from another ejb: *guest*
ejb WITHOUT @RunAs, username from sessionContext 2: *guest*

In method *enterWebApp* of class *TomcatSecurityService* token is null: 
{code:java}newIdentity = new Identity(newSubject, null);{code}
Because of this block of code in *StatelessContainer* container do nothing
{code:java}
        } finally {
            if (runAs != null) {
                try {
                    securityService.associate(runAs);
                } catch (final LoginException e) {
                    // no-op
                }
            }
{code}


> Security Principal is lost after calling a method from ejb with @RunAs 
> annotation
> ---------------------------------------------------------------------------------
>
>                 Key: TOMEE-2763
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2763
>             Project: TomEE
>          Issue Type: Bug
>            Reporter: Yakushev Mikhail
>            Priority: Major
>         Attachments: tomee-runas.zip
>
>
> Sample application: [^tomee-runas.zip]
>  
> EJB 1
> {code:java}
> @LocalBean
> @Stateless(name = "MyStateless")
> public class MyStatelessBean {
>     @Resource
>     private SessionContext sessionContext;
>     @EJB
>     private UserBean userBean;    public MyStatelessBean() {
>     }    public void test() {
>         System.out.println("ejb WITHOUT @RunAs, username from sessionContext 
> 1: " + sessionContext.getCallerPrincipal().getName());
>         System.out.println("ejb WITHOUT @RunAs, username from another ejb: " 
> + userBean.currentUserName());
>         System.out.println("ejb WITHOUT @RunAs, username from sessionContext 
> 2: " + sessionContext.getCallerPrincipal().getName());
>     }
> }{code}
> EJB 2
> {code:java}
> @LocalBean
> @RunAs("admin")
> @Stateless(name = "MyStatelessRunAsBean")
> public class MyStatelessRunAsBean {
>     @Resource
>     private SessionContext sessionContext;
>     @EJB
>     private UserBean userBean;
>     public MyStatelessRunAsBean() {
>     }
>     public void test() {
>         System.out.println("ejb WITH @RunAs, username from sessionContext 1: 
> " + sessionContext.getCallerPrincipal().getName());
>         System.out.println("ejb WITH @RunAs, username from another ejb: " + 
> userBean.currentUserName());
>         System.out.println("ejb WITH @RunAs, username from sessionContext 2: 
> " + sessionContext.getCallerPrincipal().getName());
>     }
> }{code}
>  EJB 3
> {code:java}
> @LocalBean
> @Stateless(name = "UserBean")
> public class UserBean {
>     @Resource
>     private SessionContext sessionContext;
>     public UserBean() {
>     }
>     public String currentUserName() {
>         return sessionContext.getCallerPrincipal().getName();
>     }
> }{code}
> Backing bean for jsf page
> {code:java}
> @Model
> public class IndexMB {
>     @EJB
>     private MyStatelessBean myStatelessBean;
>     @EJB
>     private MyStatelessRunAsBean myStatelessRunAsBean;
>     public void test(ActionEvent event) {
>         myStatelessBean.test();
>         myStatelessRunAsBean.test();
>         myStatelessBean.test();
>     }
> }
> {code}
> Expected output:
>  ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
>  ejb WITHOUT @RunAs, username from another ejb: *ymn*
>  ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
>  ejb WITH @RunAs, username from sessionContext 1: *ymn*
>  ejb WITH @RunAs, username from another ejb: *admin*
>  ejb WITH @RunAs, username from sessionContext 2: *ymn*
>  ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
>  ejb WITHOUT @RunAs, username from another ejb: *ymn*
>  ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
>   
>  Real output:
>  ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
>  ejb WITHOUT @RunAs, username from another ejb: *ymn*
>  ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
>  ejb WITH @RunAs, username from sessionContext 1: *ymn*
>  ejb WITH @RunAs, username from another ejb: *admin*
>  ejb WITH @RunAs, username from sessionContext 2: *ymn*
>  ejb WITHOUT @RunAs, username from sessionContext 1: *guest*
>  ejb WITHOUT @RunAs, username from another ejb: *guest*
>  ejb WITHOUT @RunAs, username from sessionContext 2: *guest*
> In method *enterWebApp* of class *TomcatSecurityService* token is null:
> {code:java}
> newIdentity = new Identity(newSubject, null);{code}
> Because of this block of code in *StatelessContainer* class do nothing
> {code:java}
>         } finally {
>             if (runAs != null) {
>                 try {
>                     securityService.associate(runAs);
>                 } catch (final LoginException e) {
>                     // no-op
>                 }
>             }
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
