[
https://issues.apache.org/jira/browse/TOMEE-2763?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Yakushev Mikhail updated TOMEE-2763:
------------------------------------
Description:
Sample application: [^tomee-runas.zip]
EJB 1
{code:java}
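/**
 * Reproducer for TOMEE-2763: a stateless bean WITHOUT {@code @RunAs}.
 *
 * <p>{@link #test()} prints the caller principal three times: straight from the session
 * context, as reported by {@link UserBean#currentUserName()}, and from the session context
 * again. All three lines are expected to show the authenticated user; the reported bug is that
 * once a sibling bean annotated with {@code @RunAs} has been invoked on the same request, the
 * name printed here degrades to {@code guest}.
 *
 * <p>The string literals in the original listing were wrapped across lines (an unterminated
 * literal, which does not compile); they are rejoined here without changing their content.
 */
@LocalBean
@Stateless(name = "MyStateless")
public class MyStatelessBean {

    @Resource
    private SessionContext sessionContext;

    @EJB
    private UserBean userBean;

    public MyStatelessBean() {
    }

    /** Prints the caller name before, via, and after a call into {@link UserBean}. */
    public void test() {
        System.out.println("ejb WITHOUT @RunAs, username from sessionContext 1: "
                + sessionContext.getCallerPrincipal().getName());
        System.out.println("ejb WITHOUT @RunAs, username from another ejb: "
                + userBean.currentUserName());
        System.out.println("ejb WITHOUT @RunAs, username from sessionContext 2: "
                + sessionContext.getCallerPrincipal().getName());
    }
}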
EJB 2
{code:java}
/**
 * Reproducer for TOMEE-2763: the stateless bean WITH {@code @RunAs("admin")}.
 *
 * <p>{@link #test()} prints the caller name as seen by this bean's own session context, then as
 * seen by {@link UserBean} (which, being called from a run-as bean, reports {@code admin}), then
 * from this bean's session context again.
 */
@LocalBean
@RunAs("admin")
@Stateless(name = "MyStatelessRunAsBean")
public class MyStatelessRunAsBean {

    @Resource
    private SessionContext sessionContext;

    @EJB
    private UserBean userBean;

    public MyStatelessRunAsBean() {
    }

    /** Prints the caller name before, via, and after a call into {@link UserBean}. */
    public void test() {
        report("ejb WITH @RunAs, username from sessionContext 1: ", callerName());
        report("ejb WITH @RunAs, username from another ejb: ", userBean.currentUserName());
        report("ejb WITH @RunAs, username from sessionContext 2: ", callerName());
    }

    /** Name of the principal this bean's session context currently reports. */
    private String callerName() {
        return sessionContext.getCallerPrincipal().getName();
    }

    /** Writes one labelled line to standard output. */
    private static void report(final String label, final String name) {
        System.out.println(label + name);
    }
}
EJB 3
{code:java}
/**
 * Reproducer for TOMEE-2763: a bean that only reports the caller principal it is invoked with.
 *
 * <p>Called from a plain bean it reports the web user; called from a bean annotated with
 * {@code @RunAs("admin")} it reports {@code admin}.
 */
@LocalBean
@Stateless(name = "UserBean")
public class UserBean {

    @Resource
    private SessionContext sessionContext;

    public UserBean() {
    }

    /** Returns the name of the caller principal as seen by this bean's session context. */
    public String currentUserName() {
        final String name = sessionContext.getCallerPrincipal().getName();
        return name;
    }
}
Backing bean for jsf page
{code:java}
/**
 * JSF backing bean driving the TOMEE-2763 reproducer.
 *
 * <p>The action invokes the plain bean, then the {@code @RunAs} bean, then the plain bean again,
 * so that the last group of output lines shows whether the caller identity survived the run-as
 * call.
 */
@Model
public class IndexMB {

    @EJB
    private MyStatelessBean myStatelessBean;

    @EJB
    private MyStatelessRunAsBean myStatelessRunAsBean;

    /**
     * Action handler for the page.
     *
     * @param event the JSF action event (unused)
     */
    public void test(ActionEvent event) {
        // baseline: caller name before any run-as call
        runPlainBean();
        // pushes and pops the "admin" run-as identity
        myStatelessRunAsBean.test();
        // should print the same caller name as the baseline
        runPlainBean();
    }

    /** Invokes the bean without {@code @RunAs}. */
    private void runPlainBean() {
        myStatelessBean.test();
    }
}
{code}
Expected output:
ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
ejb WITHOUT @RunAs, username from another ejb: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
ejb WITH @RunAs, username from sessionContext 1: *ymn*
ejb WITH @RunAs, username from another ejb: *admin*
ejb WITH @RunAs, username from sessionContext 2: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
ejb WITHOUT @RunAs, username from another ejb: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
Real output:
ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
ejb WITHOUT @RunAs, username from another ejb: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
ejb WITH @RunAs, username from sessionContext 1: *ymn*
ejb WITH @RunAs, username from another ejb: *admin*
ejb WITH @RunAs, username from sessionContext 2: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 1: *guest*
ejb WITHOUT @RunAs, username from another ejb: *guest*
ejb WITHOUT @RunAs, username from sessionContext 2: *guest*
In the *enterWebApp* method of the *TomcatSecurityService* class, the token is null:
{code:java}
newIdentity = new Identity(newSubject, null);{code}
Because of this, the following block of code in the *StatelessContainer* class does nothing (runAs is null):
{code:java}
} finally {
if (runAs != null) {
try {
securityService.associate(runAs);
} catch (final LoginException e) {
// no-op
}
}
{code}
I fixed it for my application in the following way:
{code:java}
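/**
 * Proposed replacement for {@code TomcatSecurityService.enterWebApp} (TOMEE-2763).
 *
 * <p>Rather than building an {@code Identity} with a {@code null} token, the subject created
 * for {@code principal} is registered and then associated, so the request's identity carries a
 * non-null token. The issue identifies the container's post-invocation
 * {@code securityService.associate(runAs)} as the step that is skipped when that token is null,
 * which is why the caller identity is lost after a bean annotated with {@code @RunAs} returns.
 *
 * @param realm     the Tomcat realm the principal was authenticated against
 * @param principal the authenticated web principal, or {@code null} for an unauthenticated
 *                  request
 * @param runAs     the run-as role configured for the web component, or {@code null}
 * @return the {@code WebAppState} the matching exit call uses to restore the previous identity
 * @throws IllegalStateException if the new subject cannot be associated with the current
 *         thread; the request must not continue under an absent or stale identity
 */
public Object enterWebApp(final Realm realm, final Principal principal, final String runAs) {
    // Captured before any association so the exit path can restore exactly what was there.
    final Identity oldIdentity = clientIdentity.get();
    if (principal != null) {
        final Subject newSubject = createSubject(realm, principal);
        try {
            // registerSubject hands back a token; associating that token (instead of a null
            // token) is what allows the container to re-associate the caller afterwards.
            // NOTE(review): the registered token should be released again in the exit path
            // (not shown here), otherwise registered subjects accumulate — confirm against
            // exitWebApp.
            associate(registerSubject(newSubject));
        } catch (final LoginException e) {
            // Previously swallowed. Continuing silently would leave the thread on oldIdentity
            // (presumably whatever the previous request left in clientIdentity) and let the
            // request run under the wrong identity; fail the request instead and keep the cause.
            throw new IllegalStateException(
                    "Unable to associate identity for principal " + principal.getName(), e);
        }
    }
    final WebAppState webAppState = new WebAppState(oldIdentity, runAs != null);
    if (runAs != null) {
        final Subject runAsSubject = createRunAsSubject(runAs);
        RUN_AS_STACK.get().addFirst(runAsSubject);
    }
    return webAppState;
}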
{code}
was:
Sample application: [^tomee-runas.zip]
EJB 1
{code:java}
@LocalBean
@Stateless(name = "MyStateless")
public class MyStatelessBean {
@Resource
private SessionContext sessionContext;
@EJB
private UserBean userBean;
public MyStatelessBean() {
}
public void test() {
System.out.println("ejb WITHOUT @RunAs, username from sessionContext 1:
" + sessionContext.getCallerPrincipal().getName());
System.out.println("ejb WITHOUT @RunAs, username from another ejb: " +
userBean.currentUserName());
System.out.println("ejb WITHOUT @RunAs, username from sessionContext 2:
" + sessionContext.getCallerPrincipal().getName());
}
}{code}
EJB 2
{code:java}
@LocalBean
@RunAs("admin")
@Stateless(name = "MyStatelessRunAsBean")
public class MyStatelessRunAsBean {
@Resource
private SessionContext sessionContext;
@EJB
private UserBean userBean;
public MyStatelessRunAsBean() {
}
public void test() {
System.out.println("ejb WITH @RunAs, username from sessionContext 1: "
+ sessionContext.getCallerPrincipal().getName());
System.out.println("ejb WITH @RunAs, username from another ejb: " +
userBean.currentUserName());
System.out.println("ejb WITH @RunAs, username from sessionContext 2: "
+ sessionContext.getCallerPrincipal().getName());
}
}{code}
EJB 3
{code:java}
@LocalBean
@Stateless(name = "UserBean")
public class UserBean {
@Resource
private SessionContext sessionContext;
public UserBean() {
}
public String currentUserName() {
return sessionContext.getCallerPrincipal().getName();
}
}{code}
Backing bean for jsf page
{code:java}
@Model
public class IndexMB {
@EJB
private MyStatelessBean myStatelessBean;
@EJB
private MyStatelessRunAsBean myStatelessRunAsBean;
public void test(ActionEvent event) {
myStatelessBean.test();
myStatelessRunAsBean.test();
myStatelessBean.test();
}
}
{code}
Expected output:
ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
ejb WITHOUT @RunAs, username from another ejb: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
ejb WITH @RunAs, username from sessionContext 1: *ymn*
ejb WITH @RunAs, username from another ejb: *admin*
ejb WITH @RunAs, username from sessionContext 2: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
ejb WITHOUT @RunAs, username from another ejb: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
Real output:
ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
ejb WITHOUT @RunAs, username from another ejb: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
ejb WITH @RunAs, username from sessionContext 1: *ymn*
ejb WITH @RunAs, username from another ejb: *admin*
ejb WITH @RunAs, username from sessionContext 2: *ymn*
ejb WITHOUT @RunAs, username from sessionContext 1: *guest*
ejb WITHOUT @RunAs, username from another ejb: *guest*
ejb WITHOUT @RunAs, username from sessionContext 2: *guest*
In method *enterWebApp* of class *TomcatSecurityService* token is null:
{code:java}
newIdentity = new Identity(newSubject, null);{code}
Because of this block of code in *StatelessContainer* class do nothing
{code:java}
} finally {
if (runAs != null) {
try {
securityService.associate(runAs);
} catch (final LoginException e) {
// no-op
}
}
{code}
I fixed it for my app in that way:
{code:java}
public Object enterWebApp(final Realm realm, final Principal principal,
final String runAs) {
final Identity oldIdentity = clientIdentity.get();
if (principal != null) {
final Subject newSubject = createSubject(realm, principal);
try {
associate(registerSubject(newSubject));
} catch (LoginException e) {
}
}
final WebAppState webAppState = new WebAppState(oldIdentity, runAs !=
null);
if (runAs != null) {
final Subject runAsSubject = createRunAsSubject(runAs);
RUN_AS_STACK.get().addFirst(runAsSubject);
}
return webAppState;
}
{code}
> Security Principal is lost after calling a method from ejb with @RunAs
> annotation
> ---------------------------------------------------------------------------------
>
> Key: TOMEE-2763
> URL: https://issues.apache.org/jira/browse/TOMEE-2763
> Project: TomEE
> Issue Type: Bug
> Reporter: Yakushev Mikhail
> Priority: Major
> Attachments: tomee-runas.zip
>
>
> Sample application: [^tomee-runas.zip]
>
> EJB 1
> {code:java}
> @LocalBean
> @Stateless(name = "MyStateless")
> public class MyStatelessBean {
> @Resource
> private SessionContext sessionContext;
> @EJB
> private UserBean userBean;
>
> public MyStatelessBean() {
> }
>
> public void test() {
> System.out.println("ejb WITHOUT @RunAs, username from sessionContext
> 1: " + sessionContext.getCallerPrincipal().getName());
> System.out.println("ejb WITHOUT @RunAs, username from another ejb: "
> + userBean.currentUserName());
> System.out.println("ejb WITHOUT @RunAs, username from sessionContext
> 2: " + sessionContext.getCallerPrincipal().getName());
> }
> }{code}
> EJB 2
> {code:java}
> @LocalBean
> @RunAs("admin")
> @Stateless(name = "MyStatelessRunAsBean")
> public class MyStatelessRunAsBean {
> @Resource
> private SessionContext sessionContext;
> @EJB
> private UserBean userBean;
> public MyStatelessRunAsBean() {
> }
> public void test() {
> System.out.println("ejb WITH @RunAs, username from sessionContext 1:
> " + sessionContext.getCallerPrincipal().getName());
> System.out.println("ejb WITH @RunAs, username from another ejb: " +
> userBean.currentUserName());
> System.out.println("ejb WITH @RunAs, username from sessionContext 2:
> " + sessionContext.getCallerPrincipal().getName());
> }
> }{code}
> EJB 3
> {code:java}
> @LocalBean
> @Stateless(name = "UserBean")
> public class UserBean {
> @Resource
> private SessionContext sessionContext;
> public UserBean() {
> }
> public String currentUserName() {
> return sessionContext.getCallerPrincipal().getName();
> }
> }{code}
> Backing bean for jsf page
> {code:java}
> @Model
> public class IndexMB {
> @EJB
> private MyStatelessBean myStatelessBean;
> @EJB
> private MyStatelessRunAsBean myStatelessRunAsBean;
> public void test(ActionEvent event) {
> myStatelessBean.test();
> myStatelessRunAsBean.test();
> myStatelessBean.test();
> }
> }
> {code}
> Expected output:
> ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
> ejb WITHOUT @RunAs, username from another ejb: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
> ejb WITH @RunAs, username from sessionContext 1: *ymn*
> ejb WITH @RunAs, username from another ejb: *admin*
> ejb WITH @RunAs, username from sessionContext 2: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
> ejb WITHOUT @RunAs, username from another ejb: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
>
> Real output:
> ejb WITHOUT @RunAs, username from sessionContext 1: *ymn*
> ejb WITHOUT @RunAs, username from another ejb: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 2: *ymn*
> ejb WITH @RunAs, username from sessionContext 1: *ymn*
> ejb WITH @RunAs, username from another ejb: *admin*
> ejb WITH @RunAs, username from sessionContext 2: *ymn*
> ejb WITHOUT @RunAs, username from sessionContext 1: *guest*
> ejb WITHOUT @RunAs, username from another ejb: *guest*
> ejb WITHOUT @RunAs, username from sessionContext 2: *guest*
> In method *enterWebApp* of class *TomcatSecurityService* token is null:
> {code:java}
> newIdentity = new Identity(newSubject, null);{code}
> Because of this block of code in *StatelessContainer* class do nothing (runAs
> is null)
> {code:java}
> } finally {
> if (runAs != null) {
> try {
> securityService.associate(runAs);
> } catch (final LoginException e) {
> // no-op
> }
> }
> {code}
> I fixed it for my app in that way:
> {code:java}
> public Object enterWebApp(final Realm realm, final Principal principal,
> final String runAs) {
> final Identity oldIdentity = clientIdentity.get();
> if (principal != null) {
> final Subject newSubject = createSubject(realm, principal);
> try {
> associate(registerSubject(newSubject));
> } catch (LoginException e) {
> }
> }
> final WebAppState webAppState = new WebAppState(oldIdentity, runAs !=
> null);
> if (runAs != null) {
> final Subject runAsSubject = createRunAsSubject(runAs);
> RUN_AS_STACK.get().addFirst(runAsSubject);
> }
> return webAppState;
> }
> {code}