GLASSFISH-20847

Principal propagation not working when calling EJB from remote client

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Works as designed
    • Affects Version/s: 4.0
    • Fix Version/s: 4.1
    • Component/s: security
    • Labels:
      None

      Description

      I am not sure whether this is a bug or some kind of misconfiguration.

      Let's assume the following scenario:

      Two session beans with a simple method that returns the name of the current caller principal, whereas one of the methods is secured and the other one is not.

      import javax.annotation.Resource;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;

      // Session bean with no security constraint on its method.
      // (imports and the @Stateless annotation are added here; the report omitted them)
      @Stateless
      public class UnsecuredBean implements Unsecured {
          @Resource
          private SessionContext ctx;

          public String getCaller() {
              return ctx.getCallerPrincipal() != null ? ctx.getCallerPrincipal().getName() : null;
          }
      }

      // Session bean whose method is restricted to the AuthenticatedUser role.
      @Stateless
      public class SecuredBean implements Secured {
          @Resource
          private SessionContext ctx;

          @RolesAllowed("AuthenticatedUser")
          public String getCaller() {
              return ctx.getCallerPrincipal() != null ? ctx.getCallerPrincipal().getName() : null;
          }
      }

      When the two beans are called after a programmatic login from within the container, e.g. from a Servlet or JSP, the authenticated principal is correctly propagated across the calls.

      ProgrammaticLogin plogin = new ProgrammaticLogin();
      plogin.login(...);

      Secured secured = (Secured) ctx.lookup("Secured");
      System.out.println(secured.getCaller());

      Unsecured unsecured = (Unsecured) ctx.lookup("Unsecured");
      System.out.println(unsecured.getCaller());

      The result would be something like:

      john
      john

      When the same code is executed from a remote client the principal is not propagated and the result is something like:

      john
      ANONYMOUS

      Could you please fix this inconsistent behavior. I already tried to adjust the security configuration of the EJBs using the <ior-security-config> tag in glassfish-ejb-jar.xml, but without success.

        Activity

        rtaugerbeck added a comment -

        The @PermitAll annotation has no effect. When called from a remote client (after programmatic login) a call to SecuredBean#getCaller() still returns the user name whereas UnsecuredBean#getCaller() returns ANONYMOUS.
        When I try to use a glassfish-ejb-jar.xml deployment descriptor with <auth-method>USERNAME_PASSWORD</auth-method> the behavior of UnsecuredBean#getCaller() is unchanged. Calling SecuredBean then results in a "Client not authorized for this invocation" exception, but that is obviously a different configuration problem and is not related to my original problem.

        rtaugerbeck added a comment -

        Content of the login.conf file for the application client:

        default {
            com.sun.enterprise.security.auth.login.ClientPasswordLoginModule required debug=true;
        };

        rtaugerbeck added a comment -

        Content of glassfish-ejb-jar.xml deployment descriptor:

        <?xml version="1.0" encoding="UTF-8"?>
        <!DOCTYPE glassfish-ejb-jar PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 EJB 3.1//EN" "http://glassfish.org/dtds/glassfish-ejb-jar_3_1-1.dtd">
        <glassfish-ejb-jar>
          <enterprise-beans>
            <ejb>
              <ejb-name>SecuredBean</ejb-name>
              <jndi-name>myproject.Secured</jndi-name>
              <ior-security-config>
                <transport-config>
                  <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
                  <establish-trust-in-client>NONE</establish-trust-in-client>
                </transport-config>
                <as-context>
                  <auth-method>USERNAME_PASSWORD</auth-method>
                </as-context>
                <sas-context>
                  <caller-propagation>supported</caller-propagation>
                </sas-context>
              </ior-security-config>
            </ejb>
            <ejb>
              <ejb-name>UnsecuredBean</ejb-name>
              <jndi-name>myproject.Unsecured</jndi-name>
              <ior-security-config>
                <transport-config>
                  <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
                  <establish-trust-in-client>NONE</establish-trust-in-client>
                </transport-config>
                <as-context>
                  <auth-method>USERNAME_PASSWORD</auth-method>
                </as-context>
                <sas-context>
                  <caller-propagation>supported</caller-propagation>
                </sas-context>
              </ior-security-config>
            </ejb>
          </enterprise-beans>
        </glassfish-ejb-jar>

        Nithya Ramakrishnan added a comment -

        "When I try to use a glassfish-ejb-jar.xml deployment descriptor with <auth-method>USERNAME_PASSWORD</auth-method> the behavior of UnsecuredBean#getCaller() is unchanged.

        Calling SecuredBean then results in a "Client not authorized for this invocation" exception, but that is obviously a different configuration problem and is not related to my original problem."

        The exception happens because you have specified both USERNAME_PASSWORD in the auth-method and caller propagation as supported in the ior-config for the SecuredBean. GlassFish does not support alternative security mechanisms at this stage, e.g. both caller propagation and client authentication.

        When specifying the USERNAME_PASSWORD for the Unsecured bean, could you please try with the required flag in as-context? Caller authentication can only be expected to occur if it is "required" by the ejb.

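The descriptor variant the comment above asks for, written here as an added illustration rather than taken from the issue: the as-context for UnsecuredBean is marked required and caller propagation is switched off, so only one authentication mechanism is offered to the remote client. The realm name "file" and the transport-config values are assumptions (integrity and confidentiality are set to REQUIRED so the password does not cross IIOP in the clear, which presumes an IIOP/SSL listener), and the thread does not confirm that this makes the unsecured bean see a non-anonymous principal.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glassfish-ejb-jar PUBLIC "-//GlassFish.org//DTD GlassFish Application Server 3.1 EJB 3.1//EN" "http://glassfish.org/dtds/glassfish-ejb-jar_3_1-1.dtd">
<glassfish-ejb-jar>
  <enterprise-beans>
    <ejb>
      <ejb-name>UnsecuredBean</ejb-name>
      <jndi-name>myproject.Unsecured</jndi-name>
      <ior-security-config>
        <!-- Assumed transport settings (not in the reporter's descriptor):
             integrity/confidentiality REQUIRED keeps the USERNAME_PASSWORD
             exchange off a cleartext IIOP channel. -->
        <transport-config>
          <integrity>REQUIRED</integrity>
          <confidentiality>REQUIRED</confidentiality>
          <establish-trust-in-target>SUPPORTED</establish-trust-in-target>
          <establish-trust-in-client>NONE</establish-trust-in-client>
        </transport-config>
        <!-- The change the comment asks for: client authentication is
             mandatory, not merely offered, so an anonymous caller is refused. -->
        <as-context>
          <auth-method>USERNAME_PASSWORD</auth-method>
          <realm>file</realm> <!-- realm name is an assumption -->
          <required>true</required>
        </as-context>
        <!-- Identity assertion is not offered alongside client authentication,
             since the comment says the two cannot be combined. -->
        <sas-context>
          <caller-propagation>NONE</caller-propagation>
        </sas-context>
      </ior-security-config>
    </ejb>
  </enterprise-beans>
</glassfish-ejb-jar>
```

Once deployed, the outcome can be checked with the reporter's client: a call to Unsecured#getCaller() without a prior ProgrammaticLogin should now be rejected rather than answered as ANONYMOUS.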
        Nithya Ramakrishnan added a comment -

        Closing the issue as it is a configuration problem.
        There is no way to make the glassfish appclient container / POJO client invoke the unsecured ejb using a non-anonymous caller principal.


          People

          • Assignee: Nithya Ramakrishnan
          • Reporter: rtaugerbeck
          • Votes: 0
          • Watchers: 0
