@RunAs does not work properly when it is used in servlet


@RunAs does not work properly when it is used in servlet

Kaloyan Spiridonov
Hello,

I have the following scenario:

Servlet -> EjbOne -> EjbTwo
My expectation is that @RunAs of the servlet will be propagated to EjbOne
and the @RunAs of the EjbOne will be propagated to EjbTwo.
But this does not happen - see the output below. When I remove @RunAs
annotation from the servlet the @RunAs of EjbOne is propagated correctly.

Actual output:

EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Manager"): false
EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("VP"): false
EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false
EjbTwo expected role: VP, isCallerInRole("Manager"): false
EjbTwo expected role: VP, isCallerInRole("VP"): false
EjbTwo expected role: VP, isCallerInRole("Administrator"): false
EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Manager"): false
EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("VP"): false
EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false


Expected output:

EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Manager"): true
EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("VP"): false
EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false
EjbTwo expected role: VP, isCallerInRole("Manager"): false
EjbTwo expected role: VP, isCallerInRole("VP"): true
EjbTwo expected role: VP, isCallerInRole("Administrator"): false
EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Manager"): true
EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("VP"): false
EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false

Here is the source of the application: https://github.com/kal0ian/Examples

Regards,
Kaloyan
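As an added example, not code from Kaloyan's repository or from TomEE, here is a minimal reconstruction of the Servlet -> EjbOne -> EjbTwo chain the post describes, producing the same output lines. The class names and the three roles come from the thread; the servlet's URL pattern, the check() method, the shared report() helper and the @DeclareRoles lists are assumptions. Per the EJB and Servlet specifications, @RunAs changes only the identity a component uses for its outbound calls, while isCallerInRole() inside a component reports the identity of its caller. That is why EjbOne expects Manager (the servlet's run-as role) and EjbTwo expects VP (EjbOne's run-as role).

```java
// ---- file: RunAsServlet.java (added example; assumed URL pattern) ----
import java.io.IOException;
import java.io.PrintWriter;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// @RunAs replaces the web caller's identity with the "Manager" role for every
// call the servlet makes into EJBs. It does not change what the servlet itself
// sees in request.isUserInRole().
@WebServlet("/runas")
@RunAs("Manager")
@DeclareRoles({"Manager", "VP", "Administrator"})
public class RunAsServlet extends HttpServlet {
    @EJB
    private EjbOne ejbOne;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        for (String line : ejbOne.check()) {
            out.println(line);
        }
    }
}

// ---- file: EjbOne.java ----
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Inside EjbOne, isCallerInRole() reports the identity of EjbOne's *caller*,
// i.e. the servlet's run-as role (Manager). EjbOne's own @RunAs("VP") applies
// only to the outbound call it makes to EjbTwo.
@Stateless
@RunAs("VP")
@DeclareRoles({"Manager", "VP", "Administrator"})
public class EjbOne {
    static final String[] ROLES = {"Manager", "VP", "Administrator"};

    @Resource
    private SessionContext ctx;

    @EJB
    private EjbTwo ejbTwo;

    public List<String> check() {
        List<String> lines = new ArrayList<>();
        report(lines, ctx, "EjbOne (Before EjbTwo)", "Manager");
        lines.addAll(ejbTwo.check());
        report(lines, ctx, "EjbOne (After EjbTwo)", "Manager");
        return lines;
    }

    // Emits one line per role in the same format as the output in the thread.
    static void report(List<String> lines, SessionContext ctx, String where, String expected) {
        for (String role : ROLES) {
            lines.add(where + " expected role: " + expected
                    + ", isCallerInRole(\"" + role + "\"): " + ctx.isCallerInRole(role));
        }
    }
}

// ---- file: EjbTwo.java ----
import java.util.ArrayList;
import java.util.List;
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// EjbTwo's caller is EjbOne, whose run-as identity is VP, so only
// isCallerInRole("VP") should be true here.
@Stateless
@DeclareRoles({"Manager", "VP", "Administrator"})
public class EjbTwo {
    @Resource
    private SessionContext ctx;

    public List<String> check() {
        List<String> lines = new ArrayList<>();
        EjbOne.report(lines, ctx, "EjbTwo", "VP");
        return lines;
    }
}
```

Requesting /runas in a correctly behaving container prints the "Expected output" from the post. Because these beans only report the role check, a broken run-as chain shows up as a line reading "false" rather than as a denied call; for a real authorization boundary, put @RolesAllowed("Manager") on EjbOne and @RolesAllowed("VP") on EjbTwo so that a missing or wrong propagated identity fails closed with javax.ejb.EJBAccessException instead of silently continuing.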
Re: @RunAs does not work properly when it is used in servlet

jgallimore
Hi

Thanks for your mail! I'll grab your example later today and take a look.

Thanks

Jon

On Tue, Aug 15, 2017 at 2:20 PM, Kaloyan Spiridonov <
[hidden email]> wrote:

> Hello,
>
> I have the following scenario:
>
> Servlet -> EjbOne -> EjbTwo
> My expectation is that @RunAs of the servlet will be propagated to EjbOne
> and the @RunAs of the EjbOne will be propagated to EjbTwo.
> But this does not happen - see the output below. When I remove @RunAs
> annotation from the servlet the @RunAs of EjbOne is propagated correctly.
>
> Actual output:
>
> EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Manager"): false
> EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("VP"): false
> EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false
> EjbTwo expected role: VP, isCallerInRole("Manager"): false
> EjbTwo expected role: VP, isCallerInRole("VP"): false
> EjbTwo expected role: VP, isCallerInRole("Administrator"): false
> EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Manager"): false
> EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("VP"): false
> EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false
>
>
> Expected output:
>
> EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Manager"): true
> EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("VP"): false
> EjbOne (Before EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false
> EjbTwo expected role: VP, isCallerInRole("Manager"): false
> EjbTwo expected role: VP, isCallerInRole("VP"): true
> EjbTwo expected role: VP, isCallerInRole("Administrator"): false
> EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Manager"): true
> EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("VP"): false
> EjbOne (After EjbTwo) expected role: Manager, isCallerInRole("Administrator"): false
>
> Here is the source of the application: https://github.com/kal0ian/Examples
>
> Regards,
> Kaloyan
>
Re: @RunAs does not work properly when it is used in servlet

jgallimore
That looks like a bug. Looks like the role check doesn't work with the
RunAsRole that the TomcatSecurityService creates, and the @RunAs for EjbOne
doesn't seem to make it onto the stack. I haven't tried, but I suspect this
would work in an embedded fashion, i.e. like this example:
https://github.com/apache/tomee/tree/master/examples/testing-security.

Can you file a JIRA ticket, and I'll attempt to patch that up?

Many thanks

Jon

On Tue, Aug 15, 2017 at 2:49 PM, Jonathan Gallimore <
[hidden email]> wrote:

> Hi
>
> Thanks for your mail! I'll grab your example later today and take a look.
>
> Thanks
>
> Jon
Re: @RunAs does not work properly when it is used in servlet

Kaloyan Spiridonov
Here is the ticket: https://issues.apache.org/jira/browse/TOMEE-2118
Thank you for looking into this.

Regards,
Kaloyan

On Thu, Aug 17, 2017 at 1:16 PM, Jonathan Gallimore <
[hidden email]> wrote:

> That looks like a bug. Looks like the role check doesn't work with the
> RunAsRole that the TomcatSecurityService creates, and the @RunAs for EjbOne
> doesn't seem to make it onto the stack. I haven't tried, but I suspect this
> would work in an embedded fashion, i.e. like this example:
> https://github.com/apache/tomee/tree/master/examples/testing-security.
>
> Can you file a JIRA ticket, and I'll attempt to patch that up?
>
> Many thanks
>
> Jon