1

I am trying to send an object over a queue. The object is wrapped in the createContextualProxy of the ContextService. But if I am unwrap the object, the securityIdentity is null. The object is a correct Proxy.

Sender:

@Resource(name = "DefaultContextService")
private ContextService cs;

public void sendMessage() {
    ObjectMessage objectMessage = context.createObjectMessage();
    objectMessage.setObject((Serializable) cs.createContextualProxy(<ObjectToSend>, 
            Runnable.class));            
    context.createProducer().send(queue, objectMessage);
}

Receiver:

ObjectMessage message = (ObjectMessage) msg;                
Runnable myObject = (Runnable) message.getObject();
myObject.run();

The runnable myObject is a Proxy. But the securityIdentity=null.

Did anyone had this issue before?

Alain Merigot
  • 10,667
  • 3
  • 18
  • 31
Auryn
  • 1,117
  • 1
  • 13
  • 37

1 Answers1

1

The only way to do this is to incorporate the security identity of the user directly into the object that you are sending.

Security context information is not retained in the contextual proxy because WildFly (up to 15.0.1) is broken.

JMS requires ObjectMessage payloads to be Serializable. However the security identity object retained in the proxy (a org.wildfly.security.auth.server.SecurityIdentity object) is not Serializable, so it is declared transient in the org.jboss.as.ee.concurrent.IdentityAwareProxyInvocationHandler proxy implementation.

Consequently it does not survive the subsequent JMS message serialisation/deserialization process.

There is an old WildFly issue that has been closed, but I know that the security implementation has been completely replaced since then...

Steve C
  • 18,876
  • 5
  • 34
  • 37
  • But I thought this ContextualProxy is exactly for this. After create the ContextualProxy the securityIdentity is correctly set, but after reading it from the queue, its null. **Thanks a lot** – Auryn Jan 25 '19 at 10:16