
Since we found out that it is not possible to put the SecurityIdentity into a ContextualProxy as described here, we are trying to find some kind of workaround.

We make a programmatic login on the security subsystem of WildFly and run a Runnable with the returned Subject. The Runnable should then be able to run certain EJBs depending on the roles of the Subject, but the EJBContext or SessionContext is always "anonymous".

Code:

The login

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

public class RunnableHandlerImpl implements RunnableHandler {

    @Override
    public void runAsPrivileged(final ContextRunnable runnable) throws LoginException {
        // Programmatic JAAS login against the "myDomain" security domain
        LoginContext ctx = new LoginContext("myDomain", new MyCallbackHandler(runnable.getAuthToken()));
        ctx.login();
        Subject subject = ctx.getSubject();
        try {
            // Run the work with the authenticated Subject attached to the calling thread
            Subject.doAs(subject, new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    runnable.run();
                    return null;
                }
            });
        } catch (PrivilegedActionException e) {
            // doAs wraps any checked exception thrown inside run(); unwrap and rethrow it
            LoginException le = new LoginException("privileged action failed: " + e.getException());
            le.initCause(e.getException());
            throw le;
        }
    }
}

Call from the MDB:

// Inside the message-driven bean (imports: javax.inject, javax.jms, javax.security.auth.login)
@Inject
MySingleton bean;

@Override
public void onMessage(Message msg) {
    try {
        // The message carries the serialized ContextRunnable as an ObjectMessage payload
        ContextRunnable contextRunnable = (ContextRunnable) ((ObjectMessage) msg).getObject();
        // Hand over the injected singleton, which is not part of the serialized payload
        contextRunnable.setSingletonBean(bean);

        RunnableHandler handler = new RunnableHandlerImpl();
        handler.runAsPrivileged(contextRunnable);
    } catch (JMSException | LoginException e) {
        // onMessage cannot throw checked exceptions; let the container handle the failure
        throw new RuntimeException(e);
    }
}

The Runnable:

import java.io.Serializable;

public class ContextRunnable implements Serializable, Runnable {
    // Credential token carried with the message; its concrete type is not shown in the question
    private Object authToken;
    // Container-managed singleton, handed over by the MDB, so it must not be serialized
    private transient MySingleton bean;

    public Object getAuthToken() { return authToken; }
    public void setAuthToken(Object authToken) { this.authToken = authToken; }

    @Override
    public void run() {
        bean.printText("hello");
    }
    public void setSingletonBean(MySingleton bean) {
        this.bean = bean;
    }
}

The Singleton:

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.EJBAccessException;
import javax.ejb.EJBContext;
import javax.ejb.SessionContext;
import javax.ejb.Singleton;
import org.jboss.ejb3.annotation.SecurityDomain;

@Singleton
@SecurityDomain("DemoApplicationDomain")
@PermitAll
public class MySingleton {
    @Resource EJBContext context;
    @Resource SessionContext sessionCtx;

    public void printText(String text) throws EJBAccessException {
        // Both contexts report the identity the EJB container associated with this call
        System.out.println("ejbcontext: " + context.getCallerPrincipal().getName());
        System.out.println("SessionContext: " + sessionCtx.getCallerPrincipal().getName());
        System.out.println("text: " + text);
    }
}

The login works just fine and I always get the right name from the principal, but the EJBContext and the SessionContext are always 'anonymous'. My guess is that the legacy security system of WildFly is not 'connected' to the EJB container anymore since Elytron is being used.

Is there a way to fix this?

I also tried to use the Elytron system as described here, but with the same result:

import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;

AuthenticationConfiguration config = AuthenticationConfiguration.empty().useName("admin").usePassword("admin");
AuthenticationContext.empty().with(MatchRule.ALL, config).run(contextRunnable);

Please ask if you need more code or information.

jlange
  • FWIW, I have raised [WFLY-11665](https://issues.jboss.org/browse/WFLY-11665) regarding this problem – Steve C Feb 20 '19 at 00:45
  • Thank you very much! Do you maybe have a clue how I can take effect on the EJB-/SessionContext in the meanwhile? – jlange Feb 20 '19 at 12:27
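As an added check (not code from the question or from WildFly), the following plain Java program shows what Subject.doAs actually propagates: the JAAS Subject is attached to the calling thread's AccessControlContext and is readable there only inside the action. An EJB container derives getCallerPrincipal() from its own security interceptors, so whether it consults this Subject is container-specific; NamedPrincipal and the "admin" name are constructed stand-ins for what a real LoginModule would populate.

```java
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivilegedAction;
import javax.security.auth.Subject;

public class SubjectPropagationCheck {

    /** Minimal Principal standing in for what a real LoginModule would add (constructed here). */
    static final class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /**
     * Reads the Subject attached to the current AccessControlContext, i.e. exactly what
     * Subject.doAs propagates. Returns "anonymous" when no Subject is attached, which is
     * the same value the question sees from EJBContext.getCallerPrincipal().
     */
    static String callerFromAccessControlContext() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            return "anonymous";
        }
        return subject.getPrincipals().stream()
                .map(Principal::getName)
                .findFirst()
                .orElse("anonymous");
    }

    public static void main(String[] args) {
        // Stand-in for LoginContext.getSubject(): a Subject carrying one principal
        Subject subject = new Subject();
        subject.getPrincipals().add(new NamedPrincipal("admin"));

        // Outside the action nothing is attached, so the lookup reports "anonymous"
        System.out.println("before doAs: " + callerFromAccessControlContext());

        Subject.doAs(subject, (PrivilegedAction<Void>) () -> {
            // Inside the action the principal name is visible through the AccessControlContext.
            // A container that builds its caller principal elsewhere will still not see it.
            System.out.println("inside doAs: " + callerFromAccessControlContext());
            return null;
        });

        // After the action returns the thread's context no longer carries the Subject
        System.out.println("after doAs:  " + callerFromAccessControlContext());
    }
}
```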
