Why does switching users between local ejb calls not work when the call originates from a remote client?

Solution Unverified - Updated -

Issue

Why does switching users between local ejb calls not work when the call originates from a remote client? Both ejbs are on the same JBoss instance.

The use case looks like the following:

  remote standalone client  --->  unsecured ejb3 (switch user here) -> secured ejb3

I tried to use both approaches outlined in Q10/A10 of the JBoss Security FAQ [1] in order to establish a security context in the unsecured ejb that should be used to invoke the secured ejb. Neither approach worked in my testing.

When the same unsecured ejb is called from a web application (secured or unsecured), then the user switching works correctly.

The ejb security code appears to work differently based on the client type (standalone remote ejb client vs a web application).

I believe this is happening because the org.jboss.as.security.service.SimpleSecurityManager.push method (called by the SecurityContextInterceptor) is checking for an existing RemotingContext and grabbing the security context from there even though the security context that should be used appears to be getting propagated correctly.
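The call chain described above, written out as an added illustration (not code from the Red Hat article or from the JBoss Security FAQ it cites): an unsecured EJB that a remote client may call, which attempts to establish a PicketBox security context for a different user before invoking a secured EJB. The bean names, the `other` security domain, the `switched-user` principal and its credential, and the `admin` role are constructed placeholders; setting the context via `SecurityContextAssociation` is one programmatic way to attempt the switch and is an assumption here, not necessarily the approach the FAQ describes. Per the article, the switch takes effect when the caller is a web application but not when the caller is a remote standalone client, because the interceptor prefers the identity carried by the remoting connection.

```java
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.security.SecurityContext;
import org.jboss.security.SecurityContextAssociation;
import org.jboss.security.SecurityContextFactory;
import org.jboss.security.SimplePrincipal;

/** Constructed example: the secured target EJB (second hop of the chain). */
@Stateless
public class SecuredBean {

    @Resource
    private SessionContext ctx;

    // Only callers in the placeholder "admin" role may invoke this method.
    @RolesAllowed("admin")
    public String whoAmI() {
        // Returns whichever identity the container's security interceptor
        // actually established for this invocation.
        Principal caller = ctx.getCallerPrincipal();
        return caller == null ? "<none>" : caller.getName();
    }
}

/** Constructed example: the unsecured entry EJB (first hop of the chain). */
@Stateless
@PermitAll
public class UnsecuredBean {

    @EJB
    private SecuredBean secured;

    /**
     * Attempts to switch the identity used for the local call to SecuredBean.
     * Assumption: a PicketBox security context set on the thread is what the
     * next interceptor chain should pick up. The page reports that when the
     * original caller is a remote client, SimpleSecurityManager.push takes the
     * identity from the RemotingContext instead, so the switch does not apply.
     */
    public String callAsSwitchedUser() throws Exception {
        // Keep the caller's own context so it can be restored afterwards;
        // leaking a switched identity onto a pooled thread is a real risk.
        SecurityContext previous = SecurityContextAssociation.getSecurityContext();
        try {
            // Placeholder domain and credentials; "other" is the EAP 6 default
            // security domain name used here only as an assumption.
            SecurityContext switched = SecurityContextFactory.createSecurityContext("other");
            switched.getUtil().createSubjectInfo(
                    new SimplePrincipal("switched-user"),   // constructed principal
                    "switched-password".toCharArray(),      // constructed credential
                    null);
            SecurityContextAssociation.setSecurityContext(switched);

            // Local call to the secured EJB; whatever identity the interceptor
            // resolves is what whoAmI() reports back.
            return secured.whoAmI();
        } finally {
            // Always restore the original context, even if the call failed.
            SecurityContextAssociation.setSecurityContext(previous);
        }
    }
}
```

Comparing the value returned by `whoAmI()` when `UnsecuredBean` is invoked from a servlet against the value (or the `EJBAccessException`) seen when it is invoked from a standalone remote client is the quickest way to confirm the behaviour the article describes on a given EAP 6.x installation.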

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.x
