  1. TomEE
  2. TOMEE-3725

Returns invalid principal - Java EE Security - Inject javax.security.enterprise.SecurityContext

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 8.0.6
    • Fix Version/s: None
    • Component/s: TomEE Core Server
    • Labels:
      None

      Description

      We used apache-tomee-plume-8.0.6 to reproduce this issue.

      We use our own JASPIC implementation for security, which works fine so far. It creates a CallerPrincipalCallback with subject and our own AuthenticatedUser principal. But if we call ctx.getCallerPrincipal in an EJB, we get "GenericPrincipal":

      "getCallerPrincipal >[TomcatUser: GenericPrincipal[XXXXX(JFOXXXST.administrator,JFOXXXST.users,)]]"

       

      and NOT the AuthenticatedUser principal. It seems our REQUIRED principal is not propagated correctly from the servlet container to the EJB container; the same works fine in OpenLiberty 21.0.0.X.

       

      After spending some more time checking the security code, it looks like tomee-security-8.0.6.jar has the implementation below, which returns an empty set. Is this expected, or will an implementation be provided in the future?

      public Principal getCallerPrincipal() {
          return this.securityService.getCallerPrincipal();
      }

      public <T extends Principal> Set<T> getPrincipalsByType(Class<T> pType) {
          return Collections.emptySet();
      }

            People

            • Assignee:
              Unassigned
              Reporter:
              Sangur Pramod
            • Votes:
              0
              Watchers:
              3
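
An added example, not taken from the issue or from TomEE's code, showing why a by-type lookup that always returns an empty set matters to application code that needs its own principal type. It uses only the JDK's `javax.security.auth.Subject`; `AuthenticatedUser` here, `ContainerPrincipal` and the helper methods are hypothetical stand-ins, and it assumes the application principal is present in the authenticated Subject.

```java
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.security.auth.Subject;

public class PrincipalByTypeDemo {
    // Hypothetical stand-in for the application's own principal type.
    static final class AuthenticatedUser implements Principal {
        private final String name;
        AuthenticatedUser(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Hypothetical stand-in for a container-generated wrapper principal.
    static final class ContainerPrincipal implements Principal {
        private final String name;
        ContainerPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    // Same shape as the method quoted in the issue: always empty.
    static <T extends Principal> Set<T> emptyLookup(Subject s, Class<T> type) {
        return Collections.emptySet();
    }

    // Lookup backed by the Subject, using the standard JAAS by-type accessor.
    static <T extends Principal> Set<T> subjectLookup(Subject s, Class<T> type) {
        return s.getPrincipals(type);
    }

    // Fail closed: an authorization decision needs exactly one application principal.
    static AuthenticatedUser requireUser(Set<AuthenticatedUser> found) {
        if (found.size() != 1) {
            throw new SecurityException("expected one AuthenticatedUser, found " + found.size());
        }
        return found.iterator().next();
    }

    public static void main(String[] args) {
        Subject subject = new Subject(); // constructed sample data
        subject.getPrincipals().add(new ContainerPrincipal("alice"));
        subject.getPrincipals().add(new AuthenticatedUser("alice"));
        System.out.println(requireUser(subjectLookup(subject, AuthenticatedUser.class)).getName());
        try {
            requireUser(emptyLookup(subject, AuthenticatedUser.class));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```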