0 Replies Latest reply on May 4, 2015 4:35 PM by hojothum

    WildFly 8.2 PicketLink 2.7.0.Final SAML2 Authentication - Principal & Roles Missing

    hojothum

      We've been trying to migrate our existing JBoss 7.2 EAR application to WildFly 8.2. I'm repeating this next paragraph from another post, as it sums up what we're doing:


      ---

      We're migrating our JBoss 7.2 application to WildFly 8.2 and have successfully migrated the app and our security domain configuration. We're using PicketLink and our own login module extending SAML2LoginModule to do SAML2 authentication via the "org.picketlink.identity.federation.bindings.wildfly.sp.SPServletExtension", as described here, "WildFly Configuration - PicketLink - Project Documentation Editor", in the "Service Provider Configuration" section. See more at: https://developer.jboss.org/message/916759

      ---


      Again, the SAML2 assertion seems to get processed just fine, our custom login code works as it did in JBoss 7.2, and at least initially we can get a principal out of the EJBContext and verify its name and roles. However, that is only true for the thread that is initially responsible for the authentication. Any other thread seems to have no principal and no roles, so all protected EJBs get access denied exceptions. Here's a snippet from the log at DEBUG level that illustrates what we're seeing:


      2015-05-04 20:15:15,609 DEBUG [org.jboss.security] (default task-1) PBOX000292: Insufficient method permissions [principal: org.picketlink.identity.federation.core.SerializablePrincipal@34e785b7, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(Test1,Test1@test.com,Testing,), run-as roles: null]
      2015-05-04 20:15:16,091 DEBUG [org.jboss.security] (default task-2) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:16,464 DEBUG [org.jboss.security] (default task-3) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:16,902 DEBUG [org.jboss.security] (default task-4) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:17,325 DEBUG [org.jboss.security] (default task-5) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:17,739 DEBUG [org.jboss.security] (default task-6) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:18,045 DEBUG [org.jboss.security] (default task-7) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:18,387 DEBUG [org.jboss.security] (default task-8) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:19,479 DEBUG [org.jboss.security] (default task-9) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:19,922 DEBUG [org.jboss.security] (default task-10) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:20,285 DEBUG [org.jboss.security] (default task-11) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:20,918 DEBUG [org.jboss.security] (default task-12) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:21,309 DEBUG [org.jboss.security] (default task-13) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:21,681 DEBUG [org.jboss.security] (default task-14) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:22,661 DEBUG [org.jboss.security] (default task-15) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:28,177 DEBUG [org.jboss.security] (default task-16) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
      2015-05-04 20:15:28,565 DEBUG [org.jboss.security] (default task-1) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]


      Has anyone seen this behavior before?  We've tried a lot of different approaches to solving the problem and we're out of ideas.


      Thank you!
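As an added triage aid (example code, not part of the original post or of PicketLink): a small Python script that parses PBOX000292 denial lines like the ones above and separates threads where no principal reached the EJB at all from threads where a principal was present but none of its roles was in the required set, which is the situation of the first entry in the post. The three sample lines embedded in the script are constructed copies of entries from the log above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the PBOX000292 lines in the post: the first
# entry carries a principal, the others show principal: null.
SAMPLE_LOG = """\
2015-05-04 20:15:15,609 DEBUG [org.jboss.security] (default task-1) PBOX000292: Insufficient method permissions [principal: org.picketlink.identity.federation.core.SerializablePrincipal@34e785b7, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(Test1,Test1@test.com,Testing,), run-as roles: null]
2015-05-04 20:15:16,091 DEBUG [org.jboss.security] (default task-2) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
2015-05-04 20:15:16,464 DEBUG [org.jboss.security] (default task-3) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBean, method: isGroupAdminUser, interface: Local, required roles: Roles(ROOT,ADMIN,USER,), principal roles: Roles(), run-as roles: null]
"""

# Fields of a PBOX000292 denial: the worker thread in parentheses, the caller
# principal (or the literal "null"), and the two comma-separated Roles(...) lists.
PBOX_RE = re.compile(
    r"\((?P<thread>[^)]+)\) PBOX000292: .*?principal: (?P<principal>[^,]+), "
    r".*?required roles: Roles\((?P<required>[^)]*)\), "
    r"principal roles: Roles\((?P<granted>[^)]*)\)"
)

def _roles(field):
    # "ROOT,ADMIN,USER," -> {"ROOT", "ADMIN", "USER"}; "" -> empty set
    return {r for r in field.split(",") if r}

def parse_denials(text):
    """One dict per PBOX000292 line: thread, principal (None for null), role sets."""
    entries = []
    for line in text.splitlines():
        m = PBOX_RE.search(line)
        if m:
            entries.append({
                "thread": m["thread"],
                "principal": None if m["principal"] == "null" else m["principal"],
                "required": _roles(m["required"]),
                "granted": _roles(m["granted"]),
            })
    return entries

def classify(entry):
    """'no-principal' when no identity reached the EJB; 'role-mismatch' when an
    identity was present but none of its roles is in the required set."""
    if entry["principal"] is None:
        return "no-principal"
    return "role-match" if entry["required"] & entry["granted"] else "role-mismatch"

def summarize(text):
    """Denial classes counted per thread, e.g. {'default task-2': {'no-principal': 1}}."""
    summary = defaultdict(lambda: defaultdict(int))
    for e in parse_denials(text):
        summary[e["thread"]][classify(e)] += 1
    return {t: dict(c) for t, c in summary.items()}
```

Run `summarize()` over a full server.log to see at a glance which worker threads never received a propagated principal and which were denied despite carrying one.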