-
Notifications
You must be signed in to change notification settings - Fork 43
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Java EE Security alignment #238
Comments
@glassfishrobot Commented |
@glassfishrobot Commented |
@glassfishrobot Commented |
@glassfishrobot Commented The answer is No. I only need call proprietary API to workaround the problem because spec doesn't cover Websocket vs CDI/EJB integration. Containers should care about websocket integration with Java EE, not the implementations (Tyrus / Undertow). |
@glassfishrobot Commented |
@glassfishrobot Commented I have a test case attached with the issue. |
@glassfishrobot Commented
Note that JAAS is not the universal Java EE security framework. In fact, almost nothing in Java EE refers to JAAS, which is itself a Java SE framework from which Java EE only uses a minimal number of types. What you're probably looking for here is the integration of WebSocket with the native security internals of Servlet, EJB and JCA, such that the authenticated identity (the native, vendor specific implementation of it) propagates to WebSocklet. Servlet, EJB and JCA may use something JAAS based for the initial authentication, but there is no requirement for that and its just an implementation detail. JASPIC does define a bridge profile for JAAS LoginModules, but that is fully optional. As we're planning to define a (injectable) SecurityContext in the Java EE security EG that is intended to be used "everywhere", it would be great if we could somehow include WebSockets here. One thing to take into account here is that establishing an authenticated identity is only really specified for Servlet and SOAP, and is primarily per request. The authentication mechanism (e.g FORM or BASIC) has to be aware of the session. In other words, the authenticated identity doesn't automatically stick to the HTTP session. |
@glassfishrobot Commented |
|
A Websocket call from a properly-authenticated user should be able to call a secured EJB. The spec does say that Websockets is built off of the "Servlet defined security mechanism" in 8.1 and 8.2. When I define a security-constraint for my Servlet with a role and a Basic login-config, my identity is propagated to the EJBs. However, when I define an identical security-constraint for my Websocket, the identity is not propagated to the EJB, although I do get a password challenge. I think the identity should survive the initial upgrade and carry over to all subsequent post-open calls. My Servlet and Websocket observations have been on WildFly. |
Once upgraded you are no longer HTTP or within the scope of a Servlet, so there's that to contend with. |
Are these the only options for using EJBs with Websockets?
|
When this was originally discussed in the WebSocket EG the concern was that the life cycle of the HTTP session was separate from that of the WebSocket session. What if the app expires the HTTP session? What impact does that have on any authenticated identity in WebSocket? Does termination of the HTTP session imply termination of the WebSocket session? And so on. There didn't seem to be a solution that was appropriate for all use cases.
In terms of implementation my expectation is that the WebSocket retains a copy of the HTTP session ID, looks up the HTTP session on a call to |
I don't like the idea of polluting the client Session with server / servlet specific concepts. Perhaps a new Since these are very "Servlet" specific, would it make sense to have a Alternatively we could have In Eclipse Jetty we have the following exposed (currently) in the websocket api:
With a |
Good point re the client |
#219 also requested |
Is anything being done in JakartaEE 9 to resolve this issue? It has recently come up again in a question in stackoverflow. |
|
I was speaking specifically about the initial post in this issue referring to calling ejbs on web socket method calls. |
Issue #197 would need to be solved for that. The current problem has to do with scope, as in websocket connection scope, it's length (in time) complicates a lot of things. |
and now, when I am reading is we have this issue 5 years open and the other 7 years. |
@VGerris HTTP overlaps with WebSocket only during the handshake. So that means all behaviors that come from HTTP (be it Authentication, Authorization, Cookies, HttpSession, etc) can only apply during the WebSocket Handshake. Once you are upgraded fully into WebSocket, there's no longer any "live" information from HTTP.
To fix the behaviors on HttpSession would require a dramatic change on the Servlet spec for HttpSession, likely rendering the HttpSession API no longer backward compatible with older versions of the Servlet spec. The HttpSession would essentially have to be a "live" object where changes from other threads would need to be represented in the HttpSession object whereever it may be. This is very problematic for clustered environments, and it one of the reasons this isn't done currently. I question if we would even still be able to use the standard In short, this is not an easy thing to fix, to support what you are looking for would requires changes in a half dozen or more Jakarta EE specs outside of WebSocket, and those change would be dramatic. |
Thank you for the quick reply. I have found some posts on StackOverflow from you too I think, thanks for that. |
While I completely understand the argument for HttpSession, I don't see it for ServletContext. ServletContext and ServerContainer represent essentially the same thing when run in an engine that supports both. The ServletContext is responsible for loading the classes implementing my WebSocket Endpoints, and I can get a reference for the WebSocketContainer from the ServletContext by calling What I can't do is get a reference from the There are obviously ways around this, but they shouldn't be necessary. The addition of a |
The The HTTP/1.1 upgrade to websocket is the overlap with the Servlet world. From To me, where we are now is a historical side effect of how the Servlet spec was written. Meanwhile, the JSP spec comes along and identifies a hierarchy of the behaviors in the servlet context, creating a few JSP scopes: application, session, request. page. Next, CDI comes along and identifies a few scopes on the servlet spec (application, session, request, etc) for it's own purposes. Now you have WebSocket, which is very long lived. Note: I've seen folks have some success with the websocket authn/authz angle by controlling things on the non-websocket components (like the chat component, or data component, or pubsub component, etc), tossing exceptions when the authn/authz changes in specific ways (rejecting the action that the websocket message triggered) so that the websocket component can identify when to start the websocket close handshake. Don't ask me how they did that, I'm just aware that they solved their issue in this general way. There is a lot of people interested, a few aborted starts, and a realization that its going to take a significant effort on the parts of many people, and jakarta specs, to pull off successfully. Stay tuned, it will likely happen, and this specific issue (focused on just the security angle) is just one small part of the bigger picture to make it happen. |
In JavaEE 7 we have some security problems with WebSocket.
An authenticated session, with a valid Session.getUserPrincipal()
doesn't authenticates in the container on websocket events, so EJB / CDI calls are unauthenticated.
I've tested with WildFly 8.2.0 and GlassFish 4.1, with a sample app
which calls EJB methods from @onopen, @onclose and @OnMessage.
Although we can workaround these issues with interceptors and vendor
specific security managers, it's a common use case for JavaEE applications and an important requirement for cloud/SaaS applications.
I've created an open-source library to get workaround these problems in
JBoss/WildFly. It's called "JBoss Security Extended" and is available on maven central with GAV "com.github.panga:jboss-security-extended:1.0.0".
Library source and docs:
https://github.com/panga/jboss-security-extended
WebSocket sample app source using library:
https://github.com/panga/websocket-auth
The text was updated successfully, but these errors were encountered: