[WFLY-8414] Update EJBComponent.getCallerPrincipal() so that the Anon…

…ymousPrincipal is returned when called from an unsecured EJB in an Elytron deployment

ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponent.java

@@ -135,6 +135,7 @@ public Principal run() {
     private final boolean enableJacc;
     private SecurityIdentity incomingRunAsIdentity;
     private final Function<SecurityIdentity, Set<SecurityIdentity>> identityOutflowFunction;
+    private final boolean securityRequired;
 
     /**
      * Construct a new instance.
@@ -191,6 +192,7 @@ protected EJBComponent(final EJBComponentCreateService ejbComponentCreateService
         this.enableJacc = ejbComponentCreateService.isEnableJacc();
         this.incomingRunAsIdentity = null;
         this.identityOutflowFunction = ejbComponentCreateService.getIdentityOutflowFunction();
+        this.securityRequired = ejbComponentCreateService.isSecurityRequired();
     }
 
     protected <T> T createViewInstanceProxy(final Class<T> viewInterface, final Map<Object, Object> contextData) {
@@ -275,7 +277,7 @@ public ApplicationExceptionDetails getApplicationException(Class<?> exceptionCla
 
     public Principal getCallerPrincipal() {
         if (isSecurityDomainKnown()) {
-            return (incomingRunAsIdentity == null) ? securityDomain.getCurrentSecurityIdentity().getPrincipal() : incomingRunAsIdentity.getPrincipal();
+            return getCallerSecurityIdentity().getPrincipal();
         } else if (WildFlySecurityManager.isChecking()) {
             return WildFlySecurityManager.doUnchecked(getCaller);
         } else {
@@ -634,7 +636,14 @@ private boolean checkCallerSecurityIdentityRole(String roleName) {
     }
 
     private SecurityIdentity getCallerSecurityIdentity() {
-        return (incomingRunAsIdentity == null) ? securityDomain.getCurrentSecurityIdentity() : incomingRunAsIdentity;
+        if (incomingRunAsIdentity != null) {
+            return incomingRunAsIdentity;
+        } else if (securityRequired) {
+            return securityDomain.getCurrentSecurityIdentity();
+        } else {
+            // unsecured EJB
+            return securityDomain.getAnonymousSecurityIdentity();
+        }
     }
 
     public EJBSuspendHandlerService getEjbSuspendHandlerService() {

ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponentCreateService.java

@@ -110,6 +110,8 @@ public class EJBComponentCreateService extends BasicComponentCreateService {
 
     private final ShutDownInterceptorFactory shutDownInterceptorFactory;
 
+    private final boolean securityRequired;
+
     /**
      * Construct a new instance.
      *
@@ -208,6 +210,7 @@ public EJBComponentCreateService(final ComponentConfiguration componentConfigura
         this.moduleName = componentConfiguration.getModuleName();
         this.distinctName = componentConfiguration.getComponentDescription().getModuleDescription().getDistinctName();
         this.shutDownInterceptorFactory = ejbComponentDescription.getShutDownInterceptorFactory();
+        this.securityRequired = ejbComponentDescription.isSecurityRequired();
     }
 
     @Override
@@ -417,4 +420,8 @@ public Function getIdentityOutflowFunction() {
     public ShutDownInterceptorFactory getShutDownInterceptorFactory() {
         return shutDownInterceptorFactory;
     }
+
+    public boolean isSecurityRequired() {
+        return securityRequired;
+    }
 }

ejb3/src/main/java/org/jboss/as/ejb3/component/EJBComponentDescription.java

@@ -277,6 +277,8 @@ public abstract class EJBComponentDescription extends ComponentDescription {
 
     private BooleanSupplier outflowSecurityDomainsConfigured;
 
+    private boolean securityRequired;
+
     /**
      * Construct a new instance.
      *
@@ -345,11 +347,13 @@ public void configure(final DeploymentPhaseContext context, final ComponentDescr
                     configuration.addTimeoutViewInterceptor(configuration.getNamespaceContextInterceptorFactory(), InterceptorOrder.View.JNDI_NAMESPACE_INTERCEPTOR);
                     configuration.addTimeoutViewInterceptor(CurrentInvocationContextInterceptor.FACTORY, InterceptorOrder.View.INVOCATION_CONTEXT_INTERCEPTOR);
                     EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) description;
+                    final boolean securityRequired = hasBeanLevelSecurityMetadata();
+                    ejbComponentDescription.setSecurityRequired(securityRequired);
                     if (ejbComponentDescription.isSecurityDomainKnown()) {
                         final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = getElytronInterceptorFactories(policyContextID, ejbComponentDescription.isEnableJacc());
                         elytronInterceptorFactories.forEach((priority, elytronInterceptorFactory) -> configuration.addTimeoutViewInterceptor(elytronInterceptorFactory, priority));
                     } else if (deploymentUnit.hasAttachment(SecurityAttachments.SECURITY_ENABLED)) {
-                        configuration.addTimeoutViewInterceptor(new SecurityContextInterceptorFactory(hasBeanLevelSecurityMetadata(), policyContextID), InterceptorOrder.View.SECURITY_CONTEXT);
+                        configuration.addTimeoutViewInterceptor(new SecurityContextInterceptorFactory(securityRequired, policyContextID), InterceptorOrder.View.SECURITY_CONTEXT);
                     }
                     final Set<Method> classMethods = configuration.getClassIndex().getClassMethods();
                     for (final Method method : classMethods) {
@@ -1188,4 +1192,13 @@ public HashMap<Integer, InterceptorFactory> getElytronInterceptorFactories(Strin
 
         return interceptorFactories;
     }
+
+    public void setSecurityRequired(final boolean securityRequired) {
+        this.securityRequired = securityRequired;
+    }
+
+    public boolean isSecurityRequired() {
+        return securityRequired;
+    }
+
 }

ejb3/src/main/java/org/jboss/as/ejb3/component/singleton/SingletonComponentDescription.java

@@ -123,11 +123,13 @@ public void configure(final DeploymentPhaseContext context, final ComponentDescr
                             contextID = deploymentUnit.getParent().getName() + "!" + contextID;
                         }
                         EJBComponentDescription ejbComponentDescription = (EJBComponentDescription) description;
+                        final boolean securityRequired = isExplicitSecurityDomainConfigured();
+                        ejbComponentDescription.setSecurityRequired(securityRequired);
                         if (isSecurityDomainKnown()) {
                             final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = getElytronInterceptorFactories(contextID, ejbComponentDescription.isEnableJacc());
                             elytronInterceptorFactories.forEach((priority, elytronInterceptorFactory) -> configuration.addPostConstructInterceptor(elytronInterceptorFactory, priority));
                         } else {
-                            configuration.addPostConstructInterceptor(new SecurityContextInterceptorFactory(isExplicitSecurityDomainConfigured(), false, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
+                            configuration.addPostConstructInterceptor(new SecurityContextInterceptorFactory(securityRequired, false, contextID), InterceptorOrder.View.SECURITY_CONTEXT);
                         }
                     }
                 });

ejb3/src/main/java/org/jboss/as/ejb3/security/EJBSecurityViewConfigurator.java

@@ -140,6 +140,7 @@ public void configure(DeploymentPhaseContext context, ComponentConfiguration com
         }
 
         final boolean securityRequired = beanHasMethodLevelSecurityMetadata || ejbComponentDescription.hasBeanLevelSecurityMetadata();
+        ejbComponentDescription.setSecurityRequired(securityRequired);
         // setup the security context interceptor
         if (isSecurityDomainKnown) {
             final HashMap<Integer, InterceptorFactory> elytronInterceptorFactories = ejbComponentDescription.getElytronInterceptorFactories(contextID, ejbComponentDescription.isEnableJacc());