I have an EAR that contains a WAR within. A JAAS-based security domain is configured for the EAR (inside jboss-app.xml) and a JASPIC-based one for the WAR (inside jboss-web.xml). The EAR contains EJBs that I wanted to be protected using JAAS. The WAR was added recently to provide JAX-RS endpoints for the EJBs, for which I have a JASPIC mechanism implemented. This setup works as expected with Weblogic 12c, but I am getting the following error with JBoss EAP.
19:59:41,914 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component CommonService for method public abstract boolean com.abc.xyz.method1(com.abc.xyz.UserVO) throws java.rmi.RemoteException: javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
    at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:44)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:66)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
    at org.jboss.as.ejb3.component.interceptors.EjbExceptionTransformingInterceptorFactories$1.processInvocation(EjbExceptionTransformingInterceptorFactories.java:75)
I think that even though the JASPIC authentication was successful, the SecurityContextInterceptor couldn't recognise it or did not get the right principals. Also, one important observation that came out while debugging is that my JAAS login module gets invoked and fails, as credentials are not available to it.
The JBoss descriptors used in the EAR are given below.
jboss-app.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss-app PUBLIC "-//JBoss//DTD J2EE Application 4.2//EN" "http://www.jboss.org/j2ee/dtd/jboss-app_4_2.dtd">
<jboss-app>
    <security-domain>AppClient</security-domain>
</jboss-app>
jboss-web.xml
<jboss-web version="10.0"
           xmlns="http://www.jboss.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_10_0.xsd">
    <security-domain>jaspitest</security-domain>
</jboss-web>
I have already tried the work-around in the SAM mentioned @ Jaspic module not propagating principal to local EJB in JBoss 7.4, but it didn't make any difference. Any help on debugging and fixing this is greatly appreciated.