Description
Having a PicketLink STS application and an application with an EJB secured by SAML2STSLoginModule, when an EJB client invokes the EJB using a SAML token (obtained from the STS) as credentials, the request fails with:
DEBUG [org.jboss.security] (default task-7) PBOX00206: Login failure: javax.security.auth.login.LoginException: Error handling callback.
    at org.picketlink.common.DefaultPicketLinkLogger.authErrorHandlingCallback(DefaultPicketLinkLogger.java:1729)
    at org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSCommonLoginModule.login(SAML2STSCommonLoginModule.java:329)
    ...
Caused by: javax.security.auth.login.LoginException: PL00095: Wrong type:SAML2STSLoginModule: Shared credential is not a SAML credential. Got org.jboss.as.security.remoting.RemotingConnectionCredential
    at org.picketlink.common.DefaultPicketLinkLogger.authSharedCredentialIsNotSAMLCredential(DefaultPicketLinkLogger.java:1708)
    at org.picketlink.identity.federation.bindings.jboss.auth.SAML2STSCommonLoginModule.login(SAML2STSCommonLoginModule.java:324)
    ... 48 more
ERROR [org.jboss.as.ejb3.invocation] (default task-7) WFLYEJB0034: EJB Invocation failed on component SecuredEjbBean for method public abstract java.lang.String org.picketlink.test.eap.deployment.sts.client.ejb.SecuredEjb.echoRoleFromStsNeeded(java.lang.String): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
    at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
    ...
Regression against EAP 7.0. Setting priority to Blocker.
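To make the PL00095 failure shape concrete, the following is an added, self-contained JAAS illustration; it is not PicketLink or EAP code. A first login module publishes whatever credential it received under the password-stacking shared-state key, and a second, SAML-only module configured to reuse that shared credential rejects it when the object is not a SAML credential, which is what the stack trace above reports for org.jboss.as.security.remoting.RemotingConnectionCredential. The shared-state key "javax.security.auth.login.password" is the JBoss login-module convention and is an assumption here; RemotingCredential and SamlCredential are stand-in classes, and passing the credential through the module options instead of a CallbackHandler is a test shortcut.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

/** Illustration only: reproduces the shared-credential type check, not PicketLink's own code. */
public class SharedCredentialDemo {
    /** Shared-state key JBoss-style modules use for the stacked credential (assumption). */
    static final String PASSWORD_KEY = "javax.security.auth.login.password";

    /** Stand-in for the credential the EJB remoting layer supplies (assumed shape). */
    public static final class RemotingCredential { }

    /** Stand-in for a SAML credential carrying an assertion (assumed shape). */
    public static final class SamlCredential {
        final String assertionXml;
        SamlCredential(String assertionXml) { this.assertionXml = assertionXml; }
    }

    /** First module in the stack: hands its credential to later modules via shared state. */
    public static class FirstModule implements LoginModule {
        private Map<String, Object> shared;
        private Object credential;

        @Override @SuppressWarnings("unchecked")
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            this.shared = (Map<String, Object>) sharedState;
            // A real module obtains this from the CallbackHandler; here it arrives via options.
            this.credential = options.get("credential");
        }
        @Override public boolean login() { shared.put(PASSWORD_KEY, credential); return true; }
        @Override public boolean commit() { return true; }
        @Override public boolean abort()  { return true; }
        @Override public boolean logout() { return true; }
    }

    /** Second module: mirrors a SAML-only module that reuses the shared credential. */
    public static class SamlOnlyModule implements LoginModule {
        private Map<String, ?> shared;

        @Override
        public void initialize(Subject s, CallbackHandler h, Map<String, ?> sharedState, Map<String, ?> options) {
            this.shared = sharedState;
        }
        @Override public boolean login() throws LoginException {
            Object cred = shared.get(PASSWORD_KEY);
            if (!(cred instanceof SamlCredential)) {
                // Same condition the PL00095 message describes: wrong credential type in shared state.
                throw new LoginException("Shared credential is not a SAML credential. Got "
                        + (cred == null ? "null" : cred.getClass().getName()));
            }
            // A real module would validate the assertion against the STS at this point.
            return true;
        }
        @Override public boolean commit() { return true; }
        @Override public boolean abort()  { return true; }
        @Override public boolean logout() { return true; }
    }

    /** Builds the two-module stack programmatically, so no login.config file is needed. */
    static Configuration stack(final Object credential) {
        return new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                Map<String, Object> firstOpts = new HashMap<>();
                firstOpts.put("credential", credential);
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry(FirstModule.class.getName(),
                            LoginModuleControlFlag.REQUIRED, firstOpts),
                    new AppConfigurationEntry(SamlOnlyModule.class.getName(),
                            LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()),
                };
            }
        };
    }

    /** Runs the stack with the given credential and reports the outcome. */
    static String attempt(Object credential) {
        try {
            CallbackHandler noop = callbacks -> { };
            new LoginContext("demo", new Subject(), noop, stack(credential)).login();
            return "login OK";
        } catch (LoginException e) {
            return "login FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Non-SAML credential in shared state: rejected, as in the report.
        System.out.println(attempt(new RemotingCredential()));
        // SAML credential in shared state: accepted.
        System.out.println(attempt(new SamlCredential("<saml:Assertion .../>")));
    }
}
```

Running the class prints one failed and one successful attempt. The practical check this suggests when debugging a stack like the one above is to confirm which module or layer is populating the shared credential before the SAML module runs, and what type it places there, since the SAML module only inspects the object under the shared-state key and does not consult the SAML token the EJB client sent unless that token is what ends up there.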