- Bug
- Resolution: Done
- Major
- 7.3.0.GA
- None
For EJB over remote+http / http-remoting, removing the security-realm from the http-connector disables security and allows any remote client to connect to the endpoint without authenticating.
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
</subsystem>
For EJB over Http it goes over the http-invoker in undertow, removing the ApplicationRealm
<subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
    ...
        <host name="default-host" alias="localhost">
            <location name="/" handler="welcome-content"/>
            <http-invoker security-realm="ApplicationRealm"/>
        </host>
    </server>
It fails with:
18:10:16,660 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component Hello for method public abstract java.lang.String com.jboss.examples.ejb.Hello.sayHello(java.lang.String): java.lang.IllegalArgumentException: Parameter 'identity' may not be null
    at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:71)
    at org.wildfly.common.Assert.checkNotNullParam(Assert.java:49)
    at org.wildfly.security.auth.server.SecurityDomain.forIdentity(SecurityDomain.java:187)
    at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:313)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.run(SecurityContextInterceptor.java:52)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.run(SecurityContextInterceptor.java:49)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
    at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:556)
    at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:537)
    at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest(AssociationImpl.java:195)
    at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
    at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
    at java.lang.Thread.run(Thread.java:748)
- clones
  - WFLY-13381 Unable to disable security on EJB over Http endpoint (Closed)
- is cloned by
  - JBEAP-16383 [GSS](7.2.z) WFLY-13381 - Unable to disable security on EJB over Http endpoint (Closed)
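
A configuration audit for the two endpoints described in this issue, as an added example that is not part of the original report or of the WildFly / JBoss EAP code base: it parses a server configuration and lists every http-connector and http-invoker that has no authentication source bound. The sample XML and the function name are constructed for illustration; besides the security-realm attribute shown above, the check also accepts the Elytron attributes sasl-authentication-factory and http-authentication-factory, which do not appear on this page.

```python
import xml.etree.ElementTree as ET

# Attributes that bind an endpoint to an authentication source.
# security-realm is the one shown in the issue; the *-authentication-factory
# attributes are the Elytron equivalents (not shown in the issue).
AUTH_ATTRS = {
    "http-connector": ("security-realm", "sasl-authentication-factory"),
    "http-invoker": ("security-realm", "http-authentication-factory"),
}

# Constructed sample: realm removed from the remoting connector,
# still present on the Undertow http-invoker.
SAMPLE = """<server>
  <subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <http-connector name="http-remoting-connector" connector-ref="default"/>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server">
    <server name="default-server">
      <host name="default-host" alias="localhost">
        <http-invoker security-realm="ApplicationRealm"/>
      </host>
    </server>
  </subsystem>
</server>"""


def find_unauthenticated_endpoints(xml_text):
    """Return (element, label) pairs for endpoints with no auth source set."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        # Match on the local name so any subsystem schema version is covered.
        name = elem.tag.rsplit("}", 1)[-1]
        attrs = AUTH_ATTRS.get(name)
        if attrs is None:
            continue
        # An empty or whitespace-only value is treated the same as a missing one.
        if any(elem.get(a, "").strip() for a in attrs):
            continue
        # http-invoker has no name of its own; label it with its enclosing host.
        label = elem.get("name") or parents[elem].get("name", "(unnamed)")
        findings.append((name, label))
    return findings


if __name__ == "__main__":
    for element, label in find_unauthenticated_endpoints(SAMPLE):
        print(f"no authentication source on <{element}> ({label})")
```
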