JBoss Enterprise Application Platform / JBEAP-8970

EJB client is unable to invoke beans secured by Elytron


      The client always gets the "invocation is not allowed" error.

      TRACE logs:

      17:17:01,075 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback
      17:17:01,077 TRACE [org.wildfly.security] (default I/O-5) Handling MechanismInformationCallback
      17:17:01,078 TRACE [org.wildfly.security] (default I/O-5) Handling AvailableRealmsCallback: realms = [ApplicationRealm]
      17:17:01,300 TRACE [org.wildfly.security] (default task-2) Handling RealmCallback: selected = [ApplicationRealm]
      17:17:01,300 TRACE [org.wildfly.security] (default task-2) Handling NameCallback: authenticationName = joe
      17:17:01,301 TRACE [org.wildfly.security] (default task-2) Principal assigning: [joe], pre-realm rewritten: [joe], realm name: [ApplicationRealm], post realm rewritten: [joe], realm rewritten: [joe]
      17:17:01,309 TRACE [org.wildfly.security] (default task-2) Handling CredentialCallback: obtained successfully
      17:17:01,311 TRACE [org.wildfly.security] (default task-2) Role mapping: principal [joe] -> decoded roles [users] -> realm mapped roles [users] -> domain mapped roles [users]
      17:17:01,311 TRACE [org.wildfly.security] (default task-2) Authorizing principal joe.
      17:17:01,312 TRACE [org.wildfly.security] (default task-2) Authorizing against the following attributes: [groups] => [users]
      17:17:01,313 TRACE [org.wildfly.security] (default task-2) Permission mapping: identity [joe] with roles [users] implies ("org.wildfly.security.auth.permission.LoginPermission" "") = true
      17:17:01,326 TRACE [org.wildfly.security] (default task-2) Authorization succeed
      17:17:01,329 TRACE [org.wildfly.security] (default task-2) RunAs authorization succeed - the same identity
      17:17:01,329 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = joe  authorizationID = joe  authorized = true
      17:17:01,329 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed
      17:17:01,332 TRACE [org.wildfly.security] (default task-2) Handling SecurityIdentityCallback: identity = org.wildfly.security.auth.server.SecurityIdentity@719b1c62
      17:17:01,543 TRACE [org.wildfly.security] (default task-6) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
      17:17:01,544 ERROR [org.jboss.as.ejb3.invocation] (default task-6) WFLYEJB0034: EJB Invocation failed on component HelloBean for method public abstract java.lang.String ejb.HelloBeanRemote.hello(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.lang.String ejb.HelloBeanRemote.hello() of bean: HelloBean is not allowed
      

      From the log it looks like the DIGEST authentication succeeds and the client is linked to a principal, but at 17:17:01,543 the principal is lost and the EJB is invoked as anonymous, which fails.

      Attaching a project which reproduces this.

        1. standalone-elytron.xml (26 kB, Jan Martiska)

              fjuma1@redhat.com Farah Juma
              jmartisk@redhat.com Jan Martiska
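A triage sketch for the pattern described in this report, added here as an example and not part of the original issue or of the WildFly/EAP code base: it scans an Elytron TRACE log for an EJB invocation denied as anonymous after a successful SASL authorization. The function name find_identity_loss is hypothetical, and because the authentication and the invocation run on different threads in the log above, it correlates by log order, which assumes the log covers a single client session.

```python
import re

# Lines copied from the TRACE output in this report (trimmed to the relevant ones).
SAMPLE_LOG = """\
17:17:01,329 TRACE [org.wildfly.security] (default task-2) Handling AuthorizeCallback: authenticationID = joe  authorizationID = joe  authorized = true
17:17:01,329 TRACE [org.wildfly.security] (default task-2) Handling AuthenticationCompleteCallback: succeed
17:17:01,543 TRACE [org.wildfly.security] (default task-6) Role mapping: principal [anonymous] -> decoded roles [] -> realm mapped roles [] -> domain mapped roles []
17:17:01,544 ERROR [org.jboss.as.ejb3.invocation] (default task-6) WFLYEJB0034: EJB Invocation failed on component HelloBean for method public abstract java.lang.String ejb.HelloBeanRemote.hello(): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract java.lang.String ejb.HelloBeanRemote.hello() of bean: HelloBean is not allowed
"""

LINE = re.compile(r"^\s*(?P<ts>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>\w+)\s+"
                  r"\[(?P<cat>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$")
AUTHZ = re.compile(r"AuthorizeCallback: authenticationID = (\S+)\s+"
                   r"authorizationID = (\S+)\s+authorized = true")
ROLEMAP = re.compile(r"Role mapping: principal \[([^\]]*)\]")
DENIED = re.compile(r"WFLYEJB0364: .* of bean: (\S+) is not allowed")

def find_identity_loss(log_text):
    """Return one finding per EJB call denied as anonymous after a successful login."""
    last_auth = None   # (timestamp, authorization ID) of the latest successful authorization
    mapped = {}        # thread name -> principal from the latest role-mapping line on it
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue   # skip stack traces and other continuation lines
        msg, thread = m["msg"], m["thread"]
        if a := AUTHZ.search(msg):
            last_auth = (m["ts"], a.group(2))
        elif r := ROLEMAP.search(msg):
            mapped[thread] = r.group(1)
        elif (d := DENIED.search(msg)) and mapped.get(thread) == "anonymous" and last_auth:
            # Assumption: single client session, so the latest login belongs to this call.
            findings.append({"denied_at": m["ts"], "bean": d.group(1), "thread": thread,
                             "invoked_as": "anonymous",
                             "authenticated_as": last_auth[1],
                             "authenticated_at": last_auth[0]})
    return findings

if __name__ == "__main__":
    for finding in find_identity_loss(SAMPLE_LOG):
        print(finding)
```

A non-empty result means the denial is not a role-mapping problem for the authenticated user: the identity established on the connection did not reach the invocation.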