Description
When MP-JWT is activated for a WAR using `@LoginConfig`, the security context is correctly set in the JAX-RS container and `@RolesAllowed` annotations can be used to protect resources.
However, if the WAR is part of an EAR, the context is not propagated to a sibling EJB subdeployment.
I have a test case on GitHub that compares the principal name from the JAX-RS SecurityContext, an EJB Stateless bean SessionContext, and the JACC PolicyContext subject principal. Only the JAX-RS context within the WAR deployment contains the JsonWebToken, while an "anonymous" subject is returned from within the EJB.
The JsonWebToken is correctly provided by CDI in the EJB submodule as well, though, and claims can be injected correctly. However, `@RolesAllowed` annotations don't work.
Following the reproduction steps, I obtain:

    {
      "jaxRsUser": "admin",
      "jaxRsAdmin": true,
      "ejbServiceUser": "anonymous - SimplePrincipal",
      "ejbServiceAdmin": false,
      "ejbServiceJwtGroupsClaim": [ "admin", "offline_access", "uma_authorization", "user" ],
      "ejbServiceJaccSubjectName": "No principal found"
    }

using WildFly 20, 21, or 22.
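An added reproducer sketch (not the reporter's GitHub test case) showing the three caller lookups the description compares, the JAX-RS SecurityContext, the EJB SessionContext and the JACC subject, across the WAR and a sibling EJB module of one EAR; class, method and path names are hypothetical.

```java
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.*;
import javax.inject.Inject;
import javax.security.auth.Subject;
import javax.security.jacc.PolicyContext;
import javax.ws.rs.*;
import javax.ws.rs.core.*;
import org.eclipse.microprofile.auth.LoginConfig;
import org.eclipse.microprofile.jwt.JsonWebToken;
import java.util.*;

// WAR module: activates MP-JWT authentication for the web deployment.
@LoginConfig(authMethod = "MP-JWT")
public class JwtApplication extends Application {}

// EJB module (sibling subdeployment of the same EAR). Shown in one listing for
// brevity; each public class belongs in its own source file and module.
@Stateless
public class WhoAmIBean {
    @Resource SessionContext ctx;
    @Inject JsonWebToken jwt;   // CDI injection of the token works here regardless

    @PermitAll
    public Map<String, Object> whoAmI() throws Exception {
        Map<String, Object> r = new LinkedHashMap<>();
        r.put("ejbServiceUser", ctx.getCallerPrincipal().getName());
        r.put("ejbServiceAdmin", ctx.isCallerInRole("admin"));
        r.put("ejbServiceJwtGroupsClaim", jwt.getGroups());
        Subject s = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
        r.put("ejbServiceJaccSubjectName", s == null || s.getPrincipals().isEmpty()
                ? "No principal found" : s.getPrincipals().iterator().next().getName());
        return r;
    }
}
// WAR module: JAX-RS resource; @RolesAllowed is enforced here because the WAR's
// container context carries the JsonWebToken principal.
@Path("/whoami")
public class WhoAmIResource {
    @EJB WhoAmIBean bean;
    @GET @Produces("application/json") @RolesAllowed("admin")
    public Map<String, Object> get(@Context SecurityContext sc) throws Exception {
        Map<String, Object> r = new LinkedHashMap<>();
        r.put("jaxRsUser", sc.getUserPrincipal().getName());
        r.put("jaxRsAdmin", sc.isUserInRole("admin"));
        r.putAll(bean.whoAmI());
        return r;
    }
}
```

With the WAR and EJB module deployed together in an EAR, a GET with a valid bearer token yields a map in the same shape as the output above, and a mismatch between the `jaxRs*` and `ejbService*` entries is the propagation gap being reported.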
I found the resolved issue WFLY-13319.