Why does the JASPI authentication module fail to propagate the principal from the web layer to the EJB layer in JBoss EAP 6?
Issue
I have a custom JSR-196 module that basically delegates to a service that delegates roles to an OAuth "grants" call.
It does work from a servlet: request.getUserPrincipal() works fine.
It does not propagate to local EJB calls, where SessionContext.getCallerPrincipal() returns a SimplePrincipal with "anonymous" instead of the expected username / roles.
MycompanyPrincipal is a simple class, with a simple getName() and some custom properties.
It seems that SubjectInfo.getAuthenticatedSubject() has no principal.
Here is where I define my security domain in standalone.xml:
<security-domain name="mycompany" cache-type="default">
    <authentication-jaspi>
        <login-module-stack name="lm-stack">
            <login-module code="UsersRoles" flag="required">
                <module-option name="usersProperties" value="../standalone/configuration/jaspi-users.properties"/>
                <module-option name="rolesProperties" value="../standalone/configuration/jaspi-roles.properties"/>
            </login-module>
        </login-module-stack>
        <auth-module code="be.mycompany.api.authentication.jaspi.MycompanyAuthModule" flag="required" login-module-stack-ref="lm-stack"/>
    </authentication-jaspi>
</security-domain>
And here is my jboss-web.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <context-root>myapp</context-root>
    <security-domain>mycompany</security-domain>
    <valve>
        <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>
    </valve>
</jboss-web>
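Added example, not the customer's MycompanyAuthModule: a JSR-196 ServerAuthModule skeleton showing the CallerPrincipalCallback / GroupPrincipalCallback hand-off through which a JASPI module conveys the caller principal and its roles into the container-managed client Subject, which is the Subject the issue above reports as empty, so the first thing to verify in a module that authenticates fine in the servlet but shows "anonymous" further in. ExampleAuthModule, GrantsService, Grants, the Authorization header and a MycompanyPrincipal(String) constructor are assumptions standing in for the customer's OAuth delegate.

```java
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ExampleAuthModule implements ServerAuthModule {
    private CallbackHandler handler; // container-supplied; it populates clientSubject

    @Override public void initialize(MessagePolicy req, MessagePolicy resp,
                                     CallbackHandler handler, Map options) {
        this.handler = handler;
    }

    @Override
    public AuthStatus validateRequest(MessageInfo messageInfo, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) messageInfo.getRequestMessage();
        // GrantsService and Grants are placeholders for the OAuth "grants" delegate;
        // Grants.getRoles() is assumed to return a String[] of role names.
        Grants grants = GrantsService.lookup(request.getHeader("Authorization"));
        if (grants == null) {
            return AuthStatus.SEND_FAILURE; // no identity established for this request
        }
        Principal caller = new MycompanyPrincipal(grants.getUsername());
        try {
            // Hand the caller and its roles to the container; this is what fills the
            // authenticated Subject that the web layer and the EJB layer later consult.
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, caller),
                new GroupPrincipalCallback(clientSubject, grants.getRoles())
            });
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
        if (clientSubject.getPrincipals().isEmpty()) {
            throw new AuthException("callback handler did not populate the client Subject");
        }
        return AuthStatus.SUCCESS;
    }

    @Override public AuthStatus secureResponse(MessageInfo mi, Subject s) { return AuthStatus.SEND_SUCCESS; }
    @Override public void cleanSubject(MessageInfo mi, Subject s) { s.getPrincipals().clear(); }
    @Override public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }
}
```

The explicit isEmpty() check after the callbacks turns a silently empty Subject into a failed request, which is easier to spot in the server log than an "anonymous" caller at the EJB boundary.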
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 6.x