Why does my web application get an Invalid User exception from the EJB layer after the user's JAAS cache entry has timed out in JBoss?

Solution Unverified - Updated -

Issue

  • Why does my web application get an Invalid User exception from the EJB layer after the user's JAAS cache entry has timed out in JBoss?
  • JBoss Negotiation (SPNEGO authentication) is used by the web application for user authentication. This setup works well except in one situation: if the user does not hit the web application until after their JAAS cache entry has timed out (>30 minutes), the EJB layer generates a "javax.ejb.EJBAccessException: Invalid User" exception:
09:13:45,570 ERROR [[HelloServlet]] Servlet.service() for servlet HelloServlet threw exception
javax.ejb.EJBAccessException: Invalid User
        at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:161)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
        at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
        at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
        at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
  • User changed their password while logged in. Later a failure occurred at the EJB layer of our application, not the web layer.

  • There is an application deployed in JBoss EAP 6 that consists of an EJB JAR as well as a WAR, which uses a security domain configured with a combination of SPNEGOLoginModule and LDAPLoginModule. Getting into the application works just fine, but each call that a JSF backing bean makes to one of the secured EJBs (@RolesAllowed) causes the application to throw "EJBAccessException: Invalid User".

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 5.x
    • 6.x
  • JBoss Negotiation
