EJBAccessException ... WFLYEJB0364: Invocation on ... is not allowed: authorization issue when a client calling a clustered EJB tries to use the local-receiver
Issue
- We have an EJB secured with @SecurityDomain and @RolesAllowed that is deployed in a cluster, and a client running on node1 that invokes the EJB. Because invocations are load balanced, the client calls node1, node2, and so on. If the client specifies node1's host:port (i.e. localhost:8080), it calls node1, then node1 again, and then fails with the exception below. If the client on node1 specifies node2 (localhost:8180), it invokes node2, then node1, and then fails with the error below.
The call works when it goes to the remote+http destination. Because the client and the EJB are on the same node, the EJB client then tries the local-receiver, which does not need to go over the network. The call is still made through the remote interface but is invoked on the local-receiver, and it fails because there is no principal any more.
DEBUG [org.jboss.ejb.client.invocation] (default task-1) sendRequest: setting receiver, strong affinity = Cluster "ejb", weak affinity = None, remote destination is: remote+http://127.0.0.1:8080
...
DEBUG [org.jboss.ejb.client.invocation] (default task-1) sendRequest: setting receiver, strong affinity = Cluster "ejb", weak affinity = None, remote destination is: local:-
...
ERROR [stderr] (default task-1) javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public abstract org.jboss.as.quickstart.ejb.api.Response org.jboss.as.quickstart.ejb.api.StatelessRemote.invoke(org.jboss.as.quickstart.ejb.api.Request) of bean: StatelessEJB is not allowed
ERROR [stderr] (default task-1) at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:134)
...
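A triage script for the log pattern above, as an added example that is not part of the original article or of any Red Hat tooling: it pairs each WFLYEJB0364 denial with the receivers chosen earlier on the same thread and flags denials that directly followed a local:- receiver. Correlating by thread name, the function name correlate and the result field names are assumptions, and the sample lines are constructed from the excerpt.

```python
import re

# Line shapes taken from the excerpt above; search() tolerates a timestamp prefix.
RECEIVER = re.compile(
    r"DEBUG \[org\.jboss\.ejb\.client\.invocation\] \((?P<thread>[^)]+)\) "
    r"sendRequest: setting receiver.*remote destination is: (?P<dest>\S+)")
DENIED = re.compile(
    r"ERROR \[stderr\] \((?P<thread>[^)]+)\) javax\.ejb\.EJBAccessException: "
    r"WFLYEJB0364: .* of bean: (?P<bean>\S+) is not allowed")

def correlate(lines):
    """Pair each WFLYEJB0364 denial with the receivers chosen on its thread."""
    # Assumption: the denial is logged on the thread that selected the receiver,
    # as in the excerpt, where both appear on "default task-1".
    chosen = {}      # thread name -> receiver destinations, in log order
    findings = []
    for number, line in enumerate(lines, 1):
        send, deny = RECEIVER.search(line), DENIED.search(line)
        if send:
            chosen.setdefault(send["thread"], []).append(send["dest"])
        elif deny:
            sequence = list(chosen.get(deny["thread"], []))
            findings.append({
                "line": number, "thread": deny["thread"], "bean": deny["bean"],
                "sequence": sequence,
                # True when the receiver picked just before the denial was local:-
                "local_receiver": bool(sequence) and sequence[-1].startswith("local:"),
            })
    return findings

# Constructed sample input modelled on the excerpt (not a real server.log).
_SEND = ('DEBUG [org.jboss.ejb.client.invocation] ({t}) sendRequest: setting receiver, '
         'strong affinity = Cluster "ejb", weak affinity = None, remote destination is: {d}')
_DENY = ('ERROR [stderr] ({t}) javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on '
         'method: public abstract org.jboss.as.quickstart.ejb.api.Response org.jboss.as.'
         'quickstart.ejb.api.StatelessRemote.invoke(org.jboss.as.quickstart.ejb.api.Request)'
         ' of bean: StatelessEJB is not allowed')
SAMPLE = [
    _SEND.format(t="default task-1", d="remote+http://127.0.0.1:8080"),
    _SEND.format(t="default task-1", d="local:-"),
    _DENY.format(t="default task-1"),
    _SEND.format(t="default task-2", d="remote+http://127.0.0.1:8180"),
    _DENY.format(t="default task-2"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE):
        print(f'line {f["line"]}: {f["bean"]} denied on {f["thread"]}, '
              f'local receiver: {f["local_receiver"]}, receivers: {f["sequence"]}')
```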
Environment
Red Hat JBoss Enterprise Application Platform (EAP) 7.4 Update 7