Why does the JASPI authentication module fail to propagate the principal from the web layer to the EJB layer in JBoss EAP 6?

Solution In Progress - Updated -

Issue

I have a custom JSR-196 module that basically delegates to a service that delegates roles to an OAuth "grants" call.

It does work from a servlet: request.getUserPrincipal() works fine.

It does not propagate to local EJB calls, where SessionContext.getCallerPrincipal() returns a SimplePrincipal with "anonymous" instead of the expected username / roles.

MycompanyPrincipal is a simple class, with a simple getName() and some custom properties.

It seems that SubjectInfo.getAuthenticatedSubject() has no principal.

Here is where I define my security domain in standalone.xml:

  <security-domain name="mycompany" cache-type="default">
      <authentication-jaspi>
          <login-module-stack name="lm-stack">
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="../standalone/configuration/jaspi-users.properties"></module-option>
                  <module-option name="rolesProperties" value="../standalone/configuration/jaspi-roles.properties"></module-option>
              </login-module>
          </login-module-stack>
          <auth-module code="be.mycompany.api.authentication.jaspi.MycompanyAuthModule" flag="required" login-module-stack-ref="lm-stack"></auth-module>
      </authentication-jaspi>
  </security-domain>

And here is my jboss-web.xml:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web>
    <context-root>myapp</context-root>
    <security-domain>mycompany</security-domain>
    <valve>
        <class-name>org.jboss.as.web.security.jaspi.WebJASPIAuthenticator</class-name>
    </valve>
</jboss-web>
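The module itself is not shown on this page. As an added illustration (not the article's or the poster's code), this is the JSR-196 contract a ServerAuthModule follows: the container only learns the caller and its groups through CallerPrincipalCallback and GroupPrincipalCallback issued against the client Subject, so a module that skips them leaves the Subject without a principal. The GrantsService interface, the grantsServiceClass module option and a MycompanyPrincipal(String) constructor are assumptions made here, not details from the article.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.message.*;
import javax.security.auth.message.callback.*;
import javax.security.auth.message.module.ServerAuthModule;
import javax.servlet.http.*;

/** Hypothetical stand-in for the OAuth "grants" service: returns {user, role...} or null. */
interface GrantsService { String[] grants(String authorizationHeader); }
public class ExampleAuthModule implements ServerAuthModule {
    private CallbackHandler handler;   // container-supplied; the only channel back to it
    private GrantsService grants;
    public void initialize(MessagePolicy req, MessagePolicy resp, CallbackHandler handler,
                           Map options) throws AuthException {
        this.handler = handler;
        try {   // assumption: a <module-option name="grantsServiceClass"> names the impl
            String cls = (String) options.get("grantsServiceClass");
            this.grants = (GrantsService) Class.forName(cls).newInstance();
        } catch (Exception e) {
            throw (AuthException) new AuthException("cannot load grants service").initCause(e);
        }
    }

    public Class[] getSupportedMessageTypes() {
        return new Class[] { HttpServletRequest.class, HttpServletResponse.class };
    }

    public AuthStatus validateRequest(MessageInfo info, Subject clientSubject,
                                      Subject serviceSubject) throws AuthException {
        HttpServletRequest request = (HttpServletRequest) info.getRequestMessage();
        String[] grant = grants.grants(request.getHeader("Authorization"));
        if (grant == null || grant.length == 0) return AuthStatus.SEND_FAILURE; // rejected
        Principal caller = new MycompanyPrincipal(grant[0]);   // assumes a (String name) ctor
        String[] roles = Arrays.copyOfRange(grant, 1, grant.length);
        try {
            // JSR-196 contract: the caller and its groups reach the container only via these
            handler.handle(new Callback[] {
                new CallerPrincipalCallback(clientSubject, caller),
                new GroupPrincipalCallback(clientSubject, roles) });
        } catch (Exception e) {
            throw (AuthException) new AuthException("callback handling failed").initCause(e);
        }
        return AuthStatus.SUCCESS;
    }
    public AuthStatus secureResponse(MessageInfo info, Subject svc) { return AuthStatus.SEND_SUCCESS; }
    public void cleanSubject(MessageInfo info, Subject s) { if (s != null) s.getPrincipals().clear(); }
}
```

Whether the identity established this way also reaches SessionContext.getCallerPrincipal() in a local EJB is exactly the question this article raises; the sketch only shows what the web-layer container is guaranteed to see.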

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.x
