@RunAs/@RunAsPrincipal does not work when multiple security domains are involved in JBoss EAP 6.4 and 7

Solution Verified - Updated -

Issue

  • When one EJB calls the other, the following error is logged:

    15:18:07,394 ERROR [invocation] [] (default task-28) WFLYEJB0034: EJB Invocation failed on component <ComponentName>
    15:18:07,390 INFO  [ActiveDirectoryLoginModule] [] (default task-28) login for <UserName> failed [FAILED_SYSTEM_USER_ACCOUNT_NOT_FOUND]
    15:18:07,392 TRACE [audit] [] (default task-28) [Failure]principal=<UserName>;Action=authentication;Source=org.jboss.as.security.service.SimpleSecurityManager;
    15:18:07,393 TRACE [security] [] (default task-28) PBOX00354: Setting security roles ThreadLocal: null
    15:18:07,394 ERROR [invocation] [] (default task-28) WFLYEJB0034: EJB Invocation failed on component <ComponentName>Bean for method public java.lang.String com.example.ExampleBean.sayHello(java.lang.String): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
    

    Or

    javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
        at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
        at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
        at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
        at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:437)
        at org.wada.adams.sso.keycloak.KeycloakSecurityInterceptor.aroundInvoke(KeycloakSecurityInterceptor.java:112)
        at sun.reflect.GeneratedMethodAccessor265.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45005)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at 
    

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.4.6 and later
    • 7.0
  • EJBs with different security domains calling each other
  • Using @RunAs or @RunAsPrincipal to change domains
