@RunAs/@RunAsPrincipal does not work when multiple security domains are involved in JBoss EAP 6.4 and 7
Issue
When EJB-A and EJB-B are secured separately by different security domains and EJB-A invokes EJB-B, the @RunAs and @RunAsPrincipal annotations on EJB-A do not pass the correct user credential to EJB-B, so they do not work as expected.
This scenario worked on EAP 6.4.5 and earlier, but does not work on JBoss EAP 6.4.6+ and EAP 7.0.x.
The error looks like the following:
15:18:07,394 ERROR [invocation] [] (default task-28) WFLYEJB0034: EJB Invocation failed on component <ComponentName>
15:18:07,390 INFO [ActiveDirectoryLoginModule] [] (default task-28) login for <UserName> failed [FAILED_SYSTEM_USER_ACCOUNT_NOT_FOUND]
15:18:07,392 TRACE [audit] [] (default task-28) [Failure]principal=<UserName>;Action=authentication;Source=org.jboss.as.security.service.SimpleSecurityManager;
15:18:07,393 TRACE [security] [] (default task-28) PBOX00354: Setting security roles ThreadLocal: null
15:18:07,394 ERROR [invocation] [] (default task-28) WFLYEJB0034: EJB Invocation failed on component <ComponentName>Bean for method public java.lang.String com.example.ExampleBean.sayHello(java.lang.String): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
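To check a server.log for this signature, the added example below (not Red Hat's code) pairs each WFLYSEC0027 EJB denial with the last failed authentication audited on the same thread. It assumes the line layout and message IDs shown in the excerpt above; the function name and the sample log, including the unrelated task-31 line, are constructed for illustration.

```python
import re

# Constructed sample in the layout of the excerpt above (placeholders kept as-is).
SAMPLE_LOG = """\
15:18:07,390 INFO [ActiveDirectoryLoginModule] [] (default task-28) login for <UserName> failed [FAILED_SYSTEM_USER_ACCOUNT_NOT_FOUND]
15:18:07,392 TRACE [audit] [] (default task-28) [Failure]principal=<UserName>;Action=authentication;Source=org.jboss.as.security.service.SimpleSecurityManager;
15:18:07,393 TRACE [security] [] (default task-28) PBOX00354: Setting security roles ThreadLocal: null
15:18:07,394 ERROR [invocation] [] (default task-28) WFLYEJB0034: EJB Invocation failed on component <ComponentName>Bean for method public java.lang.String com.example.ExampleBean.sayHello(java.lang.String): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
15:18:09,101 ERROR [invocation] [] (default task-31) WFLYEJB0034: EJB Invocation failed on component OtherBean for method public void com.example.OtherBean.run(): java.lang.IllegalStateException: boom
"""

# timestamp, level, [category], [context], (thread), message
LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+\[[^\]]*\]\s+\[[^\]]*\]\s+\((?P<thread>[^)]*)\)\s+(?P<msg>.*)$")
AUDIT_FAIL = re.compile(r"\[Failure\]principal=(?P<principal>[^;]*);Action=authentication;")
EJB_DENIED = re.compile(r"WFLYEJB0034: EJB Invocation failed on component (?P<component>\S+) "
                        r"for method (?P<method>.+?): javax\.ejb\.EJBAccessException: WFLYSEC0027")

def find_invalid_user_failures(log_text):
    """Return one finding per WFLYSEC0027 denial, with the principal whose
    authentication was audited as failed on the same thread (if logged)."""
    last_auth_failure = {}  # thread name -> (timestamp, principal)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace continuation or a different log format
        thread, msg = m["thread"], m["msg"]
        audit = AUDIT_FAIL.search(msg)
        if audit:
            last_auth_failure[thread] = (m["ts"], audit["principal"])
            continue
        denied = EJB_DENIED.search(msg)
        if denied:
            # The audit category is logged at TRACE, so it may be absent: report None then.
            auth_ts, principal = last_auth_failure.pop(thread, (None, None))
            findings.append({"thread": thread, "denied_at": m["ts"],
                             "auth_failed_at": auth_ts, "principal": principal,
                             "component": denied["component"], "method": denied["method"]})
    return findings

if __name__ == "__main__":
    for finding in find_invalid_user_failures(SAMPLE_LOG):
        print(finding)
```

A finding shows which principal the called EJB's security domain tried to authenticate; the match identifies the log signature only, not its cause.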
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
  - 6.4.6+
  - 7.0.x
