@RunAs @RunAsPrincipal are ignored for @Startup @Singleton bean in EAP6

Solution Unverified - Updated -

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.1

Issue

  • While trying to access a Secured EJB deployed on the same JBoss instance from a @Startup/@Singleton bean fails with the following exception:
15:08:41,956 INFO  [test.SingletonServiceBean] (RMI TCP Connection(2)-10.65.223.76) SingletonServiceBean performOperationsOnInjectedEJB() invoked.
15:08:41,957 INFO  [stdout] (RMI TCP Connection(2)-10.65.223.76) [SingletonServiceBean] invokeEJBMethod("RedHat!!!") method invoked.
15:08:41,958 TRACE [org.jboss.security.audit] (RMI TCP Connection(2)-10.65.223.76) [Success]Source=org.jboss.as.security.service.SimpleSecurityManager;Action=authentication;principal=anonymous;
15:08:41,958 TRACE [org.jboss.security] (RMI TCP Connection(2)-10.65.223.76) PBOX000354: Setting security roles ThreadLocal: {}
15:08:41,960 DEBUG [org.jboss.security] (RMI TCP Connection(2)-10.65.223.76) PBOX000293: Exception caught: javax.naming.NameNotFoundException: policyRegistration -- service jboss.naming.context.java.policyRegistration
    at org.jboss.as.naming.ServiceBasedNamingStore.lookup(ServiceBasedNamingStore.java:103)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:197)
    at org.jboss.as.naming.InitialContext.lookup(InitialContext.java:120)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:183)
    at org.jboss.as.naming.NamingContext.lookup(NamingContext.java:179)
    at javax.naming.InitialContext.lookup(InitialContext.java:392) [rt.jar:1.6.0_21]
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.getPolicyRegistrationFromJNDI(EJBAuthorizationHelper.java:353) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:303) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.as.security.service.SimpleSecurityManager.authorize(SimpleSecurityManager.java:255) [jboss-as-security-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:112) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:222) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at $Proxy35.sayHello(Unknown Source)    at test.SingletonServiceBean.performOperationsOnInjectedEJB(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_21]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_21]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_21]
    at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:167) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:96) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:33) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:208) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:120) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:262) [rt.jar:1.6.0_21]
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) [rt.jar:1.6.0_21]
    at org.jboss.as.jmx.PluggableMBeanServerImpl$TcclMBeanServer.invoke(PluggableMBeanServerImpl.java:527)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.invoke(PluggableMBeanServerImpl.java:263)
    at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1360) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) [rt.jar:1.6.0_21]
    at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source) [:1.6.0_21]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_21]
    at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_21]
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305) [rt.jar:1.6.0_21]
    at sun.rmi.transport.Transport$1.run(Transport.java:159) [rt.jar:1.6.0_21]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_21]
    at sun.rmi.transport.Transport.serviceCall(Transport.java:155) [rt.jar:1.6.0_21]
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535) [rt.jar:1.6.0_21]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790) [rt.jar:1.6.0_21]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649) [rt.jar:1.6.0_21]
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_21]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_21]
    at java.lang.Thread.run(Thread.java:619) [rt.jar:1.6.0_21]

15:08:41,973 DEBUG [org.jboss.security] (RMI TCP Connection(2)-10.65.223.76) PBOX000291: Method: sayHello, interface: Remote, required roles: Roles(ejbRole,)
15:08:41,974 DEBUG [org.jboss.security] (RMI TCP Connection(2)-10.65.223.76) PBOX000292: Insufficient method permissions [principal: null, EJB name: EJBOneBean, method: sayHello, interface: Remote, required roles: Roles(ejbRole,), principal roles: Roles(), run-as roles: null]
15:08:41,974 DEBUG [org.jboss.security] (RMI TCP Connection(2)-10.65.223.76) PBOX000299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed
15:08:41,975 DEBUG [org.jboss.security] (RMI TCP Connection(2)-10.65.223.76) PBOX000325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX000017: Acces denied: authorization failed 
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_21]
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:143) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:429) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:318) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
    at org.jboss.as.security.service.SimpleSecurityManager.authorize(SimpleSecurityManager.java:255) [jboss-as-security-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:112) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:222) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
    at $Proxy35.sayHello(Unknown Source)    at test.SingletonServiceBean.performOperationsOnInjectedEJB(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.6.0_21]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [rt.jar:1.6.0_21]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_21]
    at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.ConvertingMethod.invokeWithOpenReturn(ConvertingMethod.java:167) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:96) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MXBeanIntrospector.invokeM2(MXBeanIntrospector.java:33) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:208) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:120) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:262) [rt.jar:1.6.0_21]
    at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836) [rt.jar:1.6.0_21]
    at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761) [rt.jar:1.6.0_21]
    at org.jboss.as.jmx.PluggableMBeanServerImpl$TcclMBeanServer.invoke(PluggableMBeanServerImpl.java:527)
    at org.jboss.as.jmx.PluggableMBeanServerImpl.invoke(PluggableMBeanServerImpl.java:263)
    at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1427) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1265) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1360) [rt.jar:1.6.0_21]
    at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788) [rt.jar:1.6.0_21]
    at sun.reflect.GeneratedMethodAccessor8.invoke(Unknown Source) [:1.6.0_21]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [rt.jar:1.6.0_21]
    at java.lang.reflect.Method.invoke(Method.java:597) [rt.jar:1.6.0_21]
    at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305) [rt.jar:1.6.0_21]
    at sun.rmi.transport.Transport$1.run(Transport.java:159) [rt.jar:1.6.0_21]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_21]
    at sun.rmi.transport.Transport.serviceCall(Transport.java:155) [rt.jar:1.6.0_21]
    at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535) [rt.jar:1.6.0_21]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790) [rt.jar:1.6.0_21]
    at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649) [rt.jar:1.6.0_21]
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_21]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_21]
    at java.lang.Thread.run(Thread.java:619) [rt.jar:1.6.0_21]

15:08:41,988 TRACE [org.jboss.security.audit] (RMI TCP Connection(2)-10.65.223.76) [Failure]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Action=authorization;Exception:=PBOX000017: Acces denied: authorization failed ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public abstract java.lang.String ejb3.EJBOneRemote.sayHello(java.lang.String):ejbMethodInterface=Remote:ejbName=EJBOneBean:ejbPrincipal=null:MethodRoles=Roles(ejbRole,):securityRoleReferences=null:callerSubject=Subject:
    Principal: anonymous
:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];policyRegistration=null;
15:08:41,989 TRACE [org.jboss.security] (RMI TCP Connection(2)-10.65.223.76) PBOX000354: Setting security roles ThreadLocal: null
  • In the stack trace it is observed that the Principal is always "anonymous".

Resolution

The workaround is to programmatically establish a security context within the beans methods which are invoking the secured EJB. This can be accomplished using the approaches described in A10 and A23 of the JBoss Security FAQ.

The SecurityClient.setJAAS() approach shown in A10 and the approach described in A23 depend on a "client-login" security-domain existing that is configured to use the ClientLoginModule. Here is what the "client-login" security-domain would look like:

<security-domain name="client-login" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
  </authentication>
</security-domain>

The ClientLoginModule will not verify the user's credentials, it will simply create a security context using those credentials. The credentials will be verified when the secured EJB is invoked.

Root Cause

  • The spec does not specify that a security context is required by these beans. As a result, JBoss does not apply a run-as identity to @Singleton/@Startup beans. This issue (WFLY-981) has been raised as a feature request for future versions of JBoss.

  • The "@RunAs/@RunAsPrincipal" annotations get ignored when used on a singleton bean that is annotated with "@Startup". This means the the Singleton bean is not able to call protected EJBs. If the protected EJB is annotated with "@PermitAll", then the singleton is able to invoke the method because the AuthorizationInterceptor create an "anonymous" user that is treated as authenticated. However, the "RunAsPrincipal" is ignored as the "getCallerPrincipal()" returns anonymous instead of the "@RunAsPrincipal".

  • This issue was resolved in EAP 6.2.0.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments