Why does security propagation not work between EJB 2 beans on JBoss 5.x?

Issue

Why does security propagation not work between EJB 2 beans on JBoss 5.x?
Our application looks like the following:

servlet (run as) --> Example EJB 2 (secured)  --> SecondExample EJB 2 (secured)

The servlet can call the Example bean, but the Example bean is not able to call the SecondExample bean. The following exception is logged:

2012-04-10 16:20:06,149 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (http-127.0.0.1-8080-1) Error in Security Interceptor
java.lang.SecurityException: Authentication exception, principal=null
    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:322)
    at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
    at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
    at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:169)
    at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:91)
    at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
    at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
    at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
    at org.jboss.ejb.Container.invoke(Container.java:1109)
    at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
    at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
    at $Proxy133.create(Unknown Source)

Not able to use RUNAS feature in JBoss EAP 5.1, We have configured the jboss-web.xml, but a null is passed as the user for authentication.

<jboss-web>
  <security-domain>java:/jaas/example-domain</security-domain>
  <security-role>
    <role-name>JBossAdmin</role-name>
    <principal-name>Admin</principal-name>
  </security-role>

  <servlet>
    <servlet-name>exampleServlet</servlet-name>
    <run-as-principal>Admin</run-as-principal>
  </servlet>
</jboss-web>

When trying to connect from an EJB Client on TIBCO to an EJB deployed on JBoss server, the following exception is encountered:-

ERROR [SecurityInterceptor] Error in Security Interceptor
java.lang.SecurityException: Authentication exception, principal=null
        at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
        at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
        at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
        at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:142)
        at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
        at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
        at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
        at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
        at org.jboss.ejb.Container.invoke(Container.java:1109)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
        at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
        at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
        at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
        at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
        at org.jboss.invocation.unified.server.UnifiedInvoker.invoke(UnifiedInvoker.java:232)
        at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:930)
        at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:791)
        at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:744)
        at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:548)
        at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:234)

Environment

JBoss Enterprise Application Platform (EAP)
- 5.1.0
- 5.1.2

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

New to Red Hat?

Learn more about Red Hat subscriptions

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Tools

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories