
problem calling ejb: SecurityActions.getContextSubject() returns null

Hub Fel

Joined: Oct 21, 2009
Posts: 10
Hi all,
I am trying to migrate a working app from JBoss 4.2.2 to JBoss 5.1. I have an EJB 2.0 with some "unchecked" methods and some that require an authenticated user.
For the "unchecked" methods I established a "RunAsIdentity" via ejb-jar.xml and jboss.xml and I see it pushedAs to EJB context. From a MBean that runs as service, I created that EJB "unchecked" with a "RunAsId" and call "unchecked" methods.
Now the Problem:
In the EJB I make a context.IsCallerInRole("role") that produces error messages in the form of:
ERROR [EnterpriseContext] Subject is null for isCallerInRole Check with role=PeV
The context.IsCallerInRole("role") calls
SubjectPolicyContextHandler.getAuthenticatedSubject(); which returns NULL
SecurityContext.getIncomingRunsAs() also returns null
But when I do a

Then I get a valid principal, the one I defined in jboss.xml
I do not understand this, since I explicitly do a login before creating / calling the EJB.
In 4.2.2 I did not log on for the unchecked methods and it worked fine. I have tried many things, without success.
This is my application-policy:

The EJB 2.0 runs in MyRealm, and both login-module succeed.
I quadruple-checked everything and debugged through every Interceptor, but still have no clue about the cause.
It would be great if anybody could give me a hint.
jboss.xml has a

ejb-jar.xml has a

Why doesn't my EJB context have a valid authenticatedSubject()?
Any hint could definitely save my day!

Thank you
One more thing: The SessionContext used by the EJB on IsCallerInRole is set during the myEjb.create() invocation.
Jaikiran Pai

Joined: Jul 20, 2005
Posts: 10441

I have seen similar posts related to JBoss AS-5, but I haven't been able to look into the details. In your login-module, try adding unauthenticatedIdentity as follows:

See if that works.

[My Blog] [JavaRanch Journal]
Hub Fel

Joined: Oct 21, 2009
Posts: 10
Thank you very much, but unfortunately this did not help.
Thanks anyway.
Hub Fel

Joined: Oct 21, 2009
Posts: 10

Well, I think I have an idea what's going on.
On creation of the EJB:
InvokeHome calls SecurityInterceptor to create the EJB. During this process the EJB receives a SessionContext with an authenticated subject.

In SecurityInterceptor, JBoss does a

The PopSubjectContext() destroys my SubjectInfo.authenticatedSubject by setting it to NULL.
This looks strange to me.
Is this correct? If yes, how should the EJB get another authenticated Subject? There is no authentication anymore.

Thank you
Hub Fel

Joined: Oct 21, 2009
Posts: 10
Ok, I think I isolated the problem.

What I described in the previous post is working correctly.
SecurityActions.popSubjectContext() is called after every call and an authenticated subject is pushed before every call.

So when I arrive at my ejb method, the context is good and context.IsCallerInRole("role") works fine.
But I call several other EJBs with unchecked security / local view (BYPASS_SECURITY). When calling these EJBs the authenticated subject is set to NULL and left at NULL.
After the EJB calls return, the authenticated subject is still null, and that's why my further context.isCallerInRole() calls fail.

Does anybody have an idea how to work around this?

Thank you
Hub Fel

Joined: Oct 21, 2009
Posts: 10
Ok, I fixed my problem.

As mentioned, I lost my authenticated subject.
In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss.

I edited the corresponding jboss.xml and added a

In login-config.xml I added:

note the "restore-login-identity".
That was it, the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.

Before my changes this EJB ran in the "BYPASSED-SECURITY" domain. I tried to create a <application-policy name="BYPASSED-SECURITY"> but this was never picked up.

Hope this helps others.
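The fix the last post describes, written out as an added illustration rather than the poster's own files (their snippets are not in the thread): the callee EJB's jboss.xml is given a security domain, and that domain's application-policy in login-config.xml carries the restore-login-identity option so the caller's authenticated subject is put back after the nested call. The domain name EjbRealm comes from the post; that the domain uses org.jboss.security.ClientLoginModule (the module that defines restore-login-identity) and the bean name CalleeBean are assumptions.

```xml
<!-- File 1: jboss.xml of the EJB that previously ran in the bypassed-security domain.
     Added example, not the poster's file; JNDI name java:/jaas/EjbRealm is assumed. -->
<jboss>
  <!-- Bind this bean to a real security domain instead of BYPASSED-SECURITY,
       so the security interceptor runs for it and the caller's identity is handled. -->
  <security-domain>java:/jaas/EjbRealm</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>CalleeBean</ejb-name>           <!-- placeholder bean name -->
      <jndi-name>ejb/CalleeBean</jndi-name>     <!-- placeholder JNDI name -->
    </session>
  </enterprise-beans>
</jboss>

<!-- File 2: fragment of conf/login-config.xml (JBoss 5.1) defining the EjbRealm domain. -->
<application-policy name="EjbRealm">
  <authentication>
    <!-- ClientLoginModule only propagates the current principal/credential.
         With restore-login-identity=true the SecurityAssociation that was in
         place before this login (the caller's authenticated subject) is
         restored on logout, so isCallerInRole() in the calling EJB still has
         a subject to check after the nested call returns. -->
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="restore-login-identity">true</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Keeping the callee in a real domain matters beyond this bug: a bean left in the bypassed-security domain performs no authorization checks on its own methods at all, not only on the caller's checks that follow it.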