JavaRanch » Java Forums » Products » JBoss/WildFly
Security principal propagation across ejb3 modules

davide tabarelli

Joined: May 20, 2010
Posts: 4
Hello to everyone,

I'm developing an enterprise application within JBoss 5.

I have multiple EJB3 modules in a single ear, each one under the same security domain.

Authentication works properly and the ClientLoginModule is required in the application policy.

My question is the following: if the client (or the web tier) calls EJB 1, which in turn calls EJB 2 (both secured), is the security Principal propagated correctly?

It is giving me a "principal: null" exception when the second EJB is called in the stack.

Where am I wrong?

Thanks in advance.

davide tabarelli

Joined: May 20, 2010
Posts: 4
No one is answering me... maybe my question is too newbie/stupid or ill-posed?

I suppose the latter (ill-posed), and therefore I will try to explain it again, better.

As far as I know, the credential/principal has to be propagated between EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

The situation:

- Two EJB modules in an EAR. Same security realm.
- A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
- The client is authenticated as Principal="SomeOne", Role="MyRole".
- The method requires role "MyRole" by means of @RolesAllowed("MyRole")
- Method A in turn calls a method B that is inside another session bean in EJB B.
- Method B is also marked with @RolesAllowed("MyRole").
- Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

Looking into the logs (TRACE level) it points out that:

1) The call to method A is successfully authenticated (Principal="SomeOne", Role="MyRole").
2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).

Someone faced this issue before? Please help me!

Thanking you in advance.
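The scenario described in the post above, as an added example that is not code from the original thread: two stateless session beans packaged in separate EJB jars of the same EAR, both guarded by @RolesAllowed("MyRole"), with the caller principal logged at each hop so that a TRACE/INFO log shows exactly where the identity turns into "anonymous". The bean and interface names, the role name and the injection wiring are assumptions for illustration; each class would live in its own source file.

```java
// --- BeanA.java (EJB module A) ---
// Added example, not from the original post. Names BeanA/BeanB/BeanALocal/BeanBLocal
// and the role "MyRole" are illustrative assumptions.
package example.a;

import java.security.Principal;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class BeanA implements BeanALocal {
    private static final Logger LOG = Logger.getLogger(BeanA.class.getName());

    @Resource
    private SessionContext ctx;

    // Cross-module injection: BeanB is deployed in another EJB jar of the same EAR.
    // Assumes the container resolves the local interface EAR-wide.
    @EJB
    private example.b.BeanBLocal beanB;

    @RolesAllowed("MyRole")
    public String methodA() {
        Principal caller = ctx.getCallerPrincipal();
        LOG.info("methodA: caller=" + caller.getName()
                + " inRole(MyRole)=" + ctx.isCallerInRole("MyRole"));
        // Inside one JVM the container carries the current security context along
        // with this call, so BeanB is expected to see the same caller principal.
        // If the container throws javax.ejb.EJBAccessException here, the identity
        // was dropped between the two modules.
        return beanB.methodB();
    }
}

// --- BeanALocal.java (EJB module A) ---
package example.a;

import javax.ejb.Local;

@Local
public interface BeanALocal {
    String methodA();
}

// --- BeanB.java (EJB module B) ---
package example.b;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

@Stateless
public class BeanB implements BeanBLocal {
    @Resource
    private SessionContext ctx;

    @RolesAllowed("MyRole")
    public String methodB() {
        // Reached only if the propagated principal carries "MyRole"; the
        // authorization check runs before the method body.
        return "methodB: caller=" + ctx.getCallerPrincipal().getName();
    }
}

// --- BeanBLocal.java (EJB module B) ---
package example.b;

import javax.ejb.Local;

@Local
public interface BeanBLocal {
    String methodB();
}
```

Comparing the two log lines (the one written in methodA and the return value of methodB, or the EJBAccessException in its place) isolates the hop at which the principal is lost, which is the first thing to establish before looking at the security domain configuration.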

Vikram Saxena
Ranch Hand

Joined: Dec 16, 2008
Posts: 53
I faced a similar situation where I used the JbossLoginContext to resolve it.

This depends on how you are accessing the EJB methods. I, for example, used to create a LoginContext where I passed the role (mentioned in the auth.conf) and the security credentials.
Then I called the method login() before invoking the business method and logout() on the LoginContext object.

You can have a look here.

SCJP 5 , SCBCD [Prep Started ] , WLS 8.1 Server Admin
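One way to do what the answer above describes, as an added example that is not Vikram's own code: a standalone client logs in through JBoss's "client-login" JAAS entry (backed by org.jboss.security.ClientLoginModule) before calling the secured bean, and logs out afterwards. Assumptions: the "client-login" entry exists in the client's auth.conf (pointed to with -Djava.security.auth.login.config) or in the server's login-config.xml for in-container callers, the JNDI name "MyApp/BeanA/remote" and the remote interface BeanARemote are placeholders, and the credentials are supplied by the caller.

```java
// Added example, not from the original thread. "client-login", BeanARemote and the
// JNDI name "MyApp/BeanA/remote" are assumptions for illustration.
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

public class SecuredClient {

    public static String callMethodA(String user, char[] password) throws Exception {
        // ClientLoginModule does not verify the password. It only binds the principal
        // and credential to the calling thread so that they travel with the EJB
        // invocation; the login module of the bean's security domain does the real
        // check on the server side.
        LoginContext lc = new LoginContext("client-login",
                new UsernamePasswordHandler(user, password));
        try {
            lc.login();
        } catch (LoginException e) {
            throw new IllegalStateException("client-login entry missing or misconfigured", e);
        }
        try {
            BeanARemote beanA = (BeanARemote) new InitialContext()
                    .lookup("MyApp/BeanA/remote");
            return beanA.methodA();
        } finally {
            // Always log out: the identity is thread-bound and would otherwise leak
            // into the next unit of work that runs on this thread (e.g. in a pool).
            lc.logout();
        }
    }
}
```

Because the identity set by ClientLoginModule is attached to the thread rather than to the connection, the logout() in the finally block matters as much as the login(): without it a pooled thread keeps acting as the previous user.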
davide tabarelli

Joined: May 20, 2010
Posts: 4
I've found out the problem ...

I have a JMS connection in the session bean that "loses" the authentication...
... and it seems that there are bugs in JBoss 5.1 together with JMS 1.4 (look

Solved by updating to JMS 2.

Thanks to everyone.
