0 Replies Latest reply on Apr 22, 2002 8:19 AM by drcharris

    intermittent failure to find ANYBODY role

    drcharris

      I've been trying, unsuccessfully, to get MDBs running in JBoss 2.4.4 under a security domain, whilst disallowing unauthenticated access to the server.

      I've seen several threads here about how to get MDBs running but they all have solutions that involve using unauthenticatedIdentity entries in the server login module config. This works OK but then allows the user to access the server remotely without authentication since the same configuration is used for the MDB and remote clients. I can't have unauthenticated access allowed.

      All my EJBs run as unchecked - since we're not planning to use the declarative security model in our product, but we still require authentication to access the server at all.

      I tried to make MDBs use a different security domain to entity/session beans, and add an unauthenticatedIdentity there (so remote users can never authenticate against the MDB login module), but the principal never makes it across when the MDB calls a session/entity bean (presumably since they are in different domains?). A null principal then causes security exceptions on the called bean.

      As a drastic solution, I wrote an interceptor for the MDB container-configuration. This interceptor sits in front of the normal SecurityInterceptor and just hard-codes a valid principal and credential into the MethodInvocation and SecurityAssociation.

      This works brilliantly 99.99% of the time. The other 0.01% of the time I get the following error:

      java.lang.SecurityException: Insufficient method permissions, principal=guest, method=create, requiredRoles=[], principalRoles=[guest]

      This seems to happen at random places in the code, at random times, and is not repeatable (hence the lack of a stack trace). I'm really confused here since it's quite possible to get thousands of method invocations happening with this configuration and then get this error randomly occurring. I can re-run the same code and it will succeed a second time.

      Is there some kind of threading issue in caching the roleset for a principal? Is my interceptor mucking up this caching? It's hard to tell.

      Has anyone else experienced intermittent errors with user Roles?