4 Replies Latest reply on Sep 13, 2005 2:03 PM by starksm64

    SecurityException in 4.0.3RC2 that didn't occur in 4.0.2

    drpizza

      Hello.

      JBAS-2025 was something of a showstopper for us when we came across it, so we're trying out 4.0.3RC2 to confirm that the problem is fixed (we expect we can wait long enough for 4.0.3 to be finalized, so its RC status doesn't pose a problem).

      Background:

      We're using JACC so that web and ejb security can play nicely with our custom LoginModule that talks to our custom AuthN/AuthZ system. We have two apps; essentially a web front-end talking to an ejb back-end (separate .ears because real deployments will have the two deployed separately, though for development purposes we're running within the same JBoss/VM). Presently only our web app is secured (using declarations in web.xml and occasional isUserInRole type stuff); none of the ejb descriptors contain any security stuff at all.

      In 4.0.2 this all appeared to work fine; the web app could make whatever EJB calls it needed, and its various URLs were properly secured. However, when some CMP beans were updated to use CMRs we ran into the aforementioned bug (NPEs when checking the security of CMR methods). So we're trying out 4.0.3RC2 to see if that fares any better.

      Which leads to the problem:

      The web app, upon being deployed (using a ServletContextListener, so at a time when there's no user logged in or anything like that), attempts to retrieve some data from the back-end EJB app. This is meant to be unsecured, and in 4.0.2 that's exactly what it was: unsecured. The call worked.

      However, the same call in 4.0.3RC2 yields a security exception. The caller subject, and hence the principals array, are both null, and the ProtectionDomain is deemed to not imply the permission.

      What can I do to remedy this? I'm at a bit of a loss to even know where to start, to be honest.
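The failure described in the post (caller Subject absent, principals empty, ProtectionDomain does not imply the permission) is the normal outcome of a JACC-style check when nothing in the policy marks the called method as unchecked. The following Java program is an added illustration of that mechanism and is not code from the post, from JBoss, or from its JACC provider: the `RolePolicy` class, the `RolePrincipal` and `MethodPermission` types, and the bean and method names (`ConfigBean.getSettings`, `ConfigBean.updateSettings`) are all constructed for the example. It models only the decision logic that `java.security.Policy.implies` performs on a ProtectionDomain.

```java
import java.security.BasicPermission;
import java.security.CodeSource;
import java.security.Permission;
import java.security.Permissions;
import java.security.Policy;
import java.security.Principal;
import java.security.ProtectionDomain;
import java.security.cert.Certificate;
import java.util.Map;
import java.util.Set;

/**
 * Simplified model of a JACC-style permission check. This is an illustration
 * written for this thread, not the JBoss JACC provider: the role mapping and
 * the principal sets below are constructed for the example.
 */
public class JaccCheckDemo {

    /** Caller principal carrying a role name (constructed for the example). */
    static final class RolePrincipal implements Principal {
        private final String name;
        RolePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    /** Permission naming an EJB method as "Bean.method" (constructed for the example). */
    static final class MethodPermission extends BasicPermission {
        MethodPermission(String name) { super(name); }
    }

    /**
     * Toy policy: permissions listed as unchecked are granted to every domain;
     * role-bound permissions are granted only when the domain's principal list
     * contains a principal whose name is the required role.
     */
    static final class RolePolicy extends Policy {
        private final Set<String> unchecked;
        private final Map<String, Set<String>> roleToMethods;

        RolePolicy(Set<String> unchecked, Map<String, Set<String>> roleToMethods) {
            this.unchecked = unchecked;
            this.roleToMethods = roleToMethods;
        }

        @Override
        public boolean implies(ProtectionDomain domain, Permission permission) {
            String target = permission.getName();
            if (unchecked.contains(target)) {
                return true;                       // no caller identity required
            }
            // ProtectionDomain copies a null principal array to an empty one,
            // which is what a call made with no caller Subject looks like here.
            Principal[] principals = domain.getPrincipals();
            if (principals == null || principals.length == 0) {
                return false;                      // nobody is logged in: deny
            }
            for (Principal p : principals) {
                Set<String> allowed = roleToMethods.get(p.getName());
                if (allowed != null && allowed.contains(target)) {
                    return true;
                }
            }
            return false;
        }
    }

    public static void main(String[] args) {
        RolePolicy policy = new RolePolicy(
                Set.of("ConfigBean.getSettings"),                         // unchecked
                Map.of("admin", Set.of("ConfigBean.updateSettings")));    // role-bound

        MethodPermission getSettings = new MethodPermission("ConfigBean.getSettings");
        MethodPermission update = new MethodPermission("ConfigBean.updateSettings");

        CodeSource cs = new CodeSource(null, (Certificate[]) null);
        // Domain for a call with no caller Subject, as from a ServletContextListener.
        ProtectionDomain noCaller = new ProtectionDomain(cs, new Permissions(), null, null);
        // Domain for a call made by an authenticated caller holding the admin role.
        ProtectionDomain admin = new ProtectionDomain(cs, new Permissions(), null,
                new Principal[] { new RolePrincipal("admin") });

        System.out.println("no caller, unchecked method : " + policy.implies(noCaller, getSettings));
        System.out.println("no caller, role-bound method: " + policy.implies(noCaller, update));
        System.out.println("admin,     role-bound method: " + policy.implies(admin, update));
    }
}
```

Run it with `javac JaccCheckDemo.java && java JaccCheckDemo`. The point of the model is the second line of output: a call carrying no caller principals can only satisfy a permission the policy treats as unchecked, so when a deployment-time call that used to succeed starts failing the permission check, the thing to look at is whether the target method is actually being registered as unchecked under the container's JACC policy configuration, rather than whether the caller's credentials are wrong.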