Hi, Jaikiran. Thanks again.
I just don't know where to dig my head into right now.
I was sure I was using JBoss' specific @SecurityDomain, and actually I am, but this is legacy code which was running on JBoss 4.2.2, and it was importing @org.jboss.annotation.security.SecurityDomain from dependency jboss:jboss-annotations-ejb3:4.2.2.GA
While migrating to EAP I hadn't noticed that the package had changed. After reading your post, I updated the dependency to org.jboss.ejb3:jboss-ejb3-ext-api:2.1.0 and imported @org.jboss.ejb3.annotation.SecurityDomain as you mentioned and now JBoss is respecting the security-domain configured in such annotation, as expected. So.. the bug I suspected was... myself.
Unfortunately, I was really happy while running the application in my local environment, but in the enterprise environment I'm now facing a weard problem.
In local machine I configure and start JBoss in standalone mode, and everything regarding security is working as expected. But when I deploy to the enterprise environment, where JBoss runs on domain mode, authorization is failing for methods annotated with @RolesAllowed.
What is more weard about it is that the same role required to call the secured EJB method is also required to allow access to the page in WEB module that contains a button that triggers the method calls that will end in the secured method in EJB module.
Digging to find a solution, I enabled TRACE log level for some JBoss components and found a little difference in the log entries displayed between standalone mode environment and domain mode environment.
In standalone mode, I had this:
11:10:37,194 DEBUG [org.jboss.security] (http-/0.0.0.0:8080-4) PBOX000291: Method: doSomething, interface: Remote, required roles: Roles(ROLE_FOR_DOSOMETHING,)
11:10:37,197 TRACE [org.jboss.security.audit] (http-/0.0.0.0:8080-4) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Action=authorization;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public abstract void xxx.xxx.MyEJB.doSomething():ejbMethodInterface=Remote:ejbName=MyEJBName:ejbPrincipal={my_custom_principal_details}:MethodRoles=Roles(ROLE_FOR_DOSOMETHING,):securityRoleReferences=null:callerSubject=Subject:...:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];policyRegistration=null;
While in domain mode, I had this:
10:31:01,472 DEBUG [org.jboss.security] (ajp-/10.0.148.99:8609-4) PBOX000291: Method: doSomething, interface: Remote, required roles: Roles(ROLE_FOR_DOSOMETHING,)
10:31:01,473 DEBUG [org.jboss.security] (ajp-/10.0.148.99:8609-4) PBOX000292: Insufficient method permissions [principal: { my_custom_principal_details }, EJB name: MyEJBName, method: doSomething, interface: Remote, required roles: Roles(ROLE_FOR_DOSOMETHING,), principal roles: Roles(), run-as roles: null]
10:31:01,473 DEBUG [org.jboss.security] (ajp-/10.0.148.99:8609-4) PBOX000299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed
10:31:01,482 DEBUG [org.jboss.security] (ajp-/10.0.148.99:8609-4) PBOX000325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX000017: Acces denied: authorization failed
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_31]
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:143) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:429) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:318) [picketbox-4.0.17.Final-redhat-1.jar:4.0.17.Final-redhat-1]
at org.jboss.as.security.service.SimpleSecurityManager.authorize(SimpleSecurityManager.java:255) [jboss-as-security-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:112) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:222) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]
at $Proxy82.doSomething(Unknown Source) at xxxxx.SomeClassInWebModule.doSomethingWeb(SomeOtherClassInWebModule.java:80)
10:31:01,492 TRACE [org.jboss.security.audit] (ajp-/10.0.148.99:8609-4) [Failure]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Action=authorization;Exception:=PBOX000017: Acces denied: authorization failed ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public abstract void xxx.xxx.MyEJB.doSomething():ejbMethodInterface=Remote:ejbName=MyEJBName:ejbPrincipal={my_custom_principal_details}:MethodRoles=Roles(ROLE_FOR_DOSOMETHING,):securityRoleReferences=null:callerSubject=Subject:...:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];policyRegistration=null;
The line I highlighted gives a tip about a required module failing, but it only happens in domain mode. Is there something else I must configure in domain mode to get authorization working? I don't know where to look at to fix it.
Any help on this would be really appreciated.