5 Replies Latest reply on Oct 4, 2013 7:14 AM by ejb3workshop

JBAS013323: Invalid User on JBoss 7.2

ejb3workshop Sep 3, 2013 5:58 AM

For some time I have been struggling against the "Invalid User" error.

application.xml

<?xml version="1.0" encoding="UTF-8"?>
<application version="6" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_6.xsd">
  <display-name>SimpleBean</display-name>
  <module>
    <ejb>SimpleBean-ejb.jar</ejb>
  </module>
  <security-role>
    <description>ABCAdmin</description>
    <role-name>ABCAdmin</role-name>
  </security-role>   
</application>

jboss-app.xml

<?xml version="1.0" encoding="UTF-8"?>
<jboss-app>
  <security-domain>ABCAdmin</security-domain>
</jboss-app>

ejb-jar.xml

<?xml version="1.0" encoding="UTF-8"?>
<ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee" 
         version = "3.1"
         xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" 
         xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd">
  <description>ABC EJB</description>
  <display-name>ABCEJB</display-name>
  <enterprise-beans>     
    <message-driven>
      <ejb-name>TransactionJobListener</ejb-name>
      <ejb-class>com.abc.messagebean.TransactionJobListener</ejb-class>
      <message-destination-link>TransactionJobs</message-destination-link>
      <resource-ref>
        <res-ref-name>ConnectionFactory</res-ref-name>
        <res-type>javax.jms.ConnectionFactory</res-type>
        <res-auth>Container</res-auth>
      </resource-ref>    
      <message-destination-ref>
        <message-destination-ref-name>queue/abc/TransactionJobs</message-destination-ref-name>
        <message-destination-type>javax.jms.Queue</message-destination-type>
        <message-destination-usage>Produces</message-destination-usage>
        <message-destination-link>TransactionJobs</message-destination-link>
      </message-destination-ref>
    </message-driven>
  </enterprise-beans>         
</ejb-jar>

jboss-ejb3.xml

<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:c="urn:clustering:1.0"
               xmlns:s="urn:security"
               xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
               version="3.1"
               impl-version="2.0">
  <assembly-descriptor>
    <s:security>
      <ejb-name>*</ejb-name>
      <s:security-domain>ABCAdmin</s:security-domain>
    </s:security>
  </assembly-descriptor>   
  <enterprise-beans>
    <message-driven>
      <ejb-name>TransactionJobListener</ejb-name>
      <activation-config>
        <activation-config-property>
          <activation-config-property-name>destination</activation-config-property-name>
          <activation-config-property-value>java:/queue/abc/TransactionJobs</activation-config-property-value>
        </activation-config-property>
      </activation-config>     
      <resource-ref>
        <res-ref-name>ConnectionFactory</res-ref-name>
        <jndi-name>java:/jms/ABCJMSConnectionFactory</jndi-name>
      </resource-ref>
      <message-destination-ref>
        <message-destination-ref-name>queue/abc/TransactionJobs</message-destination-ref-name>
        <message-destination-type>javax.jms.Topic</message-destination-type>
        <message-destination-usage>Produces</message-destination-usage>
        <message-destination-link>TransactionJobs</message-destination-link>
        <jndi-name>java:/queue/abc/TransactionJobs</jndi-name>
      </message-destination-ref>
    </message-driven>
  </enterprise-beans>
</jboss:ejb-jar>

Bean Implementation

...
@Stateless
@RolesAllowed("ABCAdmin")
@PermitAll
@RunAs("ABCAdmin")
public class CalculatorBean implements CalculatorRemote, CalculatorLocal
{
  private transient Logger logger = Logger.getLogger(CalculatorBean.class.getName());

  @PermitAll     
  public double add(double a, double b)
  {
    logger.info("ADDING");
    return a+b;
  }
...

Client

Properties properties = new Properties();
properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
properties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
properties.put("java.naming.provider.url", "remote://localhost:4447");
properties.put(Context.SECURITY_PRINCIPAL, "user");
properties.put(Context.SECURITY_CREDENTIALS, "password");
properties.put("jboss.naming.client.ejb.context", true);
InitialContext ctx = new InitialContext(properties);
System.out.println("Got Naming Service");

CalculatorServices calculator = (CalculatorServices) ctx.lookup("SimpleBean/SimpleBean-ejb/CalculatorBean!com.abc.sessionbean.CalculatorRemote");
System.out.println("Got Calculator : "+calculator);
System.out.println("ADD      : " + calculator.add(5, 4));

Since adding the security-domain to the application the client stopped working and I am now getting : javax.ejb.EJBAccessException: JBAS013323: Invalid User

I can't understand what part I missed or where my mistake is without this security domain being specified the client is working.

Beside this issue I also have some other questions:

When I remove jboss.naming.client.ejb.context from the JNDI properties the client also does not work. Why is this required and what does this do?
Is there a simple way to disabled security on JBoss 7.2?
I tried using the ejb-client method as well but couldn't get this working either. Using ejb:SimpleBean/SimpleBean-ejb//CalculatorBean!com.abc.sessionbean.CalculatorRemote as the JNDI name resulted in other errors.

Thanks for all your help and support.

1. Re: JBAS013323: Invalid User on JBoss 7.2

wdfink Sep 3, 2013 7:56 AM (in response to ejb3workshop)
To answer your questions:
The property jboss.naming.client.ejb.context force the creation of the ejb-client context to invoke EJB's with remote-naming.
you can remove the security-realm attribute from the remoting connector, in that case you will run complete without security
if you use the ejb-client approach you need to set the correct environment, see this documentation

Could you show what you change for "adding the security-domain"?
Actions
2. Re: Re: JBAS013323: Invalid User on JBoss 7.2

ejb3workshop Sep 3, 2013 11:58 AM (in response to wdfink)
I added the security-domain to the jboss-app.xml file.

<?xml version="1.0" encoding="UTF-8"?> <jboss-app> <security-domain>ABCAdmin</security-domain> </jboss-app>

I will try to disable security as you suggested and see if I can get the application working in this configuration.
Actions
3. Re: Re: JBAS013323: Invalid User on JBoss 7.2

wdfink Sep 3, 2013 12:27 PM (in response to ejb3workshop)

How do you add this security-domain in the configuration?
Actions

4. Re: Re: Re: JBAS013323: Invalid User on JBoss 7.2

ejb3workshop Sep 4, 2013 12:38 AM (in response to wdfink)

In my standalone.xml file I specify it using:

...
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <local default-user="$local"/>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <local default-user="$local" allowed-users="*"/>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization>
                <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>
        <security-realm name="ABCAdmin">
            <authentication>
                <local default-user="$local" allowed-users="*"/>
                <properties path="abczone-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization>
                <properties path="abczone-roles.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
</management>
...
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ABCAdmin"/>
</subsystem>
....
<security-domain name="ABCAdmin">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="requisite">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="usersProperties" value="file:${jboss.server.config.dir}/abczone-users.properties"/>
            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/abczone-roles.properties"/>
        </login-module>
    </authentication>
</security-domain>

I also tried specifying different realms on the remoting-connector, this however did not resolve the issue.

5. Re: JBAS013323: Invalid User on JBoss 7.2

ejb3workshop Oct 4, 2013 7:14 AM (in response to ejb3workshop)

Updating the standalone-full-ha.xml file as shown below allow the application to run without any need for security realms / domains.

Changes are :

Comment out : <default-security-domain value="other"/>

Set default-missing-method-permissions-deny-access to false

<subsystem xmlns="urn:jboss:domain:ejb3:1.4">
    <session-bean>
        <stateless>
            <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
        </stateless>
        <stateful default-access-timeout="5000" cache-ref="simple" clustered-cache-ref="clustered"/>
        <singleton default-access-timeout="5000"/>
    </session-bean>
    <mdb>
        <resource-adapter-ref resource-adapter-name="hornetq-ra"/>
        <bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
    </mdb>
    <pools>
        <bean-instance-pools>
            <strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
            <strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
        </bean-instance-pools>
    </pools>
    <caches>
        <cache name="simple" aliases="NoPassivationCache"/>
        <cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/>
        <cache name="clustered" passivation-store-ref="infinispan" aliases="StatefulTreeCache"/>
    </caches>
    <passivation-stores>
        <file-passivation-store name="file"/>
        <cluster-passivation-store name="infinispan" cache-container="ejb"/>
    </passivation-stores>
    <async thread-pool-name="default"/>
    <timer-service thread-pool-name="default">
        <data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>
    </timer-service>
    <remote connector-ref="remoting-connector" thread-pool-name="default"/>
    <thread-pools>
        <thread-pool name="default">
            <max-threads count="10"/>
            <keepalive-time time="100" unit="milliseconds"/>
        </thread-pool>
    </thread-pools>
    <iiop enable-by-default="false" use-qualified-name="false"/>
<!--            <default-security-domain value="other"/>-->
    <default-missing-method-permissions-deny-access value="false"/>
</subsystem>

Go to original post