Here's a code snippet:

Properties properties = new Properties();

properties.put(SECURITY_PRINCIPAL, username);

properties.put(SECURITY_CREDENTIALS, credentials);

Context context = new InitialContext(properties);

RemoteEJB ejb = (RemoteEJB) context.lookup(remoteName);

ejb.doSomething();

And here's what I see in the log after the call to doSomething():

2015-04-22 09:12:26,664 TRACE [org.jboss.security.audit] (default task-17) [Failure]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Action=authorization;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public abstract void com.test.RemoteEJB.doSomething():ejbMethodInterface=Remote:ejbName=RemoteEJB:ejbPrincipal=null:MethodRoles=Roles(guest):securityRoleReferences=null:callerSubject=Subject:

    Principal: anonymous

:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];Exception:=PBOX000017: Acces denied: authorization failed ;policyRegistration=null;

Does invoking a secured bean from a web application change the manner in which credentials must be presented?  I've got a class inside a war file which is neither an EJB or a servlet, that attempts to invoke a secured bean.  I've attempted passing in credentials in a number of ways, and the TRACE level logging in org.jboss.security indicates that the user is validated, but the principal information that is passed to the secured bean is always "null".  This causes an EJBAccessException to be thrown.

I'm seeing this behavior in both WildFly 8.2.0 and WildFly 9.0.0 Beta 2.

Any help would be appreciated.  This has been a very frustrating few weeks with security issues.

I've verified that the Subject contained in my LoginContext is correct.  It has the correct username and all roles assigned that account.  When I make the following call sequence:

PasswordClientCallbackHandler handler = new PasswordClientCallbackHandler(username, "TestRealm", password.toCharArray());

LoginContext loginContext = new LoginContext("TestAuth", handler);

loginContext.login();

Subject subject = loginContext.getSubject();

Subject.doAs(subject, new PrivilegedAction<Object>() {

    public Object run() {

        InitialContext ic = new InitialContext();

        TestBean ejb = (TestBean) ic.lookup(beanName);

        return ejb.doSomething();

    }

});

It appears as if the subject being passed into the call is null.  Here's the message that I see in the log:

2015-04-28 10:41:42,344 DEBUG [org.jboss.security] (default task-17) PBOX000292: Insufficient method permissions [principal: null, EJB name: TestBean, method: doSomething, interface: Remote, required roles: Roles(AUTHORIZED_USER), principal roles: Roles(), run-as roles: null]

As I mentioned previously, this code is being executed inside a Web context.  I don't know if that matters.

I *may* have found the solution.  It appears that the security context is intentionally not being propagated between the web context and the ejb context.  I discovered this article:

https://docs.jboss.org/author/display/WFLY8/EE+Concurrency+Utilities

which suggests using the new concurrent utilities that are part of Java EE 7.  I'll give them a shot tomorrow...

I suppose I shouldn't be surprised, but using the concurrency utilities yielded the exact same results.  Here's the relevant code:

The eventual call to future.get() shows another EJBAccessException, and the TRACE level logging in org.jboss.security shows that the principal passed is null rather than the principal used in the LoginContext.login() call.

Does anybody at RedHat actually look at these forums?  I'm getting very frustrated with this because I've been struggling with it for almost two weeks now, and there hasn't been a single response.  Am I doing something wrong?  Is WildFly security just broken?  I don't even know whether I should submit a bug report because nobody seems to be able to tell me if I'm doing something wrong.