4 Replies Latest reply on Apr 21, 2010 1:05 PM by Hubert Felber

    problem calling ejb: "Subject is null for isCallerInRole ...."

    Hubert Felber Newbie

      Hi all,


      I am porting an app from JBoss 4.2.2 to JBoss 5.1


      I have an MBean that calls an EJB 2.0 method in the same JBoss instance. There, when I do an isCallerInRole("testRole"), I always get:
      [EnterpriseContext] Subject is null for isCallerInRole Check with role=testRole
      The EJB 2.0 method has the following definition in ejb-jar.xml
      and in the corresponding jboss.xml we defined
      This worked fine in JBoss 4.2.2 but gives the error mentioned above in JBoss 5.2.
      Could anybody please help me with how to solve this?
      Thank you very much
        • 1. problem calling ejb: SecurityActions.getContextSubject() returns null
          Hubert Felber Newbie



          I have some additional info, maybe anybody has a clue what I don't see.


          I went through all interceptors when invoking a method on the EJB.

          I have an authenticated subject and a valid runAsIdentity consisting of principal and role.

          I saw that "SecurityActions.pushRunAsIdentity(runAsIdentity);" pushed the correct runAsIdentity assembled from ejb-jar.xml and jboss.xml


          -With the SessionContext in the EJB I can successfully call


          and get a valid Principal back as defined in RunAs.

          -SecurityRoleRefMetaData.getRoleName() called by EnterpriseContext returns the correct roleName.



          But SecurityActions.getContextSubject() returns NULL


          Does anybody have a clue what I can do?


          Thanks for helping




          • 2. SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
            Hubert Felber Newbie



            When I do an isCallerInRole("role") it calls

            SubjectPolicyContextHandler.getAuthenticatedSubject();  which returns NULL


            SecurityContext.getIncomingRunsAs() also returns null


            I do not understand this, since I explicitly do a login before creating / calling the EJB.

            This is my application-policy:


            <application-policy name="MyRealm">
                <authentication>
                    <login-module code="ch.abacus.flow.jboss.security.auth.SystemLogingModule" flag="required"/>
                    <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
                </authentication>
            </application-policy>


            The EJB 2.0 runs in MyRealm, and both login modules succeed.


            Still hope for any hints.


            Thank you

            • 3. Re: SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
              Hubert Felber Newbie

              Ok, I think I isolated the problem.

              SecurityActions.popSubjectContext() is called after every call and  an authenticated subject is pushed before every call.

              So when I arrive at my EJB method, the context is good and context.isCallerInRole("role") works fine.
              But I call several other EJBs with unchecked security / local view (BYPASS_SECURITY). When calling these EJBs the authenticated subject is set to NULL and left NULL.
              After these EJB calls return, the authenticated subject is still null, and that's why my further context.isCallerInRole() calls from my current EJB fail.

              Does anybody have an idea how to work around this?

              Thank you

              • 4. Re: SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
                Hubert Felber Newbie

                Ok, I fixed my problem.


                As mentioned, I lost my authenticated subject.
                In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss.


                I edited the corresponding jboss.xml and added a


                   <security-domain>java:/jaas/EjbRealm</security-domain>



                In login-config.xml I added:


                   <application-policy name="EjbRealm">
                       <authentication>
                           <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                               <module-option name="restore-login-identity">true</module-option>
                           </login-module>
                       </authentication>
                   </application-policy>



                Note the "restore-login-identity".
                That was it: the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.


                Before my changes this EJB ran in the "BYPASSED-SECURITY" domain. I tried to create an <application-policy name="BYPASSED-SECURITY"> but this was never picked up.


                Hope this helps others.
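The two deployment files that make up the fix described in the last reply, written out as an added example (this is not the original poster's configuration; the ejb-name "CalleeBean", the file layout and the comments are assumptions). It shows the weak setting, a called EJB with no security-domain at all, next to the corrected one: the callee bound to a domain whose ClientLoginModule has restore-login-identity=true, so that the caller's security association (principal and credential) is put back when the callee's login is undone, and the caller's subsequent isCallerInRole() still sees an authenticated subject. The caller stays in MyRealm exactly as in the thread.

```xml
<!-- jboss.xml of the CALLED EJB jar (assumed ejb-name "CalleeBean").
     A top-level security-domain applies to every bean in this jar. -->
<jboss>
  <!-- Weak: with no security-domain element, the bean runs in the
       BYPASSED-SECURITY pseudo-domain. On JBoss 5 the security
       interceptor then pushes a null subject and, as the thread shows,
       the caller's subject is not restored afterwards. -->

  <!-- Corrected: bind the bean to a real domain whose login module
       restores the previous identity. -->
  <security-domain>java:/jaas/EjbRealm</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>CalleeBean</ejb-name>
    </session>
  </enterprise-beans>
</jboss>

<!-- conf/login-config.xml: both domains used by the thread. -->
<policy>
  <!-- Domain of the CALLING EJB, unchanged from the thread. -->
  <application-policy name="MyRealm">
    <authentication>
      <login-module code="ch.abacus.flow.jboss.security.auth.SystemLogingModule" flag="required"/>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
    </authentication>
  </application-policy>

  <!-- Domain of the CALLED EJB. restore-login-identity=true makes
       ClientLoginModule remember the principal/credential that were
       associated before login() and restore them on logout(), instead
       of leaving the association empty. -->
  <application-policy name="EjbRealm">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

Note that `<application-policy name="BYPASSED-SECURITY">` is not consulted, as the poster found: that name is an internal marker for "no security-domain configured", not a domain that login-config.xml can define, so the callee has to be moved into a named domain such as EjbRealm for the option to take effect. The two XML documents above live in separate files in practice; they are shown together here only for reading.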