7 Replies Latest reply on Sep 6, 2010 4:59 AM by Davide Tabarelli

    Security principal propagation across ejb3 modules

    Davide Tabarelli Newbie

      Hi,

      I'm developing an enterprise application within JBoss 5.

      I have multiple EJB3 modules in a single ear, each one under the same security domain.

      Authentication works properly and the ClientLoginModule is required in the application policy.

      My question is the following: if the client (or the web tier) calls EJB 1, which in turn calls EJB 2 (both secured), is the security Principal propagated correctly?

      It is giving me a "principal: null" exception when the second EJB is called in the stack ..

      Where am I wrong?

      Thanks in advance.

      D.

        • 1. Re: Security principal propagation across ejb3 modules
          Davide Tabarelli Newbie

          No one is answering me ... maybe my question is too newbie/stupid or ill-posed ??

          I suppose the last (ill-posed) and therefore I try to explain it again better.

          As far as I know, credentials/principal have to be propagated within EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

          The situation:

          - Two EJB modules in an EAR. Same security realm.
          - A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
          - The client is authenticated as Principal="SomeOne", Role="MyRole".
          - The method requires role "MyRole" by means of @RolesAllowed("MyRole").
          - The method A in turn calls a method B, which is inside another session bean in EJB B.
          - Also the method B is marked with @RolesAllowed("MyRole").
          - Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

          Looking into the logs (TRACE level) it points out that:

          1) The call to the method A is successfully authenticated (Principal="SomeOne", Role="MyRole").
          2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).

          Has someone faced this issue before?

          Thanking you in advance.

          D.

          • 2. Re: Security principal propagation across ejb3 modules
            jaikiran pai Master

            For the sake of completeness and better understanding, can you post the TRACE logs, the relevant code and the config files?

            P.S: Although I don't expect it to fix this issue, I would recommend that you apply our latest EJB3 plugin http://www.jboss.org/ejb3/ejb3plugin.html against JBoss AS 5.1.0

            • 3. Re: Security principal propagation across ejb3 modules
              Davide Tabarelli Newbie

              Of course ...

              I forgot to mention that I've already patched JBoss with the EJB3 Plugin 1.0.19.

              Here is the security realm configuration in login-config.xml:

              <application-policy  name="cdrms-realm">
                   <authentication>           
                        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                             <module-option name="dsJndiName">java:cimecDS</module-option>
                             <module-option name="principalsQuery">SELECT CDRMS_JBOSS_USER(?)</module-option>
                             <module-option name="rolesQuery">SELECT 'CDRMSRealmUser', 'Roles' FROM RESOURCES_LIST WHERE NAME=?</module-option>
                             <module-option name="hashAlgorithm">MD5</module-option>
                             <module-option name="hashEncoding">HEX</module-option>
                             <module-option name="ignorePasswordCase">true</module-option>
                             <module-option name="debug">true</module-option>
                        </login-module>
                        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                             <module-option name="debug">true</module-option>
                        </login-module>
                   </authentication>
              </application-policy>

              The Bean A in EJB A:

              import javax.annotation.Resource;
              import javax.annotation.security.RolesAllowed;
              import javax.ejb.EJB;
              import javax.ejb.SessionContext;
              import javax.ejb.Stateless;
              import org.jboss.ejb3.annotation.LocalBinding;
              import org.jboss.ejb3.annotation.RemoteBinding;
              import org.jboss.ejb3.annotation.SecurityDomain;
              import org.jboss.logging.Logger;

              @Stateless
              @RemoteBinding(jndiBinding = "CDRMS/AuditMessageManager/remote")
              @LocalBinding(jndiBinding = "CDRMS/AuditMessageManager/local")
              @SecurityDomain("cdrms-realm")
              @RolesAllowed({"CDRMSRealmUser"})
              public class AuditMessageManagerBean implements AuditMessageManagerRemote, AuditMessageManagerLocal {
                   // The logger field was not shown in the original post; org.jboss.logging is assumed here
                   private static final Logger log = Logger.getLogger(AuditMessageManagerBean.class);

                   // Local reference to bean B in the other EJB module, resolved through its JNDI binding
                   @EJB(mappedName = "CDRMS/AuditEventManager/local")
                   private AuditEventManager pm;
                   @Resource
                   private SessionContext sctx;

                   // ... business and lifecycle methods ...

                   public int count() {
                        log.info("------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
                        return pm.count(); // (1) nested call into bean B: this is where the caller principal is lost
                   }
              }

              The bean B in EJB B:
              import javax.annotation.Resource;
              import javax.annotation.security.RolesAllowed;
              import javax.ejb.SessionContext;
              import javax.ejb.Stateless;
              import javax.persistence.EntityManager;
              import javax.persistence.PersistenceContext;
              import org.jboss.ejb3.annotation.LocalBinding;
              import org.jboss.ejb3.annotation.RemoteBinding;
              import org.jboss.ejb3.annotation.SecurityDomain;
              import org.jboss.logging.Logger;

              @Stateless
              @RemoteBinding(jndiBinding = "CDRMS/AuditEventManager/remote")
              @LocalBinding(jndiBinding = "CDRMS/AuditEventManager/local")
              @SecurityDomain("cdrms-realm")
              @RolesAllowed({"CDRMSRealmUser"})
              public class AuditEventManagerBean implements AuditEventManagerLocal, AuditEventManagerRemote {
                   // The logger field was not shown in the original post; org.jboss.logging is assumed here
                   private static final Logger log = Logger.getLogger(AuditEventManagerBean.class);

                   @PersistenceContext(unitName = "cimecPU")
                   private EntityManager em;
                   @Resource
                   private SessionContext sctx;

                   // ... business and lifecycle methods ...

                   public int count() { // (2) called directly by the client (works) and from bean A (fails)
                        log.info("------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
                        return ((Long) em.createQuery("select count(o) from AuditEvent as o").getSingleResult()).intValue();
                   }
              }

              The standalone client main method:

              import java.util.Properties;
              import java.util.logging.Level;
              import java.util.logging.Logger;
              import javax.naming.Context;
              import javax.naming.InitialContext;
              import org.jboss.security.client.SecurityClient;
              import org.jboss.security.client.SecurityClientFactory;

              public class SecurityTest {

                   public static void main(String[] args) {
                        try {
                             // Client-side login; the ClientLoginModule keeps the credentials for the remote calls
                             SecurityClient client = SecurityClientFactory.getSecurityClient();
                             client.setSimple("vera.aloe", "***");
                             client.login();

                             Properties env = new Properties();
                             env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
                             // URL_PKG_PREFIXES takes the package prefix list, not the context factory class
                             env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
                             env.setProperty(Context.PROVIDER_URL, "jnp://mybindinghost:1099/");

                             InitialContext ic = new InitialContext(env);

                             // This is ok
                             AuditEventManager aem = (AuditEventManager) ic.lookup("CDRMS/AuditEventManager/remote");
                             System.out.println(aem.count());

                             // This gives the exception below
                             AuditMessageManager am = (AuditMessageManager) ic.lookup("CDRMS/AuditMessageManager/remote");
                             System.out.println(am.count());

                             // The same results by using LoginContext & CallbackHandler instead of SecurityClient
                             // and from the web tier
                        } catch (Exception ex) {
                             Logger.getLogger(SecurityTest.class.getName()).log(Level.SEVERE, null, ex);
                        }
                   }
              }

              The principal is correct in (2) but is anonymous in (1) ... here is the exception trace:
              17:51:56,691 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716691 sessioncount 0
              17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 1 expired sessions: 0
              17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716692 sessioncount 0
              17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
              17:51:59,082 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
              17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
              17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End validateCache, isValid=true
              17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End isValid, true
              17:51:59,083 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
              17:51:59,083 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56746]) Setting threadlocal:{}
              17:51:59,083 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56746]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
              17:51:59,083 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56746]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
              17:51:59,084 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditEventManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
                  Principal: vera.aloe
                  Principal: Roles(members:CDRMSRealmUser)
              :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
              17:51:59,084 INFO  [AuditEventManagerBean](WorkerThread#0[192.168.185.16:56746]) ------------------> Principal = vera.aloe
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End isValid, true
              17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
              17:51:59,133 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
              17:51:59,133 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
              17:51:59,133 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.audit.AuditMessageManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
              17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.audit.AuditMessageManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditMessageManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
                  Principal: vera.aloe
                  Principal: Roles(members:CDRMSRealmUser)
              :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
              17:51:59,139 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:null, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447]
              17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447];credential.class=null
              17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
              17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End isValid, true
              17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) popSubjectContext, sc=null
              17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) WARN::Deprecated usage of SecurityAssociation. Use SecurityContext
              17:51:59,141 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) getPrincipal, cache info: null
              17:51:59,141 INFO  [AuditMessageManagerBean](WorkerThread#0[192.168.185.16:56748]) ------------------> Principal = anonymous
              17:51:59,141 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
              17:51:59,142 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
              17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Local, requiredRoles=Roles(CDRMSRealmUser,)
              17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) Exception:Insufficient method permissions, principal=null, ejbName=AuditEventManagerBean, method=count, interface=Local, requiredRoles=Roles(CDRMSRealmUser,), principalRoles=Roles()
              17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
                  Principal: anonymous
              :role=Roles()
              17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Error in authorize:
              org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
                  at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
                  at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
                  at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
                  at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
                  at $Proxy786.count(Unknown Source)
                  at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
                  at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
                  at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
                  at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
                  at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
                  at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
                  at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
                  at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
                  at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
                  at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
                  at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
              17:51:59,147 TRACE [EJBAuthorizationHelper](WorkerThread#0[192.168.185.16:56748]) Error in authorization:
              org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
                  at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
                  at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
                  at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
                  at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
                  at $Proxy786.count(Unknown Source)
                  at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
                  at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
                  at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
                  at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
                  at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
                  at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
                  at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
                  at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
                  at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
                  at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
                  at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
              17:51:59,149 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Local:ejbName=AuditEventManagerBean:ejbPrincipal=null:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
                  Principal: anonymous
              :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;

               

In addition: I've tried both with and without specifying to use caller identity in the ejb-jar.xml descriptors, as follows:

               

              EJB A:

               

              <ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee" 
                       version = "3.0"
                       xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
                  <enterprise-beans>
                      <session>
                          <ejb-name>AuditEventManagerBean</ejb-name>
                          <security-identity>
                              <use-caller-identity/>
                          </security-identity>
                      </session>
                  </enterprise-beans>
              </ejb-jar>

               

              EJB B:

              <ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee" 
                       version = "3.0"
                       xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
                  <enterprise-beans>
                      <session>
                          <ejb-name>AuditMessageManagerBean</ejb-name>
                          <security-identity>
                              <use-caller-identity/>
                          </security-identity>
                      </session>
                  </enterprise-beans>
              </ejb-jar>
              

               

              Thank you very much in advance.

               

              D.
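The setup described in this post, written out as an added example (not code from the thread or from JBoss): two stateless session beans in separate EJB modules of one EAR, both in the same security domain and both guarded by @RolesAllowed("MyRole"). The outer bean logs the caller principal it sees and its role membership before delegating to the inner bean, and compares that with the principal the inner bean reports, so a lost or changed identity shows up in the log next to the "Caller unauthorized" exception. Bean names, package names, the security domain "MyRealm" and the role "MyRole" are assumptions; org.jboss.ejb3.annotation.SecurityDomain is the JBoss 5 annotation for binding a bean to a security domain.

```java
// Added example, not from the original thread. Each "---" separator marks a
// separate source file; the names below are placeholders.

// --- ejb-b.jar : com/example/ejbb/InnerService.java ---
package com.example.ejbb;

import javax.ejb.Local;

@Local
public interface InnerService {
    /** Name of the principal the inner bean observes for this call. */
    String whoAmI();
}

// --- ejb-b.jar : com/example/ejbb/InnerServiceBean.java ---
package com.example.ejbb;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless(name = "InnerServiceBean")
@SecurityDomain("MyRealm")          // same domain as module A (assumed name)
@RolesAllowed("MyRole")
public class InnerServiceBean implements InnerService {

    @Resource
    private SessionContext ctx;

    public String whoAmI() {
        // If the caller identity was not propagated from module A, the
        // authorization interceptor rejects the call before reaching here.
        return ctx.getCallerPrincipal().getName();
    }
}

// --- ejb-a.jar : com/example/ejba/OuterService.java ---
package com.example.ejba;

import javax.ejb.Remote;

@Remote
public interface OuterService {
    /** Calls into module B and returns the principal seen there. */
    String callInner();
}

// --- ejb-a.jar : com/example/ejba/OuterServiceBean.java ---
package com.example.ejba;

import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
import com.example.ejbb.InnerService;

@Stateless(name = "OuterServiceBean")
@SecurityDomain("MyRealm")
@RolesAllowed("MyRole")
public class OuterServiceBean implements OuterService {

    private static final Logger LOG =
        Logger.getLogger(OuterServiceBean.class.getName());

    @Resource
    private SessionContext ctx;

    // Cross-module reference resolved by interface type within the EAR.
    @EJB
    private InnerService inner;

    public String callInner() {
        String outerCaller = ctx.getCallerPrincipal().getName();
        boolean inRole = ctx.isCallerInRole("MyRole");
        LOG.info("outer bean sees principal=" + outerCaller
                 + " isCallerInRole(MyRole)=" + inRole);

        // "anonymous" is the unauthenticated identity that appeared in the
        // audit log above; seeing it here means the identity was already
        // missing before the cross-module call.
        if ("anonymous".equals(outerCaller)) {
            LOG.warning("no authenticated caller reached the outer bean");
        }

        // With <use-caller-identity/> (also the default) the inner bean
        // must observe the same principal as the outer one.
        String innerCaller = inner.whoAmI();
        if (!outerCaller.equals(innerCaller)) {
            LOG.warning("principal changed across modules: "
                        + outerCaller + " -> " + innerCaller);
        }
        return innerCaller;
    }
}
```

Deploy both jars in one EAR under the same security domain and call OuterService.callInner() as an authenticated client holding MyRole: the two log lines bracket the cross-module hop, so a propagation failure is visible as a mismatch (or "anonymous") in the outer log line rather than only as an EJBAccessException from the inner bean.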

              • 4. Re: Security principal propagation accross ejb3 modules
                Davide Tabarelli Newbie

... sorry, I've inverted the naming (EJB A vs EJB B with respect to the first post) ...

                • 5. Re: Security principal propagation accross ejb3 modules
                  Davide Tabarelli Newbie

                  I've found out the problem ...

                   

I have a JMS connection in the session bean that "loses" the authentication ...
.. and it seems that there are bugs in JBoss 5.1 together with JMS 1.4 (see http://community.jboss.org/thread/44409?tstart=0)

                   

                  Solved by updating to JMS 2.

                   

                  Thanks to everyone.

                   

                  D.

                  • 6. Re: Security principal propagation accross ejb3 modules
                    Kobi Ianko Apprentice

                    Hi Davide,

How did you update to JMS 2.0? Could you help me with the steps needed to perform the upgrade?

                     

                    10x, Kobi

                    • 7. Re: Security principal propagation accross ejb3 modules
                      Davide Tabarelli Newbie

                      Hi Kobi.

                       

I simply installed the HornetQ module on JBoss 5, following the instructions at http://www.jboss.org/hornetq/docs.html

                       

                      Bye.