5 Replies Latest reply on Nov 14, 2014 3:32 PM by Wolf-Dieter Fink

    EJB invocation denied on Wildfly 8.0 & 8.1

    Ricardo Veloso Newbie

      Hello,

       

      I'm facing a problem when invoking a protected EJB 2 from a thread launched by a servlet, with the exception

      javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String net.example.ejb.Greeter.greet(java.lang.String) of bean: GreeterBean is not allowed

       

      Attatched to this message is a functional simple ear project that can simulate this situation. In the zip file is included a security-domain.xml that is the piece of xml to add to security-domain section of standalone-full.xml configuration.

      Is also included the source code. I have been trying some combinations with InitialContext properties with no success.

       

      Is this a Wildfly bug or is something I'm doing wrong?

       

      I have a functional application with this behaviour working in JBoss 6 (with specific InitialContext configuration at the time).

        • 1. Re: EJB invocation denied on Wildfly 8.0 & 8.1
          jaikiran pai Master

          Take a look at the section "Access to methods without explicit security metadata, on a secured bean" in this documentation Securing EJBs - WildFly 8 - Project Documentation Editor. It explains what's going on and how to fix it.

          • 2. Re: EJB invocation denied on Wildfly 8.0 & 8.1
            Wolf-Dieter Fink Master

            You might set the global configuration missing-method-permission-deny-access of the servers ejb subsystem to false

            • 3. Re: EJB invocation denied on Wildfly 8.0 & 8.1
              Ricardo Veloso Newbie

              Hi guys, thanks for the help.

               

              That work pretty well a simple EJB 3 example project.

              It doesn't work with EJB2 project with method permission defined in ejb-jar.xml. Any help?

               

              But the problem here is that we open the security for bean invocation.

              In my real project, in Jboss 6 for now, we have a property file where we set the username and password to access the bean, then the authentication and authorization is responsability of JBoss himself, base on LDAP or property files authentication models.

              I can't figure out how to set up this model in Wildfly.

              • 4. Re: EJB invocation denied on Wildfly 8.0 & 8.1
                Ricardo Veloso Newbie

                I found a way to do this in Wildfly series, a few months ago, after a couple weeks investigating.

                 

                I follow some examples, and the strategy is to use a ClientLoginModule and use de LoginContext helper.

                 

                <security-domain name="clm" cache-type="default">

                     <authentication>

                          <login-module code="Client" flag="required">

                               <module-option name="multi-threaded" value="true"/>

                               <module-option name="restore-login-identity" value="true"/>

                          </login-module>

                     </authentication>

                </security-domain>

                <security-domain name="appdomain" cache-type="default">

                     <authentication>

                          <login-module code="UsersRoles" flag="required">

                               <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>

                               <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>

                               <module-option name="password-stacking" value="useFirstPass"/>

                          </login-module>

                     </authentication>

                </security-domain>

                 

                EJBs are secured by a domain (appdomain in the example), but to accessing them from a thread we need a manual authentication as follows:

                new LoginContext("clm", new Subject(), new UsernamePasswordCallbackHandler(username, password))

                 

                That works like a sharm, BUT I don't understand the link between the ClientLoginModule and the application security domain.

                 

                Can anyone have the kindness to tell me how this works ? Appreciated.

                • 5. Re: EJB invocation denied on Wildfly 8.0 & 8.1
                  Wolf-Dieter Fink Master

                  If security is enabled for the remoting connector the client need to have user/passwd to establish the connection. This can be done by properties file jboss-ejb-client.properties or as you did with the JAAS CallbackHandler.