2 Replies Latest reply on Mar 23, 2015 11:01 AM by virchete

Secure EJB: javax.ejb.EJBAccessException: JBAS013323: Invalid User

virchete Mar 16, 2015 7:30 AM

Hi,

A switchyard quickstart that was working in EAP 4, is failing in wildfly 8.0.0-Final.

This is the error stacktrace:

https://gist.github.com/dvirgiln/055ed02ed8a897bf2be3

A user kermit has been added with group friend, before starting wildfly.

In the first line of the previous link you can see the roles that the caller contains:

12:08:35,342 INFO [org.switchyard.quickstarts.demo.security.propagation.basic.WorkServiceBean] (default task-1) :: WorkService :: Received work command => CMD-1426504115037 (caller principal=kermit, in roles? 'friend'=true 'enemy'=false)

This is the standalone.xml used:

https://gist.github.com/dvirgiln/f7544f8e88def36ac47f

The only difference with the standard standanole.xml is that it contains the switchyard modules installed and as well for making this quickstart working, these actions have been applied:

	/core-service=management/security-realm=https:add()
	/core-service=management/security-realm=https/server-identity=ssl:add(keystore-path=${jboss.home.dir}/quickstarts/demos/security-propagation/basic/connector.jks, keystore-password=changeit)
	/subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=https)

The EJB that is failing is this:

quickstarts/TestEJBBean.java at master · dvirgiln/quickstarts · GitHub

1. Re: Secure EJB: javax.ejb.EJBAccessException: JBAS013323: Invalid User

virchete Mar 16, 2015 10:35 AM (in response to virchete)

The problem is in this line:
https://github.com/wildfly/wildfly/blob/8.0.0.Final/ejb3/src/main/java/org/jboss/as/ejb3/security/SecurityContextInterceptor.java#L52

The problem is in the SimpleSecurityManager that is inside of wildfly-security:

public void authenticate(final String runAs, final String runAsPrincipal, final Set<String> extraRoles) {
        SecurityContext context = SecurityContextAssociation.getSecurityContext();
        SecurityContextUtil util = context.getUtil();

        Object credential = util.getCredential();
        Subject subject = null;
        if (credential instanceof RemotingConnectionCredential) {
            subject = ((RemotingConnectionCredential) credential).getSubject();
        }

        if (authenticate(context, subject) == false) {
            throw SecurityMessages.MESSAGES.invalidUserException();
        }
The Credential object is null. Then the subject is null and the authenticate(context,subject) fails.

I checked the identity object created and this is the content:

I checked how the Identity was created and it was created using:
Set<Object> credentials = subject.getPrivateCredentials();
Object credential = !credentials.isEmpty() ? credentials.iterator().next() : null;
Identity identity = CredentialIdentityFactory.createIdentity(principal, credential, roleGroup);

The credential object is null in the creation. It is read from the privateCredentials from the subject. The subject is created like this:

final Subject subject = securityContext.getSubject(securityDomain);

This is the identity object created initially, that later on fails on the authentication. It fails because the privateCredentials from the subject are null.
Identity identity = CredentialIdentityFactory.createIdentity(principal, credential, roleGroup);
identity    CredentialIdentityFactory$1 (id=12643)
    val$cred    null
    val$principal    SimplePrincipal (id=12625)     -->Contains kermit
    val$roles    SimpleRoleGroup (id=12642)       -->
Actions
2. Re: Secure EJB: javax.ejb.EJBAccessException: JBAS013323: Invalid User

virchete Mar 23, 2015 11:01 AM (in response to virchete)

Any idea??
Actions

Go to original post