2 Replies Latest reply on Mar 23, 2015 11:01 AM by David virgil naranjo

    Secure EJB: javax.ejb.EJBAccessException: JBAS013323: Invalid User

    David virgil naranjo Novice



      A switchyard quickstart that was working in EAP 4 is failing in wildfly 8.0.0-Final.


      This is the error stacktrace:



      A user kermit has been added with group friend, before starting wildfly.


      In the first line of the previous link you can see the roles that the caller contains:

      12:08:35,342 INFO [org.switchyard.quickstarts.demo.security.propagation.basic.WorkServiceBean] (default task-1) :: WorkService :: Received work command => CMD-1426504115037 (caller principal=kermit, in roles? 'friend'=true 'enemy'=false)


      This is the standalone.xml used:



      The only difference with the standard standalone.xml is that it contains the switchyard modules installed, and as well, to make this quickstart work, these actions have been applied:

      /core-service=management/security-realm=https/server-identity=ssl:add(keystore-path=${jboss.home.dir}/quickstarts/demos/security-propagation/basic/connector.jks, keystore-password=changeit)
      /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=https)


      The EJB that is failing is this:


      quickstarts/TestEJBBean.java at master · dvirgiln/quickstarts · GitHub

        • 1. Re: Secure EJB: javax.ejb.EJBAccessException: JBAS013323: Invalid User
          David virgil naranjo Novice

          The problem is in this line:



          The problem is in the SimpleSecurityManager that is inside of wildfly-security:


          public void authenticate(final String runAs, final String runAsPrincipal, final Set<String> extraRoles) {
              SecurityContext context = SecurityContextAssociation.getSecurityContext();
              SecurityContextUtil util = context.getUtil();

              // The credential comes from the security context of the current call.
              Object credential = util.getCredential();
              Subject subject = null;
              if (credential instanceof RemotingConnectionCredential) {
                  subject = ((RemotingConnectionCredential) credential).getSubject();
              }

              // With a null credential the subject stays null and this check fails.
              if (authenticate(context, subject) == false) {
                  throw SecurityMessages.MESSAGES.invalidUserException();
              }
              // ... (rest of the method not quoted in the post)
          }


          The Credential object is null. Then the subject is null and the authenticate(context, subject) fails.


          I checked the identity object created and this is the content:


          I checked how the Identity was created and it was created using:

          Set<Object> credentials = subject.getPrivateCredentials();
          Object credential = !credentials.isEmpty() ? credentials.iterator().next() : null;

          Identity identity = CredentialIdentityFactory.createIdentity(principal, credential, roleGroup);


          The credential object is null in the creation. It is read from the privateCredentials from the subject. The subject is created like this:


          final Subject subject = securityContext.getSubject(securityDomain);


          This is the identity object created initially, that later on fails on the authentication. It fails because the privateCredentials from the subject are null.

          Identity identity = CredentialIdentityFactory.createIdentity(principal, credential, roleGroup);

          identity    CredentialIdentityFactory$1  (id=12643)   

              val$cred    null   

              val$principal    SimplePrincipal  (id=12625)     -->Contains kermit

              val$roles    SimpleRoleGroup  (id=12642)       -->
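The chain the reply walks through (Subject private credentials -> first credential or null -> Identity -> authenticate check) modelled with plain JDK types, as an added illustration that is not WildFly's code or the quickstart's. SimplePrincipal, PasswordCredential and the one-line authenticate method are stand-ins constructed here; the typed lookup via Subject.getPrivateCredentials(Class) is standard JAAS API and is shown as an assumed alternative to taking the first element of the set.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.Subject;

// Added illustration (not WildFly code): models the credential -> Subject -> Identity
// chain described in the thread using only JDK classes, so it compiles stand-alone.
public class CredentialChainDemo {

    // Stand-in for the org.jboss.security SimplePrincipal seen in the debugger dump.
    static final class SimplePrincipal implements Principal {
        private final String name;
        SimplePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return name; }
    }

    // Stand-in for the credential a login module would normally store in the Subject.
    static final class PasswordCredential {
        private final char[] password;
        PasswordCredential(char[] password) { this.password = password.clone(); }
    }

    // Mirrors the lookup quoted in the thread: first private credential, or null if the set is empty.
    static Object firstPrivateCredential(Subject subject) {
        Set<Object> credentials = subject.getPrivateCredentials();
        return !credentials.isEmpty() ? credentials.iterator().next() : null;
    }

    // Type-selective variant (an assumption of this example, not what WildFly does): ask only for the
    // expected credential class, so an unrelated object that happens to sit first in the set is never
    // mistaken for the credential.
    static PasswordCredential passwordCredential(Subject subject) {
        Set<PasswordCredential> creds = subject.getPrivateCredentials(PasswordCredential.class);
        return creds.isEmpty() ? null : creds.iterator().next();
    }

    // Models the outcome of SimpleSecurityManager.authenticate: no credential means no Subject to
    // verify, which surfaces to the caller as JBAS013323 "Invalid User".
    static boolean authenticate(Object credential) {
        return credential != null;
    }

    public static void main(String[] args) {
        Set<Principal> principals = new HashSet<>();
        principals.add(new SimplePrincipal("kermit"));

        // Case 1 (constructed): principal and roles present, but no private credential, as in the thread.
        Subject noCredential = new Subject(false, principals, new HashSet<>(), new HashSet<>());
        System.out.println("no credential   -> authenticate=" + authenticate(firstPrivateCredential(noCredential)));

        // Case 2 (constructed): the login module also stored a credential in the Subject.
        Set<Object> privateCreds = new HashSet<>();
        privateCreds.add(new PasswordCredential("constructed-secret".toCharArray()));
        Subject withCredential = new Subject(false, principals, new HashSet<>(), privateCreds);
        System.out.println("with credential -> authenticate=" + authenticate(firstPrivateCredential(withCredential)));
        System.out.println("typed lookup    -> found=" + (passwordCredential(withCredential) != null));
    }
}
```

Running the class prints false for the first Subject and true for the second; the point of the typed lookup is that a debugger dump like the one above (principal and roles filled, val$cred null) is answered by checking what the login module actually put into the Subject's private credential set, rather than by assuming the first entry is the right one.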