2 Replies Latest reply on Mar 23, 2015 11:01 AM by David virgil naranjo

    Secure EJB: javax.ejb.EJBAccessException: JBAS013323: Invalid User

    David virgil naranjo Novice

      Hi,

       

      A switchyard quickstart that was working in EAP 4 is failing in wildfly 8.0.0-Final.

       

      This is the error stacktrace:

      https://gist.github.com/dvirgiln/055ed02ed8a897bf2be3

       

      A user kermit has been added with the group friend before starting wildfly.

       

      In the first line of the previous link you can see the roles that the caller contains:

      12:08:35,342 INFO [org.switchyard.quickstarts.demo.security.propagation.basic.WorkServiceBean] (default task-1) :: WorkService :: Received work command => CMD-1426504115037 (caller principal=kermit, in roles? 'friend'=true 'enemy'=false)

       

      This is the standalone.xml used:

      https://gist.github.com/dvirgiln/f7544f8e88def36ac47f

       

      The only difference from the standard standalone.xml is that it has the switchyard modules installed and, to make this quickstart work, these actions have been applied:

      /core-service=management/security-realm=https:add()
      /core-service=management/security-realm=https/server-identity=ssl:add(keystore-path=${jboss.home.dir}/quickstarts/demos/security-propagation/basic/connector.jks, keystore-password=changeit)
      /subsystem=undertow/server=default-server/https-listener=https:add(socket-binding=https, security-realm=https)

       

      The EJB that is failing is this:

       

      quickstarts/TestEJBBean.java at master · dvirgiln/quickstarts · GitHub

        • 1. Re: Secure EJB: javax.ejb.EJBAccessException: JBAS013323: Invalid User
          David virgil naranjo Novice

          The problem is in this line:

          https://github.com/wildfly/wildfly/blob/8.0.0.Final/ejb3/src/main/java/org/jboss/as/ejb3/security/SecurityContextInterceptor.java#L52

           

          The problem is in the SimpleSecurityManager that is inside of wildfly-security:

           

          public void authenticate(final String runAs, final String runAsPrincipal, final Set<String> extraRoles) {
              SecurityContext context = SecurityContextAssociation.getSecurityContext();
              SecurityContextUtil util = context.getUtil();

              // Credential attached to the current security context; in this case it is null
              Object credential = util.getCredential();
              Subject subject = null;
              if (credential instanceof RemotingConnectionCredential) {
                  subject = ((RemotingConnectionCredential) credential).getSubject();
              }

              // With a null subject this check fails and JBAS013323 "Invalid User" is thrown
              if (authenticate(context, subject) == false) {
                  throw SecurityMessages.MESSAGES.invalidUserException();
              }
              // ... remainder of the method not quoted here
          }

          The Credential object is null. Then the subject is null and the authenticate(context,subject) fails.

           

          I checked the identity object created and this is the content:

           

          I checked how the Identity was created and it was created using:

          Set<Object> credentials = subject.getPrivateCredentials();
          Object credential = !credentials.isEmpty() ? credentials.iterator().next() : null;

          Identity identity = CredentialIdentityFactory.createIdentity(principal, credential, roleGroup);

           

          The credential object is null at creation. It is read from the privateCredentials of the subject. The subject is created like this:

           

          final Subject subject = securityContext.getSubject(securityDomain);

           

          This is the identity object created initially, which later fails the authentication. It fails because the privateCredentials of the subject are empty.

          Identity identity = CredentialIdentityFactory.createIdentity(principal, credential, roleGroup);

          identity    CredentialIdentityFactory$1  (id=12643)   

              val$cred    null   

              val$principal    SimplePrincipal  (id=12625)     -->Contains kermit

              val$roles    SimpleRoleGroup  (id=12642)       -->
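The following is an added example, not code from the post or from WildFly, that reproduces the credential lookup quoted in the reply above using only the JDK's javax.security.auth.Subject. The NamePrincipal class and the "constructed-credential" value are assumptions made for the example; the point is to make an empty private-credential set visible before the EJB call, since that is what the quoted code turns into a null credential and then an "Invalid User" failure.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

/** Hypothetical diagnostic mirroring the credential lookup quoted in the reply (not WildFly code). */
public class SubjectCredentialCheck {

    /** Minimal Principal implementation used only for this example. */
    static final class NamePrincipal implements Principal {
        private final String name;
        NamePrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public String toString() { return "NamePrincipal[" + name + "]"; }
    }

    /** Same rule as the quoted code: first private credential, or null when the set is empty. */
    static Object firstPrivateCredential(Subject subject) {
        Set<Object> credentials = subject.getPrivateCredentials();
        return credentials.isEmpty() ? null : credentials.iterator().next();
    }

    /** Summarises what the Subject actually carries so an empty credential set is obvious in a log. */
    static String describe(Subject subject) {
        StringBuilder sb = new StringBuilder();
        sb.append("principals=").append(subject.getPrincipals()).append('\n');
        sb.append("publicCredentials=").append(subject.getPublicCredentials().size()).append('\n');
        sb.append("privateCredentials=").append(subject.getPrivateCredentials().size()).append('\n');
        sb.append("credentialForIdentity=").append(firstPrivateCredential(subject));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed Subject resembling the one in the post: principal present, no private credential.
        Subject propagated = new Subject();
        propagated.getPrincipals().add(new NamePrincipal("kermit"));
        System.out.println("-- subject as seen in the failing call --");
        System.out.println(describe(propagated)); // credentialForIdentity=null

        // The same Subject once a private credential is attached (constructed placeholder value).
        Subject withCredential = new Subject();
        withCredential.getPrincipals().add(new NamePrincipal("kermit"));
        withCredential.getPrivateCredentials().add("constructed-credential");
        System.out.println("-- subject carrying a private credential --");
        System.out.println(describe(withCredential)); // credentialForIdentity=constructed-credential
    }
}
```

Calling describe() on the Subject obtained from the security domain, just before the EJB invocation, shows whether the propagated identity carries any private credential at all; a principal with the right roles and zero private credentials matches the debugger dump in the reply (val$cred null) and explains why the role check in the bean passes while the EJB's authenticate call does not.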