WFLYSEC0027: Invalid User when using two security domains
grischa.paul Feb 20, 2018 8:17 AM
Hello,
The error "WFLYSEC0027: Invalid User" occurs in WildFly 10.1 (and probably other versions) if a web application, running in a security domain named for example "kubusdomain", calls an EJB in the domain "default", for which method-permission "unchecked" is set in the assembly-descriptor of the ejb-jar.xml. When removing this (obsolete) method-permission setting from ejb-jar.xml, it works. It seems that with the method-permission setting WildFly gets an empty user without some domain-user mapping (if this is possible to be configured at all) between both domains.
To reproduce it you can add the following security domain to the standalone-full.xml:
<subsystem xmlns="urn:jboss:domain:security:1.2">
<security-domains>
...
<security-domain name="kubusdomain" cache-type="default">
<authentication>
<login-module code="Simple" flag="required"/>
</authentication>
</security-domain>
</security-domains>
</subsystem>
To be able to authenticate the web session, add to the WAR's web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name></web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>user</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>BASIC</auth-method>
<realm-name>default</realm-name>
</login-config>
and also add a jboss-web.xml to the WAR's WEB-INF folder with the element
<security-domain>kubusdomain</security-domain>
In ejb-jar.xml, insert the following assembly-descriptor:
<assembly-descriptor>
<method-permission>
<unchecked/>
<method>
<ejb-name>MyEJB</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>
</assembly-descriptor>
In the browser's login panel you can insert the same arbitrary value for user and password to get authenticated by the login module "Simple" configured in the security domain.
I solved it by removing the method-permission, but probably there are better ways to handle this, or it might be a bug.
Thank you.
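As an added example (not part of the post above and not WildFly code), here is a small audit script that parses the three descriptors the post describes and flags the conditions that combine into this problem: a WAR bound to a different security domain than its EJB, an <unchecked/> method-permission, and a "Simple" login module. The sample descriptors are constructed to mirror the post's snippets; the EJB's domain is passed in as a parameter (assumed "default", as in the post).

```python
"""Audit a WAR/EJB deployment for the cross-domain setup described above."""
import xml.etree.ElementTree as ET

# Constructed sample inputs that mirror the snippets in the post (not real files).
STANDALONE_XML = """<subsystem xmlns="urn:jboss:domain:security:1.2">
  <security-domains>
    <security-domain name="kubusdomain" cache-type="default">
      <authentication><login-module code="Simple" flag="required"/></authentication>
    </security-domain>
  </security-domains>
</subsystem>"""
JBOSS_WEB_XML = "<jboss-web><security-domain>kubusdomain</security-domain></jboss-web>"
EJB_JAR_XML = """<ejb-jar><assembly-descriptor><method-permission><unchecked/>
  <method><ejb-name>MyEJB</ejb-name><method-name>*</method-name></method>
</method-permission></assembly-descriptor></ejb-jar>"""


def local(tag):
    """Strip an XML namespace so descriptors with or without the Java EE namespace match."""
    return tag.rsplit("}", 1)[-1]


def find_all(root, name):
    """All elements (including root) whose local tag name equals `name`."""
    return [e for e in root.iter() if local(e.tag) == name]


def audit(standalone_xml, jboss_web_xml, ejb_jar_xml, ejb_domain="default"):
    """Return human-readable findings; ejb_domain is an assumed input, not parsed."""
    findings = []
    # 1. WAR bound to a security domain other than the one the EJB runs in.
    web_domain_el = find_all(ET.fromstring(jboss_web_xml), "security-domain")
    web_domain = web_domain_el[0].text.strip() if web_domain_el else None
    if web_domain and web_domain != ejb_domain:
        findings.append(f"web domain {web_domain!r} differs from EJB domain {ejb_domain!r}")
    # 2. <unchecked/> method-permission in the EJB assembly descriptor.
    for perm in find_all(ET.fromstring(ejb_jar_xml), "method-permission"):
        if find_all(perm, "unchecked"):
            names = [m.text for m in find_all(perm, "method-name")]
            findings.append(f"unchecked method-permission on methods {names}")
    # 3. "Simple" login module: accepts any user whose password equals the username.
    for sd in find_all(ET.fromstring(standalone_xml), "security-domain"):
        for lm in find_all(sd, "login-module"):
            if lm.get("code") == "Simple":
                findings.append(f"domain {sd.get('name')!r} uses the Simple login module (test-only)")
    return findings


if __name__ == "__main__":
    for line in audit(STANDALONE_XML, JBOSS_WEB_XML, EJB_JAR_XML):
        print("FINDING:", line)
```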