1 Reply Latest reply on Feb 21, 2018 3:37 AM by Anup Dey

    WFLYSEC0027: Invalid User when using two security domains

    Grischa Paul Newbie



      The error "WFLYSEC0027: Invalid User" occurs in WildFly 10.1 (and probably other versions) if a web application running in a security domain named, for example, "kubusdomain" calls an EJB in the domain "default" for which method-permission "unchecked" is set in the assembly-descriptor of the ejb-jar.xml. When this (obsolete) method-permission setting is removed from ejb-jar.xml, it works. It seems that with the method-permission setting WildFly gets an empty user without some domain-user-mapping (if this is possible to be configured at all) between both domains.


      To reproduce it, you can add the following security domain to the standalone-full.xml:


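      <subsystem xmlns="urn:jboss:domain:security:1.2">
          <security-domains>
              <security-domain name="kubusdomain" cache-type="default">
                  <authentication>
                      <login-module code="Simple" flag="required"/>
                  </authentication>
              </security-domain>
          </security-domains>
      </subsystem>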




      To be able to authenticate the web session, add to the WAR's web.xml

















      and also add a jboss-web.xml to the WAR's WEB-INF folder with element




      In ejb-jar.xml, insert the following assembly-descriptor












      In the browser's login panel you can insert the same arbitrary value for user and password to get authenticated by login-module "simple" configured in the security domain.

      I solved it by removing the method-permission, but probably there are better ways to handle this, or it might be a bug.

      Thank you.
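
      A deployment check for the combination described in the post above, as an added example that is not part of the original post: it flags EJB methods declared `unchecked` in ejb-jar.xml when the calling WAR's jboss-web.xml names a different security domain. The sample descriptors and the bean names (ReportBean, AdminBean) are constructed, and the EJB's domain is passed in as a parameter because the post does not show where it is configured.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from the original post).
EJB_JAR = """<ejb-jar xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.2">
  <assembly-descriptor>
    <method-permission>
      <unchecked/>
      <method><ejb-name>ReportBean</ejb-name><method-name>*</method-name></method>
    </method-permission>
    <method-permission>
      <role-name>admin</role-name>
      <method><ejb-name>AdminBean</ejb-name><method-name>purge</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""
JBOSS_WEB = "<jboss-web><security-domain>kubusdomain</security-domain></jboss-web>"

def local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without its XML namespace

def children(elem, name):
    return [c for c in elem if local(c.tag) == name]

def text_of(elem, name):
    found = children(elem, name)
    return (found[0].text or "").strip() if found else ""

def unchecked_methods(ejb_jar_xml):
    """(ejb-name, method-name) pairs listed under <method-permission><unchecked/>."""
    hits = []
    for perm in ET.fromstring(ejb_jar_xml).iter():
        if local(perm.tag) == "method-permission" and children(perm, "unchecked"):
            hits += [(text_of(m, "ejb-name"), text_of(m, "method-name"))
                     for m in children(perm, "method")]
    return hits

def cross_domain_unchecked(ejb_jar_xml, jboss_web_xml, ejb_domain):
    """Unchecked EJB methods called from a WAR bound to a different security domain."""
    web_domain = text_of(ET.fromstring(jboss_web_xml), "security-domain")
    if not web_domain or web_domain == ejb_domain:
        return []  # same domain (or none declared): not the case from the post
    return [(web_domain, ejb_domain, ejb, method)
            for ejb, method in unchecked_methods(ejb_jar_xml)]

if __name__ == "__main__":
    for finding in cross_domain_unchecked(EJB_JAR, JBOSS_WEB, "default"):
        print("review: web domain %s -> EJB domain %s, unchecked %s.%s" % finding)
```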