1 Reply Latest reply on Feb 21, 2018 3:37 AM by andey

    WFLYSEC0027: Invalid User when using two security domains

    grischa.paul

      Hello,

      The error "WFLYSEC0027: Invalid User" occurs in WildFly 10.1 (and probably other versions) if a web application running in a security domain named, for example, "kubusdomain" calls an EJB in the domain "default" for which the method-permission "unchecked" is set in the assembly-descriptor of the ejb-jar.xml. When removing this (obsolete) method-permission setting from ejb-jar.xml, it works. It seems that with the method-permission setting WildFly gets an empty user without some domain-user mapping (if this can be configured at all) between both domains.

      To reproduce it you can add the following security domain to the standalone-full.xml:

      <subsystem xmlns="urn:jboss:domain:security:1.2">
          <security-domains>
              ...
              <security-domain name="kubusdomain" cache-type="default">
                  <authentication>
                      <login-module code="Simple" flag="required"/>
                  </authentication>
              </security-domain>
          </security-domains>
      </subsystem>

      To be able to authenticate the web session, add to the war's web.xml

          <security-constraint>
              <web-resource-collection>
                  <web-resource-name></web-resource-name>
                  <url-pattern>/*</url-pattern>
              </web-resource-collection>
              <auth-constraint>
                  <role-name>user</role-name>
              </auth-constraint>
          </security-constraint>

          <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>default</realm-name>
          </login-config>

      and also add a jboss-web.xml to the war's WEB-INF folder with the element

          <security-domain>kubusdomain</security-domain>

      In ejb-jar.xml, insert the following assembly-descriptor

          <assembly-descriptor>
              <method-permission>
                  <unchecked/>
                  <method>
                      <ejb-name>MyEJB</ejb-name>
                      <method-name>*</method-name>
                  </method>
              </method-permission>
          </assembly-descriptor>

      In the browser's login panel you can insert the same arbitrary value for user and password to get authenticated by the login-module "Simple" configured in the security domain.

      I solved it by removing the method-permission, but probably there are better ways to handle this, or it might be a bug.

      Thank you.
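      Added example, not from this thread: an EJB that keeps an unchecked-style permission (@PermitAll, the annotation form of <unchecked/>) but is explicitly placed in the same security domain as the war, plus a servlet that reports which principal the web tier and the EJB tier each see, so the cross-domain behaviour described above can be observed directly. Assumed names: the bean MyEJB and its method whoAmI(), the servlet path /whoami, and the WildFly-specific org.jboss.ejb3.annotation.SecurityDomain annotation; whether aligning the domains resolves this particular report is an assumption, not something the thread confirms.

```java
// ---- MyEJB.java (added example; bean name taken from the thread) ----
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;   // WildFly-specific (jboss-ejb3-ext-api)

@Stateless
@SecurityDomain("kubusdomain")   // assumption: same domain as the war's jboss-web.xml
@PermitAll                       // annotation equivalent of <unchecked/> in ejb-jar.xml
public class MyEJB {
    @Resource
    private SessionContext ctx;

    /** Name of the caller principal the EJB container established for this call. */
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName();
    }
}

// ---- WhoAmIServlet.java (added example) ----
import java.io.IOException;
import java.io.PrintWriter;
import javax.ejb.EJB;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebServlet("/whoami")   // covered by the /* security-constraint from the thread
public class WhoAmIServlet extends HttpServlet {
    @EJB
    private MyEJB ejb;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Principal authenticated by the "kubusdomain" login module for this web session.
        String webPrincipal = req.getUserPrincipal() == null
                ? "<none>" : req.getUserPrincipal().getName();
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("web principal: " + webPrincipal);
        // If the identity did not propagate, the EJB side reports the container's
        // unauthenticated principal (WildFly uses "anonymous") or the call is rejected
        // by the EJB security interceptor, which is where WFLYSEC0027 is raised.
        out.println("ejb principal: " + ejb.whoAmI());
    }
}
```

Deploy both classes in the same ear (or the servlet in the war and the bean in the ejb jar), log in with the same value as user and password, and compare the two lines: they match only when the EJB call runs under the web session's principal.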