Does EJB security propagation work between servers in JBoss EAP 7.0 / 6.x
Environment
- JBoss Enterprise Application Platform (EAP)
- 6.x
Issue
- Does EJB security propagation work between servers in JBoss EAP 6?
- We noticed that the security principal is not propagated with EJB calls between different JBoss instances.
- Is there any workaround for this?
- Are there any plans for this to be fixed and can we get the date?
- Does EJB security propagation work between servers in JBoss EAP 7.0 / 6.x?
Resolution
Unfortunately, JBoss EAP 6.x does not support propagating the user's security context between EAP 6 instances. The security context that is propagated is instead that of the server, as defined in the standalone.xml file.
This does not violate the spec, as the spec does not require security context propagation chaining between servers.
A possible workaround is to implement the approach shown in the ejb-security-interceptors quickstart. This approach works when either an EJB or a web application needs to propagate the security context from one JBoss instance to an EJB on another JBoss instance. It works on JBoss EAP >= 6.1.0.
Note: JBoss EAP 7.1 includes a feature with Elytron to configure this at the server level, see How to configure server to server EJB security propagation in EAP 7.1.
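The trust decision behind an interceptor-based workaround of this kind, as an added stand-alone Java model (JDK only) that is not the quickstart's or Red Hat's code. It assumes the caller's name travels as invocation context data alongside the statically authenticated server-to-server connection; every class, method and key name in it is hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Stand-alone model of propagating a caller's identity between two servers.
// All names here are hypothetical; none of them are JBoss EAP APIs.
public class DelegationModel {
    static final String DELEGATED_USER_KEY = "example.DelegatedUser"; // hypothetical key

    // Client side (server A): the connection to server B always authenticates with
    // the static identity from the outbound configuration, so the end user's name
    // has to travel separately, as invocation context data.
    static Map<String, Object> clientIntercept(String currentUser) {
        Map<String, Object> contextData = new HashMap<>();
        if (currentUser != null) {
            contextData.put(DELEGATED_USER_KEY, currentUser);
        }
        return contextData;
    }

    // Server side (server B): decide which identity the EJB call runs as.
    // connectionUser is the identity B actually authenticated; the delegated name is
    // only a claim, honoured solely for connection identities trusted to delegate.
    static String serverIntercept(String connectionUser, Map<String, Object> contextData,
                                  Set<String> trustedDelegators) {
        Object claimed = contextData.get(DELEGATED_USER_KEY);
        if (claimed == null) {
            return connectionUser; // nothing to propagate
        }
        if (!(claimed instanceof String) || ((String) claimed).isEmpty()) {
            throw new SecurityException("malformed delegated user");
        }
        if (!trustedDelegators.contains(connectionUser)) {
            throw new SecurityException(connectionUser + " may not delegate");
        }
        return (String) claimed;
    }

    public static void main(String[] args) {
        Set<String> trusted = Collections.singleton("serverA"); // constructed sample policy
        // Server A calls B on behalf of alice: B runs the call as alice.
        System.out.println(serverIntercept("serverA", clientIntercept("alice"), trusted));
        // No user on the calling thread: B sees only the static server identity.
        System.out.println(serverIntercept("serverA", clientIntercept(null), trusted));
        // A connection identity outside the policy asserting another name is refused.
        try {
            serverIntercept("bob", clientIntercept("admin"), trusted);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point to carry into a real deployment is the allow-list check: the receiving server should adopt a propagated name only when the connection itself authenticated as an identity permitted to delegate.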
Related Solutions
- How to configure an EJB client in JBoss EAP 6 / 7.0
- How configure an EJB client in EAP 7.1
- How to configure server to server EJB security propagation in EAP 7.1
Root Cause
The authentication is statically configured as part of the outbound configuration.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.