@RunAs/@RunAsPrincipal does not work when multiple security domains are involved in JBoss EAP 6.4 and 7

Solution Verified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform (EAP)
    • 6.4.6 and later
    • 7.0
  • EJBs with different security domains calling each other
  • Using @RunAs or @RunAsPrincipal to change domains

Issue

  • When one EJB calls the other, the following error is logged:

      15:18:07,390 INFO  [ActiveDirectoryLoginModule] [] (default task-28) login for <UserName> failed [FAILED_SYSTEM_USER_ACCOUNT_NOT_FOUND]
      15:18:07,392 TRACE [audit] [] (default task-28) [Failure]principal=<UserName>;Action=authentication;Source=org.jboss.as.security.service.SimpleSecurityManager;
      15:18:07,393 TRACE [security] [] (default task-28) PBOX00354: Setting security roles ThreadLocal: null
      15:18:07,394 ERROR [invocation] [] (default task-28) WFLYEJB0034: EJB Invocation failed on component <ComponentName>Bean for method public java.lang.String com.example.ExampleBean.sayHello(java.lang.String): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
    

    Or

      javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
          at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)
          at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
          at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
          at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
          at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:437)
          at org.wada.adams.sso.keycloak.KeycloakSecurityInterceptor.aroundInvoke(KeycloakSecurityInterceptor.java:112)
          at sun.reflect.GeneratedMethodAccessor265.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45005)
          at java.lang.reflect.Method.invoke(Method.java:498)
          at 
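
For reference, the call chain that produces the errors above, written as a constructed example rather than code from this article or its attachment (the bean, security domain, role and principal names are hypothetical):

```java
// Constructed example (not from the article). Two stateless EJBs in
// different security domains; the first calls the second under a run-as
// identity. Domain, role, principal and class names are hypothetical.

// --- FrontBean.java (callers authenticate against "domainA") ---
package com.example;

import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.RunAsPrincipal;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("domainA")
@RolesAllowed("user")
@RunAs("internal")                 // outbound calls carry role "internal" ...
@RunAsPrincipal("service-account") // ... under this principal, not the original caller
public class FrontBean {

    @EJB
    private BackBean back;

    public String greet(String name) {
        // On an affected release, domainB tries to authenticate
        // "service-account" as a real user of its own login modules and
        // fails with: javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User
        return back.sayHello(name);
    }
}

// --- BackBean.java (protected by "domainB", which has no users from domainA) ---
package com.example;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("domainB")
public class BackBean {

    @Resource
    private SessionContext ctx;

    // Only the run-as role granted by FrontBean is allowed in.
    @RolesAllowed("internal")
    public String sayHello(String name) {
        // On a fixed release (or with the workaround below) the caller
        // principal seen here is the run-as principal "service-account".
        return "Hello " + name + ", called by " + ctx.getCallerPrincipal().getName();
    }
}
```

Each domain has its own login-module chain: domainA authenticates the original caller, while domainB only ever sees the identity FrontBean runs as. @RunAsPrincipal changes only the principal name and must be combined with @RunAs, which supplies the role that @RolesAllowed on BackBean checks.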
    

Resolution

This issue was fixed in JBoss EAP 7.0.8 (7.0 CP08) and 7.1.0 GA; upgrading to one of those releases is the supported fix.

There is a workaround for JBoss EAP 6.4. It also works in 7.0, but on 7.0 it is recommended to apply the fix (update to 7.0.8 or later) rather than implement the workaround.

Temporary workaround


A custom login module can be implemented and placed in the login-module chain immediately after the "Remoting" login module (the one that handles the identity carried by an EJB invocation) and before the next login module, so that the run-as identity carried by the invocation is handled before the remaining modules try to authenticate it as a real user (the lookup that fails in the log above).
An example of this custom login module, `IncomingRunAsIdentityLoginModule.java`, is attached to this article. Like any custom login module, its class must be loadable by the security subsystem, either from a static module or, as for the deployment-provided modules below, through the `module` attribute.
The security domain configuration will look like this:
<security-domain name="mysecuritydomain" cache-type="infinispan">
    <authentication>
        <login-module code="com.example.MyFirstLoginModule" flag="optional" module="deployment.MyEAR.ear">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.IncomingRunAsIdentityLoginModule" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="com.example.MySecondLoginModule" flag="required" module="deployment.MyEAR.ear">
                ... ...
        </login-module>
        ... ...
    </authentication>
</security-domain>

Note that this is marked as a temporary workaround because the example IncomingRunAsIdentityLoginModule.java uses private JBoss API that may not work in future releases. The implementation is an example only, intended to show how to work around the issue; it should NOT be used in a production environment without being tested first.

Root Cause

The @RunAs/@RunAsPrincipal behavior was broken by the fix for another bug, WFLY-140, which was included in JBoss EAP 6.4.6.

The same problem was reported against WildFly and JBoss EAP 7 as WFLY-8997, JBEAP-11779 and JBEAP-11778. The issue tracked by these reports has been fixed in JBoss EAP 7.0.8 and 7.1.0.

Category

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.