WFTXN0088: User anonymous does not have permission ("org.wildfly.transaction.client.RemoteTransactionPermission" "") in JBoss EAP 7
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 7.1+
Issue
Caused by: Remote exception java.lang.SecurityException: WFTXN0088: User anonymous does not have permission ("org.wildfly.transaction.client.RemoteTransactionPermission" "")
at org.wildfly.transaction.client.provider.remoting.TransactionServerChannel.getSecurityIdentity(TransactionServerChannel.java:745)
at org.wildfly.transaction.client.provider.remoting.TransactionServerChannel.handleXaTxnRollbackOnly(TransactionServerChannel.java:390)
at org.wildfly.transaction.client.provider.remoting.TransactionServerChannel$ReceiverImpl.handleMessage(TransactionServerChannel.java:132)
at org.jboss.remoting3.remote.RemoteConnectionChannel.lambda$handleMessageData$3(RemoteConnectionChannel.java:430)
at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
- We are getting this error when our client invokes EJB1 on server1 that invokes EJB2 on server2:
Caused by: javax.transaction.xa.XAException: WFTXN0034: Failed to acquire a connection for this operation
at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentityXA(RemotingRemoteTransactionPeer.java:94)
at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer$1.beforeCompletion(RemotingRemoteTransactionPeer.java:166)
at org.wildfly.transaction.client.SubordinateXAResource.beforeCompletion(SubordinateXAResource.java:135)
at org.wildfly.transaction.client.XAOutflowedResources$1.beforeCompletion(XAOutflowedResources.java:70)
... 56 more
Caused by: org.wildfly.security.auth.AuthenticationException: JBREM000308: Authentication failed (no mechanisms left), tried:
JBOSS-LOCAL-USER: org.wildfly.security.auth.AuthenticationException: JBREM000300: Authentication failed due to I/O error
at org.jboss.remoting3.ConnectionPeerIdentityContext.doAuthenticate(ConnectionPeerIdentityContext.java:368)
at org.jboss.remoting3.ConnectionPeerIdentityContext.authenticate(ConnectionPeerIdentityContext.java:174)
at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:505)
at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:494)
at org.xnio.IoFuture$HandlingNotifier.notify(IoFuture.java:208)
at org.xnio.AbstractIoFuture$NotifierRunnable.run(AbstractIoFuture.java:720)
at org.xnio.IoUtils$2.execute(IoUtils.java:71)
at org.xnio.AbstractIoFuture.runNotifier(AbstractIoFuture.java:693)
at org.xnio.AbstractIoFuture$CompleteState.withNotifier(AbstractIoFuture.java:132)
at org.xnio.AbstractIoFuture.addNotifier(AbstractIoFuture.java:570)
at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:494)
at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:433)
at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentity(RemotingRemoteTransactionPeer.java:87)
at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentityXA(RemotingRemoteTransactionPeer.java:92)
... 59 more
Resolution
Apply EAP 7.3 CP6 (Update 6) or later when available.
If your application performs XA transactions across servers and uses the programmatic configuration, where the username/password are passed into the InitialContext, you still need to configure the server-level user below: if a server crashes with XA transactions that need to be recovered, the recovery manager will not have connection credentials when the server starts.
Workaround:
- Create a user on the target server, for example username: 'txn-user', password: 'txn-user-paSsw0rd1'
Note: if there's already an application user, use it for the authentication-name; just make sure to use its password in the credential-reference.
$JBOSS_HOME/bin/add-user.sh -a -u txn-user -p txn-user-paSsw0rd1
- Add an authentication-client to the Elytron subsystem of the EAP instance; see these CLI commands:
Make sure the authentication-name matches the user added with add-user.sh and the credential-reference matches the password specified with add-user.sh.
/subsystem=elytron/authentication-configuration=ejb-auth:add(authentication-name="txn-user", credential-reference={clear-text="txn-user-paSsw0rd1"})
/subsystem=elytron/authentication-context=default:add(match-rules=[{authentication-configuration=ejb-auth}])
/subsystem=elytron:write-attribute(name=default-authentication-context,value=default)
This would result in an Elytron configuration like this:
...
<subsystem xmlns="urn:wildfly:elytron:1.2" default-authentication-context="default" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
    <authentication-client>
        <authentication-configuration name="ejb-auth" authentication-name="txn-user">
            <credential-reference clear-text="txn-user-paSsw0rd1"/>
        </authentication-configuration>
        <authentication-context name="default">
            <match-rule authentication-configuration="ejb-auth"/>
        </authentication-context>
    </authentication-client>
...
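The workaround above keeps the txn-user password in clear text in the server configuration. As an added example (not part of the original article), the same authentication-configuration can reference an Elytron credential store instead. The store name txn-store, the file name txn-store.jceks, the alias txn-user-pw and the STORE_PASSWORD_PLACEHOLDER value are assumptions chosen for illustration.

```jboss-cli
# Added example, not from the original article.
# Assumed names: txn-store, txn-store.jceks, txn-user-pw.

# 1. Create a credential store file under the server data directory.
#    STORE_PASSWORD_PLACEHOLDER protects the store file itself; this value is
#    still written to the server configuration, so restrict file permissions.
/subsystem=elytron/credential-store=txn-store:add(location="txn-store.jceks", relative-to=jboss.server.data.dir, credential-reference={clear-text="STORE_PASSWORD_PLACEHOLDER"}, create=true)

# 2. Store the password that was given to add-user.sh under an alias.
/subsystem=elytron/credential-store=txn-store:add-alias(alias=txn-user-pw, secret-value="txn-user-paSsw0rd1")

# 3. Create the authentication-configuration with a store/alias reference.
#    This takes the place of the clear-text form of the ejb-auth command.
/subsystem=elytron/authentication-configuration=ejb-auth:add(authentication-name="txn-user", credential-reference={store=txn-store, alias=txn-user-pw})

# 4. The context and default-authentication-context commands are unchanged.
/subsystem=elytron/authentication-context=default:add(match-rules=[{authentication-configuration=ejb-auth}])
/subsystem=elytron:write-attribute(name=default-authentication-context,value=default)
```

With this variant the credential-reference element of ejb-auth carries store and alias attributes, and the txn-user password no longer appears in the configuration file.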
Root Cause
There are two Jiras already open for this issue:
JBEAP-16149 / JBEAP-13963