Authentication not propagated to EJBs

May 5, 2011 at 8:40 PM

I have Waffle running in Mixed SSO authentication mode under JBoss 5.1.0.  The SSO works fine when accessing pages in the application.  However, when I try to perform an operation that requires an EJB to be used, I get a "Caller not authorized" exception.  I am thinking it has to do with the security domain.  My jboss-web.xml specifies:


My ejb-jar.xml files specify the same thing.  However, I do not think there is a context for this security domain.

This is my context.xml:

<?xml version='1.0' encoding='utf-8'?>

<Valve className="waffle.apache.NegotiateAuthenticator" />

<Realm className="waffle.apache.WindowsRealm" />



Is there something that I have to add to context.xml or web.xml so that my security domain is recognized and therefore be able to use my EJBs?  Thanks.

May 10, 2011 at 12:52 AM

I would dig deeper at what EJB means and how it related to all this security staff. Where does the caller not authorized error come from? How does it figure out what the caller is? .. .that type of questions.

May 11, 2011 at 2:54 AM

The EJB is a stateless session bean that performs some business logic.  The EJB's method is called from the web layer.  The web layer recognizes the roles the user is a member of.  The EJB has a @SecurityDomain annotation (this is a JBoss specific annotation) as in the following:

@SecurityDomain( "mySecurityDomain" )

The EJB's method that is called by the web layer has the following annotation:

@RolesAllowed( "ADMIN_ROLE" )

Therefore, the user must be a member of the ADMIN_ROLE in order to call the method.  The user in fact is a member of this role as I see the role present in the web layer when viewing the logs that output the user principal.  However, this information is not being recognized by the business layer.  This is why I believe it has something to do with the security domain.  When I remove the @SecurityDomain annotation, I get a NullPointerException.  Therefore, JBoss is looking for a security domain which is specified in the jboss-web.xml but it appears that it does not get propagated from the web layer to the business layer.  Is this a limitation of waffle or is there a way of specifying a security domain with waffle?  Thanks.

Jun 7, 2011 at 3:36 PM


did you find any solution to this?

I'm facing a similar problem but i get the message "Invalid user" when i try to access an EJB.


Jun 7, 2011 at 6:30 PM

Hello.  I have not found a solution to this issue.  I have abandoned waffle since this is a critical issue for me to continue.  Sorry I couldn't be more help.

Jun 8, 2011 at 12:22 AM

What did you end up using (that I assume works)?

Jun 8, 2011 at 7:10 PM

I went with jboss-negotiation (SPNEGO).  There is much more to do in terms of configuration but it works for what I need to do.

Jun 8, 2011 at 7:16 PM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Jun 8, 2011 at 7:21 PM

I don't think this is relevant to the work item so i'll post it here.

SPNEGO is not an option for me since we're using JBoss 6 which have changed some method signatures in AuthenticatorBase.

This means you have to refactor jboss negotiate or use a 2 year old version.