Major security bug or configuration problem?
The principal is not propagated to the EJB session context. Is this a known bug?
Or is anything wrong with my configuration? I've tested it with the nightly build of 2010-10-08.

jboss-web.xml:
--------
    <security-domain flushOnSessionInvalidation="true">myDomain</security-domain>
    <valve>
        <class-name>org.apache.catalina.authenticator.FormAuthenticator</class-name>
    </valve>
---------

security configuration in standalone.xml
----------
                <security-domain name="myDomain">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                            <module-option name="debug" value="true" />
                            <module-option name="dsJndiName" value="java:/mydb" />
                            <module-option name="principalsQuery" value="SELECT passwd etc" />
                            <module-option name="rolesQuery" value="SELECT role etc." />
                            <module-option name="unauthenticatedIdentity" value="nobody" />
                        </login-module>
                    </authentication>
                </security-domain>
----------

EJB session bean
-------------
import javax.annotation.Resource;
import javax.ejb.*;

@Stateless(name = "MyService")
@TransactionManagement(TransactionManagementType.CONTAINER)
@org.jboss.ejb3.annotation.SecurityDomain(value = "myDomain")
public class MyServiceBean {

    // Container-injected context; ctx.getCallerPrincipal() is the call in question.
    @Resource SessionContext ctx;

}
---------------------------

jboss.xml
----------------------
<security-domain>myDomain</security-domain>
----------------------

web.xml
----------------------------
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
        <form-login-page>login.jsp</form-login-page>
        <form-error-page>login-error.jsp</form-error-page>
    </form-login-config>
</login-config>
----------------------------

With this configuration ctx.getCallerPrincipal() delivers the "anonymous" principal, and not the successfully logged-in one.

If I remove security-domain from the EJB session bean, I get a
javax.ejb.EJBException: java.lang.IllegalStateException: No principal available

Is there a workaround? Where exactly is the principal propagated to the EJB? Can I use a customized class somewhere?

I've already posted in the forum, without success: http://community.jboss.org/thread/173494