<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<body link="#355491" alink="#4262a1" vlink="#355491" style="background: #e2e2e2; margin: 0; padding: 20px;">
<div>
        <table cellpadding="0" bgcolor="#FFFFFF" border="0" cellspacing="0" style="border: 1px solid #dadada; margin-bottom: 30px; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                <tbody>
                        <tr>
                                <td>
                                        <table border="0" cellpadding="0" cellspacing="0" bgcolor="#FFFFFF" style="border: solid 2px #ccc; background: #dadada; width: 100%; -moz-border-radius: 6px; -webkit-border-radius: 6px;">
                                                <tbody>
                                                        <tr>
                                                                <td bgcolor="#000000" valign="middle" height="58px" style="border-bottom: 1px solid #ccc; padding: 20px; -moz-border-radius-topleft: 3px; -moz-border-radius-topright: 3px; -webkit-border-top-right-radius: 5px; -webkit-border-top-left-radius: 5px;">
                                                                        <h1 style="color: #333333; font: bold 22px Arial, Helvetica, sans-serif; margin: 0; display: block !important;">
                                                                        <!-- To have a header image/logo replace the name below with your img tag -->
                                                                        <!-- Email clients will render the images when the message is read so any image -->
                                                                        <!-- must be made available on a public server, so that all recipients can load the image. -->
                                                                        <a href="http://community.jboss.org/index.jspa" style="text-decoration: none; color: #E1E1E1">Community</a></h1>
                                                                </td>
                                                        </tr>
                                                        <tr>
                                                                <td bgcolor="#FFFFFF" style="font: normal 12px Arial, Helvetica, sans-serif; color:#333333; padding: 20px; -moz-border-radius-bottomleft: 4px; -moz-border-radius-bottomright: 4px; -webkit-border-bottom-right-radius: 5px; -webkit-border-bottom-left-radius: 5px;"><h3 style="margin: 10px 0 5px; font-size: 17px; font-weight: normal;">
Security principal propagation accross ejb3 modules
</h3>
<span style="margin-bottom: 10px;">
reply from <a href="http://community.jboss.org/people/giantPM">Davide Tabarelli</a> in <i>EJB 3.0</i> - <a href="http://community.jboss.org/message/544712#544712">View the full discussion</a>
</span>
<hr style="margin: 20px 0; border: none; background-color: #dadada; height: 1px;">
<div class="jive-rendered-content"><p>Of course ...</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I forgot to mention that I've already patched JBoss with the EJB3 Plugin 1.0.19.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Here the security realm configuration in login-config.xml:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml"><span class="jive-xml-tag"><application-policy  name="cdrms-realm"></span>
     <span class="jive-xml-tag"><authentication></span>          
          <span class="jive-xml-tag"><login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"></span>
               <span class="jive-xml-tag"><module-option name="dsJndiName"></span>java:cimecDS<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="principalsQuery"></span>SELECT CDRMS_JBOSS_USER(?)<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="rolesQuery"></span>SELECT 'CDRMSRealmUser', 'Roles' FROM RESOURCES_LIST WHERE NAME=?<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="hashAlgorithm"></span>MD5<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="hashEncoding"></span>HEX<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="ignorePasswordCase"></span>true<span class="jive-xml-tag"></module-option></span>
               <span class="jive-xml-tag"><module-option name="debug"></span>true<span class="jive-xml-tag"></module-option></span>
          <span class="jive-xml-tag"></login-module></span>
          <span class="jive-xml-tag"><login-module code="org.jboss.security.ClientLoginModule" flag="required"></span>
               <span class="jive-xml-tag"><module-option name="debug"></span>true<span class="jive-xml-tag"></module-option></span>
          <span class="jive-xml-tag"></login-module></span>
     <span class="jive-xml-tag"></authentication></span>
<span class="jive-xml-tag"></application-policy></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The Bean A in EJB A:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java"><font color="navy"><b>import</b></font> ...
 
@Stateless
@RemoteBinding(jndiBinding = <font color="red">"CDRMS/AuditMessageManager/remote"</font>)
@LocalBinding(jndiBinding = <font color="red">"CDRMS/AuditMessageManager/local"</font>)
@SecurityDomain(<font color="red">"cdrms-realm"</font>)
@RolesAllowed(<font color="navy">{</font><font color="red">"CDRMSRealmUser"</font><font color="navy">}</font>)
<font color="navy"><b>public</b></font> <font color="navy"><b>class</b></font> AuditMessageManagerBean <font color="navy"><b>implements</b></font> AuditMessageManagerRemote, AuditMessageManagerLocal <font color="navy">{</font>
     @EJB(mappedName = <font color="red">"CDRMS/AuditEventManager/local"</font>)
     <font color="navy"><b>private</b></font> AuditEventManager pm;
     @Resource
     <font color="navy"><b>private</b></font> SessionContext sctx;
 
     <font color="darkgreen">// ... business and lifecycle methods ...</font>
 
     <font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> count() <font color="navy">{</font>         
          log.info( <font color="red">"------------------> Principal = "</font> + this.sctx.getCallerPrincipal().getName());
 
          <font color="navy"><b>return</b></font> pm.count(); <font color="darkgreen">// (1)</font>
    <font color="navy">}</font>
 
<font color="navy">}</font>
 
 
 
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The bean B in EJB B:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java"><font color="navy"><b>import</b></font> ...
 
@Stateless
@RemoteBinding(jndiBinding = <font color="red">"CDRMS/AuditEventManager/remote"</font>)
@LocalBinding(jndiBinding = <font color="red">"CDRMS/AuditEventManager/local"</font>)
@SecurityDomain(<font color="red">"cdrms-realm"</font>)
@RolesAllowed(<font color="navy">{</font><font color="red">"CDRMSRealmUser"</font><font color="navy">}</font>)
<font color="navy"><b>public</b></font> <font color="navy"><b>class</b></font> AuditEventManagerBean <font color="navy"><b>implements</b></font> AuditEventManagerLocal, AuditEventManagerRemote <font color="navy">{</font>
     @PersistenceContext(unitName = <font color="red">"cimecPU"</font>)
     <font color="navy"><b>private</b></font> EntityManager em;
     @Resource
     <font color="navy"><b>private</b></font> SessionContext sctx;
 
     <font color="darkgreen">// ... business and lifecycle methods ...</font>
 
 
 
     <font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> count() <font color="navy">{</font> <font color="darkgreen">//(2)</font>
 
          log.info( <font color="red">"------------------> Principal = "</font> + this.sctx.getCallerPrincipal().getName());
          <font color="navy"><b>return</b></font> ((Long) em.createQuery(<font color="red">"select count(o) from AuditEvent as o"</font>).getSingleResult()).intValue();
    <font color="navy">}</font>
 
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The standalone client main method:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java"><font color="navy"><b>import</b></font> ...
 
<font color="navy"><b>public</b></font> <font color="navy"><b>static</b></font> <font color="navy"><b>void</b></font> main(String[] args) <font color="navy">{</font>
     <font color="navy"><b>try</b></font> <font color="navy">{</font>
          SecurityClient client = SecurityClientFactory.getSecurityClient();
          client.setSimple(<font color="red">"vera.aloe"</font>, <font color="red">"***"</font>);
          client.login();
 
          Properties env = <font color="navy"><b>new</b></font> Properties();
          env.setProperty(Context.INITIAL_CONTEXT_FACTORY, <font color="red">"org.jnp.interfaces.NamingContextFactory"</font>);
          env.setProperty(Context.URL_PKG_PREFIXES, <font color="red">"org.jnp.interfaces.NamingContextFactory"</font>);
          env.setProperty(Context.PROVIDER_URL, <font color="red">"jnp://mybindinghost:1099/"</font>);
 
          InitialContext ic = <font color="navy"><b>new</b></font> InitialContext(env);
 
          <font color="darkgreen">// This ok</font>
          AuditEventManager aem = (AuditEventManager) ic.lookup(<font color="red">"CDRMS/AuditEventManager/remote"</font>);
          System.out.println(aem.count());
 
          <font color="darkgreen">// This gives the exception below</font>
          AuditMessageManager am = (AuditMessageManager) ic.lookup(<font color="red">"CDRMS/AuditMessageManager/remote"</font>);
          System.out.println(am.count());
 
          <font color="darkgreen">// The same results by using LoginContext & CallbackHandler instead of SecurityClient</font>
          <font color="darkgreen">// and from the web tier</font>
        <font color="navy">}</font> <font color="navy"><b>catch</b></font> (Exception ex) <font color="navy">{</font>
            Logger.getLogger(SecurityTest.class.getName()).log(Level.SEVERE, null, ex);
        <font color="navy">}</font>
    <font color="navy">}</font>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>The principal is correct in (2) but is anonymous in (1) ... here the exception trace:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-java">17:51:56,691 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716691 sessioncount 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 1 expired sessions: 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716692 sessioncount 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
17:51:59,082 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End validateCache, isValid=<font color="navy"><b>true</b></font>
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End isValid, <font color="navy"><b>true</b></font>
17:51:59,083 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
17:51:59,083 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56746]) Setting threadlocal:<font color="navy">{</font><font color="navy">}</font>
17:51:59,083 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56746]) Control flag <font color="navy"><b>for</b></font> entry:org.jboss.security.authorization.config.AuthorizationModuleEntry<font color="navy">{</font>org.jboss.security.authorization.modules.DelegatingAuthorizationModule:<font color="navy">{</font><font color="navy">}</font>REQUIRED<font color="navy">}</font>is:[REQUIRED]
17:51:59,083 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56746]) method=<font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,084 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap=<font color="navy">{</font>policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99<font color="navy">}</font>:method=<font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditEventManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=<font color="navy"><b>null</b></font>:callerSubject=Subject:
    Principal: vera.aloe
    Principal: Roles(members:CDRMSRealmUser)
:callerRunAs=<font color="navy"><b>null</b></font>:callerRunAs=<font color="navy"><b>null</b></font>:ejbRestrictionEnforcement=<font color="navy"><b>false</b></font>:ejbVersion=<font color="navy"><b>null</b></font>];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
17:51:59,084 INFO  [AuditEventManagerBean](WorkerThread#0[192.168.185.16:56746]) ------------------> Principal = vera.aloe
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=<font color="navy"><b>true</b></font>
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End isValid, <font color="navy"><b>true</b></font>
17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
17:51:59,133 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:<font color="navy">{</font><font color="navy">}</font>
17:51:59,133 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag <font color="navy"><b>for</b></font> entry:org.jboss.security.authorization.config.AuthorizationModuleEntry<font color="navy">{</font>org.jboss.security.authorization.modules.DelegatingAuthorizationModule:<font color="navy">{</font><font color="navy">}</font>REQUIRED<font color="navy">}</font>is:[REQUIRED]
17:51:59,133 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=<font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> org.cdrms.audit.AuditMessageManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap=<font color="navy">{</font>policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99<font color="navy">}</font>:method=<font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> org.cdrms.audit.AuditMessageManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditMessageManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=<font color="navy"><b>null</b></font>:callerSubject=Subject:
    Principal: vera.aloe
    Principal: Roles(members:CDRMSRealmUser)
:callerRunAs=<font color="navy"><b>null</b></font>:callerRunAs=<font color="navy"><b>null</b></font>:ejbRestrictionEnforcement=<font color="navy"><b>false</b></font>:ejbVersion=<font color="navy"><b>null</b></font>];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
17:51:59,139 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:null, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447]
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447];credential.class=<font color="navy"><b>null</b></font>
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=<font color="navy"><b>true</b></font>
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End isValid, <font color="navy"><b>true</b></font>
17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) popSubjectContext, sc=<font color="navy"><b>null</b></font>
17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) WARN::Deprecated usage of SecurityAssociation. Use SecurityContext
17:51:59,141 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) getPrincipal, cache info: <font color="navy"><b>null</b></font>
17:51:59,141 INFO  [AuditMessageManagerBean](WorkerThread#0[192.168.185.16:56748]) ------------------> Principal = anonymous
17:51:59,141 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:<font color="navy">{</font><font color="navy">}</font>
17:51:59,142 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag <font color="navy"><b>for</b></font> entry:org.jboss.security.authorization.config.AuthorizationModuleEntry<font color="navy">{</font>org.jboss.security.authorization.modules.DelegatingAuthorizationModule:<font color="navy">{</font><font color="navy">}</font>REQUIRED<font color="navy">}</font>is:[REQUIRED]
17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=<font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Local, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) Exception:Insufficient method permissions, principal=null, ejbName=AuditEventManagerBean, method=count, interface=Local, requiredRoles=Roles(CDRMSRealmUser,), principalRoles=Roles()
17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) REQUIRED failed <font color="navy"><b>for</b></font> Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
    Principal: anonymous
:role=Roles()
17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Error in authorize:
org.jboss.security.authorization.AuthorizationException: Authorization Failed:
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
    at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
    at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
    at $Proxy786.count(Unknown Source)
    at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
    at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
    at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
    at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
    at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
    at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
    at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
    at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
    at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
17:51:59,147 TRACE [EJBAuthorizationHelper](WorkerThread#0[192.168.185.16:56748]) Error in authorization:
org.jboss.security.authorization.AuthorizationException: Authorization Failed:
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
    at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
    at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
    at $Proxy786.count(Unknown Source)
    at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
    at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
    at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
    at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
    at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
    at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
    at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
    at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
    at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
17:51:59,149 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap=<font color="navy">{</font>policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99<font color="navy">}</font>:method=<font color="navy"><b>public</b></font> <font color="navy"><b>int</b></font> org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Local:ejbName=AuditEventManagerBean:ejbPrincipal=<font color="navy"><b>null</b></font>:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=<font color="navy"><b>null</b></font>:callerSubject=Subject:
    Principal: anonymous
:callerRunAs=<font color="navy"><b>null</b></font>:callerRunAs=<font color="navy"><b>null</b></font>:ejbRestrictionEnforcement=<font color="navy"><b>false</b></font>:ejbVersion=<font color="navy"><b>null</b></font>];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>I addition: I've tried both with and without specifying to use caller identity in ejb-jar.xml descriptors as follows:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>EJB A:</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><pre class="jive-pre"><code class="jive-code jive-xml"><span class="jive-xml-tag"><span><ejb-jar xmlns = "</span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span>"
         version = "3.0"
         xmlns:xsi = "</span><a class="jive-link-external-small" href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a><span>"
         xsi:schemaLocation = "</span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span> </span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" target="_blank">http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd</a><span>"></span></span>
    <span class="jive-xml-tag"><enterprise-beans></span>
        <span class="jive-xml-tag"><session></span>
            <span class="jive-xml-tag"><ejb-name></span>AuditEventManagerBean<span class="jive-xml-tag"></ejb-name></span>
            <span class="jive-xml-tag"><security-identity></span>
                <span class="jive-xml-tag"><use-caller-identity/></span>
            <span class="jive-xml-tag"></security-identity></span>
        <span class="jive-xml-tag"></session></span>
    <span class="jive-xml-tag"></enterprise-beans></span>
<span class="jive-xml-tag"></ejb-jar></span></code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>EJB B:</p><pre class="jive-pre"><code class="jive-code jive-xml">
<span class="jive-xml-tag"><span><ejb-jar xmlns = "</span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span>"
         version = "3.0"
         xmlns:xsi = "</span><a class="jive-link-external-small" href="http://www.w3.org/2001/XMLSchema-instance" target="_blank">http://www.w3.org/2001/XMLSchema-instance</a><span>"
         xsi:schemaLocation = "</span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee" target="_blank">http://java.sun.com/xml/ns/javaee</a><span> </span><a class="jive-link-external-small" href="http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd" target="_blank">http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd</a><span>"></span></span>
    <span class="jive-xml-tag"><enterprise-beans></span>
        <span class="jive-xml-tag"><session></span>
            <span class="jive-xml-tag"><ejb-name></span>AuditMessageManagerBean<span class="jive-xml-tag"></ejb-name></span>
            <span class="jive-xml-tag"><security-identity></span>
                <span class="jive-xml-tag"><use-caller-identity/></span>
            <span class="jive-xml-tag"></security-identity></span>
        <span class="jive-xml-tag"></session></span>
    <span class="jive-xml-tag"></enterprise-beans></span>
<span class="jive-xml-tag"></ejb-jar></span>
</code></pre><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>Thank you very much in advance.</p><p style="min-height: 8pt; height: 8pt; padding: 0px;"> </p><p>D.</p></div>
<div style="background-color: #f4f4f4; padding: 10px; margin-top: 20px;">
<p style="margin: 0;">Reply to this message by <a href="http://community.jboss.org/message/544712#544712">going to Community</a></p>
        <p style="margin: 0;">Start a new discussion in EJB 3.0 at <a href="http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2029">Community</a></p>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
</div>
</body>
</html>