[
https://issues.jboss.org/browse/WFLY-140?page=com.atlassian.jira.plugin.s...
]
Jason Greene updated WFLY-140:
------------------------------
Assignee: Darran Lofthouse (was: Thomas Diesler)
switching users between ejb calls does not work when the call originates from a remote client
---------------------------------------------------------------------------------------------
Key: WFLY-140
URL: https://issues.jboss.org/browse/WFLY-140
Project: WildFly
Issue Type: Bug
Components: EJB
Reporter: Derek Horton
Assignee: Darran Lofthouse
Fix For: 8.0.0.Alpha1
Description of problem:
Switching users between ejb calls does not work when the call originates
from a remote client. In this case, both ejbs are on the same JBoss instance.
The use case looks like the following:
remote standalone client ---> unsecured ejb3 (switch user here) -> secured ejb3
I tried to use both approaches outlined in Q10/A10 of the JBoss
Security FAQ [1] in order to establish a security context in
the unsecured ejb that should be used to invoke the secured ejb.
Neither approach worked in my testing.
When the same unsecured ejb is called from a web application (secured
or unsecured), then the user switching works correctly.
The ejb security code appears to work differently based on the client
type (standalone remote ejb client vs a web application).
I believe this is happening because the
org.jboss.as.security.service.SimpleSecurityManager.push method (called
by the SecurityContextInterceptor) is checking for an existing
RemotingContext and grabbing the security context from there even
though the security context that should be used appears to be getting
propagated correctly.
The following area of the code appears to be causing the issue. This
section of code is executed which causes the newly established security
context to be ignored:
    if (RemotingContext.isSet()) {
        // In this case the principal and credential will not have been set to set some random values.
        SecurityContextUtil util = current.getUtil();
Steps to Reproduce:
Create a test application that looks like the following:
remote client ---> unsecured ejb3 (switch user here) -> secured ejb3
Actual results:
If the unsecured ejb is invoked from a remote client, the user switching that takes place
in the first ejb is ignored. Replace the remote standalone client with a web application
and the user switching works.
Expected results:
User switching should work if the client is a standalone remote client or a web
application.
Additional info:
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:
http://www.atlassian.com/software/jira
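Added illustration, not WildFly code and not the fix that eventually shipped (the report above does not show it): the Python model below reduces the precedence described in the report, "if a RemotingContext is set, take the identity from the connection", to a pure function, so the observed behaviour matrix (remote client vs. web client, with and without a user switch) can be reproduced offline. The "expected" resolver, the role table and the call-chain simulation are assumptions made for the example.

```python
"""Toy model of the security-context precedence behind WFLY-140.

Added example, not WildFly code: it reduces the SimpleSecurityManager.push()
branch quoted in the report to a pure function and replays the call chain
  client -> unsecured EJB (switch user here) -> secured EJB
for both client kinds.  resolve_expected() is an assumption about what the
corrected precedence should look like, not the actual patch.
"""
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class SecurityContext:
    """Identity established inside the application, e.g. the user switched
    to in the unsecured EJB before it calls the secured one."""
    principal: str


@dataclass(frozen=True)
class RemotingConnection:
    """Identity authenticated on the remote EJB client's connection.  Only a
    standalone remote client has one; a web-application caller does not."""
    user: str


Resolver = Callable[[Optional[SecurityContext], Optional[RemotingConnection]], str]


def resolve_reported(propagated: Optional[SecurityContext],
                     remoting: Optional[RemotingConnection]) -> str:
    """Precedence as described in the report: the RemotingContext check comes
    first, so a context established by the caller is ignored whenever the
    call entered the server over a remote connection."""
    if remoting is not None:
        return remoting.user
    if propagated is not None:
        return propagated.principal
    return "anonymous"


def resolve_expected(propagated: Optional[SecurityContext],
                     remoting: Optional[RemotingConnection]) -> str:
    """Assumed corrected precedence: an explicitly established context wins;
    the connection identity is only the fallback for the first hop."""
    if propagated is not None:
        return propagated.principal
    if remoting is not None:
        return remoting.user
    return "anonymous"


# Constructed role table for the secured EJB's authorization check (assumption).
ROLES = {"alice": {"user"}, "admin": {"user", "admin"}}


def secured_ejb_allows(identity: str, required_role: str = "admin") -> bool:
    """Role check the secured EJB performs on the identity it was handed."""
    return required_role in ROLES.get(identity, set())


def call_chain(client: str, caller: str, switch_to: Optional[str],
               resolver: Resolver) -> dict:
    """Simulate client -> unsecured EJB (optional user switch) -> secured EJB.

    client: "remote" (standalone EJB client) or "web" (servlet in the server).
    Returns the identity the secured EJB saw and whether its role check passed.
    """
    if client == "remote":
        remoting: Optional[RemotingConnection] = RemotingConnection(user=caller)
        # Without a switch the remote caller has no separate in-server context.
        propagated = SecurityContext(switch_to) if switch_to else None
    elif client == "web":
        remoting = None
        # The web container always hands the EJB layer an in-server context.
        propagated = SecurityContext(switch_to or caller)
    else:
        raise ValueError(f"unknown client kind: {client!r}")
    identity = resolver(propagated, remoting)
    return {"identity": identity, "allowed": secured_ejb_allows(identity)}


if __name__ == "__main__":
    # Replay the matrix from the report: only the remote + switch case differs.
    for resolver in (resolve_reported, resolve_expected):
        for client in ("remote", "web"):
            for switch_to in (None, "admin"):
                result = call_chain(client, "alice", switch_to, resolver)
                print(f"{resolver.__name__:17} {client:6} switch={switch_to!s:5} -> {result}")
```

The model is most useful as a regression check: a test that drives the real chain through a remote client and asserts on the principal the secured bean reports would have caught this precedence inversion, whereas a test that only enters through a web application (the working path in the report) would not.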