Darran Lofthouse updated WFLY-6004:
-----------------------------------
Component/s: Security
JAASCallbackHandler resets SecurityContext after authentication to its pre-authentication value
------------------------------------------------------------------------------------------------
Key: WFLY-6004
URL: https://issues.jboss.org/browse/WFLY-6004
Project: WildFly
Issue Type: Bug
Components: Security
Affects Versions: 9.0.2.Final, 10.0.0.CR5
Reporter: Ian MacIntyre
Assignee: Darran Lofthouse
Labels: remote-ejb-connection, roles
We are using remote EJB calls and are finding role information being lost.

I have traced this to our use of JAAS authentication for the ApplicationRealm security realm.

Within the handle() method of JaasCallbackHandler it stores the current SecurityContext at that point (via securityManager.push()).

It then calls securityManager.authenticate(), which results in login modules being called.

We use the ClientLoginModule, which stores information on the SecurityContext via SecurityAssociationActions.setPrincipalInfo.

After authentication the JaasCallbackHandler calls securityManager.pop(), which resets the SecurityContext back to its state before authentication - thus losing the context set in the ClientLoginModule.

This only occurs via a remote EJB call, not via a call made from the web tier (as it does not use JaasLoginHandler).

Ideally I'd like some way to stop the JaasCallbackHandler resetting the SecurityContext (even if it was incredibly simple, by checking for an attribute on the current security context).

The same operations work in EAP 6.3 / JBoss 7.2.
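The push/authenticate/pop sequence described in the report, modelled as an added example that is not WildFly code: the class and method names (SecurityManagerStub, handleWithReset, handlePreservingContext) are assumptions, and the second handler shows the kind of check the reporter asks for, restoring the previous context only when the login module did not populate one.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;

public class CallbackHandlerContextDemo {

    /** Stand-in for a SecurityContext: principal and roles stay null until a login module sets them. */
    static final class SecurityContext {
        String principal;
        Set<String> roles;
    }

    /** Hypothetical stack-based holder with the push/authenticate/pop shape the report describes. */
    static final class SecurityManagerStub {
        private final Deque<SecurityContext> stack = new ArrayDeque<>();

        SecurityContext current() { return stack.peek(); }
        void push(SecurityContext ctx) { stack.push(ctx); }
        void pop() { stack.pop(); }

        /** Models a login module storing principal info on the current context (constructed credentials). */
        boolean authenticate(String user, char[] password) {
            if (!"alice".equals(user) || !"secret".equals(new String(password))) return false;
            SecurityContext ctx = current();
            ctx.principal = user;
            ctx.roles = Set.of("admin");
            return true;
        }
    }

    /** Reported behaviour: pop() unconditionally restores the pre-authentication context, dropping the roles. */
    static SecurityContext handleWithReset(SecurityManagerStub sm, String user, char[] pw) {
        sm.push(new SecurityContext());
        sm.authenticate(user, pw);
        sm.pop();
        return sm.current();
    }

    /** Variant: keep the context the login module populated; restore the old one only on failure. */
    static SecurityContext handlePreservingContext(SecurityManagerStub sm, String user, char[] pw) {
        sm.push(new SecurityContext());
        boolean ok = sm.authenticate(user, pw);
        if (!ok || sm.current().principal == null) {
            sm.pop();
        }
        return sm.current();
    }

    public static void main(String[] args) {
        SecurityManagerStub sm = new SecurityManagerStub();
        sm.push(new SecurityContext()); // anonymous pre-authentication context
        System.out.println("with reset: roles=" + handleWithReset(sm, "alice", "secret".toCharArray()).roles);
        System.out.println("preserved:  roles=" + handlePreservingContext(sm, "alice", "secret".toCharArray()).roles);
    }
}
```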