Jan Kalina closed ELY-1240.
---------------------------
Fix Version/s: 1.1.0.Beta53
Resolution: Duplicate Issue
Labels: (was: eap7.1-rfe-blocker)
Resolved in ELY-559
Attribute security-domain from Elytron authentication-configuration
does not propagate credentials with OAUTHBEARER mechanism
-----------------------------------------------------------------------------------------------------------------------------
Key: ELY-1240
URL: https://issues.jboss.org/browse/ELY-1240
Project: WildFly Elytron
Issue Type: Bug
Affects Versions: 1.1.0.Beta47
Reporter: Ondrej Lukas
Priority: Blocker
Fix For: 1.1.0.Beta53
When a client-server schema such as 'Client -> Server A -> Server B' is used, the
intermediate server (server A) uses authentication-configuration.security-domain, and the
OAUTHBEARER mechanism is used, then an application (i.e. EJB) from the intermediate server
cannot authenticate to server B. It seems that the OAUTHBEARER mechanism cannot be chosen
by the SASL mechanism selector when a bearer token is not explicitly provided.

The intermediate server should be able to obtain credentials for OAuth from the given
security domain and use them for authentication [1].

See the reproducer for more details.

We request the blocker flag since this issue breaks a feature in RFE EAP7-284 Client / Server
Security Context Propagation for Remoting and Running As a given user and RFE EAP7-568
Server side configuration for Elytron Client.

Exception from intermediate server:
{code}
ERROR [org.jboss.as.ejb3.invocation] (default task-5) WFLYEJB0034: EJB Invocation failed on component Intermediate for method public abstract java.lang.String example.ejb.WhoAmIBeanRemote.whoAmI(): javax.ejb.EJBException: java.lang.IllegalStateException: EJBCLIENT000024: Not able to find EJB matching "StatelessEJBLocator for "/server-side/WhoAmIBean", view is interface example.ejb.WhoAmIBeanRemote, affinity is None"
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleExceptionInOurTx(CMTTxInterceptor.java:188)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:277)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:327)
    at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)
    at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.remote.EJBRemoteTransactionPropagatingInterceptor.processInvocation(EJBRemoteTransactionPropagatingInterceptor.java:89)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.security.IdentityOutflowInterceptor.processInvocation(IdentityOutflowInterceptor.java:73)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.security.RolesAllowedInterceptor.processInvocation(RolesAllowedInterceptor.java:63)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.security.SecurityDomainInterceptor.processInvocation(SecurityDomainInterceptor.java:44)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:256)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
    at org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:380)
    at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:460)
    at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:455)
    at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:165)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: EJBCLIENT000024: Not able to find EJB matching "StatelessEJBLocator for "/server-side/WhoAmIBean", view is interface example.ejb.WhoAmIBeanRemote, affinity is None"
    at org.jboss.ejb.client.EJBClientContext.discoverAffinityNone(EJBClientContext.java:719)
    at org.jboss.ejb.client.EJBClientContext.performLocatedAction(EJBClientContext.java:701)
    at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:162)
    at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:112)
    at com.sun.proxy.$Proxy47.whoAmI(Unknown Source)
    at example.ejb.Intermediate.whoAmI(Intermediate.java:21)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:327)
    at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:90)
    at org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:101)
    at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:240)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:275)
    ... 46 more
    Suppressed: javax.security.sasl.SaslException: Authentication failed: none of the mechanisms presented by the server (OAUTHBEARER) are supported
        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:438)
        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:246)
        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
        at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
        at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
        at org.xnio.nio.WorkerThread.run(WorkerThread.java:567)
        at ...asynchronous invocation...(Unknown Source)
        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:545)
        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:513)
        at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:84)
        at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:57)
        at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:464)
        at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:410)
        at org.jboss.remoting3.Endpoint.getConnectedIdentity(Endpoint.java:126)
        at org.jboss.remoting3.Endpoint.getConnectedIdentity(Endpoint.java:139)
        at org.jboss.remoting3.Endpoint.getConnection(Endpoint.java:216)
        at org.jboss.ejb.protocol.remote.RemotingEJBDiscoveryProvider.lambda$discover$0(RemotingEJBDiscoveryProvider.java:103)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.jboss.ejb.protocol.remote.RemotingEJBDiscoveryProvider.discover(RemotingEJBDiscoveryProvider.java:103)
        at org.wildfly.discovery.impl.AggregateDiscoveryProvider.discover(AggregateDiscoveryProvider.java:58)
        at org.wildfly.discovery.Discovery.discover(Discovery.java:94)
        at org.jboss.ejb.client.EJBClientContext.discover(EJBClientContext.java:442)
        at org.jboss.ejb.client.EJBClientContext.discoverAffinityNone(EJBClientContext.java:714)
        ... 76 more
{code}
[1] https://issues.jboss.org/browse/JBEAP-11377?focusedCommentId=13416866&...
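
Added example, not part of the original report or of the Elytron project: a small Python triage helper showing how the headline `WFLYEJB0034` / `EJBCLIENT000024` error in a trace like the one above hides the actual cause, the suppressed `SaslException` naming the mechanisms the server offered. The log excerpt is constructed and abbreviated from the trace, and the function names are hypothetical.

```python
import re

# Constructed, abbreviated log excerpt modelled on the trace in this report (wrapped as in mail).
SAMPLE_LOG = """\
INFO [example.app] (main) constructed filler line
ERROR [org.jboss.as.ejb3.invocation] (default task-5) WFLYEJB0034: EJB Invocation failed
on component Intermediate: javax.ejb.EJBException: java.lang.IllegalStateException:
EJBCLIENT000024: Not able to find EJB matching "StatelessEJBLocator for ..."
at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:277)
Caused by: java.lang.IllegalStateException: EJBCLIENT000024: Not able to find EJB
at org.jboss.ejb.client.EJBClientContext.discoverAffinityNone(EJBClientContext.java:719)
Suppressed: javax.security.sasl.SaslException: Authentication failed: none of the
mechanisms presented by the server (OAUTHBEARER) are supported
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:545)
ERROR [org.jboss.as.ejb3.invocation] (default task-6) WFLYEJB0034: EJB Invocation failed
Caused by: java.lang.NullPointerException
"""

EVENT_START = re.compile(r"^(?:ERROR|WARN|INFO|DEBUG)\s+\[", re.M)
CODE = re.compile(r"\b([A-Z]{3,}\d{4,}):")
SASL = re.compile(r"(Caused by|Suppressed): \S*SaslException: (.*?)(?= at |$)")
MECHS = re.compile(r"presented by the server \(([^)]*)\)")

def split_events(text):
    """Cut the log into events, each starting at a log-level line."""
    starts = [m.start() for m in EVENT_START.finditer(text)]
    return [text[a:b] for a, b in zip(starts, starts[1:] + [len(text)])]

def hidden_auth_failures(text):
    """Return SASL failures buried under an unrelated-looking ERROR headline."""
    findings = []
    for raw in split_events(text):
        flat = " ".join(raw.split())  # undo line wrapping
        if not flat.startswith("ERROR"):
            continue
        headline = flat.split(" at ", 1)[0]  # text before the first stack frame
        for position, message in SASL.findall(flat):
            offered = MECHS.search(message)
            findings.append({
                "headline_codes": CODE.findall(headline),
                "position": position,
                "offered": re.split(r",\s*", offered.group(1)) if offered else [],
                "message": message,
            })
    return findings

if __name__ == "__main__":
    for finding in hidden_auth_failures(SAMPLE_LOG):
        print(finding)
```
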