Jiri Ondrusek moved JBEAP-15754 to WFCORE-4192:
-----------------------------------------------
Project: WildFly Core (was: JBoss Enterprise Application Platform)
Key: WFCORE-4192 (was: JBEAP-15754)
Workflow: GIT Pull Request workflow (was: CDW with loose statuses v1)
Component/s: Security
(was: EJB)
(was: Security)
(was: Transactions)
Affects Version/s: 7.0.0.Alpha4
(was: 7.1.0.CR4)
Server-server EJB invocation fails if no security is defined on
target bean due to faulty permission check
-----------------------------------------------------------------------------------------------------------
Key: WFCORE-4192
URL: https://issues.jboss.org/browse/WFCORE-4192
Project: WildFly Core
Issue Type: Bug
Components: Security
Affects Versions: 7.0.0.Alpha4
Reporter: Jiri Ondrusek
Assignee: Jiri Ondrusek
Priority: Major
Customer impact:
Possibly in testing scenarios; production scenarios will very likely use security.
Scenario description: Automated test ([source code|http://git.app.eng.bos.redhat.com/git/jbossqe/eap-tests-ejb.git/tree...]) which does these steps:
1. starts two servers (with standalone-ha.xml profile, but they don't form a
cluster): CLUSTER1_NODE1 and CLUSTER2_NODE1 (the original scenario was simplified from 2
clusters to 2 servers)
2. creates remote outbound connection on CLUSTER1_NODE1 to CLUSTER2_NODE1:
{code:xml}
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <endpoint/>
    <http-connector name="http-remoting-connector"
                    connector-ref="default" security-realm="ApplicationRealm"/>
    <outbound-connections>
        <remote-outbound-connection name="connection-to-cluster2"
                                    outbound-socket-binding-ref="connection-to-cluster2"/>
    </outbound-connections>
</subsystem>
{code}
3. deletes security-realm="ApplicationRealm" from CLUSTER2_NODE1:
{code:xml}
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <endpoint/>
    <http-connector connector-ref="default"
                    name="http-remoting-connector"/>
</subsystem>
{code}
4. deploys intermediary bean on CLUSTER1_NODE1 ([source code|http://git.app.eng.bos.redhat.com/git/jbossqe/eap-tests-ejb.git/tree...])
and target bean on CLUSTER2_NODE1 ([source code|http://git.app.eng.bos.redhat.com/git/jbossqe/eap-tests-ejb.git/tree...])
5. invokes intermediary bean with this code:
{code:java}
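import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.wildfly.naming.client.WildFlyInitialContextFactory;

// Look up the intermediary bean through the WildFly naming client.
final Properties properties = new Properties();
properties.put(Context.INITIAL_CONTEXT_FACTORY, WildFlyInitialContextFactory.class.getName());
final InitialContext ejbCtx = new InitialContext(properties);
final IntermediaryBeanRemote bean = (IntermediaryBeanRemote) ejbCtx
        .lookup("ejb:/bean-intermediary/" + IntermediaryBeanStateless.class.getSimpleName() + "!"
                + IntermediaryBeanRemote.class.getName());
// Each call makes the intermediary bean invoke the target bean on CLUSTER2_NODE1.
for (int i = 0; i < 200; i++) {
    bean.call();
}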
{code}
When intermediary bean tries to invoke target bean, it gets this exception:
{code}
CLUSTER1_NODE1: 09:29:34,536 ERROR [org.jboss.as.ejb3.invocation] (default task-6) WFLYEJB0034: EJB Invocation failed on component IntermediaryBeanStateless for method public abstract void org.jboss.qa.ejb.tests.jbeap10217.beans.IntermediaryBeanRemote.call(): java.lang.SecurityException: WFTXN0013: The peer threw a SecurityException; see peer logs for more information
    at org.wildfly.transaction.client.provider.remoting.TransactionClientChannel.setRollbackOnly(TransactionClientChannel.java:178)
    at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer$1.end(RemotingRemoteTransactionPeer.java:158)
    at org.wildfly.transaction.client.SubordinateXAResource.end(SubordinateXAResource.java:130)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.doEnd(TransactionImple.java:1089)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.endAssociation(TransactionImple.java:1060)
    at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.endAssociation(XAResourceRecord.java:1287)
    at com.arjuna.ats.internal.jta.resources.arjunacore.XAResourceRecord.topLevelAbort(XAResourceRecord.java:313)
    at com.arjuna.ats.arjuna.coordinator.BasicAction.doAbort(BasicAction.java:3023)
    at com.arjuna.ats.arjuna.coordinator.BasicAction.doAbort(BasicAction.java:3002)
    at com.arjuna.ats.arjuna.coordinator.BasicAction.Abort(BasicAction.java:1674)
    at com.arjuna.ats.arjuna.coordinator.BasicAction.Abort(BasicAction.java:1615)
    at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:99)
    at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1289)
    at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
    at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
    at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:73)
    at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:92)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:279)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:332)
    at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:240)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
    at org.jboss.weld.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:73)
    at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.remote.EJBRemoteTransactionPropagatingInterceptor.processInvocation(EJBRemoteTransactionPropagatingInterceptor.java:89)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:609)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
    at org.jboss.as.ejb3.remote.AssociationImpl$$Lambda$1232/202321503.apply(Unknown Source)
    at org.wildfly.security.auth.server.SecurityIdentity.runAsFunctionEx(SecurityIdentity.java:380)
    at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:535)
    at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:530)
    at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:193)
    at org.jboss.as.ejb3.remote.AssociationImpl$$Lambda$1230/1343168004.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: Remote exception java.lang.SecurityException: WFTXN0088: User anonymous does not have permission ("org.wildfly.transaction.client.RemoteTransactionPermission" "")
    at org.wildfly.transaction.client.provider.remoting.TransactionServerChannel.getSecurityIdentity(TransactionServerChannel.java:745)
    at org.wildfly.transaction.client.provider.remoting.TransactionServerChannel.handleXaTxnRollbackOnly(TransactionServerChannel.java:390)
    at org.wildfly.transaction.client.provider.remoting.TransactionServerChannel$ReceiverImpl.handleMessage(TransactionServerChannel.java:132)
    at org.jboss.remoting3.remote.RemoteConnectionChannel.lambda$handleMessageData$3(RemoteConnectionChannel.java:430)
    at org.jboss.remoting3.remote.RemoteConnectionChannel$$Lambda$901/21589536.run(Unknown Source)
    at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:926)
    at org.jboss.remoting3.EndpointImpl$TrackingExecutor$$Lambda$885/1175809082.run(Unknown Source)
    ... 3 more
{code}
It seems that the transaction client is trying to check the
"org.wildfly.transaction.client.RemoteTransactionPermission". This permission is
bound to Elytron, but Elytron is not running?
The permission is defined in standalone-ha.xml on CLUSTER2_NODE1:
{code:xml}
<permission-mapping>
    <principal name="anonymous"/>
    <permission module="org.wildfly.extension.batch.jberet"
                target-name="*"
                class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission"/>
    <permission module="org.wildfly.transaction.client"
                class-name="org.wildfly.transaction.client.RemoteTransactionPermission"/>
    <permission module="org.jboss.ejb-client"
                class-name="org.jboss.ejb.client.RemoteEJBPermission"/>
</permission-mapping>
{code}
Please check
https://github.com/wildfly/wildfly-transaction-client/blob/master/src/mai...
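
A triage check for this kind of report, added here as an example (not code from WildFly or from the reporter): it extracts the user and permission class from the WFTXN0088 line and checks whether the permission-mapping quoted above grants that class to that principal. The function names and result labels are hypothetical, and only the mapping form shown in this report is handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the permission-mapping element quoted in the report.
PERMISSION_MAPPING = """<permission-mapping>
  <principal name="anonymous"/>
  <permission module="org.wildfly.extension.batch.jberet" target-name="*"
      class-name="org.wildfly.extension.batch.jberet.deployment.BatchPermission"/>
  <permission module="org.wildfly.transaction.client"
      class-name="org.wildfly.transaction.client.RemoteTransactionPermission"/>
  <permission module="org.jboss.ejb-client"
      class-name="org.jboss.ejb.client.RemoteEJBPermission"/>
</permission-mapping>"""

# Root-cause line from the report's stack trace, with the mail wrapping undone.
LOG_LINE = ('Caused by: Remote exception java.lang.SecurityException: WFTXN0088: '
            'User anonymous does not have permission '
            '("org.wildfly.transaction.client.RemoteTransactionPermission" "")')

# \s+ between words so the pattern also matches a line-wrapped copy of the log.
DENIAL = re.compile(r'WFTXN0088:\s+User\s+(?P<user>\S+)\s+does\s+not\s+have\s+'
                    r'permission\s+\("(?P<cls>[^"]+)"\s+"(?P<target>[^"]*)"\)')

def parse_denial(line):
    """Return {'user', 'cls', 'target'} for a WFTXN0088 denial, else None."""
    m = DENIAL.search(line)
    return m.groupdict() if m else None

def local(tag):
    # Drop an XML namespace prefix such as {urn:...} if the element has one.
    return tag.rsplit('}', 1)[-1]

def granted_classes(xml_text, principal):
    """Permission class names mapped to `principal` by permission-mapping elements."""
    granted = set()
    for mapping in ET.fromstring(xml_text).iter():
        if local(mapping.tag) != 'permission-mapping':
            continue
        names = {c.get('name') for c in mapping if local(c.tag) == 'principal'}
        if principal in names:
            granted |= {c.get('class-name') for c in mapping if local(c.tag) == 'permission'}
    return granted

def triage(line, xml_text):
    d = parse_denial(line)
    if d is None:
        return 'no-denial'
    # A mapping that exists means the denial does not come from a missing grant.
    ok = d['cls'] in granted_classes(xml_text, d['user'])
    return 'granted-in-config' if ok else 'missing-mapping'
```

For the log line and mapping in this report the result is `granted-in-config`, which matches the report's reading that the fault lies in the check rather than in the configured mapping.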