Description of problem: Improve the error message for EJBs that have restricted access permission but are not assigned to a security-domain. In this situation, the EJB security will fall back to the "other" security-domain, which will most likely end up with an "Invalid User" error message getting logged. In this situation, it might be better to log something like: "No security domain associated to this enterprise bean"
Not really sure if changing the message would make sense as the logic of the security manager is to say if the user is valid or not. Regarding the "other" as the default security-domain, this is the current behaviour of the app server. Not sure if this change is a good idea. PS: Maybe adding some debug info about which security domain is being used could help in this sort of use case :?
To reproduce:
- build an application with a secured web application, assign the web application to a valid security-domain
- make the servlet invoke a secured EJB
- the ejb should use the @RolesAllowed annotation
- the ejb should _not_ be assigned to a security-domain
- it will fall back to using "other" by default

There isn't a good warning in the logs about this behavior. You will see the servlet get authenticated using the security-domain that is assigned to it, but when the servlet invokes the secured EJB you will see that it "falls back" to the "other" security-domain, which cannot authenticate the user, leading to an error.

10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: admin, cache entry: null
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: admin
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
    [0]
    LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
    ControlFlag: LoginModuleControlFlag: optional
    Options:
        name=password-stacking, value=useFirstPass
    [1]
    LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
    ControlFlag: LoginModuleControlFlag: required
    Options:
        name=password-stacking, value=useFirstPass
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,676 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000283: Bad password for username admin
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
    at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_111]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_111]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_111]
    at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_111]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_111]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_111]
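Until the server itself warns about the fallback, the condition can be spotted from the TRACE/DEBUG output that is already there. The script below is an added illustration, not part of this report or of PicketBox/JBoss: it reads lines like the ones above, correlates the `PBOX000200` isValid call, the `PBOX000221` security-domain lookup and the `PBOX000283`/`PBOX000206` failure messages on the same thread, and flags a failed login whose consulted security-domain is the default one. Correlating by thread name is an assumption made here. The sample input copies the first thread from the trace above and adds a constructed second thread (`http-127.0.0.1:8080-2`, principal `bob`, security-domain `app-domain`) as a contrast case where a properly assigned domain rejects the login; that thread and its values are made up for the example.

```python
import re
from typing import Dict, List

# Constructed sample: the 8080-1 lines are copied from the PicketBox trace in the
# report above; the 8080-2 thread (principal bob, domain app-domain) is made up here
# as a contrast case where a real, assigned security-domain rejects the login.
SAMPLE_LOG = """\
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: admin, cache entry: null
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: admin
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,676 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000283: Bad password for username admin
10:17:34,677 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
10:17:35,001 TRACE [org.jboss.security] (http-127.0.0.1:8080-2) PBOX000200: Begin isValid, principal: bob, cache entry: null
10:17:35,002 TRACE [org.jboss.security] (http-127.0.0.1:8080-2) PBOX000221: Begin getAppConfigurationEntry(app-domain), size: 1
10:17:35,010 DEBUG [org.jboss.security] (http-127.0.0.1:8080-2) PBOX000283: Bad password for username bob
"""

# One PicketBox log line: "<time> <LEVEL> [<logger>] (<thread>) <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$"
)
# Message IDs exactly as they appear in the trace above.
PRINCIPAL_RE = re.compile(r"PBOX000200: Begin isValid, principal: (?P<principal>[^,]+)")
DOMAIN_RE = re.compile(r"PBOX000221: Begin getAppConfigurationEntry\((?P<domain>[^)]+)\)")
FAILURE_RE = re.compile(r"PBOX000283: Bad password|PBOX000206: Login failure")


def parse_line(line: str):
    """Split one log line into its fields; stack frames and other non-matching lines give None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_login_failures(log_text: str, default_domain: str = "other") -> List[Dict[str, object]]:
    """Correlate isValid / getAppConfigurationEntry / failure messages per thread.

    Returns one finding per failed login attempt, carrying the security-domain that was
    actually consulted and a 'fallback' flag set when that domain is the default one.
    Assumption: the three messages for one attempt are logged on the same request thread,
    so the most recent domain lookup on a thread belongs to its most recent isValid call.
    """
    state: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, object]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        st = state.setdefault(rec["thread"], {})
        msg = rec["msg"]
        m = PRINCIPAL_RE.search(msg)
        if m:
            st["principal"] = m.group("principal")
            st.pop("domain", None)  # a new authentication attempt starts here
            continue
        m = DOMAIN_RE.search(msg)
        if m:
            st["domain"] = m.group("domain")
            continue
        if FAILURE_RE.search(msg) and "domain" in st:
            domain = st.pop("domain")  # report each attempt once, even if two failure lines follow
            findings.append({
                "ts": rec["ts"],
                "thread": rec["thread"],
                "principal": st.get("principal", "?"),
                "domain": domain,
                "fallback": domain == default_domain,
            })
    return findings


def format_findings(findings: List[Dict[str, object]]) -> List[str]:
    """Human-readable lines; the fallback case is the one this report asks the server to warn about."""
    out = []
    for f in findings:
        if f["fallback"]:
            out.append(f'{f["ts"]} WARN  {f["thread"]}: login for "{f["principal"]}" failed in default '
                       f'security-domain "{f["domain"]}" - caller probably has no security-domain assigned')
        else:
            out.append(f'{f["ts"]} INFO  {f["thread"]}: login for "{f["principal"]}" failed in '
                       f'security-domain "{f["domain"]}"')
    return out


if __name__ == "__main__":
    for line in format_findings(audit_login_failures(SAMPLE_LOG)):
        print(line)
```

Run against a real server.log with `org.jboss.security` at TRACE, the WARN lines point at exactly the situation in the reproduction steps: a failure inside "other" right after a successful web login in the application's own domain is the signature of an EJB with no security-domain assigned.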