This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Troubleshooting: Recurring AccessException: SecurityException errors with container-managed authentication (JBoss)

Updated on October 6, 2015
The information in this article supplements the PRPC Installation Guide for the JBoss application server, Chapter 3: "Preparing the Application Server, Set up default Pega credentials for the server." It explains how to set Pega credentials when PRPC on the JBoss application server uses container-managed authentication.

Symptom

You have configured the JBoss application server, JBoss [EAP] 4.3.0.GA, for PRPC with container-managed authentication. During EJB deployment, the Pega system log repeatedly displays the following error, causing a glut of exceptions in the log:

 (  priv.context.JNDI Environment) ERROR   - Exception during getEJBInstance "com.pega.pegarules.internal.etier.interfaces.EngineHome"
java.lang.reflect.InvocationTargetException
            at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)
            at com.pega.pegarules.priv.context.JNDIEnvironment.getEJBInstance
...
...
Caused by: java.rmi.AccessException: SecurityException; nested exception is:
 javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
 at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
 at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:136)

The cause of this problem is that Pega credentials for anonymous users of PRPC on the JBoss application server do not work if you use container-managed authentication. The suggested approach explains how to avoid login failures when deploying PRPC with container-managed authentication.

Explanation

With container-managed authentication, the underlying application server authenticates users for logging in to PRPC.

  • If a user name provided by the application server matches an existing operator ID, the user is granted access.
  • If a user name does not match an existing operator ID, the user is denied access to PRPC.

Container-managed authentication does not allow for anonymous (unauthenticated) access because only the PegaAuthUser role has access to the secure internal PegaRULES Engine EJBs: EngineBMT and EngineCMT. All requests that look up these secured EJBs must have a valid Subject associated with them.

By default, the EJB deployment descriptor for the JBoss container, prpc_j2ee14_jbossJBM.ear/prbeans.jar/META-INF/jboss.xml, specifies, for the application policy “other”, the UsersRolesLoginModule option for “unauthenticatedIdentity” as anonymous. This default setting does not work for container-managed authentication:

<application-policy name="other">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                      flag="required">
            <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
    </authentication>
</application-policy>

The jboss.xml security container must point to the custom application policy specified in the login-config.xml file.

Solution

Ensure that user identities in the LDAP service, or other security mechanism, that are authenticated with a valid Subject in the JBoss security container have authorization to invoke internal PRPC EJBs. Do this by using the application policy name that is specified in the login-config.xml file as your security-domain in the jboss.xml file.

In the $JBOSS_HOME/server/pega/conf/login-config.xml file, specify your application policy:

<application-policy name="your_custom_application_policy">

In the prpc_j2ee14_jbossJBM.ear/prbeans.jar/META-INF/jboss.xml file, specify that application policy as the security domain:

<security-domain>your_custom_application_policy</security-domain>

If your PRPC deployment runs on JBoss [EAP] 4.2.2, set the security domain as follows:

<security-domain>java:/jaas/your_custom_application_policy</security-domain>
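
The following is an added example, not part of the original article or Pega's code: a Python check that the security domain named in jboss.xml exists as an application policy in login-config.xml and does not fall back to unauthenticatedIdentity. The function name and the inline sample XML are constructed for illustration, and the LdapLoginModule entry stands in for whatever login module your policy uses.

```python
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"  # JNDI prefix JBoss uses for security domains

def check_security_domain(login_config_xml, jboss_xml):
    """Return a list of findings; an empty list means the two files agree."""
    policies = {p.get("name"): p
                for p in ET.fromstring(login_config_xml).iter("application-policy")}
    node = ET.fromstring(jboss_xml).find(".//security-domain")
    domain = (node.text or "").strip() if node is not None else ""
    if not domain:
        return ["jboss.xml: no <security-domain> value"]
    if domain.startswith(JAAS_PREFIX):
        domain = domain[len(JAAS_PREFIX):]
    policy = policies.get(domain)
    if policy is None:
        return [f"login-config.xml: no application-policy named {domain!r}"]
    # The anonymous fallback is what fails under container-managed authentication.
    return [f"policy {domain!r}: unauthenticatedIdentity={(o.text or '').strip()!r}"
            for o in policy.iter("module-option")
            if o.get("name") == "unauthenticatedIdentity"]

# Constructed sample files (not taken from a real deployment).
LOGIN_CONFIG = """<policy>
  <application-policy name="other">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="your_custom_application_policy">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""
JBOSS_DEFAULT = "<jboss><security-domain>other</security-domain></jboss>"
JBOSS_FIXED = ("<jboss><security-domain>your_custom_application_policy"
               "</security-domain></jboss>")

if __name__ == "__main__":
    for label, xml in (("default", JBOSS_DEFAULT), ("fixed", JBOSS_FIXED)):
        print(label, check_security_domain(LOGIN_CONFIG, xml) or "OK")
```

To run it against a real deployment, pass the text of the two files named in the Solution section instead of the constructed strings.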
