I went through some issues with EJB3 and ZK.  I was using openejb at the time, integrated with tomcat 6. I found that my methods that had role restrictions (using @RolesAllowed) were not accessible.  Whenever I clicked a button, an event would be fired, but I would get an error of “Unauthorized Access by Principal Denied“, to that method, with a stack trace.

Here’s an example, where I have a method in an EJB that has a role restriction…

@RolesAllowed({"admin", "entryclerk"})
public void doSomething(String action)

Whenever the doSomething thread was called from an event, such as a button click event, it would fail with an error like the following.  Take note of the bold sections, indicating the error, and the fact that it is a ZK thread.

      Message : Unauthorized Access by Principal Denied
      Exception : javax.ejb.EJBAccessException
      Stack : javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
	at org.apache.openejb.core.stateful.StatefulContainer.checkAuthorization(StatefulContainer.java:706)
	at org.apache.openejb.core.stateful.StatefulContainer.businessMethod(StatefulContainer.java:479)
	at org.apache.openejb.core.stateful.StatefulContainer.invoke(StatefulContainer.java:277)
	at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
	at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
	at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:281)
	at $Proxy47.isAuthenticated(Unknown Source)
	at com.example.main.SubmitButton.postTransaction(SubmitButton.java:65)
	at com.example.main.SubmitButton.onEvent(SubmitButton.java:186)
	at org.zkoss.zk.ui.impl.EventProcessor.process0(EventProcessor.java:197)
	at org.zkoss.zk.ui.impl.EventProcessor.process(EventProcessor.java:141)
	at org.zkoss.zk.ui.impl.EventProcessingThreadImpl.process0(EventProcessingThreadImpl.java:519)
	at org.zkoss.zk.ui.impl.EventProcessingThreadImpl.run(EventProcessingThreadImpl.java:446)

Threading is not allowed in EJB, and as a result, the user and role security was not propagated to the EJB calls I was making, as they calls were being made from within an entirely different thread than what was being managed by the EJB container.  The solution to this problem, is to disable ZK event threads.  ZK threads are enabled by default, but may be disabled in zk.xml, as follows.


Once the threads are disabled, the access denied errors disappear.

2 Replies to “ZK AJAX and EJB 3”

  1. Oh, almost forgot, thanks to David Blevins, the author of openejb, for catching the access from a thread bit. He spotted it immediately when I gave him a stack trace. It probably would have taken me quite awhile, since I was completely unaware that threads would have this sort of affect on an EJB container.

Leave a Reply

Your email address will not be published. Required fields are marked *