Skip to main content

         This documentation site is for previous versions. Visit our new documentation site for current releases.      

This content has been archived and is no longer being updated.

Links may not function; however, this content may be relevant to outdated versions of the product.

Troubleshooting: Recurring AccessException: SecurityException errors with container-managed authentication (JBoss)

Updated on October 6, 2015
The information in this article supplements the PRPC Installation Guide for the JBoss application server,Chapter 3: "Preparing the Application Server, Set up default Pega credentials for the server." It explains how to set Pega credentials when PRPC on the JBoss application server uses container-managed authentication.


You have configured the JBoss application server, JBoss [EAP] 4.3.0.GA, for PRPC with container-managed authentication. During EJB deployment, the Pega system log repeatedly displays the following error, causing a glut of exceptions in the log:

 (  priv.context.JNDI Environment) ERROR   - Exception during getEJBInstance "com.pega.pegarules.internal.etier.interfaces.EngineHome"
            at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(
            at java.lang.reflect.Method.invoke(
            at com.pega.pegarules.priv.context.JNDIEnvironment.getEJBInstance
Caused by: java.rmi.AccessException: SecurityException; nested exception is: Password Incorrect/Password Required
 at org.jboss.ejb.plugins.LogInterceptor.handleException(
 at org.jboss.ejb.plugins.LogInterceptor.invokeHome(

The cause of this problem is that Pega credentials for anonymous users of PRPC on the JBoss application server do not work if you use container-managed authentication. The suggested approach explains how to avoid login failures when deploying PRPC with container-managed authentication.


With container-managed authentication, the underlying application server authenticates users for logging in to PRPC.

  • If a user name provided by the application server matches an existing operator ID, the user is granted access.
  • If a user name does not match an existing operator ID, the user is denied access to PRPC.

Container-managed authentication does not allow for anonymous (unauthenticated) access because only the PegaAuthUser role has access to the secure internal PegaRULES Engine EJBs: EngineBMT and EngineCMT. All requests that look up these secured EJBs must have a valid Subject associated with them.

By default, the EJB deployment descriptor for the JBoss container, prpc_j2ee14_jbossJBM.ear/prbeans.jar/META-INF/jboss.xml, specifies, for the application policy “other”, the UsersRolesLoginModule option for “unauthenticatedIdentity” as anonymous. This default setting does not work for container-managed authentication:

<application-policy name = "other">
          <login-module code = ""
             flag = "required">
             <module-option name="unauthenticatedIdentity">anonymous</module-option>

The jboss.xml security container must point to the custom application policy specified in the login-config.xml file.


Ensure that user identities in the LDAP service, or other security mechanism, that are authenticated with a valid Subject in the JBoss security container have authorization to invoke internal PRPC EJBs. Do this by using the application policy name that is specified in the  login-config.xml file as your security-domain in the jboss.xml file.

In the $JBOSS_HOME/server/pega/conf/login-config.xml file, specify your application policy:

<application-policy name="your_custom_application_policy">

In the prpc_j2ee14_jbossJBM.ear/prbeans.jar/META-INF/jboss.xml file, specify that application policy as the security domain:

<security-domain>your_custom_application_policy </security-domain>

If your PRPC deployment runs on JBoss [EAP] 4.2.2, set the security domain as follows:

<security-domain>jaas:/java/your_custom_application_policy </security-domain>

Have a question? Get answers now.

Visit the Support Center to ask questions, engage in discussions, share ideas, and help others.

Did you find this content helpful?

Want to help us improve this content?

We'd prefer it if you saw us at our best. is not optimized for Internet Explorer. For the optimal experience, please use:

Close Deprecation Notice
Contact us