EJB authorization error... within click listener

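import java.util.Collections;
import java.util.List;
import javax.annotation.Nonnull;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import com.vaadin.Application;
import com.vaadin.ui.Button;
import com.vaadin.ui.Button.ClickEvent;
import com.vaadin.ui.Window;

public class ContactListApp extends Application {
	private Window mainWindow; // assigned in init(), so it cannot be final

	public void init() {
		System.out.println("ContactListApp init() called....");
		mainWindow = new Window("Contact List App");

		// Call the EJB (this succeeds)
		getContacts();

		Button buttonRefreshContacts = new Button("refresh contact list");
		buttonRefreshContacts.addListener(new Button.ClickListener() {
			private static final long serialVersionUID = 5019806363620874205L;

			public void buttonClick(ClickEvent event) {
				// call the EJB (this fails with javax.ejb.AccessLocalException: Client not authorized for this invocation)
				getContacts();
			}
		});
	}

	private @Nonnull List<Contact> getContacts() {
		try {
			// Can't use @EJB on this project
			final Context context = new InitialContext();
			// lookup() returns Object, so cast to the bean type
			final ContactEjbBean contactEjbBean = (ContactEjbBean) context.lookup(ContactEjbBean.class.getName());

			final List<Contact> contacts = contactEjbBean.getContacts();
			System.out.println("Number of contacts: " + contacts.size());
			return Collections.unmodifiableList(contacts);
		} catch (final NamingException ex) {
			// handler body not shown in the original post; rethrow so the method compiles
			throw new IllegalStateException(ex);
		}
	}
}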


App is deployed as a portlet in Liferay 5.2.3 running Glassfish v2.

Since the first EJB call succeeds, it's reasonable to assume security is configured properly in web.xml (security-constraint, login-config, security-role, …) and with @RolesAllowed on the EJB. I have NOT tried this outside of Liferay.

If someone else can create a similar app, running against the same platform that works, that would be great.

Hopefully this rings a bell and it's a programming error on my part.


I set up a similar application, an EAR with a WAR and one EJB jar that authenticates against the Glassfish 2.1 file realm, similar to "Creating Secure Vaadin Application with JavaEE6", and the second EJB call succeeds.

I then set up an application that runs outside of Liferay using the same setup as in the original post and all works well.
It seems the breakdown is in my Liferay configuration, specifically my Liferay auth configuration. I do have a custom realm and LiferayAuthenticator so I'll start there.

It's just weird to me that it works when the application is initialized but not on a button click listener.
Also, isUserInRole returns true when the click listener is called from within Liferay. I don't get it.

Also, this project is potentially moving from ICEFaces to Vaadin.
With ICEFaces, my custom security conf in Liferay works like a charm.
The only thing that has changed is using Vaadin as the view technology.

Fixed this by making portlet-name and servlet-name the same.
I am using the portlet 2.0 spec so this is OK, I think.

Liferay adds lots of stuff to web.xml after deploying a WAR through Liferay's autodeploy directory: filters, servlets, and such. But I already knew this. Took a second look and noticed that Liferay was adding a servlet for my portlet-name to web.xml, I forget the impl. Decided to make them the same and that fixed the issue, at least for now.

Anyone know why this was an issue? I'm too lazy/scared to dig deeper.