3 Replies Latest reply on Jan 29, 2010 11:06 AM by emuckenhuber

    Remote Access to Profile Service

    rareddy

      In an another discussion Emanuel pointed out that

       

      <emanuel>

      The link you posted about remote access to ProfileService seems to be out of date. I need to validate that, but AFAIK you don't need to specify the SecureProfileService anymore. Security can be enabled with some server side settings using the same references - i'll update that. Thanks!

      </emanuel>

       

      I am running into this above situation now. I can not seem to get a reference to remote Profile Service through "SecureProfileService" reference, and at the same time on "ProfileService" reference I am not sure how to turn on the security on the server side? Can somebody please give me some hints.

       

      There is little blurb in the "profileservice-jboss-beans.xml", I can not seem to make that work.

       

      Thank you.

        • 1. Re: Remote Access to Profile Service
          emuckenhuber

          You would need to enable the server side authentication interceptors: in deploy/profileservice-jboss-beans.xml

           

          <bean name="ProfileServiceProxyFactory" class="org.jboss.profileservice.remoting.ProxyFactory">
                  <!-- Server side security interceptor stack -->
                  <property name="serverProxyInterceptors">
                      <list>
                          <bean class="org.jboss.aspects.security.AuthenticationInterceptor">
                              <constructor>
                                  <parameter>
                                      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager"
                                      parameter="jmx-console"/>
                                  </parameter>
                              </constructor>
                          </bean>
                          <bean class="org.jboss.aspects.security.RoleBasedAuthorizationInterceptor">
                              <constructor>
                                  <parameter>
                                      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager"
                                          parameter="jmx-console"/>
                                  </parameter>
                                  <parameter>
                                      <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager"
                                          parameter="jmx-console"/>
                                  </parameter>
                              </constructor>
                          </bean>
                      </list>
                  </property>
          </bean>
          
          
          

           

           

          You then still lookup a ProfileService, however calling methods like getViewManager() - should fail with a java.lang.SecurityException.

          • 2. Re: Remote Access to Profile Service
            rareddy

            The above in JBoss 5.1.0 GA does not work, as is. There were couple issues.

             

            The  property name should be "proxyInterceptors" instead of "serverProxyInterceptors", and this property fragment needs to be added as additional property under "ProfileServiceProxyFactory" rather then replacing the whole bean fragment. Then when I started the the AS, I am getting the following errors

             

             

            Caused by: java.io.NotSerializableException: org.jboss.aspects.security.AuthenticationInterceptor
                at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
                at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:326)
                at java.util.ArrayList.writeObject(ArrayList.java:570)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
            

             

            So, then I thought, I will extend the following classes and add "Serializable" interface to them and replace them in the XML fragment

             

            org.jboss.aspects.security.AuthenticationInterceptor
            org.jboss.aspects.security.RoleBasedAuthorizationInterceptor

             

            Then I found that the constructor for "RoleBasedAuthorizationInterceptor" with signature

             

             

               public RoleBasedAuthorizationInterceptor(AuthenticationManager authManager, AuthorizationManager authzManager)
               {
                  this.authenticationManager = authManager;
                  this.authorizationManager = authzManager;
               }
            

             

            was not added until version 1.0.1 of "jboss-security-aspects.jar" file, but the version of jar bundled with JBoss AS 5.1.0 is 1.0.0 GA. This version has a constructor

             

               public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping)
               {
                  this.securityManager = manager;
                  this.realmMapping = realmMapping;
               }
            

             

            Here I was not sure what I can pass as "RealmMapping" object, do you have any suggestions?

             

            Thanks.

            • 3. Re: Remote Access to Profile Service
              emuckenhuber

              Ah yes, sorry. Yeah in 5.1.0.GA there is still this ejb3 facade to secure profileservice, the deployment is also called secured-profileservice.jar, well as far as i can remember. This has been removed in EAP and JBoss AS6 - this was the configuration i was referring to.