7 Replies Latest reply on Sep 6, 2010 4:59 AM by giantpm

    Security principal propagation across ejb3 modules

    giantpm

      Hi,

      I'm developing an enterprise application within JBoss 5.

      I have multiple EJB3 modules in a single ear, each one under the same security domain.

      Authentication works properly and the ClientLoginModule is required in the application policy.

      My question is the following: if the client (or the web tier) calls EJB 1, which in turn calls EJB 2 (both secured), is the security Principal propagated correctly?

      It is giving me a principal: null exception when the second EJB is called in the stack ...

      Where am I wrong?

      Thanks in advance.

      D.

        • 1. Re: Security principal propagation across ejb3 modules
          giantpm

          No one is answering me ... maybe my question is too newbie/stupid, or ill-posed?

          I suppose the latter (ill-posed), so I will try to explain it again, better.

          As far as I know, the credential/principal has to be propagated between EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).

          The situation:

          - Two EJB modules in an EAR. Same security realm.

          - A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.

          - The client is authenticated as Principal="SomeOne", Role="MyRole".

          - The method requires role "MyRole" by means of @RolesAllowed("MyRole")

          - Method A in turn calls a method B, which is inside another session bean in EJB B.

          - Method B is also marked with @RolesAllowed("MyRole").

          - Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"

          Looking into the logs (TRACE level) it points out that:

          1) The call to method A is successfully authenticated (Principal="SomeOne", Role="MyRole").

          2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).

          Has anyone faced this issue before?

          Thanking you in advance.

          D.

          • 2. Re: Security principal propagation across ejb3 modules
            jaikiran

            For the sake of completeness and better understanding, can you post the TRACE logs, the relevant code and the config files?

            P.S.: Although I don't expect it to fix this issue, I would recommend that you apply our latest EJB3 plugin http://www.jboss.org/ejb3/ejb3plugin.html against JBoss AS 5.1.0

            • 3. Re: Security principal propagation across ejb3 modules
              giantpm

              Of course ...

              I forgot to mention that I've already patched JBoss with the EJB3 Plugin 1.0.19.

              Here is the security realm configuration in login-config.xml:


              <application-policy  name="cdrms-realm">
                   <authentication>           
                        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                             <module-option name="dsJndiName">java:cimecDS</module-option>
                             <module-option name="principalsQuery">SELECT CDRMS_JBOSS_USER(?)</module-option>
                             <module-option name="rolesQuery">SELECT 'CDRMSRealmUser', 'Roles' FROM RESOURCES_LIST WHERE NAME=?</module-option>
                             <module-option name="hashAlgorithm">MD5</module-option>
                             <module-option name="hashEncoding">HEX</module-option>
                             <module-option name="ignorePasswordCase">true</module-option>
                             <module-option name="debug">true</module-option>
                        </login-module>
                        <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                             <module-option name="debug">true</module-option>
                        </login-module>
                   </authentication>
              </application-policy>

              The Bean A in EJB A:


              import ...

              @Stateless
              @RemoteBinding(jndiBinding = "CDRMS/AuditMessageManager/remote")
              @LocalBinding(jndiBinding = "CDRMS/AuditMessageManager/local")
              @SecurityDomain("cdrms-realm")
              @RolesAllowed({"CDRMSRealmUser"})
              public class AuditMessageManagerBean implements AuditMessageManagerRemote, AuditMessageManagerLocal {
                   // Logger field omitted from the original post; assumed to be a JBoss/log4j style Logger
                   private static final Logger log = Logger.getLogger(AuditMessageManagerBean.class);
                   @EJB(mappedName = "CDRMS/AuditEventManager/local")
                   private AuditEventManager pm;
                   @Resource
                   private SessionContext sctx;

                   // ... business and lifecycle methods ...

                   public int count() {
                        // Logs the caller principal as seen by bean A
                        log.info("------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
                        return pm.count(); // (1) delegates to bean B through its local interface
                   }
              }

              The bean B in EJB B:

              import ...

              @Stateless
              @RemoteBinding(jndiBinding = "CDRMS/AuditEventManager/remote")
              @LocalBinding(jndiBinding = "CDRMS/AuditEventManager/local")
              @SecurityDomain("cdrms-realm")
              @RolesAllowed({"CDRMSRealmUser"})
              public class AuditEventManagerBean implements AuditEventManagerLocal, AuditEventManagerRemote {
                   // Logger field omitted from the original post; assumed to be a JBoss/log4j style Logger
                   private static final Logger log = Logger.getLogger(AuditEventManagerBean.class);
                   @PersistenceContext(unitName = "cimecPU")
                   private EntityManager em;
                   @Resource
                   private SessionContext sctx;

                   // ... business and lifecycle methods ...

                   public int count() { // (2)
                        // Logs the caller principal as seen by bean B
                        log.info("------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
                        return ((Long) em.createQuery("select count(o) from AuditEvent as o").getSingleResult()).intValue();
                   }
              }

              The standalone client main method:

              import ...

              public static void main(String[] args) {
                   try {
                        // Client-side JAAS login through the JBoss SecurityClient API
                        SecurityClient client = SecurityClientFactory.getSecurityClient();
                        client.setSimple("vera.aloe", "***");
                        client.login();

                        Properties env = new Properties();
                        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
                        // Standard JBoss URL package prefixes (the original post repeated the context factory class here)
                        env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
                        env.setProperty(Context.PROVIDER_URL, "jnp://mybindinghost:1099/");

                        InitialContext ic = new InitialContext(env);

                        // This is ok: bean B called directly
                        AuditEventManager aem = (AuditEventManager) ic.lookup("CDRMS/AuditEventManager/remote");
                        System.out.println(aem.count());

                        // This gives the exception below: bean A, which calls bean B internally
                        AuditMessageManager am = (AuditMessageManager) ic.lookup("CDRMS/AuditMessageManager/remote");
                        System.out.println(am.count());

                        // The same results by using LoginContext & CallbackHandler instead of SecurityClient
                        // and from the web tier
                   } catch (Exception ex) {
                        Logger.getLogger(SecurityTest.class.getName()).log(Level.SEVERE, null, ex);
                   }
              }

              The principal is correct in (2) but is anonymous in (1) ... here is the exception trace:

              17:51:56,691 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716691 sessioncount 0
              17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 1 expired sessions: 0
              17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716692 sessioncount 0
              17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
              17:51:59,082 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
              17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
              17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End validateCache, isValid=true
              17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End isValid, true
              17:51:59,083 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
              17:51:59,083 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56746]) Setting threadlocal:{}
              17:51:59,083 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56746]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
              17:51:59,083 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56746]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
              17:51:59,084 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditEventManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
                  Principal: vera.aloe
                  Principal: Roles(members:CDRMSRealmUser)
              :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
              17:51:59,084 INFO  [AuditEventManagerBean](WorkerThread#0[192.168.185.16:56746]) ------------------> Principal = vera.aloe
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
              17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End isValid, true
              17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
              17:51:59,133 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
              17:51:59,133 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
              17:51:59,133 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.audit.AuditMessageManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
              17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.audit.AuditMessageManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditMessageManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
                  Principal: vera.aloe
                  Principal: Roles(members:CDRMSRealmUser)
              :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
              17:51:59,139 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:null, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447]
              17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447];credential.class=null
              17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
              17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End isValid, true
              17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) popSubjectContext, sc=null
              17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) WARN::Deprecated usage of SecurityAssociation. Use SecurityContext
              17:51:59,141 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) getPrincipal, cache info: null
              17:51:59,141 INFO  [AuditMessageManagerBean](WorkerThread#0[192.168.185.16:56748]) ------------------> Principal = anonymous
              17:51:59,141 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
              17:51:59,142 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
              17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Local, requiredRoles=Roles(CDRMSRealmUser,)
              17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) Exception:Insufficient method permissions, principal=null, ejbName=AuditEventManagerBean, method=count, interface=Local, requiredRoles=Roles(CDRMSRealmUser,), principalRoles=Roles()
              17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
                  Principal: anonymous
              :role=Roles()
              17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Error in authorize:
              org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
                  at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
                  at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
                  at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
                  at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
                  at $Proxy786.count(Unknown Source)
                  at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
                  at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
                  at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
                  at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
                  at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
                  at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
                  at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
                  at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
                  at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
                  at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
                  at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
              17:51:59,147 TRACE [EJBAuthorizationHelper](WorkerThread#0[192.168.185.16:56748]) Error in authorization:
              org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
                  at java.security.AccessController.doPrivileged(Native Method)
                  at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
                  at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
                  at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
                  at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
                  at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
                  at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
                  at $Proxy786.count(Unknown Source)
                  at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
                  at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
                  at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
                  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                  at java.lang.reflect.Method.invoke(Method.java:597)
                  at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
                  at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
                  at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
                  at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
                  at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
                  at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
                  at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
                  at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
                  at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
                  at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
                  at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
                  at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
                  at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
              17:51:59,149 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Local:ejbName=AuditEventManagerBean:ejbPrincipal=null:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
                  Principal: anonymous
              :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;

               

              In addition: I've tried both with and without specifying to use caller identity in ejb-jar.xml descriptors as follows:

               

              EJB A:

               

              <ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee" 
                       version = "3.0"
                       xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
                  <enterprise-beans>
                      <session>
                          <ejb-name>AuditEventManagerBean</ejb-name>
                          <security-identity>
                              <use-caller-identity/>
                          </security-identity>
                      </session>
                  </enterprise-beans>
              </ejb-jar>

               

              EJB B:

              <ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee" 
                       version = "3.0"
                       xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
                       xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
                  <enterprise-beans>
                      <session>
                          <ejb-name>AuditMessageManagerBean</ejb-name>
                          <security-identity>
                              <use-caller-identity/>
                          </security-identity>
                      </session>
                  </enterprise-beans>
              </ejb-jar>
              

               

              Thank you very much in advance.

               

              D.

              • 4. Re: Security principal propagation across ejb3 modules
                giantpm

                ... sorry, I've inverted the naming (EJB A vs EJB B with respect to the first post) ...

                • 5. Re: Security principal propagation across ejb3 modules
                  giantpm

                  I've found out the problem ...

                   

                  I have a JMS connection in the session bean that "loses" the authentication ...
                  .. and it seems that there are bugs in JBoss 5.1 together with JMS 1.4 (look at http://community.jboss.org/thread/44409?tstart=0)

                   

                  Solved by updating to JMS 2.

                   

                  Thanks to everyone.

                   

                  D.
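                  An added illustration (not code from this thread, from JBoss, or from the HornetQ docs) of the two-module setup the thread describes and of the check that would have pointed at the JMS connection straight away: the caller bean ("EJB A") logs and verifies its caller principal at entry, again after the JMS send, and only then calls the `@RolesAllowed` bean in the other module ("EJB B"). The bean and interface names, the `java:/JmsXA` and `queue/AuditQueue` JNDI bindings and the `MyDomain` security domain are assumptions; the role `MyRole` is the thread's own placeholder. EJB B itself is the same `@RolesAllowed("MyRole")` session bean the thread already describes and is only referenced through its local interface here.

```java
import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.Session;

import org.jboss.ejb3.annotation.SecurityDomain;

/** Local view of "EJB B" (hypothetical name). Its bean class, in the other
 *  module, guards count() with @RolesAllowed("MyRole") as the thread says. */
@Local
interface DownstreamLocal {
    int count();
}

/** Local view of "EJB A" (hypothetical name). */
@Local
interface PropagationCheckLocal {
    int auditAndCount();
}

/** "EJB A": takes the authenticated call, sends a JMS message, then calls EJB B. */
@Stateless
@SecurityDomain("MyDomain")   // assumed: the security domain both modules share
@DeclareRoles("MyRole")
public class PropagationCheckBean implements PropagationCheckLocal {

    private static final Logger LOG = Logger.getLogger(PropagationCheckBean.class.getName());
    private static final String ROLE = "MyRole";

    @Resource
    private SessionContext ctx;

    @EJB
    private DownstreamLocal downstream;

    // JBoss 5's JCA-managed JMS connection factory, and an assumed queue binding.
    @Resource(mappedName = "java:/JmsXA")
    private ConnectionFactory connectionFactory;

    @Resource(mappedName = "queue/AuditQueue")
    private Queue auditQueue;

    @RolesAllowed(ROLE)
    public int auditAndCount() {
        checkCaller("entry");               // must already be the authenticated user
        sendAuditMessage("count requested");
        checkCaller("after JMS send");      // in the thread, this is where the identity vanished
        return downstream.count();          // EJB B's own @RolesAllowed check runs here
    }

    /** Logs the caller and fails closed if the container no longer reports an
     *  authenticated principal, so the fault shows up in this bean's log instead
     *  of as "Caller unauthorized" one module away. */
    private void checkCaller(String stage) {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? "null" : p.getName();
        boolean inRole = ctx.isCallerInRole(ROLE);
        LOG.info(stage + ": caller=" + name + " inRole(" + ROLE + ")=" + inRole);
        // JBoss reports an unauthenticated caller as "anonymous" (compare the
        // TRACE line in the thread: "Principal: anonymous").
        if (p == null || "anonymous".equals(name) || !inRole) {
            throw new EJBAccessException("caller identity lost at stage: " + stage);
        }
    }

    /** Plain JMS 1.1 send; the connection is always closed, even on failure. */
    private void sendAuditMessage(String text) {
        Connection conn = null;
        try {
            conn = connectionFactory.createConnection();
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            MessageProducer producer = session.createProducer(auditQueue);
            producer.send(session.createTextMessage(text));
        } catch (JMSException e) {
            throw new RuntimeException("audit message failed", e);
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (JMSException ignored) { /* already failing */ }
            }
        }
    }
}
```

                  If the "entry" line shows the real user and the "after JMS send" line shows `anonymous` (or the role check fails), the JMS layer is dropping the security context, which is what the thread concluded; if both lines are fine and EJB B still rejects the call, the problem is in the descriptors or the `@SecurityDomain` of the second module instead.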

                  • 6. Re: Security principal propagation across ejb3 modules
                    kobiianko

                    Hi Davide,

                    how did you update to JMS 2.0? Could you help me with the steps needed to perform the upgrade?

                     

                    10x, Kobi

                    • 7. Re: Security principal propagation across ejb3 modules
                      giantpm

                      Hi Kobi.

                       

                      I simply installed the HornetQ module on JBoss 5, following the instructions at http://www.jboss.org/hornetq/docs.html

                       

                      Bye.