-
1. Re: Security principal propagation across ejb3 modules
giantpm May 25, 2010 10:52 AM (in response to giantpm)
No one is answering me ... maybe my question is too newbie/stupid or ill-posed?
I suppose the latter (ill-posed), so I will try to explain it again, better.
As far as I know, the credential/principal has to be propagated between EJB modules in the same JVM/JBoss instance, but it seems this doesn't happen in my system (JBoss 5.1.0 GA).
The situation:
- Two EJB modules in an EAR. Same security realm.
- A client (web or standalone ... doesn't matter) calls a method A inside a session bean in EJB A.
- The client is authenticated as Principal="SomeOne", Role="MyRole".
- The method requires role "MyRole" by means of @RolesAllowed("MyRole")
- The method A in turn calls a method B, which is inside another session bean in EJB B.
- Also the method B is marked with @RolesAllowed("MyRole").
- Resulting exception: "javax.ejb.EJBAccessException: Caller unauthorized"
Looking into the logs (TRACE level), it turns out that:
1) The call to the method A is successfully authenticated (Principal="SomeOne", Role="MyRole").
2) The principal/credentials get lost in the subsequent call to method B (Principal=anonymous).
Has anyone faced this issue before?
Thanking you in advance.
D.
-
2. Re: Security principal propagation across ejb3 modules
jaikiran May 25, 2010 11:27 AM (in response to giantpm)
For the sake of completeness and better understanding, can you post the TRACE logs, the relevant code and the config files?
P.S.: Although I don't expect it to fix this issue, I would recommend that you apply our latest EJB3 plugin http://www.jboss.org/ejb3/ejb3plugin.html against JBoss AS 5.1.0
-
3. Re: Security principal propagation across ejb3 modules
giantpm May 25, 2010 11:57 AM (in response to jaikiran)
Of course ...
I forgot to mention that I've already patched JBoss with the EJB3 Plugin 1.0.19.
Here is the security realm configuration in login-config.xml:

<application-policy name="cdrms-realm">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:cimecDS</module-option>
      <module-option name="principalsQuery">SELECT CDRMS_JBOSS_USER(?)</module-option>
      <module-option name="rolesQuery">SELECT 'CDRMSRealmUser', 'Roles' FROM RESOURCES_LIST WHERE NAME=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">HEX</module-option>
      <module-option name="ignorePasswordCase">true</module-option>
      <module-option name="debug">true</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="debug">true</module-option>
    </login-module>
  </authentication>
</application-policy>
The Bean A in EJB A:

import ...

@Stateless
@RemoteBinding(jndiBinding = "CDRMS/AuditMessageManager/remote")
@LocalBinding(jndiBinding = "CDRMS/AuditMessageManager/local")
@SecurityDomain("cdrms-realm")
@RolesAllowed({"CDRMSRealmUser"})
public class AuditMessageManagerBean implements AuditMessageManagerRemote, AuditMessageManagerLocal {

    // Local reference to bean B; the container must propagate the caller identity over this call
    @EJB(mappedName = "CDRMS/AuditEventManager/local")
    private AuditEventManager pm;

    @Resource
    private SessionContext sctx;

    // ... business and lifecycle methods (the logger field 'log' is declared among them) ...

    public int count() {
        log.info("------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
        return pm.count(); // (1)
    }
}
The bean B in EJB B:

import ...

@Stateless
@RemoteBinding(jndiBinding = "CDRMS/AuditEventManager/remote")
@LocalBinding(jndiBinding = "CDRMS/AuditEventManager/local")
@SecurityDomain("cdrms-realm")
@RolesAllowed({"CDRMSRealmUser"})
public class AuditEventManagerBean implements AuditEventManagerLocal, AuditEventManagerRemote {

    @PersistenceContext(unitName = "cimecPU")
    private EntityManager em;

    @Resource
    private SessionContext sctx;

    // ... business and lifecycle methods (the logger field 'log' is declared among them) ...

    public int count() { // (2)
        log.info("------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
        return ((Long) em.createQuery("select count(o) from AuditEvent as o").getSingleResult()).intValue();
    }
}
The standalone client main method:

import ...

public static void main(String[] args) {
    try {
        // Authenticate the client-side security context (ClientLoginModule picks this up)
        SecurityClient client = SecurityClientFactory.getSecurityClient();
        client.setSimple("vera.aloe", "***");
        client.login();

        Properties env = new Properties();
        env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        // URL_PKG_PREFIXES takes a package list, not the factory class name (fixed from the post)
        env.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.setProperty(Context.PROVIDER_URL, "jnp://mybindinghost:1099/");
        InitialContext ic = new InitialContext(env);

        // This is ok
        AuditEventManager aem = (AuditEventManager) ic.lookup("CDRMS/AuditEventManager/remote");
        System.out.println(aem.count());

        // This gives the exception below
        AuditMessageManager am = (AuditMessageManager) ic.lookup("CDRMS/AuditMessageManager/remote");
        System.out.println(am.count());

        // The same results by using LoginContext & CallbackHandler instead of SecurityClient
        // and from the web tier
    } catch (Exception ex) {
        Logger.getLogger(SecurityTest.class.getName()).log(Level.SEVERE, null, ex);
    }
}

The principal is correct in (2) but is anonymous in (1) ... here is the exception trace:
17:51:56,691 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716691 sessioncount 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 1 expired sessions: 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716692 sessioncount 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
17:51:59,082 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End validateCache, isValid=true
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End isValid, true
17:51:59,083 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
17:51:59,083 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56746]) Setting threadlocal:{}
17:51:59,083 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56746]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
17:51:59,083 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56746]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,084 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditEventManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject: Principal: vera.aloe Principal: Roles(members:CDRMSRealmUser) :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
17:51:59,084 INFO [AuditEventManagerBean](WorkerThread#0[192.168.185.16:56746]) ------------------> Principal = vera.aloe
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126]
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal@2853698(vera.aloe)org.jboss.security.SimpleGroup@32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String@27845948,expirationTime=1274802911126];credential.class=java.lang.String@27845948
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End isValid, true
17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
17:51:59,133 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
17:51:59,133 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
17:51:59,133 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.audit.AuditMessageManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.audit.AuditMessageManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditMessageManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject: Principal: vera.aloe Principal: Roles(members:CDRMSRealmUser) :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
17:51:59,139 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:null, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447]
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal@2853698(guest)org.jboss.security.SimpleGroup@32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447];credential.class=null
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End isValid, true
17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) popSubjectContext, sc=null
17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) WARN::Deprecated usage of SecurityAssociation. Use SecurityContext
17:51:59,141 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) getPrincipal, cache info: null
17:51:59,141 INFO [AuditMessageManagerBean](WorkerThread#0[192.168.185.16:56748]) ------------------> Principal = anonymous
17:51:59,141 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
17:51:59,142 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Local, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) Exception:Insufficient method permissions, principal=null, ejbName=AuditEventManagerBean, method=count, interface=Local, requiredRoles=Roles(CDRMSRealmUser,), principalRoles=Roles()
17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject: Principal: anonymous :role=Roles()
17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Error in authorize: org.jboss.security.authorization.AuthorizationException: Authorization Failed:
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
    at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
    at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
    at $Proxy786.count(Unknown Source)
    at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
    at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
    at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
    at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
    at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
    at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
    at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
    at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
    at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
17:51:59,147 TRACE [EJBAuthorizationHelper](WorkerThread#0[192.168.185.16:56748]) Error in authorization: org.jboss.security.authorization.AuthorizationException: Authorization Failed:
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
    at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
    at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
    at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
    at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
    at $Proxy786.count(Unknown Source)
    at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
    at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
    at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
    at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
    at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
    at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
    at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
    at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
    at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
    at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
    at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
    at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
    at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
    at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
    at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
17:51:59,149 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Local:ejbName=AuditEventManagerBean:ejbPrincipal=null:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject: Principal: anonymous :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1fb2e99;
In addition: I've tried both with and without specifying the use of the caller identity in the ejb-jar.xml descriptors, as follows:
EJB A:

<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
  <enterprise-beans>
    <session>
      <ejb-name>AuditEventManagerBean</ejb-name>
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
</ejb-jar>

EJB B:

<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
  <enterprise-beans>
    <session>
      <ejb-name>AuditMessageManagerBean</ejb-name>
      <security-identity>
        <use-caller-identity/>
      </security-identity>
    </session>
  </enterprise-beans>
</ejb-jar>
Thank you very much in advance.
D.
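The trace above shows the pattern to look for: the outer bean is authorized as vera.aloe, a "messaging" security-domain check then runs with principal:null and pops the subject context, and from that point the same thread reports Principal = anonymous, so the nested @RolesAllowed check on the local bean fails. The interceptor below is an added diagnostic example, not code from this thread or from JBoss: attached to both beans, it logs the caller identity on entry to and exit from each business method and warns when the two differ, which localizes the call that dropped the identity without having to read the full TRACE output. It assumes the EJB 3.0 interceptor API as shipped with JBoss AS 5 and that the container injects EJBContext into interceptor classes; the class name and package are hypothetical, while the role name CDRMSRealmUser and the "anonymous" principal name are taken from the posted log.

```java
// Added diagnostic example (not code from the thread). Assumes the EJB 3.0
// interceptor API as shipped with JBoss AS 5; the class name and package are
// hypothetical. CDRMSRealmUser and "anonymous" are the values in the posted log.
package org.example.diag;

import java.security.Principal;
import java.util.logging.Logger;

import javax.annotation.Resource;
import javax.ejb.EJBContext;
import javax.interceptor.AroundInvoke;
import javax.interceptor.InvocationContext;

/**
 * Records the caller identity the container sees on entry to and exit from
 * every business method it is attached to. If a downstream call (for example
 * a JMS connection, as in the thread) clears the security context, the exit
 * line of the outer bean reports "anonymous" while its entry line still shows
 * the authenticated principal, which pins the loss to that method.
 */
public class CallerIdentityAuditInterceptor {

    private static final Logger log =
            Logger.getLogger(CallerIdentityAuditInterceptor.class.getName());

    /** Principal name JBoss reports when no identity is associated with the call. */
    static final String ANONYMOUS = "anonymous";

    /** Role every method in the posted beans requires. */
    static final String REQUIRED_ROLE = "CDRMSRealmUser";

    // Assumption: the container injects EJBContext into interceptor classes (EJB 3.0 allows it).
    @Resource
    private EJBContext ctx;

    @AroundInvoke
    public Object audit(InvocationContext ic) throws Exception {
        String method = ic.getTarget().getClass().getSimpleName() + "." + ic.getMethod().getName();
        String onEntry = describe(ctx);
        log.info("enter " + method + " caller=" + onEntry);
        try {
            return ic.proceed();
        } finally {
            // Runs whether proceed() returned or threw (e.g. EJBAccessException from a nested bean),
            // so the identity is reported even on the failing path.
            String onExit = describe(ctx);
            log.info("exit  " + method + " caller=" + onExit);
            if (!onEntry.equals(onExit)) {
                log.warning("caller identity changed inside " + method
                        + ": " + onEntry + " -> " + onExit);
            }
        }
    }

    /** Renders the caller principal and whether the required role is still visible. */
    static String describe(EJBContext ctx) {
        Principal p = ctx.getCallerPrincipal();
        String name = (p == null) ? ANONYMOUS : p.getName();
        String role;
        try {
            role = ctx.isCallerInRole(REQUIRED_ROLE)
                    ? "[" + REQUIRED_ROLE + "]" : "[no " + REQUIRED_ROLE + "]";
        } catch (IllegalStateException e) {
            // Some containers reject role checks when no security context is set.
            role = "[role check unavailable]";
        }
        return name + role;
    }
}
```

Attach it with @Interceptors(CallerIdentityAuditInterceptor.class) on both session beans (or as a default interceptor in ejb-jar.xml). In the situation described in the thread, AuditMessageManagerBean.count would log enter ... caller=vera.aloe[CDRMSRealmUser] and exit ... caller=anonymous[no CDRMSRealmUser] with a warning in between, while a direct call to AuditEventManagerBean.count logs the same identity on both lines.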
-
4. Re: Security principal propagation across ejb3 modules
giantpm May 25, 2010 11:58 AM (in response to giantpm)
... sorry, I've inverted the naming (EJB A vs EJB B) with respect to the first post ...
-
5. Re: Security principal propagation across ejb3 modules
giantpm Jun 3, 2010 6:39 AM (in response to giantpm)
I've found out the problem ...
I have a JMS connection in the session bean that "loses" the authentication ...
... and it seems that there are bugs in JBoss 5.1 together with JMS 1.4 (see http://community.jboss.org/thread/44409?tstart=0). Solved by updating to JMS 2.
Thanks to everyone.
D.
-
6. Re: Security principal propagation across ejb3 modules
kobiianko Aug 18, 2010 4:42 AM (in response to giantpm)
Hi Davide,
how did you update to JMS 2.0? Could you help me with the steps needed to perform the upgrade?
10x, Kobi
-
7. Re: Security principal propagation across ejb3 modules
giantpm Sep 6, 2010 4:59 AM (in response to kobiianko)
Hi Kobi.
I simply installed the HornetQ module on JBoss 5, following the instructions at http://www.jboss.org/hornetq/docs.html
Bye.