-
1. Re: security in ejb3.1 using jboss 6.0 CR1
jaikiran Dec 9, 2010 2:36 AM (in response to aravindsk)
aravind kopparthi wrote:
That's too little information to even guess what might be wrong. Enable TRACE level logging for security (Q4 here http://community.jboss.org/wiki/SecurityFAQ) and see if it shows any issues.
-
2. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 9, 2010 7:26 AM (in response to jaikiran)
I meant to say that if I log in as a non-"admin" user I am not getting any error (as I expected) when I call the method that is annotated as @RolesAllowed("admin"). It simply allows the method to be called.
-
3. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 9, 2010 12:49 PM (in response to aravindsk)
Here is the log that I got (when I enabled debug).
Logged in as admin, expecting that I will get a permission denied when calling getMembers() in the SLSB since it is annotated as @RolesAllowed("businessowner").
user=admin
roles=HttpInvoker,JBossAdmin,WebAppUser
REST/WEB-REQUEST
import java.util.List;

import javax.ejb.EJB;
import javax.enterprise.context.RequestScoped;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;

@Path("/rest")
@RequestScoped
public class MemberRESTService
{
    // No-interface view of the SLSB, resolved by the container (see the log below)
    @EJB
    private SLSBProcessBean memberBean;

    @GET
    @Path("/members")
    @Produces(MediaType.APPLICATION_XML)
    public List<Member> findMembers() {
        return memberBean.getMembers();
    }
}
-----------EJB----------
import java.util.List;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
public class SLSBProcessBean {
    private List members; // populated by the business logic

    @RolesAllowed("businessowner")
    public List getMembers()
    {
        //Business Logic
        return members;
    }
}
config
META-INF/Jboss.xml
<jboss>
<security-domain>java:/jaas/myapp-secure-domain</security-domain>
</jboss>
WEB-INF/jboss-web.xml
<jboss-web>
<security-domain>java:/jaas/myapp-secure-domain </security-domain>
</jboss-web>
------------LOG------------
11:44:16,109 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /javaee6-app/rest/members
11:44:16,109 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[admin(HttpInvoker,JBossAdmin,WebAppUser,)]
11:44:16,109 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[All resources]' against GET /rest/members--> false
11:44:16,109 DEBUG [org.apache.catalina.realm.RealmBase] No applicable constraint located
11:44:16,109 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Not subject to any constraint
11:44:16,109 DEBUG [org.jboss.resteasy.core.SynchronousDispatcher] PathInfo: members
11:44:16,109 DEBUG [org.jboss.resteasy.cdi.CdiConstructorInjector] Beans found for class com.sak.home.service.rest.MemberRESTService : [Managed Bean [class com.sak.home.service.rest.MemberRESTService] with qualifiers [@Any @Default @Exact]]
11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb30.impl.EJB30MetaDataBasedEjbReferenceResolver] Resolving reference for [EJB Reference: beanInterface 'com.sak.home.process.SLSBProcessBean', beanName '', mappedName 'null'] in org.jboss.metadata.ejb.jboss.JBossMetaData@1f
11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb30.impl.EJB30MetaDataBasedEjbReferenceResolver] Found match in EJB SLSBProcessBean for [EJB Reference: beanInterface 'com.sak.home.process.SLSBProcessBean', beanName '', mappedName 'null']
11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb31.impl.EJB31MetaDataBasedEjbReferenceResolver] Found specified beanInterface that is not a direct beanInterface of EJB SLSBProcessBean: com.sak.home.process.SLSBProcessBean
11:44:16,109 DEBUG [org.jboss.metadata.ejb.jboss.jndi.resolver.impl.JNDIPolicyBasedSessionBeanJNDINameResolver] Resolved JNDI Name for Interface com.sak.home.process.SLSBProcessBean of type NO_INTERFACE is SLSBProcessBean/no-interface
11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb31.impl.EJB31MetaDataBasedEjbReferenceResolver] Resolved JNDI Name for [EJB Reference: beanInterface 'com.sak.home.process.SLSBProcessBean', beanName '', mappedName 'null'] of EJB SLSBProcessBean: SLSBProcessBean/no-interface
-
4. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 14, 2010 12:24 PM (in response to aravindsk)
I am surprised about no response. Please at least provide me some alternatives, if I need to make any, to make security work in EJB using annotations.
-
5. Re: security in ejb3.1 using jboss 6.0 CR1
jaikiran Dec 14, 2010 12:27 PM (in response to aravindsk)
Like I said, you first need to get TRACE level logs of the security package. I don't see those logs in your post.
-
6. Re: security in ejb3.1 using jboss 6.0 CR1
wolfgangknauf Dec 14, 2010 1:07 PM (in response to aravindsk)
Hi,
as far as I see, the server side config is missing (either by configuring the security domain in "login-config.xml" or by adding a "...-jboss-beans.xml" file). Take a look at this document:
http://server.dzone.com/articles/security-features-jboss-510
Best regards
Wolfgang
-
7. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 14, 2010 2:21 PM (in response to wolfgangknauf)
I have modified login-config.xml; that is why j_security_check was working, but not at the EJB method level:
<application-policy name="javaee6-app">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
flag="required">
<module-option name="usersProperties">props/javaee6-app-users.properties</module-option>
<module-option name="rolesProperties">props/javaee6-app-roles.properties</module-option>
</login-module>
</authentication>
</application-policy>
-
8. Re: security in ejb3.1 using jboss 6.0 CR1
wolfgangknauf Dec 14, 2010 4:38 PM (in response to aravindsk)
Hi,
your "jboss.xml" declares this security domain: "java:/jaas/myapp-secure-domain". But your login-config.xml uses "application-policy name="javaee6-app" ". Is this just a "typo" in your second configuration snippet? If not: the policy name has to match the security domain name.
By the way 1: you don't need the "java:/jaas/" prefix in jboss.xml as far as I know.
By the way 2: you did not declare a DTD/XSD version in e.g. jboss.xml?
It should look like this:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
<jboss>
<security-domain>myapp-secure-domain</security-domain>
</jboss>
Maybe JBoss defaulted to an older DTD which does not support the "security-domain" feature.
Best regards
Wolfgang
-
9. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 14, 2010 10:36 PM (in response to wolfgangknauf)
That's right, the security-domain name that I mentioned above (myapp-secure-domain) was a typo in the above response. I did try as you suggested, providing the DTD in jboss.xml and removing java:/jaas.
Also tried with java:/jaas/javaee6-app but no luck.
--------jboss.xml----------------------------------------
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE jboss PUBLIC
"-//JBoss//DTD JBOSS 5.0//EN"
"http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
<jboss>
<security-domain>javaee6-app</security-domain>
</jboss>
And also, just curious: if @RolesAllowed annotations are on the EJB method, shouldn't they fail when there is no proper security-domain found in the app context?
And I also looked at the 5.0 DTD and it has this comment. Could you please tell me how I can specify this in jboss.xml?
--------jboss_5_0.dtd----------------------------------------
<!ELEMENT container-configuration (container-name , call-logging?,
invoker-proxy-binding-name*, sync-on-commit-only?,
insert-after-ejb-post-create?, call-ejb-store-on-clean?, store-not-flushed?, container-interceptors? ,
instance-pool? , instance-cache? , persistence-manager? , web-class-loader? ,
locking-policy? , container-cache-conf? , container-pool-conf? ,
commit-option? , optiond-refresh-rate? , security-domain?, cluster-config?,
depends*)>
<!-- The extends attribute gives the container-name value of the configuration the container-configuration
is extending. This allows one to specify an extension configuration without having to reiterate all of
the other duplicate configuration info.
<container-configuration extends="Standard Stateful SessionBean">
<container-name>Secure Stateless SessionBean</container-name>
<security-domain>java:/jaas/other</security-domain>
</container-configuration>
-
10. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 14, 2010 10:50 PM (in response to aravindsk)
When I check the caller and isCallerInRole inside an EJB method that is annotated with @RolesAllowed("businessowner"), which means the EJB SessionContext has the security token, but it is not being verified by @RolesAllowed?
@Resource
private SessionContext sctx;

@RolesAllowed(Roles.BUSINESS)
public List getMembers() {
    // Create the client
    System.out.println("Caller : " + sctx.getCallerPrincipal().getName());
    System.out.println("Caller is in Role : " + sctx.isCallerInRole(Roles.BUSINESS));
    return members;
}
It prints out this:
22:43:15,656 INFO [STDOUT] Caller : admin
22:43:15,687 INFO [STDOUT] Caller is in Role : false
-
11. Re: security in ejb3.1 using jboss 6.0 CR1
wolfgangknauf Dec 15, 2010 3:53 AM (in response to aravindsk)
Hi,
one question: do you have your EJBs in a separate JAR, or are they bundled in the WAR file (a new feature of Java EE 6)?
If the latter is the case, there might be a JBoss bug in detecting the security config. Could you give it a try and extract the beans to an EJB jar module?
Assuming that there is no further error in your security config, it might really point to a JBoss bug. You might create a simple sample and post it in the JBoss bug tracking system: https://issues.jboss.org/
Best regards
Wolfgang
-
12. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 15, 2010 7:50 AM (in response to wolfgangknauf)
The EJBs are all bundled in one WAR, and all of them are using the no-interface design (3.1). I will give it a try by separating them into a jar. Should I have to create ejb-jar.xml (this is what I would like to avoid though)?
-
13. Re: security in ejb3.1 using jboss 6.0 CR1
jaikiran Dec 15, 2010 7:59 AM (in response to aravindsk)
As a quick check, try adding the following to your SLSBProcessBean:
@org.jboss.ejb3.annotation.SecurityDomain("javaee6-app")
@Stateless
public class SLSBProcessBean {
    ...
    @RolesAllowed(Roles.BUSINESS)
    public List getMembers() {
        ....
-
14. Re: security in ejb3.1 using jboss 6.0 CR1
aravindsk Dec 15, 2010 11:26 AM (in response to jaikiran)
Just for checking, using the annotation (even though I would like to keep the security-domain name in configuration over convention, as it is JBoss specific):
it still did not work.
@org.jboss.ejb3.annotation.SecurityDomain("javaee6-app")
@Stateless
public class SLSBProcessBean {
    ...
    @RolesAllowed(Roles.BUSINESS)
    public List getMembers() {
And also, Jai, you mentioned TRACE in log4j.xml: I could not find the log4j.xml. Can I modify something in jboss-logging.xml?
I added the dependency below; I had to use provided, otherwise it did not get deployed properly (I got class name null):
<dependency>
<groupId>org.jboss.ejb3</groupId>
<artifactId>jboss-ejb3-ext-api</artifactId>
<version>1.1.1</version>
<scope>provided</scope>
</dependency>
Do I need to add anything else in web.xml just for EJB-specific security? It works fine for web resources (challenging j_security_check).
What I have configured is this:
<security-constraint>
<web-resource-collection>
<web-resource-name>All resources</web-resource-name>
<description>Protects all resources</description>
<url-pattern>/secure/faces/*</url-pattern>
<http-method>GET</http-method>
<http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>WebAppUser</role-name>
<role-name>businessowner</role-name>
</auth-constraint>
</security-constraint>
<security-role>
<role-name>WebAppUser</role-name>
</security-role>
<security-role>
<role-name>businessowner</role-name>
</security-role>
LOG:
11:00:18,953 INFO [com.arjuna.ats.arjuna] ARJUNA-12337 TransactionStatusManagerItem host: 127.0.0.1 port: 4713
11:00:19,031 INFO [com.arjuna.ats.arjuna] ARJUNA-12170 TransactionStatusManager started on port 4713 and host 127.0.0.1 with service com.arjuna.ats.arjuna.recovery.ActionStatusService
11:01:45,953 INFO [STDOUT] Caller : admin
11:01:45,968 INFO [STDOUT] Caller is in Role : false
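The following bean is an added example and is not code from the thread or from JBoss. It pulls together the points raised in posts 8, 10 and 13: the JBoss security domain the bean binds to must carry the same name as the application-policy in login-config.xml (without the java:/jaas/ prefix), the roles used in @RolesAllowed are declared with @DeclareRoles so that isCallerInRole works portably, and, because the thread shows @RolesAllowed silently letting the call through, the method also checks the role itself and fails closed with EJBAccessException, the same exception a correctly configured container throws. Note that the log in post 3 lists admin's roles as HttpInvoker, JBossAdmin and WebAppUser, so isCallerInRole("businessowner") returning false is the correct answer for that user; the defect in the thread is that the call was allowed anyway. The package name is taken from the log lines in the thread; the nested Member class, the constructed sample data and the assertCallerInRole helper are assumptions for this example.

```java
package com.sak.home.process; // package name as it appears in the thread's log lines

import java.util.ArrayList;
import java.util.List;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

/**
 * Stateless bean bound to the JBoss security domain "javaee6-app".
 * The name must equal <application-policy name="javaee6-app"> in login-config.xml;
 * the "java:/jaas/" prefix is not needed here. The annotation is JBoss specific and
 * is the programmatic equivalent of <security-domain> in META-INF/jboss.xml.
 */
@Stateless
@SecurityDomain("javaee6-app")
@DeclareRoles({ "businessowner", "WebAppUser" }) // roles referenced by @RolesAllowed / isCallerInRole
public class SLSBProcessBean {

    @Resource
    private SessionContext sctx;

    // Constructed sample data for the example; real code would load members from a data source.
    private final List<Member> members = new ArrayList<Member>();

    public SLSBProcessBean() {
        members.add(new Member("alice"));
        members.add(new Member("bob"));
    }

    @RolesAllowed("businessowner")
    public List<Member> getMembers() {
        // Defence in depth: if the container did not apply the security domain (the
        // situation described in the thread), the declarative check is skipped and
        // isCallerInRole() returns false even for an authenticated caller. Rather than
        // silently serving the data, deny the call explicitly.
        assertCallerInRole("businessowner");
        return members;
    }

    // Hypothetical helper for this example: programmatic role check that fails closed.
    private void assertCallerInRole(String role) {
        String caller = sctx.getCallerPrincipal().getName();
        if (!sctx.isCallerInRole(role)) {
            // EJBAccessException is what the container itself throws for a denied call,
            // so callers see the same failure whether the check is declarative or programmatic.
            throw new EJBAccessException("Caller '" + caller + "' is not in role '" + role + "'");
        }
    }

    // Minimal stand-in for the Member entity used in the thread (assumed for this example).
    public static class Member {
        private final String name;

        public Member(String name) {
            this.name = name;
        }

        public String getName() {
            return name;
        }
    }
}
```

With the users from the thread's log, a call by admin (roles HttpInvoker, JBossAdmin, WebAppUser) now raises EJBAccessException from the explicit check even if the container never consulted @RolesAllowed, which makes the misconfiguration visible as a denied request and a logged exception instead of a quiet data leak; once the security domain is wired correctly the container rejects the call before the method body runs and the helper never fires.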