21 Replies Latest reply on Dec 18, 2010 9:33 AM by jaikiran

    security in ejb3.1 using jboss 6.0 CR1

    aravindsk

      Hi,

      I have an SLSB and one of the methods is annotated with @RolesAllowed("admin"). I have defined a security-domain in WEB-INF\jboss-web.xml (for j_security_check web resources) and also defined one in META-INF/jboss.xml (just to avoid the JBoss-specific annotation (@SecureDomain) in EJBs). j_security_check was working fine, but not EJBs. What is it that I am missing here? Please advise.

        • 1. Re: security in ejb3.1 using jboss 6.0 CR1
          jaikiran

          aravind kopparthi wrote:

          and also defined one in META-INF/jboss.xml ( just to avoid the Jboss specific annotation(@SecureDomain) in EJBs ) j_security_check was working fine but not ejbs.

          That's too little information to even guess what might be wrong. Enable TRACE level logging for security (Q4 here http://community.jboss.org/wiki/SecurityFAQ) and see if it shows any issues.

          • 2. Re: security in ejb3.1 using jboss 6.0 CR1
            aravindsk

            What I meant to say is that if I log in as a non-"admin" user I am not getting any error (as I expected) when I call the method that is annotated with @RolesAllowed("admin"). It simply allows the method to be called.

            • 3. Re: security in ejb3.1 using jboss 6.0 CR1
              aravindsk

              Here is the log that I got (when I enabled debug).

              Logged in as admin, expecting that I will get a permission denied when calling getMembers() in the SLSB, since it is annotated as @RolesAllowed("businessowner").

              user=admin
              roles=HttpInvoker,JBossAdmin,WebAppUser

              REST/WEB-REQUEST

              import java.util.List;
              import javax.ejb.EJB;
              import javax.enterprise.context.RequestScoped;
              import javax.ws.rs.GET;
              import javax.ws.rs.Path;
              import javax.ws.rs.Produces;
              import javax.ws.rs.core.MediaType;

              @Path("/rest")
              @RequestScoped
              public class MemberRESTService
              {
                  @EJB
                  private SLSBProcessBean memberBean;

                  @GET
                  @Path("/members")
                  @Produces(MediaType.APPLICATION_XML)
                  public List<Member> findMembers() {
                      return memberBean.getMembers();
                  }
              }

              -----------EJB----------

              import java.util.List;
              import javax.annotation.security.RolesAllowed;
              import javax.ejb.Stateless;

              @Stateless
              public class SLSBProcessBean {

                  @RolesAllowed("businessowner")
                  public List<Member> getMembers()
                  {
                      //Business Logic
                      return members;
                  }
              }

              config

              META-INF/jboss.xml

              <jboss>
                  <security-domain>java:/jaas/myapp-secure-domain</security-domain>
              </jboss>

              WEB-INF/jboss-web.xml

              <jboss-web>
                  <security-domain>java:/jaas/myapp-secure-domain</security-domain>
              </jboss-web>

              LOG

              11:44:16,109 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /javaee6-app/rest/members
              11:44:16,109 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[admin(HttpInvoker,JBossAdmin,WebAppUser,)]
              11:44:16,109 DEBUG [org.apache.catalina.realm.RealmBase]   Checking constraint 'SecurityConstraint[All resources]' against GET /rest/members--> false
              11:44:16,109 DEBUG [org.apache.catalina.realm.RealmBase]   No applicable constraint located
              11:44:16,109 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase]  Not subject to any constraint
              11:44:16,109 DEBUG [org.jboss.resteasy.core.SynchronousDispatcher] PathInfo: members
              11:44:16,109 DEBUG [org.jboss.resteasy.cdi.CdiConstructorInjector] Beans found for class com.sak.home.service.rest.MemberRESTService : [Managed Bean [class com.sak.home.service.rest.MemberRESTService] with qualifiers [@Any @Default @Exact]]
              11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb30.impl.EJB30MetaDataBasedEjbReferenceResolver] Resolving reference for [EJB Reference: beanInterface 'com.sak.home.process.SLSBProcessBean', beanName '', mappedName 'null'] in org.jboss.metadata.ejb.jboss.JBossMetaData@1f
              11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb30.impl.EJB30MetaDataBasedEjbReferenceResolver] Found match in EJB SLSBProcessBean for [EJB Reference: beanInterface 'com.sak.home.process.SLSBProcessBean', beanName '', mappedName 'null']
              11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb31.impl.EJB31MetaDataBasedEjbReferenceResolver] Found specified beanInterface that is not a direct beanInterface of EJB SLSBProcessBean: com.sak.home.process.SLSBProcessBean
              11:44:16,109 DEBUG [org.jboss.metadata.ejb.jboss.jndi.resolver.impl.JNDIPolicyBasedSessionBeanJNDINameResolver] Resolved JNDI Name for Interface com.sak.home.process.SLSBProcessBean of type NO_INTERFACE is SLSBProcessBean/no-interface
              11:44:16,109 DEBUG [org.jboss.ejb3.ejbref.resolver.ejb31.impl.EJB31MetaDataBasedEjbReferenceResolver] Resolved JNDI Name for [EJB Reference: beanInterface 'com.sak.home.process.SLSBProcessBean', beanName '', mappedName 'null'] of EJB SLSBProcessBean: SLSBProcessBean/no-interface

              • 4. Re: security in ejb3.1 using jboss 6.0 CR1
                aravindsk

                 I am surprised at the lack of response. Please at least provide me some alternatives, if I need to make any changes, to make security work in EJBs using annotations.

                • 5. Re: security in ejb3.1 using jboss 6.0 CR1
                  jaikiran

                  Like I said, you first need to get TRACE level logs of security package. I don't see those logs in your post.

                  • 6. Re: security in ejb3.1 using jboss 6.0 CR1
                    wolfgangknauf

                    Hi,

                    as far as I see, the server side config is missing (either by configuring the security domain in "login-config.xml" or by adding a "...-jboss-beans.xml" file). Take a look at this document:

                    http://server.dzone.com/articles/security-features-jboss-510

                    Best regards

                    Wolfgang

                    • 7. Re: security in ejb3.1 using jboss 6.0 CR1
                      aravindsk

                      I have modified login-config.xml; that is why j_security_check was working, but not at the EJB method level.


                      <application-policy name="javaee6-app">
                          <authentication>
                            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                              flag="required">
                              <module-option name="usersProperties">props/javaee6-app-users.properties</module-option>
                              <module-option name="rolesProperties">props/javaee6-app-roles.properties</module-option>
                            </login-module>
                          </authentication>
                        </application-policy>

                      • 8. Re: security in ejb3.1 using jboss 6.0 CR1
                        wolfgangknauf

                        Hi,

                        your "jboss.xml" declares this security domain: "java:/jaas/myapp-secure-domain". But your login-config.xml uses "application-policy name="javaee6-app" ". Is this just a "typo" in your second configuration snippet? If not: the policy name has to match the security domain name.

                        By the way 1: you don't need the "java:/jaas/" prefix in jboss.xml as far as I know.

                        By the way 2: you did not declare a DTD/XSD version in e.g. jboss.xml?

                        It should look like this:

                        <?xml version="1.0" encoding="UTF-8"?>
                        <!DOCTYPE jboss PUBLIC
                            "-//JBoss//DTD JBOSS 5.0//EN"
                            "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">

                        <jboss>
                            <security-domain>myapp-secure-domain</security-domain>
                        </jboss>

                        Maybe JBoss defaulted to an older DTD which does not support the "security-domain" feature.

                        Best regards

                        Wolfgang
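The name mismatch flagged in this reply (jboss.xml referencing java:/jaas/myapp-secure-domain while login-config.xml defines application-policy name="javaee6-app") is easy to miss by eye, and the thread shows what the symptom looks like: the EJB method runs even though the caller lacks the role. The following is an added example, not code from the thread or from JBoss: a small Python check that parses the descriptors and reports any security-domain that no application-policy defines, stripping the optional java:/jaas/ prefix as Wolfgang notes. The sample XML is constructed from the thread's snippets; the <policy> root element around the application-policy entries is an assumption about the login-config.xml layout.

```python
"""Cross-check the <security-domain> names an application's JBoss descriptors
reference against the <application-policy name="..."> entries that
login-config.xml defines. Added example for this page, not code from the thread."""
import xml.etree.ElementTree as ET

JAAS_PREFIX = "java:/jaas/"  # optional JNDI prefix; the bare name must match the policy


def normalize_domain(name):
    """Trim whitespace and strip an optional java:/jaas/ prefix."""
    name = name.strip()
    if name.startswith(JAAS_PREFIX):
        name = name[len(JAAS_PREFIX):]
    return name


def declared_domains(descriptor_xml):
    """Normalized <security-domain> values anywhere in jboss.xml / jboss-web.xml."""
    root = ET.fromstring(descriptor_xml)
    return [normalize_domain(e.text or "") for e in root.iter("security-domain")]


def defined_policies(login_config_xml):
    """Set of application-policy names defined in login-config.xml."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name", "").strip() for p in root.iter("application-policy")}


def check_bindings(descriptors, login_config_xml):
    """Return {descriptor label: [referenced domains no policy defines]}.
    An empty dict means every security-domain is backed by a login module."""
    policies = defined_policies(login_config_xml)
    unbound = {label: [d for d in declared_domains(xml) if d not in policies]
               for label, xml in descriptors.items()}
    return {label: missing for label, missing in unbound.items() if missing}


# Constructed from the thread's snippets; the <policy> root element is assumed.
LOGIN_CONFIG = """<policy>
  <application-policy name="javaee6-app">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""

# As first posted: both descriptors name a domain that no policy defines.
AS_POSTED = {
    "META-INF/jboss.xml": "<jboss><security-domain>java:/jaas/myapp-secure-domain</security-domain></jboss>",
    "WEB-INF/jboss-web.xml": "<jboss-web><security-domain>java:/jaas/myapp-secure-domain </security-domain></jboss-web>",
}

# Corrected as suggested in the thread: DOCTYPE declared, bare name equal to the policy name.
CORRECTED = {
    "META-INF/jboss.xml": ('<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 5.0//EN" '
                           '"http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">\n'
                           "<jboss><security-domain>javaee6-app</security-domain></jboss>"),
    "WEB-INF/jboss-web.xml": "<jboss-web><security-domain>javaee6-app</security-domain></jboss-web>",
}

if __name__ == "__main__":
    for label, descriptors in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", check_bindings(descriptors, LOGIN_CONFIG) or "all domains bound")
```

Run against the real files by reading them into the two dictionaries; a non-empty result for META-INF/jboss.xml means the EJB container has no login module to consult for @RolesAllowed.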

                        • 9. Re: security in ejb3.1 using jboss 6.0 CR1
                          aravindsk

                          That's right, the security-domain name that I mentioned above (myapp-secure-domain) was a typo in the above response. I did try as you suggested, providing the DTD in jboss.xml and removing java:/jaas.

                          Also tried with java:/jaas/javaee6-app but no luck.

                          jboss.xml:

                          <?xml version="1.0" encoding="UTF-8"?>
                          <!DOCTYPE jboss PUBLIC
                              "-//JBoss//DTD JBOSS 5.0//EN"
                              "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">

                          <jboss>
                              <security-domain>javaee6-app</security-domain>
                          </jboss>

                          And also, just curious: shouldn't the @RolesAllowed annotations on the EJB methods fail when there is no proper security-domain found in the app context?

                          I also looked at the 5.0 DTD, and it has this comment. Could you please tell me how I can specify this in jboss.xml?

                          jboss_5_0.dtd:

                          <!ELEMENT container-configuration (container-name , call-logging?,
                          invoker-proxy-binding-name*, sync-on-commit-only?,
                          insert-after-ejb-post-create?, call-ejb-store-on-clean?, store-not-flushed?, container-interceptors? ,
                          instance-pool? , instance-cache? ,  persistence-manager? , web-class-loader? ,
                          locking-policy? ,  container-cache-conf? , container-pool-conf? ,
                          commit-option? , optiond-refresh-rate? , security-domain?, cluster-config?,
                          depends*)>

                          <!-- The extends attribute gives the container-name value of the configuration the container-configuration
                          is extending. This allows one to specify an extension configuration without having to reiterate all of
                          the other duplicate configuration info.

                                  <container-configuration extends="Standard Stateful SessionBean">
                                      <container-name>Secure Stateless SessionBean</container-name>
                                      <security-domain>java:/jaas/other</security-domain>
                                  </container-configuration>
                          -->

                          • 10. Re: security in ejb3.1 using jboss 6.0 CR1
                            aravindsk

                            When I check the caller and isCallerInRole inside an EJB method that is annotated with @RolesAllowed("businessowner"), does that mean the EJB SessionContext has the security token but it is not being verified by @RolesAllowed?

                            @RolesAllowed(Roles.BUSINESS)
                            public List getMembers(){
                                // Create the client
                                System.out.println("Caller : " + sctx.getCallerPrincipal().getName());
                                System.out.println("Caller is in Role : " + sctx.isCallerInRole(Roles.BUSINESS));
                            }

                            It prints out this:

                            22:43:15,656 INFO  [STDOUT] Caller : admin
                            22:43:15,687 INFO  [STDOUT] Caller is in Role : false

                            • 11. Re: security in ejb3.1 using jboss 6.0 CR1
                              wolfgangknauf

                              Hi,

                              one question: do you have your EJBs in a separate JAR, or are they bundled in the WAR file (a new feature of Java EE 6)?
                              If the latter is the case, there might be a JBoss bug in detecting the security config. Could you give it a try and extract the beans to an EJB JAR module?

                              Assuming that there is no further error in your security config, it might really point to a JBoss bug. You might create a simple sample and post it in the JBoss bug tracking system: https://issues.jboss.org/

                              Best regards

                              Wolfgang

                              • 12. Re: security in ejb3.1 using jboss 6.0 CR1
                                aravindsk

                                The EJBs are all bundled in one WAR, and all of them use the no-interface design (3.1). I will give it a try by separating them into a JAR. Do I have to create an ejb-jar.xml? (This is what I would like to avoid, though.)

                                • 13. Re: security in ejb3.1 using jboss 6.0 CR1
                                  jaikiran

                                  As a quick check, try adding the following to your SLSBProcessBean:

                                  @org.jboss.ejb3.annotation.SecurityDomain("javaee6-app")
                                  @Stateless
                                  public class SLSBProcessBean
                                  {
                                  ...
                                  
                                  @RolesAllowed(Roles.BUSINESS)
                                  public List getMembers(){
                                  ....
                                  
                                  • 14. Re: security in ejb3.1 using jboss 6.0 CR1
                                    aravindsk

                                    Just for checking, I used the annotation, even though I would like to keep the security-domain name in configuration over convention (as it is JBoss-specific). It still did not work.

                                    @org.jboss.ejb3.annotation.SecurityDomain("javaee6-app")
                                    @Stateless
                                    public class SLSBProcessBean
                                    {
                                    ...

                                    @RolesAllowed(Roles.BUSINESS)
                                    public List getMembers(){

                                    And also, Jai, you mentioned TRACE in log4j.xml: I could not find the log4j.xml. Can I modify something in jboss-logging.xml?

                                    I added the dependency below; I had to use provided scope, otherwise it did not get deployed properly (I got class name null).

                                    <dependency>
                                        <groupId>org.jboss.ejb3</groupId>
                                        <artifactId>jboss-ejb3-ext-api</artifactId>
                                        <version>1.1.1</version>
                                        <scope>provided</scope>
                                    </dependency>

                                    Do I need to add anything else in web.xml just for EJB-specific security? It works fine for web resources (challenging via j_security_check).

                                    What I have configured is this:

                                    <security-constraint>
                                        <web-resource-collection>
                                            <web-resource-name>All resources</web-resource-name>
                                            <description>Protects all resources</description>
                                            <url-pattern>/secure/faces/*</url-pattern>
                                            <http-method>GET</http-method>
                                            <http-method>POST</http-method>
                                        </web-resource-collection>
                                        <auth-constraint>
                                            <role-name>WebAppUser</role-name>
                                            <role-name>businessowner</role-name>
                                        </auth-constraint>
                                    </security-constraint>

                                    <security-role>
                                        <role-name>WebAppUser</role-name>
                                    </security-role>
                                    <security-role>
                                        <role-name>businessowner</role-name>
                                    </security-role>

                                    LOG:

                                    11:00:18,953 INFO  [com.arjuna.ats.arjuna] ARJUNA-12337 TransactionStatusManagerItem host: 127.0.0.1 port: 4713
                                    11:00:19,031 INFO  [com.arjuna.ats.arjuna] ARJUNA-12170 TransactionStatusManager started on port 4713 and host 127.0.0.1 with service com.arjuna.ats.arjuna.recovery.ActionStatusService
                                    11:01:45,953 INFO  [STDOUT] Caller : admin
                                    11:01:45,968 INFO  [STDOUT] Caller is in Role : false
