50 Replies. Latest reply: May 14, 2008 8:49 AM by Anil Saldhana

Security Injection in AS5

Anil Saldhana Master

This design thread is to discuss Adrian's subtask for me to tidy up some of the security injection in AS5.
http://jira.jboss.com/jira/browse/JBAS-5309

Adrian: There's no real way to depend upon a specific login module, you have to depend on the XMLLoginConfig

The dependency cannot be on a single login module. XMLLoginConfig just establishes the configuration needed for the modules.

I will take a look at the injection.

  • 1. Re: Security Injection in AS5
    Adrian Brock Master

     

    "anil.saldhana@jboss.com" wrote:
    This design thread is to discuss Adrian's subtask for me to tidy up some of the security injection in AS5.
    http://jira.jboss.com/jira/browse/JBAS-5309

    Adrian: There's no real way to depend upon a specific login module, you have to depend on the XMLLoginConfig

    The dependency cannot be on a single login module. XMLLoginConfig just establishes the configuration needed for the modules.


    I'm saying there should be.

    The first pass would be to make the SecurityDomain injectable
    by "hiding" all the wiring inside your own mc dependency.

    This would translate to the dependency is only satisfied
    when the login module repository has a "jbossmq" login module
    and the value returned is the security domain once it is satisfied.

    Internally, this could use the current mechanism of looking up java:/jaas/name
    or it could be more optimised (more optimised is preferred since the
    jndi lookup doesn't provide a way to be notified of undeployment).

    <bean name="Whatever" ...>
     <property name="securityDomain"><security-domain-ref xmlns="urn:jboss-security-beans:1.0" name="jbossmq"/></property>
    ...
    


    The second pass would be to make security domains deployable inside the MC
    by writing a BeanMetaDataFactory

    This would be similar to above, except now you can deploy the login modules
    inside MC configuration

    <bean name="Whatever" ...>
     <property name="securityDomain"><inject name="jbossmq" property="securityDomain"/></property>
    </bean>
    
    <login-module xmlns="urn:jboss-security-beans:1.0" name="jbossmq">
     <authentication>
     <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
     flag = "required">
     <module-option name = "unauthenticatedIdentity">guest</module-option>
     <module-option name = "dsJndiName">java:/DefaultDS</module-option>
     <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
     <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
     </login-module>
     </authentication>
    </login-module>
    


    The real solution (longer term) is to get the security aspect to "automagically"
    inject it from the "metadata repository" (such a mechanism
    doesn't really exist in AOP yet so this is aspirational :-).

    e.g. something like (the annotations are not real, just for discussion purposes)
    @AspectFactory("SecurityAspect" scope=Scope.PER_INSTANCE)
    public class SecurityAspect
    {
     public SecurityAspect(
     @Inject(fromMetaData=true)
     SecurityDomain securityDomain
     ) { ... }
    }
    


    The latter (which doesn't exist) would mean that when AOP injects the
    parameter into the constructor method, it uses
    MetaData.getMetaData(SecurityDomain.class) as the parameter
    which could come from any of the scopes
    e.g. instance - the ejb,
    or deployment - the ear config
    server - a server wide default piece of metadata
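
The dependency semantics described in the "first pass" above, as an added example that is not part of the original post and does not use the JBoss Microcontainer API. All class and method names are hypothetical; it contrasts a tracked dependency, which is withdrawn on undeployment, with a one-shot lookup that keeps a stale reference.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class SecurityDomainDependencyDemo {
    /** Hypothetical stand-in for a deployed security domain such as "jbossmq". */
    static final class SecurityDomain {
        final String name;
        SecurityDomain(String name) { this.name = name; }
    }

    /** Hypothetical bean whose securityDomain property is a tracked dependency. */
    static final class Bean {
        final String name;
        final String domainName;
        SecurityDomain securityDomain;   // null while the dependency is unsatisfied
        Bean(String name, String domainName) { this.name = name; this.domainName = domainName; }
        boolean installed() { return securityDomain != null; }
    }

    /** Toy controller: re-resolves every bean whenever a domain comes or goes. */
    static final class Controller {
        private final Map<String, SecurityDomain> domains = new HashMap<>();
        private final List<Bean> beans = new ArrayList<>();

        void register(Bean b) { beans.add(b); resolve(b); }
        void deployDomain(String n) { domains.put(n, new SecurityDomain(n)); beans.forEach(this::resolve); }
        void undeployDomain(String n) { domains.remove(n); beans.forEach(this::resolve); }
        /** One-shot lookup, like reading java:/jaas/name once: no notification of undeployment. */
        SecurityDomain lookupOnce(String n) { return domains.get(n); }
        private void resolve(Bean b) { b.securityDomain = domains.get(b.domainName); }
    }

    public static void main(String[] args) {
        Controller c = new Controller();
        Bean whatever = new Bean("Whatever", "jbossmq");
        c.register(whatever);
        System.out.println("before deploy, installed=" + whatever.installed());
        c.deployDomain("jbossmq");
        SecurityDomain cached = c.lookupOnce("jbossmq");
        System.out.println("after deploy, installed=" + whatever.installed());
        c.undeployDomain("jbossmq");
        System.out.println("after undeploy, installed=" + whatever.installed()
            + ", one-shot reference still held=" + (cached != null));
    }
}
```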

  • 2. Re: Security Injection in AS5
    Adrian Brock Master

     

    "adrian@jboss.org" wrote:

    <bean name="Whatever" ...>
     <property name="securityDomain"><security-domain-ref xmlns="urn:jboss-security-beans:1.0" name="jbossmq"/></property>
    ...
    



    In practice a jboss developer would be more likely to use it programmatically

    String securityDomainName = ...
    beanMetaDataBuilder = ...
    beanMetaDataBuilder.addProperty("securityDomain", new SecurityDomainDependency(securityDomainName));
    


  • 3. Re: Security Injection in AS5
    Anil Saldhana Master

    Ok, now I follow you. "jbossmq" is the security domain name or application policy. The DatabaseServerLoginModule is the login module name. I was saying that it should not depend on DSLM. Just terminology difference.

    I also followed that the security domain name should be more like "jbossmq" and not "java:jaas/jbossmq" which is more like an internal implementation.

  • 4. Re: Security Injection in AS5
    Anil Saldhana Master

    http://jira.jboss.org/jira/browse/JBAS-5312

    DynamicLoginConfig provides dynamic installation of application policies (such as jbossmq).

  • 5. Re: Security Injection in AS5
    Anil Saldhana Master

    Stefan, since we can make DynamicLoginConfig as a bean, we should be able to convert "messaging-service.xml" services into beans and then inject a dynamicloginconfig bean defining "messaging" application policy into the

     <mbean code="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore"
     name="jboss.messaging:service=SecurityStore">
    


  • 6. Re: Security Injection in AS5
    Stefan Guilhen Apprentice

    I've configured the DynamicLoginConfig as a bean, and it was working fine until I updated the AS and started getting a JBossXB error. This is the log that I get when using TRACE level for org.jboss.xb:

    TRACE [org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding@19a639b, 3: sequence choice ]
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding@1019275, 1: {urn:jboss:bean-deployer:2.0}annotation ]
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding@f6fd54, 10: {urn:jboss:bean-deployer:2.0}array {urn:jboss:bean-deployer:2.0}collection {urn:jboss:bean-deployer:2.0}inject {urn:jboss:bean-deployer:2.0}list {urn:jboss:bean-deployer:2.0}map {urn:jboss:bean-deployer:2.0}set {urn:jboss:bean-deployer:2.0}null {urn:jboss:bean-deployer:2.0}this {urn:jboss:bean-deployer:2.0}value {urn:jboss:bean-deployer:2.0}value-factory ]
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding] (main) leaving org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding@f6fd54 i=9, pos=-1
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) Mapped schemaLocation to filename: security-config_5_0.xsd
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) getInputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd
    WARN [org.jboss.util.xml.JBossEntityResolver] (main) Cannot load publicId from resource: security-config_5_0.xsd
    WARN [org.jboss.util.xml.JBossEntityResolver] (main) Trying to resolve systemId as a non-file URL: resource:security-config_5_0.xsd
    DEBUG [org.jboss.util.xml.JBossEntityResolver] (main) Cannot resolve [publicID=urn:jboss:security-config:5.0,systemID=resource:security-config_5_0.xsd]
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) Resolved schema using namespace as publicId and schemaLocation as systemId
    WARN [org.jboss.util.xml.JBossEntityResolver] (main) Cannot load systemId from resource: security-config_5_0.xsd
    DEBUG [org.jboss.util.xml.JBossEntityResolver] (main) Cannot resolve [publicID=null,systemID=urn:jboss:security-config:5.0]
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) getInputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd, is=null
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) found schema InputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) resolved schema: null
    TRACE [org.jboss.xb.binding.parser.sax.SaxJBossXBParser] (main) Exit startElement urn:jboss:security-config:5.0:policy
    DEBUG [org.jboss.deployers.vfs.deployer.kernel.BeanDeployer] (main) Error during deploy: vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml
    org.jboss.deployers.spi.DeploymentException: Error creating managed object for vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml
     at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:253)
     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:223)
     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.deploy(AbstractParsingDeployerWithOutput.java:186)
     at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:174)
     at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:946)
     at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:887)
     at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:327)
     at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1324)
     at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:734)
     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:862)
     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:784)
     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:622)
     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:411)
     at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:579)
     at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:541)
     at org.jboss.system.server.profileservice.ProfileServiceBootstrap.loadProfile(ProfileServiceBootstrap.java:259)
     at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:137)
     at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:409)
     at org.jboss.Main.boot(Main.java:209)
     at org.jboss.Main$1.run(Main.java:544)
     at java.lang.Thread.run(Thread.java:595)
    Caused by: org.jboss.xb.binding.JBossXBException: Failed to parse source: {urn:jboss:security-config:5.0}policy not found as a child of {urn:jboss:bean-deployer:2.0}property
     at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:193)
     at org.jboss.xb.binding.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:153)
     at org.jboss.deployers.vfs.spi.deployer.SchemaResolverDeployer.parse(SchemaResolverDeployer.java:120)
     at org.jboss.deployers.vfs.spi.deployer.AbstractVFSParsingDeployer.parse(AbstractVFSParsingDeployer.java:143)
     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:249)
     ... 20 more
    Caused by: org.jboss.xb.binding.JBossXBRuntimeException: {urn:jboss:security-config:5.0}policy not found as a child of {urn:jboss:bean-deployer:2.0}property
     at org.jboss.xb.binding.sunday.unmarshalling.SundayContentHandler.startElement(SundayContentHandler.java:396)
     at org.jboss.xb.binding.parser.sax.SaxJBossXBParser$DelegatingContentHandler.startElement(SaxJBossXBParser.java:407)
     at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
     at org.apache.xerces.xinclude.XIncludeHandler.startElement(Unknown Source)
     at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
     at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:189)
     ... 24 more
    2008-03-24 12:51:50,650 ERROR [org.jboss.kernel.plugins.dependency.AbstractKernelController] (main) Error installing to Parse: name=vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml state=Not Installed mode=Manual requiredState=Parse
    


  • 7. Re: Security Injection in AS5
    Stefan Guilhen Apprentice

    Here is some background information

    As part of http://jira.jboss.org/jira/browse/JBAS-5312, I've created a new file, security-policies-beans.xml and configured the DynamicLoginConfig as a bean:

    <?xml version="1.0" encoding="UTF-8"?>
    
    <deployment xmlns="urn:jboss:bean-deployer:2.0">
    
     <bean name="StandardLoginConfig" class="org.jboss.security.auth.login.DynamicLoginConfig">
     <property name="policyConfig">
     <jbsx:policy
     xsi:schemaLocation="urn:jboss:security-config:5.0 resource:security-config_5_0.xsd"
     xmlns:jbsx="urn:jboss:security-config:5.0"
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     <jbsx:application-policy name="jboss-web-policy" extends="other">
     <jbsx:authentication>
     </jbsx:authentication>
     <jbsx:authorization>
     <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
     </jbsx:authorization>
     </jbsx:application-policy>
     <jbsx:application-policy name="jboss-ejb-policy" extends="other">
     <jbsx:authentication>
     </jbsx:authentication>
     <jbsx:authorization>
     <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
     </jbsx:authorization>
     </jbsx:application-policy>
     </jbsx:policy>
     </property>
     <property name="mbeanServer"><inject bean="JMXKernel" property="mbeanServer"/></property>
     <property name="loginConfigService">jboss.security:service=XMLLoginConfig</property>
     <property name="securityManagerService">jboss.security:service=JaasSecurityManager</property>
     <!-- dependency to allow for a smooth shutdown -->
     <depends>jboss.security:service=XMLLoginConfig</depends>
     </bean>
    
    </deployment>
    


    This file replaced the old security-policies-service.xml, that was used to configure the DynamicLoginConfig as an MBean. I have tested this new configuration in many ways to make sure it was being properly parsed and the bean was being properly created.

    Before committing the changes, I've decided to update the AS workspace to make sure everything was still working. I then started getting the parse error saying that (policy) was not found as child of (property).

  • 8. Re: Security Injection in AS5
    Stefan Guilhen Apprentice

    Forgot to disable HTML, so my last sentence was not correctly displayed. It should read "started getting a parse error saying the {urn:jboss:security-config:5.0} policy was not found as a child of {urn:jboss:bean-deployer:2.0} property".

  • 9. Re: Security Injection in AS5
    Stefan Guilhen Apprentice

    I've reverted my AS workspace to older revisions to find out when this error started showing. The last revision I was able to deploy the DynamicLoginConfig bean is 70928. Starting from revision 70929 the error shows up. I'll now take a look at the changes to see if I find out what exactly is causing the problem.

  • 10. Re: Security Injection in AS5
    Adrian Brock Master

    Since this works in conf/bootstrap-beans.xml

     <bean name="ClassLoadingDefaultDeployer" class="org.jboss.deployers.plugins.classloading.ClassLoadingDefaultDeployer">
     <property name="defaultMetaData">
    
    <!-- HERE -->
    
     <classloading xmlns="urn:jboss:classloading:1.0" export-all="NON_EMPTY" import-all="true"/>
     </property>
     </bean>
    

    you need to explain what you are doing (or more likely not doing).

    This works in bootstrap-beans.xml because JBossXB knows not just where
    the schema is, but what to do with it.

    Where/how do you tell JBossXB what to do with a schema called
    urn:jboss:security-config:5.0?

    e.g. look at deployers/metadata-beans.xml for where we tell it how
    to do javaee metadata parsing.

    NOTE: The error message is misleading
    urn:jboss:bean-deployer:2.0:property will take any element as a child
    what it is really telling you is that it doesn't know what to do with

    We know it found the schema (assuming that file exists in the classpath
    and is reachable from the bean parsing deployer's classloader):
    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) found schema InputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd
    


    OFF TOPIC

    Also, by tradition schemas are put in schema subfolders.
    i.e. it should be resource:schema/security-config_5_0.xsd

    The JBossEntityResolver will even look for this resource if you specify
    a proper schema location, e.g. http://www.jboss.org/schemas/security-config_5_0.xsd
    It strips the file name and tries to do getResource("schema/filename.xsd");
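
The diagnosis above is that the parser has no binding for the foreign namespace nested inside a bean-deployer property. As an added example (not from the thread and not JBossXB code; the class name, the sample XML and the set of "bound" namespaces are assumptions), this JAXP SAX check lists such namespaces in a beans file, with DOCTYPE processing disabled so the check itself cannot be used to pull in external entities.

```java
import java.io.StringReader;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.LinkedHashSet;
import java.util.Set;
import javax.xml.XMLConstants;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.Attributes;
import org.xml.sax.InputSource;
import org.xml.sax.helpers.DefaultHandler;

public class ForeignNamespaceCheck {
    static final String BEANS_NS = "urn:jboss:bean-deployer:2.0";

    /** Namespaces of elements directly under a bean-deployer property that are not in 'bound'. */
    static Set<String> unboundNamespaces(String xml, Set<String> bound) throws Exception {
        SAXParserFactory f = SAXParserFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Set<String> missing = new LinkedHashSet<>();
        Deque<String[]> open = new ArrayDeque<>();   // {namespace, localName} of open elements
        f.newSAXParser().parse(new InputSource(new StringReader(xml)), new DefaultHandler() {
            @Override
            public void startElement(String uri, String local, String qName, Attributes atts) {
                String[] parent = open.peek();
                boolean underProperty = parent != null
                        && BEANS_NS.equals(parent[0]) && "property".equals(parent[1]);
                if (underProperty && !BEANS_NS.equals(uri) && !bound.contains(uri)) {
                    missing.add(uri);
                }
                open.push(new String[] {uri, local});
            }
            @Override
            public void endElement(String uri, String local, String qName) { open.pop(); }
        });
        return missing;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample, reduced from the two configurations quoted in the thread.
        String xml = """
            <deployment xmlns="urn:jboss:bean-deployer:2.0">
              <bean name="StandardLoginConfig" class="org.jboss.security.auth.login.DynamicLoginConfig">
                <property name="policyConfig">
                  <jbsx:policy xmlns:jbsx="urn:jboss:security-config:5.0"/>
                </property>
                <property name="defaultMetaData">
                  <classloading xmlns="urn:jboss:classloading:1.0" export-all="NON_EMPTY" import-all="true"/>
                </property>
              </bean>
            </deployment>
            """;
        // Assumption: only the classloading namespace has a binding registered.
        System.out.println(unboundNamespaces(xml, Set.of("urn:jboss:classloading:1.0")));
    }
}
```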

  • 11. Re: Security Injection in AS5
    Alexey Loubyansky Master

    I have just updated my working copy of the AS trunk and replaced the content of the security-policies-service.xml with the xml above. I don't see any error in the log. Am I missing something?

  • 12. Re: Security Injection in AS5
    Anil Saldhana Master

    Thanks Alex for checking it. I think Stefan is trying to install the beans in security-policies-beans.xml (and remove the -service.xml altogether).

    Stefan will provide the details in a little bit.

  • 13. Re: Security Injection in AS5
    Alexey Loubyansky Master

    Yes, obviously I missed that -beans.xml bit. Follow up to Adrian's post.

  • 14. Re: Security Injection in AS5
    Stefan Guilhen Apprentice

    Alex, I've replaced the security-policies-service.xml by the security-policies-beans.xml. This file contains the definition of the DynamicLoginConfig as a bean (shown earlier in this thread) and needs to be named -beans.xml.

    What I am trying to do: I'm trying to get a PolicyConfig object from the contents of the policyConfig property of the DynamicLoginConfig bean. That is, I would like to have the jbsx:policy parsed and a PolicyConfig object built from the parsed information.

    What I don't know: Adrian said that JBossXB doesn't know what to do with the schema it finds. I don't yet know how to tell it that it should build the PolicyConfig object.

    What I have done: when I've first written this config file, I've tried deploying it using revision 70750 of the AS (that was my workspace back then) and it worked - the PolicyConfig object was created. After revision 70929 I've started getting the mentioned error.
