-
1. problem calling ejb: SecurityActions.getContextSubject() returns null
hugbert Apr 20, 2010 2:57 AM (in response to hugbert)Hi
I have some additional info, maybe anybody has a clue what I don't see.
I went through all interceptors when invoking a method on the EJB.
I have an authenticated subject, a valid runAsIdentity consisting of princpal and role.
I saw that "SecurityActions.pushRunAsIdentity(runAsIdentity);" pushed the correct runAsIdendity assembled from ejb-jar.xml and jboss.xml
-With the SessionContext in the Ejb I can successfully call
context.getCallerPrincipal()
and get a valid Principal back as defined in RunAs.
-SecurityRoleRefMetaData.getRoleName() called by EnterpriseContext returns the correct roleName.
But SecurityActions.getContextSubject() returns NULL
Does anybody have a clue what I can do?
Thanks for helping
Hubert
Updated
-
2. SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
hugbert Apr 20, 2010 5:19 AM (in response to hugbert)Hi,
When I do a IsCallerInRole("role") it calls
SubjectPolicyContextHandler.getAuthenticatedSubject(); which returns NULL
SecurityContext.getIncomingRunsAs() also returns null
I do not understand this, since I explicitly do a login before creating / calling the EJB.
This is my l appliaction-policy:
<application-policy name="MyRealm">
<authentication>
<login-module code="ch.abacus.flow.jboss.security.auth.SystemLogingModule" flag="required"/>
<login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
</authentication>
</application-policy>The EJB 2.0 runs in MyRealm, and both login-module succeed.
Still hope for any hints.
Thank you
-
3. Re: SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
hugbert Apr 21, 2010 7:38 AM (in response to hugbert)Ok, I think I isolated the problem.
SecurityActions.popSubjectContext() is called after every call and an authenticated subject is pushed before every call.
So when I arrive at my ejb method, the context is good and context.IsCallerInRole("role") works fine.
But I call several other EJB's with unchecked security / local view (BYPASS_SECURITY). When calling these EJB's the authenticated subject is set to NULL and left to NULL.
After return of these EJB calls the authenticated subject is still null and that's why my further context.isCallerInRole() from my current EJB fail.
Does anybody have an idea how to work arround this?
Thank you
Hubert -
4. Re: SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
hugbert Apr 21, 2010 1:05 PM (in response to hugbert)Ok, I fixed my problem.
As mentioned I lost my authenticated subject .
In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss of this.I edited the corresponding jboss.xml and added a
1. <security-domain>java:/jaas/EjbRealm</security-domain>
In login-config.xml I added:
1. <application-policy name="EjbRealm">
2. <authentication>
3. <login-module code="org.jboss.security.ClientLoginModule" flag="required">
4. <module-option name="restore-login-identity">true</module-option>
5. </login-module>
6. </authentication>
7. </application-policy>note the "restore-login-identity".
That was it, the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.Before my changes this EJB run in "BYPASSED-SECURITY" domain. I tried to create a <application-policy name="BYPASSED-SECURITY"> but this was never picked up.
Hope this help others.
Hubert