20 Replies. Latest reply: Nov 4, 2011 11:53 PM by jaikiran pai
  • 15. Re: How to disable the SecurityClient login in Jboss 5.1
    jaikiran pai Master

    Anil Mathew wrote:

     

    Below is more from my stacktrace:

     

            at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:368)
            at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
            at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
            at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
            at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)

     

    Since I don't have a "security domain" setup, I would expect the "securityManager" to be null. But in my case it is not null. Looking further in SecurityInterceptor.java, I could see we get the securityManager from Container class.

     

    What you really have to check is why it reaches line 136 of PreSecurityInterceptor in the process() method. Because if you take a look at lines 93 through 99 of the PreSecurityInterceptor.process() method here http://www.docjar.com/html/api/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java.html you'll notice that it can't reach line 136 if the securityDomain is null.

  • 16. Re: How to disable the SecurityClient login in Jboss 5.1
    Anil Mathew Newbie

    Thank You for your thoughts.

     

    Like you said, the exact issue is on lines 93 through 99 in PreSecurityInterceptor.java.html. With this I was able to debug/trace more today. My trace says JBoss is setting the security domain from "jboss-ejb-policy"

     

    2011-11-03 16:51:53,195 TRACE [org.jboss.ejb.plugins.StatelessSessionInstancePool] (main) Constructing
    2011-11-03 16:51:53,195 INFO  [org.jboss.ejb.EjbModule] (main) Deploying msecworker.MsecWorkerHome
    2011-11-03 16:51:53,196 TRACE [org.jboss.ejb.StatelessSessionContainer] (main) Constructing
    2011-11-03 16:51:53,196 DEBUG [org.jboss.ejb.EjbModule] (main) Creating WebClassLoader of class org.jboss.web.WebClassLoader
    2011-11-03 16:51:53,308 DEBUG [org.jboss.ejb.EjbModule] (main) Setting security domain from: jboss-ejb-policy

     

    Also it seems like JBoss is setting the security domain during the deployment of my EJB. I dug more to see from where JBoss is getting "jboss-ejb-policy" and no luck on that yet. I will continue to dig on this more (assuming that Container is setting the security domain from jboss-ejb-policy even though we didn't define one in the jboss.xml).

     

    Any thoughts on this will be helpful to me.

     

    Also I wonder, does JBoss have a separate "security forum" like this?

     

    Thanks

    Anil Mathew.

  • 17. Re: How to disable the SecurityClient login in Jboss 5.1
    jaikiran pai Master

    Anil Mathew wrote:

     


    2011-11-03 16:51:53,308 DEBUG [org.jboss.ejb.EjbModule] (main) Setting security domain from: jboss-ejb-policy

     

    Also it seems like JBoss is setting the security domain during the deployment of my EJB. I dug more to see from where JBoss is getting "jboss-ejb-policy" and no luck on that yet.

     

     

     

    It's a deployer level setting in JBOSS_HOME/server/<servername>/deployers/ejb-deployer-jboss-beans.xml:

     

     

     

    <bean name="EJB2xDeployer" class="org.jboss.ejb.deployers.EjbDeployer">
        ...
        <!-- Specify a SecurityDomain as fallback -->
        <property name="defaultSecurityDomain">jboss-ejb-policy</property>
        ...
    </bean>

     

     

    I think all this was done to enable security when the ejb-jar.xml contains the method-permission section and when the jboss.xml doesn't specify a security-domain. See this https://issues.jboss.org/browse/JBAS-5960

     

    Apparently, setting an empty string to the security-domain in jboss.xml is an indication of disabling security. So you might want to give that a try.

  • 18. Re: How to disable the SecurityClient login in Jboss 5.1
    jaikiran pai Master

    Anil Mathew wrote:

     

     

    Also I wonder, does JBoss have a separate "security forum" like this?

     


     

    http://community.jboss.org/en/picketbox?view=discussions

  • 19. Re: How to disable the SecurityClient login in Jboss 5.1
    Anil Mathew Newbie

    IT WORKED!!!!!!!

     

    i.e. I added <security-domain></security-domain> to the jboss.xml and it worked like a charm! Thank you so much to JaiKiran and Wolfgang. Really appreciate your time and help.

     

    I do have a suggestion to the JBoss team: I would say a missing <security-domain> node in the jboss.xml should be treated as an explicit bypass of security using security-domain. I am pretty sure this is how it was for JBoss 4.x and also many applications may only have method-permission section in ejb-jar.xml and don't care much about "security-domain" based security.

     

    So for other users who happen to have the same issue and if they use JBoss 5.1, below is what it is:

     

    "When the ejb-jar.xml contains the method-permission section and when the jboss.xml doesn't specify a security-domain, the JBoss 5.1 AS will use the DEFAULT_EJB_APPLICATION_POLICY and we get errors when a client tries to invoke an EJB bean. So in order to do an explicit bypass of security domain, we need to add "<security-domain></security-domain>" in the jboss.xml."

     

    Thanks Again

    Anil Mathew

  • 20. Re: How to disable the SecurityClient login in Jboss 5.1
    jaikiran pai Master

    Anil Mathew wrote:

     

     

    I do have a suggestion to the JBoss team: I would say a missing <security-domain> node in the jboss.xml should be treated as an explicit bypass of security using security-domain. I am pretty sure this is how it was for JBoss 4.x and also many applications may only have method-permission section in ejb-jar.xml and don't care much about "security-domain" based security.

     

    I thought that's how it was supposed to behave too and it did look right, until I saw this JIRA. I'm not sure why the empty value was considered as an indication of disabling security instead of a missing security-domain element.
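
The behaviour worked out in replies 17 and 19, as an added example that is not part of the original thread or of JBoss itself: a small descriptor check that reports which security domain an EJB 2.x jar ends up with, and flags the case where an empty `<security-domain>` switches security off while `method-permission` entries are still declared. The function name, the result labels and the sample descriptors are assumptions made for illustration; the fallback value is the one quoted from ejb-deployer-jboss-beans.xml.

```python
import xml.etree.ElementTree as ET
from collections import namedtuple

# Fallback value from ejb-deployer-jboss-beans.xml as quoted in reply 17.
DEPLOYER_DEFAULT = "jboss-ejb-policy"

Result = namedtuple("Result", "state domain review")

def _elements(xml_text, name):
    """Find elements by local name, ignoring any XML namespace prefix."""
    root = ET.fromstring(xml_text)
    return [el for el in root.iter()
            if isinstance(el.tag, str) and el.tag.rsplit("}", 1)[-1] == name]

def effective_security(ejb_jar_xml, jboss_xml, deployer_default=DEPLOYER_DEFAULT):
    """Classify which security domain an EJB 2.x jar ends up with on AS 5.1."""
    has_perms = bool(_elements(ejb_jar_xml, "method-permission"))
    domains = _elements(jboss_xml, "security-domain")
    if domains:
        value = (domains[0].text or "").strip()
        if value:
            return Result("explicit", value, False)
        # Empty element = security switched off; worth a review when the
        # jar still declares method-permission entries.
        return Result("disabled", None, has_perms)
    if has_perms:
        # Missing element + method-permission: deployer fallback applies.
        return Result("deployer-default", deployer_default, False)
    # The thread does not describe this combination.
    return Result("not-covered", None, False)

# Constructed sample descriptors (not taken from the thread).
EJB_JAR = """<ejb-jar><assembly-descriptor><method-permission>
  <role-name>worker</role-name>
  <method><ejb-name>SampleBean</ejb-name><method-name>*</method-name></method>
</method-permission></assembly-descriptor></ejb-jar>"""
JBOSS_MISSING = "<jboss><enterprise-beans/></jboss>"
JBOSS_EMPTY = "<jboss><security-domain></security-domain></jboss>"
JBOSS_SET = "<jboss><security-domain>java:/jaas/sample</security-domain></jboss>"

if __name__ == "__main__":
    for label, doc in [("missing", JBOSS_MISSING), ("empty", JBOSS_EMPTY), ("set", JBOSS_SET)]:
        print(label, effective_security(EJB_JAR, doc))
```

Run over the descriptors in a deployment directory, the `review` flag picks out jars where the empty-element workaround has been applied on top of declared role restrictions.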
