3 Replies Latest reply: Jan 29, 2010 11:06 AM by Emanuel Muckenhuber RSS

Remote Access to Profile Service

Ramesh Reddy Master

In an another discussion Emanuel pointed out that

 

<emanuel>

The link you posted about remote access to ProfileService seems to be out of date. I need to validate that, but AFAIK you don't need to specify the SecureProfileService anymore. Security can be enabled with some server side settings using the same references - i'll update that. Thanks!

</emanuel>

 

I am running into this above situation now. I can not seem to get a reference to remote Profile Service through "SecureProfileService" reference, and at the same time on "ProfileService" reference I am not sure how to turn on the security on the server side? Can somebody please give me some hints.

 

There is little blurb in the "profileservice-jboss-beans.xml", I can not seem to make that work.

 

Thank you.

  • 1. Re: Remote Access to Profile Service
    Emanuel Muckenhuber Master

    You would need to enable the server side authentication interceptors: in deploy/profileservice-jboss-beans.xml

     

    <bean name="ProfileServiceProxyFactory" class="org.jboss.profileservice.remoting.ProxyFactory">
            <!-- Server side security interceptor stack -->
            <property name="serverProxyInterceptors">
                <list>
                    <bean class="org.jboss.aspects.security.AuthenticationInterceptor">
                        <constructor>
                            <parameter>
                                <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager"
                                parameter="jmx-console"/>
                            </parameter>
                        </constructor>
                    </bean>
                    <bean class="org.jboss.aspects.security.RoleBasedAuthorizationInterceptor">
                        <constructor>
                            <parameter>
                                <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager"
                                    parameter="jmx-console"/>
                            </parameter>
                            <parameter>
                                <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager"
                                    parameter="jmx-console"/>
                            </parameter>
                        </constructor>
                    </bean>
                </list>
            </property>
    </bean>
    
    
    

     

     

    You then still lookup a ProfileService, however calling methods like getViewManager() - should fail with a java.lang.SecurityException.

  • 2. Re: Remote Access to Profile Service
    Ramesh Reddy Master

    The above in JBoss 5.1.0 GA does not work, as is. There were couple issues.

     

    The  property name should be "proxyInterceptors" instead of "serverProxyInterceptors", and this property fragment needs to be added as additional property under "ProfileServiceProxyFactory" rather then replacing the whole bean fragment. Then when I started the the AS, I am getting the following errors

     

     

    Caused by: java.io.NotSerializableException: org.jboss.aspects.security.AuthenticationInterceptor
        at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
        at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:326)
        at java.util.ArrayList.writeObject(ArrayList.java:570)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
    

     

    So, then I thought, I will extend the following classes and add "Serializable" interface to them and replace them in the XML fragment

     

    org.jboss.aspects.security.AuthenticationInterceptor
    org.jboss.aspects.security.RoleBasedAuthorizationInterceptor

     

    Then I found that the constructor for "RoleBasedAuthorizationInterceptor" with signature

     

     

       public RoleBasedAuthorizationInterceptor(AuthenticationManager authManager, AuthorizationManager authzManager)
       {
          this.authenticationManager = authManager;
          this.authorizationManager = authzManager;
       }
    

     

    was not added until version 1.0.1 of "jboss-security-aspects.jar" file, but the version of jar bundled with JBoss AS 5.1.0 is 1.0.0 GA. This version has a constructor

     

       public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping)
       {
          this.securityManager = manager;
          this.realmMapping = realmMapping;
       }
    

     

    Here I was not sure what I can pass as "RealmMapping" object, do you have any suggestions?

     

    Thanks.

  • 3. Re: Remote Access to Profile Service
    Emanuel Muckenhuber Master

    Ah yes, sorry. Yeah in 5.1.0.GA there is still this ejb3 facade to secure profileservice, the deployment is also called secured-profileservice.jar, well as far as i can remember. This has been removed in EAP and JBoss AS6 - this was the configuration i was referring to.