4 Replies. Latest reply: Apr 21, 2010 1:05 PM by Hubert Felber

problem calling ejb: "Subject is null for isCallerInRole ...."

Hubert Felber Newbie

Hi all,

I am porting an app from JBoss 4.2.2 to JBoss 5.1

I have an MBean that calls an EJB 2.0 method in the same JBoss instance. There, when I do a isCallerInRole("testRole"), I always get:
[EnterpriseContext] Subject is null for isCallerInRole Check with  role=testRole
The EJB 2.0 method has the following definition in ejb-jar.xml
    <method-permission>
        <unchecked/>
        <method>
            <ejb-name>myEjb</ejb-name>
            <method-intf>Remote</method-intf>
            <method-name>executeSystemCall</method-name>
        </method>
    </method-permission>
and in the corresponding jboss.xml we defined
    <security-identity>
        <run-as-principal>system</run-as-principal>
    </security-identity>
This worked fine in JBoss 4.2.2 but gives the error mentioned above in JBoss 5.2.
Could anybody please help me solve this?
Thank you very much
Hubert
  • 1. problem calling ejb: SecurityActions.getContextSubject() returns null
    Hubert Felber Newbie

    Hi

    I have some additional info, maybe anybody has a clue what I don't see.

    I went through all interceptors when invoking a method on the EJB.

    I have an authenticated subject, a valid runAsIdentity consisting of principal and role.

    I saw that "SecurityActions.pushRunAsIdentity(runAsIdentity);" pushed the correct runAsIdentity assembled from ejb-jar.xml and jboss.xml

    - With the SessionContext in the EJB I can successfully call

         context.getCallerPrincipal()

    and get a valid Principal back as defined in RunAs.

    - SecurityRoleRefMetaData.getRoleName() called by EnterpriseContext returns the correct roleName.

    But SecurityActions.getContextSubject() returns NULL

    Does anybody have a clue what I can do?

    Thanks for helping

    Hubert

  • 2. SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
    Hubert Felber Newbie

    Hi,

    When I do an isCallerInRole("role") it calls

    SubjectPolicyContextHandler.getAuthenticatedSubject(); which returns NULL

    SecurityContext.getIncomingRunsAs() also returns null

    I do not understand this, since I explicitly do a login before creating / calling the EJB.

    This is my application-policy:

    <application-policy name="MyRealm">
        <authentication>
            <login-module code="ch.abacus.flow.jboss.security.auth.SystemLogingModule" flag="required"/>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required"/>
        </authentication>
    </application-policy>

    The EJB 2.0 runs in MyRealm, and both login-modules succeed.

    Still hope for any hints.

    Thank you

  • 3. Re: SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
    Hubert Felber Newbie

    Ok, I think I isolated the problem.

    SecurityActions.popSubjectContext() is called after every call and an authenticated subject is pushed before every call.

    So when I arrive at my EJB method, the context is good and context.isCallerInRole("role") works fine.
    But I call several other EJBs with unchecked security / local view (BYPASS_SECURITY). When calling these EJBs the authenticated subject is set to NULL and left at NULL.
    After these EJB calls return, the authenticated subject is still null, and that's why my subsequent context.isCallerInRole() calls from my current EJB fail.

    Does anybody have an idea how to work around this?

    Thank you
    Hubert

  • 4. Re: SubjectPolicyContextHandler.getAuthenticatedSubject() returns NULL
    Hubert Felber Newbie

    Ok, I fixed my problem.

    As mentioned, I lost my authenticated subject.
    In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss of this.

    I edited the corresponding jboss.xml and added a

        <security-domain>java:/jaas/EjbRealm</security-domain>

    In login-config.xml I added:

        <application-policy name="EjbRealm">
            <authentication>
                <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                    <module-option name="restore-login-identity">true</module-option>
                </login-module>
            </authentication>
        </application-policy>

    Note the "restore-login-identity".
    That was it: the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.

    Before my changes this EJB ran in the "BYPASSED-SECURITY" domain. I tried to create a <application-policy name="BYPASSED-SECURITY"> but this was never picked up.

    Hope this helps others.
    Hubert
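The mechanism Hubert describes in replies 3 and 4, as a constructed Java model added here (not JBoss code and not Hubert's): one nested-call path clears the thread's subject and leaves it null, the other saves it before the call and puts it back afterwards, which is what ClientLoginModule's restore-login-identity option does. The class and method names are hypothetical; the principal "system" and role "testRole" are the thread's own values.

```java
// Constructed model of the per-thread security association described in this thread.
// It is not JBoss code; the class and method names here are hypothetical.
public class SecurityAssociationModel {
    // Models the thread-local authenticated subject (null = "Subject is null").
    private static final ThreadLocal<String> SUBJECT = new ThreadLocal<>();
    // Models EnterpriseContext.isCallerInRole for the thread's run-as principal "system",
    // which we assume holds "testRole"; without a subject the check cannot pass.
    static boolean isCallerInRole(String role) {
        String subject = SUBJECT.get();
        if (subject == null) {
            System.out.println("Subject is null for isCallerInRole Check with role=" + role);
            return false;
        }
        return "system".equals(subject) && "testRole".equals(role);
    }

    // Models the BYPASS_SECURITY path from reply 3: the subject is cleared for the
    // nested call and never put back when it returns.
    static void invokeBypassingSecurity(Runnable ejbMethod) {
        SUBJECT.set(null);
        ejbMethod.run();
    }

    // Models ClientLoginModule with restore-login-identity=true from reply 4: the
    // previous identity is saved at login and restored at logout.
    static void invokeRestoringIdentity(Runnable ejbMethod) {
        String previous = SUBJECT.get();
        SUBJECT.set(null);            // nested EJB runs without an authenticated subject
        try {
            ejbMethod.run();
        } finally {
            SUBJECT.set(previous);    // restore-login-identity
        }
    }

    // The outer EJB from the thread: runs as "system", calls another EJB, then checks
    // its own role. Returns what that later isCallerInRole check yields.
    static boolean outerEjb(boolean restoreIdentity) {
        SUBJECT.set("system");
        Runnable inner = () -> { };   // the unchecked helper EJB does nothing here
        if (restoreIdentity) invokeRestoringIdentity(inner); else invokeBypassingSecurity(inner);
        boolean result = isCallerInRole("testRole");
        SUBJECT.remove();
        return result;
    }
    public static void main(String[] args) {
        System.out.println("BYPASSED-SECURITY path: " + outerEjb(false));
        System.out.println("EjbRealm with restore-login-identity: " + outerEjb(true));
    }
}
```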