1. Re: Security and Message Driven Beans
rickardsson Aug 31, 2001 4:10 AM (in response to msquance)
I got the same problem when using unauthenticatedIdentity=nobody in auth.conf (also with message driven beans). When I don't use this anonymous user the login fails, which I suspect it would. But what I find strange is that it doesn't even get to the login method with unauthenticatedIdentity. BTW, I'm using a subclass of UsernamePasswordLoginModule.
Here's the exception:
[Default] New Client Connection accepted. Current Thread=Thread[OIL Worker,5,JBossMQ Server Threads]
[Default] Client Connection set spyDistributedConnection, ClientID=ID2. Current Thread=Thread[OIL Worker,5,JBossMQ Server Threads]
[Default] ConnectionReceiver: Receive(ReceiveRequest[1])
[Default] SpyConnectionConsumer:Topic@testTopic->addMessage(mes=TextMessage@ test message nr0 and type JMS)
[Default] SpyConnectionConsumer:Topic@testTopic->processMessages()
[Default] SpyConnectionConsumer:Topic@testTopic Starting the ServerSession.
[Default] SpySession: run()
[MDB] Insufficient method permissions, principal=null, method=onMessage, requiredRoles=[]
[Container factory] Exception in JMSCI message listener: : java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
java.lang.SecurityException: Insufficient method permissions, principal=null, method=onMessage, requiredRoles=[]
[Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
java.lang.SecurityException: Insufficient method permissions, principal=null, method=onMessage, requiredRoles=[]
[Default] java.lang.SecurityException: Insufficient method permissions, principal=null, method=onMessage, requiredRoles=[]
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:215)
[Default] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:117)
[Default] at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:195)
[Default] at org.jboss.ejb.MessageDrivenContainer.invoke(MessageDrivenContainer.java:281)
[Default] at org.jboss.ejb.plugins.jms.JMSContainerInvoker.invoke(JMSContainerInvoker.java:150)
[Default] at org.jboss.ejb.plugins.jms.JMSContainerInvoker$MessageListenerImpl.onMessage(JMSContainerInvoker.java:495)
[Default] at org.jbossmq.SpyMessageConsumer.deliverMessage(SpyMessageConsumer.java:296)
[Default] at org.jbossmq.SpySession.run(SpySession.java:218)
[Default] at org.jboss.jms.asf.StdServerSession.run(StdServerSession.java:132)
[Default] at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:642)
[Default] at java.lang.Thread.run(Thread.java:484)
2. Re: Security and Message Driven Beans
msquance Aug 31, 2001 2:47 PM (in response to msquance)
What I've found is that the run-as role works correctly, once inside onMessage. It then uses that role when accessing other EJBs.
The issue seems to be getting into onMessage. If unauthenticatedIdentity=nobody, then I get the message:
java.lang.SecurityException: Insufficient method permissions, principal=null, method=onMessage, requiredRoles=[admin, mdb, guest]
However, I can set unauthenticatedIdentity=mdb, add user mdb to a role called mdb, and give the mdb role permission to onMessage of my MDB bean.
This seems to have two issues with it:
1) There is not a way to configure different security access to different message driven beans.
2) Any unauthenticated user now has access to onMessage of the MDB, so could theoretically generate a message of the appropriate type to get inside the MDB.
The only potential solution that comes to mind would involve passing some credentials via the message. This seems to have other security implications (anyone listening for the message could pick up the credentials).
Am I missing anything obvious?
Thanks,
Mike.
3. Re: Security and Message Driven Beans
rickardsson Sep 3, 2001 8:41 AM (in response to msquance)
When the commit method in AbstractServerLoginModule calls getRoleSets and there are no roles found, which is the case for an anonymous user, the result is "Insufficient method permissions, principal=null, method=onMessage, requiredRoles=[admin]" (due to the result of the rest of the code in commit). Thus adding a "dummy" role to be returned by getRoleSets for the anonymous user solved the problem in my case. I'm using "unauthenticatedIdentity=nobody" and in the method-permission for the message driven bean.
I might be cheating a little bit here but it's a temporary solution anyway.
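As an added illustration (not code posted in this thread, and not JBoss's own), the following sketches the workaround rickardsson describes: a UsernamePasswordLoginModule subclass whose getRoleSets returns a single marker role for the unauthenticated identity, so the MDB's onMessage method-permission has a role to match while real users keep their own roles. It assumes the JBoss 2.4-era org.jboss.security.auth.spi API (UsernamePasswordLoginModule with getUsersPassword(), getRoleSets(), getIdentity() and getUsername()), org.jboss.security.SimpleGroup and SimplePrincipal, and a constructed in-memory user store; the class name, the role name mdb-anonymous and the sample users are placeholders. The concern msquance raises in post 2 still applies: whatever role the anonymous identity receives is carried by every unauthenticated caller, so it should be granted to the MDB's onMessage and to nothing else in the deployment.

```java
package example.security;

import java.security.Principal;
import java.security.acl.Group;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.UsernamePasswordLoginModule;

/**
 * Added example, not from the thread. Assumes the JBoss 2.4-era
 * org.jboss.security.auth.spi API; all names below are placeholders.
 *
 * Real users authenticate against a constructed in-memory store and receive
 * their own roles. The identity configured through the "unauthenticatedIdentity"
 * module option receives exactly one marker role, so the MDB's onMessage
 * method-permission can be satisfied without handing anonymous callers any
 * role that other beans rely on.
 */
public class MdbAwareLoginModule extends UsernamePasswordLoginModule {

    /** Placeholder role: grant it to the MDB's onMessage only. */
    static final String ANONYMOUS_MDB_ROLE = "mdb-anonymous";

    /** Constructed sample store: username -> { password, role, role... }. */
    private static final Map USERS = new HashMap();
    static {
        USERS.put("alice", new String[] { "alice-pw", "admin" });
        USERS.put("bob",   new String[] { "bob-pw",   "guest" });
    }

    /** Name of the fallback identity, read from the same option used in auth.conf. */
    private String unauthenticatedName;

    public void initialize(Subject subject, CallbackHandler handler,
                           Map sharedState, Map options) {
        super.initialize(subject, handler, sharedState, options);
        unauthenticatedName = (String) options.get("unauthenticatedIdentity");
    }

    /** Expected password for the user logging in; null means unknown user. */
    protected String getUsersPassword() throws LoginException {
        String[] entry = (String[]) USERS.get(getUsername());
        return entry == null ? null : entry[0];
    }

    /** Role set consulted by commit(); the MDB permission check needs it non-empty. */
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles");
        Principal identity = getIdentity();
        if (isUnauthenticated(identity)) {
            // Anonymous caller: one marker role and nothing else.
            roles.addMember(new SimplePrincipal(ANONYMOUS_MDB_ROLE));
        } else {
            String[] entry = (String[]) USERS.get(identity.getName());
            for (int i = 1; entry != null && i < entry.length; i++) {
                roles.addMember(new SimplePrincipal(entry[i]));
            }
        }
        return new Group[] { roles };
    }

    /** True when no credentials were presented and the fallback identity is in use. */
    boolean isUnauthenticated(Principal identity) {
        return unauthenticatedName != null && identity != null
            && unauthenticatedName.equals(identity.getName());
    }
}
```

With this module configured for the MDB's security domain, the bean's method-permission in ejb-jar.xml would name mdb-anonymous for onMessage, and that role name would appear in no other bean's method-permission. Keeping the marker role out of every other permission is what limits the exposure msquance points out: an unauthenticated sender can reach onMessage, but the role it carries unlocks nothing further, and any calls the MDB makes onward run under its run-as role rather than the anonymous one.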