4 Replies Latest reply on Dec 10, 2001 3:03 PM by twhphan

    java.lang.SecurityException

    twhphan

      Hi, I get an error msg saying:

      [EJB] No method permissions assigned to method=create
      [EmbeddedCatalinaServiceSX] ApplicationDispatcher[/application] Servlet.service() for servlet jsp threw exception
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: No method permissions assigned to method=create
      java.lang.SecurityException: No method permissions assigned to method=create
      <<no stack trace available>>

      I use DatabaseServerLoginModule successfully. I get:

      [Default] User 'twhphan' authenticated.

      I'm using the same security domain in both jboss.xml and jboss-web.xml

      <security-domain>java:/jaas/domain</security-domain>

      My auth.conf is:
      domain {
      org.jboss.security.auth.spi.DatabaseServerLoginModule required
      dsJndiName="java:/applicationDS"
      principalsQuery="select password from User where username=?"
      rolesQuery="select roleName, NULL from UserRole where username=?"
      unauthenticatedIdentity=nobody
      ;
      };

      Also, who assigns an EJB's caller principal & role if the EJB is invoked by a Servlet?

      Thx =)

        • 1. Re: java.lang.SecurityException

          So it's telling you that you haven't set any permissions for the 'create' method in your ejb-jar.xml file. As in most security setups, you have to explicitly grant access. The default isn't to just allow access.

          As for the principal, if you have logged in then it will be the username you logged in with. If you haven't then it will be the 'unauthenticatedIdentity' which you have specified in your auth.conf file.

          • 2. Re: java.lang.SecurityException
            twhphan

            Thanks Luke, I set the following:

            mysql> select * from UserRole;
            +----------+---------------+
            | username | roleName      |
            +----------+---------------+
            | twhphan  | Administrator |
            +----------+---------------+

            ejb-jar.xml
            ===========
            <security-role>
              <role-name>Administrator</role-name>
            </security-role>
            <method-permission>
              <role-name>Administrator</role-name>
              <method>
                <ejb-name>EJBObj</ejb-name>
                <method-name>*</method-name>
              </method>
            </method-permission>

            My JSP calls EJBObj, but still gets that error. What am I missing? Thanks again in advance.

            • 3. Re: java.lang.SecurityException
              twhphan

              Sorry, I got it to work. I just noticed that I called 2 EJBs on my JSP page, and I didn't set the security for both. Thanks.
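
Added example, not part of the original posts: a small Python check that reads an ejb-jar.xml and reports every deployed bean that has no `<method-permission>` grant, which is the gap that caused the error in this thread. The descriptor is constructed for illustration, and `OtherEJB` is a hypothetical name for the second bean called from the JSP; the "denied" wording assumes the default-deny behaviour shown in the log above.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor: two beans deployed, only EJBObj has a grant.
# "OtherEJB" is a hypothetical name for the second bean the JSP calls.
SAMPLE_EJB_JAR = """\
<ejb-jar>
  <enterprise-beans>
    <session><ejb-name>EJBObj</ejb-name></session>
    <session><ejb-name>OtherEJB</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role><role-name>Administrator</role-name></security-role>
    <method-permission>
      <role-name>Administrator</role-name>
      <method><ejb-name>EJBObj</ejb-name><method-name>*</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

def audit_method_permissions(xml_text):
    """Return findings for beans or roles the descriptor leaves uncovered."""
    root = ET.fromstring(xml_text)
    beans = [b.findtext("ejb-name", "").strip()
             for b in root.findall("enterprise-beans/*")]
    roles = {(r.text or "").strip()
             for r in root.findall("assembly-descriptor/security-role/role-name")}
    granted = {}   # ejb-name -> set of method-name patterns that have a grant
    findings = []
    for perm in root.findall("assembly-descriptor/method-permission"):
        for role in perm.findall("role-name"):
            if (role.text or "").strip() not in roles:
                findings.append(f"role '{(role.text or '').strip()}' has no <security-role>")
        for m in perm.findall("method"):
            name = m.findtext("ejb-name", "").strip()
            granted.setdefault(name, set()).add(m.findtext("method-name", "").strip())
    for bean in beans:
        methods = granted.get(bean)
        if not methods:
            findings.append(f"{bean}: no method-permission entry")
        elif "*" not in methods:
            findings.append(f"{bean}: only {sorted(methods)} granted, other methods denied")
    return findings

if __name__ == "__main__":
    for finding in audit_method_permissions(SAMPLE_EJB_JAR):
        print(finding)
```

Running it against each deployed jar's descriptor before deployment surfaces the missing grant at build time instead of as a runtime `SecurityException`.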

              • 4. Re: java.lang.SecurityException
                twhphan

                Me again, I found that the EJB's security works great, but it affects my RMI object.

                If I have <security-domain>java:/jaas/domain</security-domain> in my jboss.xml, and I bind an RMI object (JRMP version) with JBoss's JNDI, I get the following error when I attempt to invoke an RMI method:

                [Default] User 'nobody' authenticated.
                [RMIObj] Authentication exception, principal=null
                [Default] java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
                java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                java.lang.SecurityException: Authentication exception, principal=null
                [Default] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                java.lang.SecurityException: Authentication exception, principal=null
                [Default] java.lang.SecurityException: Authentication exception, principal=null
                [Default] at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:245)

                Note: My RMI object works if I comment out the <security-domain> tag

                There's no XML for RMI, and RMI isn't bound to JBoss' security domain (I guess). Where can I correct this? May I bypass security only for my RMI object?

                Thanks