3 Replies Latest reply on Jan 31, 2002 12:53 PM by luke_t

    Another problem with method-permission :(

    rsolod

      I need to have no security checking for create of an EJB session bean, but the other methods should be secured. So I created an ejb-jar file like this:
      <ejb-jar>
        <enterprise-beans>
          <session>
            <ejb-name>ClientControllerEJB</ejb-name>
            ...............
            <security-role-ref>
              <role-name>trainee</role-name>
              <role-link>trainee</role-link>
            </security-role-ref>
            <security-role-ref>
              <role-name>trader</role-name>
              <role-link>trader</role-link>
            </security-role-ref>
          </session>
        </enterprise-beans>
        <assembly-descriptor>
          <security-role>
            <role-name>trainee</role-name>
          </security-role>
          <security-role>
            <role-name>trader</role-name>
          </security-role>
          <method-permission>
            <role-name>trader</role-name>
            <method>
              <ejb-name>ClientControllerEJB</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>
          <method-permission>
            <role-name>trainee</role-name>
            <method>
              <ejb-name>ClientControllerEJB</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>
          <method-permission>

            <method>
              <ejb-name>ClientControllerEJB</ejb-name>
              <method-name>create</method-name>
            </method>
          </method-permission>
        </assembly-descriptor>
      </ejb-jar>


      BUT! An exception occurred during create, because the user is unauthenticated (he is really not authenticated yet). Who can help me?

      Received throwable with Message: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null
      javax.transaction.TransactionRolledbackException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Authentication exception, principal=null
      java.lang.SecurityException: Authentication exception, principal=null
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:213)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:144)
      at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invokeHome(StatefulSessionInstanceInterceptor.java:99)
      at org.jboss.ejb.plugins.TxInterceptorCMT.invokeNext(TxInterceptorCMT.java:135)
      at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:263)
      at org.jboss.ejb.plugins.TxInterceptorCMT.invokeHome(TxInterceptorCMT.java:86)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
      at org.jboss.ejb.StatefulSessionContainer.invokeHome(StatefulSessionContainer.java:311)
      at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:436)
      at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:212)
      at $Proxy47.create(Unknown Source)
      at ua.kiev.softline.forex.control.web.ModelManager.getCC(ModelManager.java:95)



      Is it possible to create a session bean accessible to authorized and not authenticated users?

        • 1. Re: Another problem with method-permission :(
          rsolod

          Hey! Anybody! Help me, please!
          In the Sun tutorial I have just read "By default, the J2EE SDK assigns the ANYONE role to a method. The guest user, which is anonymous and unauthenticated, belongs to the ANYONE role. Therefore, if you do not map the roles, any user may invoke the methods of an enterprise bean." (http://java.sun.com/j2ee/tutorial/1_3-fcs/doc/Security5.html#68056)
          So, what should I do for this in JBoss!?!?!?!

          • 2. Re: Another problem with method-permission :(
            rsolod

            Jesus!!!!!!!!!!!!!!!!!!!!!
            It is TERRIBLE!!!!!!!!!!!!!!!!!!!!!!!!!
            Who wrote this fucked org.jboss.security.auth.spi.DatabaseServerLoginModule?
            Is it really so difficult to write some description? Hey, developer, have you read a specification before?

            So, any unauthenticated user should be authenticated as "nobody" and placed into role "ANYONE" AUTOMATICALLY!!!!!!! Possibly, some ability to modify this default should be foreseen, BUT IT MUST BE BY DEFAULT! (or be documented, at least!)

            For this purpose I need to add a special instruction into the configuration of the login module (auth.conf). So, the correct view of the module is:
            <security-domain>{
            org.jboss.security.auth.spi.DatabaseServerLoginModule required
            dsJndiName=<Datasource JNDI name>
            principalsQuery="SELECT PASSWORD FROM ...... WHERE USERNAME = ?"
            rolesQuery="SELECT ... WHERE USERNAME=?"
            unauthenticatedIdentity=nobody
            ;
            };


            God bless you.
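
Added example, not part of the original thread or of JBoss: a Python sketch that audits the `method-permission` entries of an `ejb-jar.xml` once `unauthenticatedIdentity` is set, showing which methods a caller holding only the anonymous identity's roles can reach. The `ANYONE` role on `create`, the role-less `remove` entry and the method names are assumptions; roles are combined as a union across matching entries, as the EJB specification defines.

```python
import xml.etree.ElementTree as ET

# Constructed descriptor modelled on the one in the post; the ANYONE role on
# create is an assumed fix, not something the thread shows.
DESCRIPTOR = """
<ejb-jar><assembly-descriptor>
  <method-permission>
    <role-name>trader</role-name><role-name>trainee</role-name>
    <method><ejb-name>ClientControllerEJB</ejb-name><method-name>*</method-name></method>
  </method-permission>
  <method-permission>
    <role-name>ANYONE</role-name>
    <method><ejb-name>ClientControllerEJB</ejb-name><method-name>create</method-name></method>
  </method-permission>
  <method-permission>
    <method><ejb-name>ClientControllerEJB</ejb-name><method-name>remove</method-name></method>
  </method-permission>
</assembly-descriptor></ejb-jar>
"""

def load_permissions(xml_text):
    """Return ({(ejb, method): roles}, [entries that list no role])."""
    perms, empty = {}, []
    for mp in ET.fromstring(xml_text).iter("method-permission"):
        roles = {r.text.strip() for r in mp.findall("role-name") if r.text and r.text.strip()}
        for m in mp.findall("method"):
            key = (m.findtext("ejb-name", "").strip(), m.findtext("method-name", "").strip())
            if roles:
                perms.setdefault(key, set()).update(roles)
            else:
                empty.append(key)  # a role-less entry adds nothing to the union
    return perms, empty

def allowed_roles(perms, ejb, method):
    """Union of roles from the exact entry and the '*' wildcard entry."""
    return perms.get((ejb, method), set()) | perms.get((ejb, "*"), set())

def anonymous_reachable(perms, ejb, methods, anon_roles):
    """Methods callable by a caller holding only anon_roles."""
    return sorted(m for m in methods if allowed_roles(perms, ejb, m) & set(anon_roles))

if __name__ == "__main__":
    perms, empty = load_permissions(DESCRIPTOR)
    print("entries with no role:", empty)
    methods = ["create", "remove", "placeOrder"]  # hypothetical method names
    print("anonymous can call:", anonymous_reachable(perms, "ClientControllerEJB", methods, {"ANYONE"}))
```

If the roles query returned `trainee` for the unauthenticated identity instead of a dedicated role, the wildcard entry would expose every method to anonymous callers, so the anonymous role set is the value to review.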

            • 3. Re: Another problem with method-permission :(

              > Jesus!!!!!!!!!!!!!!!!!!!!!
              > It is TERRIBLE!!!!!!!!!!!!!!!!!!!!!!!!!
              > Who wrote this fucked
              > org.jboss.security.auth.spi.DatabaseServerLoginModule?
              > Is it really so difficult to write some description? Hey,
              > developer, have you read a specification before?
              >
              > <more ranting snipped>

              Nice one! I'm sure you'll get a lot of useful suggestions on how to solve your problems :).

              So full of yourself...