8 Replies Latest reply on Mar 14, 2003 10:00 AM by rafcio

    security problem

    rafcio

      hi,

      I only want to prevent calls to my beans from other clients that don't use any authentication. Clients should only communicate with my facade session beans, which check the permissions. I'm working with JBoss 3.0.6 and these are my configurations:

      jboss.xml:

      <jboss>
        <security-domain>java:/jaas/mmcms</security-domain>

        <enterprise-beans>
          <entity>
            <ejb-name>LanguageBean</ejb-name>
            <local-jndi-name>language/LanguageBean</local-jndi-name>
          </entity>

          <session>
            <ejb-name>LanguageFacade</ejb-name>
            <!-- <jndi-name>language/LanguageFacade</jndi-name> -->
            <local-jndi-name>language/LanguageFacade</local-jndi-name>
          </session>
        </enterprise-beans>

        <container-configurations>
          <container-configuration>
            <container-name>Standard CMP 2.x EntityBean</container-name>
            <commit-option>A</commit-option>
          </container-configuration>
        </container-configurations>
      </jboss>


      ejb-jar.xml:
      <ejb-jar>
        <enterprise-beans>
          <entity>
            <display-name>Language Entity Bean</display-name>
            <ejb-name>LanguageBean</ejb-name>
            <local-home>de.polonium.ejb.language.entitybeans.LanguageLocalHome</local-home>
            <local>de.polonium.ejb.language.entitybeans.LanguageLocal</local>
            <ejb-class>de.polonium.ejb.language.entitybeans.LanguageBean</ejb-class>
            <persistence-type>Container</persistence-type>
            <prim-key-class>java.lang.Integer</prim-key-class>
            <reentrant>False</reentrant>
            <cmp-version>2.x</cmp-version>
            <abstract-schema-name>language</abstract-schema-name>
            <cmp-field><field-name>language_id</field-name></cmp-field>
            <cmp-field><field-name>lang_short</field-name></cmp-field>
            <cmp-field><field-name>lang_long</field-name></cmp-field>
            <primkey-field>language_id</primkey-field>
            <security-identity>
              <use-caller-identity/>
            </security-identity>

            ....

          </entity>

          <session>
            <display-name>Language Facade Stateless Session Bean</display-name>
            <ejb-name>LanguageFacade</ejb-name>
            <local-home>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocalHome</local-home>
            <local>de.polonium.ejb.language.sessionbeans.LanguageFacadeLocal</local>
            <ejb-class>de.polonium.ejb.language.sessionbeans.LanguageFacade</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
            <security-identity>
              <run-as>
                <role-name>mmcms</role-name>
              </run-as>
            </security-identity>
          </session>
        </enterprise-beans>

        <assembly-descriptor>
          <security-role>
            <role-name>mmcms</role-name>
          </security-role>

          <method-permission>
            <role-name>mmcms</role-name>
            <method>
              <ejb-name>LanguageBean</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>

          <method-permission>
            <role-name>mmcms</role-name>
            <method>
              <ejb-name>LanguageFacade</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>

          <container-transaction>
            <method>
              <ejb-name>LanguageBean</ejb-name>
              <method-name>*</method-name>
            </method>
            <method>
              <ejb-name>LanguageFacade</ejb-name>
              <method-name>*</method-name>
            </method>
            <trans-attribute>Required</trans-attribute>
          </container-transaction>
        </assembly-descriptor>
      </ejb-jar>

      login-config.xml:
      <application-policy name="mmcms">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                        flag="required" />
        </authentication>
      </application-policy>

      My users.properties and roles.properties are stored in the default\conf folder. Starting JBoss works fine, but after a call to LanguageFacade I get:

      15:15:58,676 ERROR [LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Authentication exception, principal=null
        at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
        at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
        at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
        at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
        at org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invokeHome(BaseLocalContainerInvoker.java:230)
        at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
        at $Proxy54.create(Unknown Source)
      [...]

      Why? Did I forget something?


      Best Regards,
      Rafal

        • 1. Re: security problem
          rafcio

          Hi,


          I tested another configuration. In login-config.xml I defined this:


          <application-policy name="mmcms">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName">java:/DefaultDS</module-option>
                <module-option name="principalsQuery">select password from principals where principal=?</module-option>
                <module-option name="rolesQuery">select role, 'Roles' from roles where principal=?</module-option>
              </login-module>
            </authentication>
          </application-policy>


          I created the principals and roles tables in my db with data. The first query is sent by JBoss to my PostgreSQL db, but:


          LOG: query: select password from principals where principal=null


          Why is principal=null? My values for InitialContext are:


          initial.context.factory=org.jnp.interfaces.NamingContextFactory
          java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
          provider.url=http://localhost:8080
          security.principal=mmcms
          security.credentials=mmcms


          principals table has entry:
          principal=mmcms,password=mmcms


          roles table has entry:
          principal=mmcms,role=mmcms



          I have no idea.



          Best Regards,
          Rafal

          • 2. Re: security problem

            Hi rafcio,
            You need to do a client login first which establishes the caller identity with jboss.

            Do this on every call to jboss:

            // needs javax.security.auth.login.LoginContext and javax.security.auth.callback.CallbackHandler
            {
                String securityDomain = "this should be the name of the jboss client login realm in auth.conf";
                CallbackHandler callbackHandler = new MyCallbackHandler(username, password);

                LoginContext loginContext = new LoginContext(securityDomain, callbackHandler);
                loginContext.login();
                try {
                    // do your ejb calls
                } finally {
                    loginContext.logout(); // always clear the identity, even if a call throws
                }
            }


            import javax.security.auth.callback.Callback;
            import javax.security.auth.callback.CallbackHandler;
            import javax.security.auth.callback.NameCallback;
            import javax.security.auth.callback.PasswordCallback;
            import javax.security.auth.callback.UnsupportedCallbackException;

            public class MyCallbackHandler implements CallbackHandler
            {
                private String username;
                private char[] password;

                /**
                 * Constructs a callback handler.
                 */
                public MyCallbackHandler(String username, String password)
                {
                    this.username = username;
                    this.password = password.toCharArray();
                }

                /**
                 * Handles the JAAS callbacks: the login module asks for the
                 * user name and the password through these callbacks.
                 */
                public void handle(Callback[] callbacks)
                    throws UnsupportedCallbackException
                {
                    for (int i = 0; i < callbacks.length; i++) {
                        if (callbacks[i] instanceof NameCallback) {
                            ((NameCallback) callbacks[i]).setName(username);
                        } else if (callbacks[i] instanceof PasswordCallback) {
                            ((PasswordCallback) callbacks[i]).setPassword(password);
                        } else {
                            throw new UnsupportedCallbackException(callbacks[i]);
                        }
                    }
                }
            }



            I hope this helps.
            kv.

            • 3. Re: security problem

              I feel I should be a little more clear about this.
              On your client side you need to have a file with the jboss ClientLoginModule security domain configuration. I've attached one.
              You then need to tell your client where the file is, and you do that by passing -Djava.security.auth.login.config=path/to/auth.conf to the JVM as a java option.
              Your client must also have the jboss/client/*.jar in its classpath or in a lib folder that is automatically loaded.
              In the code fragment above, the securityDomain String would then be "client-login", which is the only configured domain in auth.conf.

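As an added example (not kv's code and not part of the original thread) that ties the steps above together: the auth.conf entry kv refers to, the -D launch option, and a check that the JAAS configuration actually contains the "client-login" entry before the login is attempted, so a missing or mislocated auth.conf fails on the client with a clear message instead of as "Authentication exception, principal=null" in the container. ClientLoginCheck, requireClientLoginEntry and runAsClient are names chosen here; MyCallbackHandler is the class from reply 2 and is assumed to be on the client classpath.

```java
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/*
 * Client-side auth.conf, the file named by -Djava.security.auth.login.config
 * (assumed contents; kv's attachment is not on this page):
 *
 *   client-login {
 *       org.jboss.security.ClientLoginModule required;
 *   };
 *
 * Launch with the jboss/client jars on the classpath:
 *   java -Djava.security.auth.login.config=path/to/auth.conf -cp <jboss/client/*.jar>:. ClientLoginCheck
 */
public class ClientLoginCheck
{
    static final String SECURITY_DOMAIN = "client-login";

    // Fail early and clearly when no JAAS configuration was loaded or it has no
    // "client-login" entry; otherwise the first symptom is the container's
    // "Authentication exception, principal=null" seen at the top of this thread.
    static void requireClientLoginEntry() throws LoginException
    {
        AppConfigurationEntry[] entries;
        try {
            entries = Configuration.getConfiguration().getAppConfigurationEntry(SECURITY_DOMAIN);
        } catch (SecurityException e) {
            throw new LoginException("no JAAS configuration loaded; check -Djava.security.auth.login.config: " + e);
        }
        if (entries == null || entries.length == 0) {
            throw new LoginException("auth.conf has no '" + SECURITY_DOMAIN + "' entry");
        }
    }

    // Establishes the caller identity, runs the EJB calls, and always clears it again.
    static void runAsClient(String username, String password, Runnable ejbCalls) throws LoginException
    {
        requireClientLoginEntry();
        LoginContext lc = new LoginContext(SECURITY_DOMAIN, new MyCallbackHandler(username, password));
        lc.login();      // ClientLoginModule records principal and credential for the JBoss invocation layer
        try {
            ejbCalls.run();
        } finally {
            lc.logout(); // clear the identity even when a call throws
        }
    }
}
```

Call runAsClient("mmcms", "mmcms", ...) from the client's main with the home lookup and the EJB calls inside the Runnable.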
              • 4. Re: security problem
                rafcio

                hi,

                authentication works, but now I get this exception:

                11:22:05,890 ERROR [SecurityInterceptor] No method permissions assigned to method=create, interface=LOCALHOME
                11:22:05,890 ERROR [LogInterceptor] EJBException, causedBy:
                java.lang.SecurityException: No method permissions assigned to method=create, interface=LOCALHOME
                  at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:190)
                  at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
                  at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
                  at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
                  at org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invokeHome(BaseLocalContainerInvoker.java:230)
                  at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
                  at $Proxy54.create(Unknown Source)


                Best Regards,
                Rafal

                • 5. Re: security problem
                  rafcio

                  In my first posting you can see my ejb-jar.xml definition.


                  Regards,
                  Rafal

                  • 6. Re: security problem

                    Hi Rafal,
                    Just take a look at the topic directly above this one in the list: "No method permissions assigned to method=create" and I think that should help.
                    kv.

                    • 7. Re: security problem
                      rafcio

                      hi,

                      This is now working. I posted this to you in the other posting.


                      Regards,
                      Rafal

                      • 8. Re: security problem
                        rafcio

                        hi,

                        This code is working when my client runs in the same JVM as my JBoss container. What do I have to do when the client is running in its own JVM?


                        Regards,
                        Rafal