4 Replies Latest reply on Jul 31, 2003 5:31 PM by pkrishna

    JAAS Authorization

    pkrishna

      I am getting the following exception when I call create on an ejb:

      16:23:44,163 ERROR [SecurityInterceptor] Insufficient method permissions, principal=Eric, method=create, interface=HOME, requiredRoles=[], principalRoles=null
      16:23:44,174 ERROR [LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=Eric, method=create, interface=HOME, requiredRoles=[], principalRoles=null
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:228)

      I have configured the login-config.xml, ejb-jar.xml, jboss.xml as suggested in the documentation.

      Could somebody help me out with this problem?

        • 1. Re: JAAS Authorization
          jarikr

          Hi,

          apparently you haven't assigned any role to your principal "Eric"? E.g. when you are using the UsersRolesLoginModule, did you define a roles.properties besides the users.properties? Or did you use the unauthenticatedprincipal tag?

          • 2. Re: JAAS Authorization
            pkrishna

            Hello:

            I appreciate you responding to my query. Let me give you a little more detail. I am using a custom login module called DatabaseRoleLoginModule which is supposed to query the database and map the role to the user. Here is the snippet of the entries:

            <application-policy name = "OciSRP">
              <authentication>
                <login-module code = "org.jboss.security.srp.jaas.SRPCacheLoginModule"
                              flag = "required">
                  <module-option name = "cacheJndiName">srp/AuthenticationCache</module-option>
                </login-module>
                <login-module code = "com.ociweb.jmx.jaas.srp.DatabaseRoleLoginModule"
                              flag = "required">
                  <module-option name = "dsJndiName">java:/security</module-option>
                  <module-option name = "rolesQuery">"SELECT Roles.name, 'Roles' FROM Roles,GroupRoles,Groups,UserGroups,Users WHERE Roles.id=GroupRoles.roleID AND GroupRoles.groupID=Groups.id AND UserGroups.groupID=Groups.ID AND UserGroups.userID=Users.id AND Users.username=?"</module-option>
                  <module-option name="password-stacking">useFirstPass</module-option>
                </login-module>
              </authentication>
            </application-policy>

            Here is the snippet of the ejb-jar.xml:

            <method-permission>
              <unchecked/>
              <method>
                <ejb-name>CatalogMgrBean</ejb-name>
                <method-name>create</method-name>
              </method>
              <method>
                <ejb-name>UserMgrBean</ejb-name>
                <method-name>create</method-name>
              </method>
            </method-permission>

            The jboss.xml contains an entry:

            <security-domain>java:/jaas/OciSRP</security-domain>

            The client application calls the create method of the CatalogMgr and that's when the exception is thrown. Since the permission for this method is unchecked, anybody should be able to call the create method.

            I also put some print statements in the custom login module. There is a method called getRoleSets. This method does not get called.

            Does this information help?

            • 3. Re: JAAS Authorization
              jarikr

              Hi again,

              Well, the exception that has been thrown shows that the principal role is null - it should just be empty, like principalRoles=[]. I don't know - maybe there is a problem in your LoginModule. Have you tried the UsersRolesLoginModule?

              • 4. Re: JAAS Authorization
                pkrishna

                Yes, I tried UsersRolesLoginModule and it seems to work on two different examples I tried. Since I had downloaded this login module, I am not sure if it has been properly implemented. Based on the documentation, this was supposed to work on JBoss 2.x. What I was trying was to port it to JBoss 3.x and I ran into these problems.
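
The distinction reply 3 draws between principalRoles=null and principalRoles=[] can be checked mechanically over a server log. The following is an added example, not part of the thread or of JBoss: the sample lines are constructed in the format of the quoted SecurityInterceptor error, and the hint wording is an assumption about where to look next.

```python
import re

# Constructed sample lines in the format of the SecurityInterceptor error quoted
# in the thread; only the first mirrors the asker's actual failure.
SAMPLE_LOG = """\
16:23:44,163 ERROR [SecurityInterceptor] Insufficient method permissions, principal=Eric, method=create, interface=HOME, requiredRoles=[], principalRoles=null
16:25:01,002 ERROR [SecurityInterceptor] Insufficient method permissions, principal=Ann, method=remove, interface=REMOTE, requiredRoles=[Admin], principalRoles=[Guest, User]
16:25:09,410 INFO  [Server] unrelated line
"""

DENIAL = re.compile(
    r"Insufficient method permissions, principal=(?P<principal>[^,]*), "
    r"method=(?P<method>[^,]*), interface=(?P<interface>[^,]*), "
    r"requiredRoles=(?P<required>\[.*?\]|null), "
    r"principalRoles=(?P<held>\[.*?\]|null)")

def parse_roles(text):
    """'null' -> None, '[]' -> empty set, '[A, B]' -> {'A', 'B'}."""
    if text == "null":
        return None
    inner = text[1:-1].strip()
    return {r.strip() for r in inner.split(",")} if inner else set()

def triage(line):
    """Return a dict describing one denial, or None for any other line."""
    m = DENIAL.search(line)
    if m is None:
        return None
    required, held = parse_roles(m["required"]), parse_roles(m["held"])
    hints = []
    if held is None:
        # Reply 3's point: null is not the same as an empty role list.
        hints.append("principalRoles is null: no role set reached the container; inspect the login module")
    elif required and not (required & held):
        hints.append("principal holds none of: " + ", ".join(sorted(required)))
    if not required:
        # Hypothetical hint text: an empty required set on a denied call is worth a descriptor check.
        hints.append("requiredRoles is empty: compare with method-permission in ejb-jar.xml")
    return {"principal": m["principal"], "method": m["method"],
            "interface": m["interface"], "required": required,
            "held": held, "hints": hints}

def triage_log(text):
    """Triage every denial line in a log excerpt, skipping unrelated lines."""
    return [r for r in map(triage, text.splitlines()) if r is not None]

if __name__ == "__main__":
    for r in triage_log(SAMPLE_LOG):
        print(r["principal"], r["method"], r["interface"], *r["hints"], sep=" | ")
```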