10 Replies Latest reply on Nov 2, 2004 9:23 AM by p_nevilleuk

    Does security work on jboss 4?

    p_nevilleuk

      Hi,
      Thought I would ask this as I have spent a day trying various configurations with little joy.
      I am simply trying to use basic authentication (configured in web.xml) and then use a policy for UsersRolesLoginModule. I have set up some security on the EJB that the servlet is calling and get mixed results:

      The authentication is working from the servlet (i.e. login takes place and the EJB is aware of the role and principal (sometimes)).

      If I add permission to call the EJB's create method alone then I get the exception = Insufficient method permissions, principal=externaluser, method=processMsg, interface=LOCAL, requiredRoles=[], principalRoles=[external]
      So if required roles is empty, what is the problem?

      If I add permission to both the create and business method (processMsg) for the same role I get:
      CreateException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, interface=LOCALHOME, requiredRoles=[], principalRoles=[external]
      Strange as previously create was happy.

      If I add permission to the create and business method under different roles (but not giving the user this new role) I get:
      Insufficient method permissions, principal=externaluser, method=processMsg, interface=LOCAL, requiredRoles=[external1], principalRoles=[external]
      This sounds promising as it looks like I just need to add this role to the user.

      If I add the role 'external1' to the user I get:
      Insufficient method permissions, principal=null, method=create, interface=LOCALHOME, requiredRoles=[], principalRoles=[external]
      Again strange as previously create was working!

      Help much appreciated...

        • 1. Re: Does security work on jboss 4?
          p_nevilleuk

          BTW: The same project works in 3.2.5, so I would love to hear from anyone with similar experience.

          • 2. Re: Does security work on jboss 4?
            p_nevilleuk

            Is this related to http://sourceforge.net/tracker/index.php?func=detail&aid=1040200&group_id=22866&atid=376685 and will I therefore have to wait until 4.0.1 is released?

            • 3. Re: Does security work on jboss 4?
              p_nevilleuk

              Making a little more progress...

              If I add :
              <module-option name="unauthenticatedIdentity">nobody</module-option>
              then it works. I can now update permissions in the ejb-jar.xml and access is allowed/denied accordingly.
              However, I don't know why it works as in this case all permissions (ejb-jar.xml) require a specific role and therefore nobody should not be relevant.

              I've had enough talking to myself for today, anyone else got any views on this!!!?

              • 4. Re: Does security work on jboss 4?
                p_nevilleuk


                "p_nevilleuk" wrote:
                BTW: The same project works in 3.2.5, so I would love to hear from anyone with similar experience.


                This is not quite true. It only works in both 4.0.0 and 3.2.5 if unauthenticatedIdentity is set.

                • 5. Re: Does security work on jboss 4?
                  starksm64

                  A need to set unauthenticatedIdentity means that there is no caller identity. It could be related to the referenced bug but you have not provided enough context to say for certain.

                  • 6. Re: Does security work on jboss 4?
                    p_nevilleuk

                    This morning I have created a very simple test ear and it works without the unauthenticatedIdentity.

                    I have re-examined my actual code and I now can only get it to fail when I try to create an MDB without specifying a role to run under or by not adding the unauthenticatedIdentity.
                    I was expecting to not have to specify a role in security-identity for this bean as I had method-permission set to unchecked.

                    Can anyone confirm whether this is the expected behaviour for MDBs please?

                    • 7. Re: Does security work on jboss 4?
                      p_nevilleuk

                      EJB 2.1 spec:

                      The Application Assembler can indicate that some methods should not be checked for authorization
                      prior to invocation by the container. The Application Assembler uses the unchecked element instead
                      of a role name in the method-permission element to indicate that a method should not be checked
                      for authorization.


                      Does this indicate that there is a bug for security on MDBs?

                      • 8. Re: Does security work on jboss 4?
                        starksm64

                        Create a bug report on sourceforge with the test case you're talking about. Authorization is distinct from authentication so a secured MDB needs to be run under an unauthenticatedIdentity since there is no standard way for the JMS invocation to establish the security context of the MDB onMessage.

                        http://sourceforge.net/tracker/?group_id=22866&atid=376685

                        • 9. Re: Does security work on jboss 4?
                          jgoyvaer

                          Hi,

                          I've got the same role/principal problem with the Duke's Bank example on JBoss 4.0.0, using MySQL. Even after adding the "unauthenticatedIdentity" option. On HyperSQL, after adding it, it runs just fine.

                          Deploying the same application against MySQL causes, in some cases, the exception below.

                          Is this a known issue?

                          Thanks !

                          EJBException:; nested exception is: javax.ejb.EJBException: executeTx: checkSecurityAssociation; CausedByException is: Insufficient method permissions, principal=200, method=create, interface=LOCALHOME, requiredRoles=[], principalRoles=[bankCustomer]

                          • 10. Re: Security does work on jboss 4.
                            p_nevilleuk


                            "scott.stark@jboss.org" wrote:
                            Create a bug report on sourceforge with the test case you're talking about. Authorization is distinct from authentication so a secured MDB needs to be run under an unauthenticatedIdentity since there is no standard way for the JMS invocation to establish the security context of the MDB onMessage.

                            http://sourceforge.net/tracker/?group_id=22866&atid=376685


                            I assembled an ear to submit this as a bug, but on doing so, created a small demo that actually proves it does work. The problem I was finding was that the MDB went on to use other EJBs, and without it having a role or unauthenticatedIdentity it was not the creation of the MDB that failed, but the creation of the EJBs that the MDB was trying to create. These EJBs did have security permissions set.

                            I guess what makes things a little confusing is the length of the stack trace and the sometimes misleading error message on roles etc.
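For reference, below is a deployment-descriptor arrangement that avoids the principal=null failure the thread ends on, covering both the unauthenticatedIdentity workaround from reply 3 and the MDB-calls-secured-EJB explanation from reply 10. This is an added example, not configuration from p_nevilleuk's project, the Duke's Bank example or the JBoss distribution; the bean names (InboundMDB, MsgProcessor), the package example, the queue name, the security-domain name external-domain, the principal mdb-runner and the role name external are assumed. The point it shows: an MDB's onMessage has no caller principal, so a run-as role on the MDB is what gives its calls to the secured session bean a principal and roles; unauthenticatedIdentity is the alternative the thread used, but it applies to every unauthenticated caller into that security domain, not just the one MDB.

```xml
<!-- META-INF/ejb-jar.xml (fragment, EJB 2.1). Names are assumed for illustration. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd"
         version="2.1">
  <enterprise-beans>
    <session>
      <ejb-name>MsgProcessor</ejb-name>
      <local-home>example.MsgProcessorLocalHome</local-home>
      <local>example.MsgProcessorLocal</local>
      <ejb-class>example.MsgProcessorBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
    <message-driven>
      <ejb-name>InboundMDB</ejb-name>
      <ejb-class>example.InboundMDBBean</ejb-class>
      <messaging-type>javax.jms.MessageListener</messaging-type>
      <transaction-type>Container</transaction-type>
      <message-destination-type>javax.jms.Queue</message-destination-type>
      <!-- onMessage arrives with no caller identity. run-as gives the MDB's
           outbound calls (MsgProcessor create/processMsg) the "external" role,
           so the container's method-permission check has something to match. -->
      <security-identity>
        <run-as>
          <role-name>external</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>external</role-name>
    </security-role>
    <!-- Nobody "calls" the MDB, so its own methods stay unchecked. -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>InboundMDB</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <!-- Grant the role on every method of the session bean, home included:
         the thread's failures were on create (LOCALHOME), which runs before
         processMsg and is checked separately. -->
    <method-permission>
      <role-name>external</role-name>
      <method>
        <ejb-name>MsgProcessor</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- META-INF/jboss.xml (fragment): bind the beans to the JAAS domain and give
     the run-as role a concrete principal name so the log no longer shows
     principal=null. -->
<jboss>
  <security-domain>java:/jaas/external-domain</security-domain>
  <enterprise-beans>
    <message-driven>
      <ejb-name>InboundMDB</ejb-name>
      <destination-jndi-name>queue/inbound</destination-jndi-name>
      <security-identity>
        <run-as-principal>mdb-runner</run-as-principal>
      </security-identity>
    </message-driven>
  </enterprise-beans>
</jboss>

<!-- conf/login-config.xml (fragment). The two properties files are classpath
     resources of the form "user=password" and "user=role1,role2", e.g.
     external-users.properties: externaluser=secret
     external-roles.properties: externaluser=external -->
<application-policy name="external-domain">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">external-users.properties</module-option>
      <module-option name="rolesProperties">external-roles.properties</module-option>
      <!-- Alternative used in the thread: map every unauthenticated caller in this
           domain to the principal "nobody". For the MDB's calls to pass, "nobody"
           would then also need the role in external-roles.properties
           (nobody=external). Left commented out because run-as above already
           covers the MDB without widening access for other unauthenticated callers. -->
      <!-- <module-option name="unauthenticatedIdentity">nobody</module-option> -->
    </login-module>
  </authentication>
</application-policy>
```

With run-as in place, the servlet path is unchanged: the BASIC-authenticated user externaluser carries the external role from the roles file, while the JMS path gets the same role from the MDB's run-as. Before reaching for unauthenticatedIdentity, check whether the failing create is on a bean the MDB calls rather than on the MDB itself, as reply 10 describes; the requiredRoles=[] in the message is reported for the caller, not the method, and is easy to misread.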