-
1. Re: Does security work on jboss 4?
p_nevilleuk Oct 27, 2004 11:48 AM (in response to p_nevilleuk)
BTW: The same project works in 3.2.5, so I would love to hear from anyone with similar experience.
-
2. Re: Does security work on jboss 4?
p_nevilleuk Oct 28, 2004 9:22 AM (in response to p_nevilleuk)
Is this related to http://sourceforge.net/tracker/index.php?func=detail&aid=1040200&group_id=22866&atid=376685 and will I therefore have to wait until 4.0.1 is released?
-
3. Re: Does security work on jboss 4?
p_nevilleuk Oct 28, 2004 10:20 AM (in response to p_nevilleuk)
Making a little more progress...
If I add :
<module-option name="unauthenticatedIdentity">nobody</module-option>
then it works. I can now update permissions in the ejb-jar.xml and access is allowed/denied accordingly.
However, I don't know why it works as in this case all permissions (ejb-jar.xml) require a specific role and therefore nobody should not be relevant.
I've had enough talking to myself for today, anyone else got any views on this!!!?
-
4. Re: Does security work on jboss 4?
p_nevilleuk Oct 28, 2004 10:46 AM (in response to p_nevilleuk)
"p_nevilleuk" wrote:
BTW: The same project works in 3.2.5, so I would love to hear from anyone with similar experience.
This is not quite true. It only works in both 4.0.0 and 3.2.5 if unauthenticatedIdentity is set.
-
5. Re: Does security work on jboss 4?
starksm64 Oct 28, 2004 3:13 PM (in response to p_nevilleuk)
A need to set unauthenticatedIdentity means that there is no caller identity. It could be related to the referenced bug but you have not provided enough context to say for certain.
-
6. Re: Does security work on jboss 4?
p_nevilleuk Oct 29, 2004 6:52 AM (in response to p_nevilleuk)
This morning I have created a very simple test ear and it works without the unauthenticatedIdentity.
I have re-examined my actual code and I now can only get it to fail when I try to create a MDB without specifying a role to run under or by not adding the unauthenticatedIdentity.
I was expecting to not have to specify a role in security-identity for this bean as I had method-permission set to unchecked.
Can anyone confirm whether this is the expected behaviour for MDB's please?
-
7. Re: Does security work on jboss 4?
p_nevilleuk Oct 29, 2004 7:04 AM (in response to p_nevilleuk)
EJB 2.1 spec:
The Application Assembler can indicate that some methods should not be checked for authorization
prior to invocation by the container. The Application Assembler uses the unchecked element instead
of a role name in the method-permission element to indicate that a method should not be checked
for authorization.
Does this indicate that there is a bug for security on MDB's?
-
8. Re: Does security work on jboss 4?
starksm64 Oct 29, 2004 10:44 AM (in response to p_nevilleuk)
Create a bug report on sourceforge with the testcase you're talking about. Authorization is distinct from authentication so a secured mdb needs to be run under an unauthenticatedIdentity since there is no standard way for the jms invocation to establish the security context of the mdb onMessage.
http://sourceforge.net/tracker/?group_id=22866&atid=376685
-
9. Re: Does security work on jboss 4?
jgoyvaer Nov 2, 2004 5:14 AM (in response to p_nevilleuk)
Hi,
I've got the same role/principal problem with the dukes bank example on jBoss 4.0.0, using mySQL. Even after adding the "unauthenticatedIdentity" option. On HyperSQL after adding it, it runs just fine.
Deploying the same application to mySQL causes in some cases the exception underneath.
Is this a known issue?
Thanks!
EJBException:; nested exception is: javax.ejb.EJBException: executeTx: checkSecurityAssociation; CausedByException is: Insufficient method permissions, principal=200, method=create, interface=LOCALHOME, requiredRoles=[], principalRoles=[bankCustomer]
-
10. Re: Security does work on jboss 4.
p_nevilleuk Nov 2, 2004 9:23 AM (in response to p_nevilleuk)
"scott.stark@jboss.org" wrote:
Create a bug report on sourceforge with the testcase you're talking about. Authorization is distinct from authentication so a secured mdb needs to be run under an unauthenticatedIdentity since there is no standard way for the jms invocation to establish the security context of the mdb onMessage.
http://sourceforge.net/tracker/?group_id=22866&atid=376685
I assembled an ear to submit this as a bug, but on doing so, created a small demo that actually proves it does work. The problem I was finding was that the MDB went on to use other EJB's and without it having a role or unauthenticatedIdentity it was not the creation of the MDB that failed, but the creation of EJB's that the MDB was trying to create. These EJB's did have security permissions set.
I guess what makes things a little confusing is the length of the stack trace and the sometimes misleading error message on roles etc.
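
What the last post describes, written out as an added ejb-jar.xml example (not taken from the thread or from JBoss; the bean, class and role names are hypothetical): the MDB declares a run-as role, one of the two options the thread mentions, so that the secured EJB it calls finds a caller with the required role.

```xml
<!-- ejb-jar.xml (EJB 2.1). Constructed example: all bean, class and role names are hypothetical. -->
<ejb-jar xmlns="http://java.sun.com/xml/ns/j2ee" version="2.1">
  <enterprise-beans>
    <message-driven>
      <ejb-name>OrderListenerMDB</ejb-name>
      <ejb-class>example.OrderListenerBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <ejb-local-ref>
        <ejb-ref-name>ejb/OrderService</ejb-ref-name>
        <ejb-ref-type>Session</ejb-ref-type>
        <local-home>example.OrderServiceLocalHome</local-home>
        <local>example.OrderServiceLocal</local>
        <ejb-link>OrderService</ejb-link>
      </ejb-local-ref>
      <!-- JMS delivery gives onMessage no caller identity, so the MDB names
           the role it presents when it goes on to call other EJBs. -->
      <security-identity>
        <run-as>
          <role-name>OrderProcessor</role-name>
        </run-as>
      </security-identity>
    </message-driven>
    <session>
      <ejb-name>OrderService</ejb-name>
      <local-home>example.OrderServiceLocalHome</local-home>
      <local>example.OrderServiceLocal</local>
      <ejb-class>example.OrderServiceBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>OrderProcessor</role-name>
    </security-role>
    <!-- This is the check that fails when the MDB has neither a run-as role nor an
         unauthenticatedIdentity: create() on OrderService, not creation of the MDB. -->
    <method-permission>
      <role-name>OrderProcessor</role-name>
      <method>
        <ejb-name>OrderService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```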