8 Replies Latest reply on Nov 6, 2004 11:20 AM by starksm64

    Problem with roles: principalRoles=null

    robbutera

      Have been attempting to solve this problem for two days with absolutely no success; would greatly appreciate some advice.

      Am trying to access a session bean using BASIC auth and the UsersRoles login module under JBoss 4.0.0. Everything appears to work fine, except that intermittently the following exception is thrown:


      java.lang.SecurityException: Insufficient method permissions, principal=cam, method=create, interface=HOME, requiredRoles=[Administrator, User], principalRoles=null
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:219)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:96)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:613)
      at org.jboss.ejb.Container.invoke(Container.java:876)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
      at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155)
      at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104)
      at org.jboss.invocation.MarshallingInvokerInterceptor.invoke(MarshallingInvokerInterceptor.java:55)
      at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
      at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55)
      at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:169)
      at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86)
      at $Proxy93.create(Unknown Source)
      at au.edu.vut.esubmit.webcontainer.web.subject.SubjectListingAction.execute(SubjectListingAction.java:36)
      at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
      at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
      at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
      at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:75)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:66)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:169)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
      at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
      at java.lang.Thread.run(Thread.java:536)


      The exception is thrown just after authorisation, and then everything is generally fine for the rest of the session. I attempted the same under JBoss 4.0.1RC1, which only succeeded in turning the intermittent problem into a permanent one: the exception is thrown on every request.

      I have included some excerpts from the relevant files below. Any advice would be greatly appreciated. I have looked through the forum; however, a more common problem appears to be the "principal=null" one, and I am not sure if this is related.

      ejb-jar.xml
      --------------

      <session>
      <description><![CDATA[Facade for Subject entity]]></description>
      <display-name>SubjectFacade</display-name>
      <ejb-name>SubjectFacade</ejb-name>
      <home>au.edu.vut.esubmit.common.interfaces.domain.SubjectFacadeHome</home>
      <remote>au.edu.vut.esubmit.common.interfaces.domain.SubjectFacade</remote>
      <ejb-class>au.edu.vut.esubmit.ejbcontainer.services.domain.ejb.SubjectFacadeSession</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <ejb-local-ref>
      <ejb-ref-name>ejb/SubjectLocal</ejb-ref-name>
      <ejb-ref-type>Entity</ejb-ref-type>
      <local-home>au.edu.vut.esubmit.ejbcontainer.domain.interfaces.SubjectLocalHome</local-home>
      <local>au.edu.vut.esubmit.ejbcontainer.domain.interfaces.SubjectLocal</local>
      <ejb-link>Subject</ejb-link>
      </ejb-local-ref>
      <ejb-local-ref>
      <ejb-ref-name>ejb/UserLocal</ejb-ref-name>
      <ejb-ref-type>Entity</ejb-ref-type>
      <local-home>au.edu.vut.esubmit.ejbcontainer.domain.interfaces.UserLocalHome</local-home>
      <local>au.edu.vut.esubmit.ejbcontainer.domain.interfaces.UserLocal</local>
      <ejb-link>User</ejb-link>
      </ejb-local-ref>

      <security-role-ref>
      <role-name>Administrator</role-name>
      <role-link>Administrator</role-link>
      </security-role-ref>
      <security-role-ref>
      <role-name>User</role-name>
      <role-link>User</role-link>
      </security-role-ref>
      </session>



        • 1. Re: authentication from transport layer (TLS, SSL)?
          starksm64

          Only Tomcat has a proper notion of authentication based on the SSL certificate, since it is required by the servlet spec. You can do something similar for the EJB invokers, but you have to use a custom socket factory to get access to the SSL cert info. The authentication happens at the SSL level, and JBoss is not involved with this, but if you want to use the client cert as credentials for authentication at the EJB container level then this has to be extracted from the transport layer and propagated to the container with the call invocation payload.

          • 2. Re: Problem with roles: principalRoles=null
            robbutera

            Apologies, here is the rest of the post:

            ejb-jar (cont)
            ----------------
            <assembly-descriptor>
            <!--
            To add additional assembly descriptor info here, add a file to your
            XDoclet merge directory called assembly-descriptor.xml that contains
            the <assembly-descriptor></assembly-descriptor> markup.
            -->
            <security-role>
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>User</role-name>
            </security-role>
            <security-role>
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>Administrator</role-name>
            </security-role>

            <method-permission>
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <role-name>Administrator</role-name>
            <role-name>User</role-name>
            <method>
            <description><![CDATA[description not supported yet by ejbdoclet]]></description>
            <ejb-name>SubjectFacade</ejb-name>
            <method-name>*</method-name>
            </method>
            </method-permission>

            ...


            web.xml
            ----------
            <security-constraint>
            <web-resource-collection>
            <web-resource-name>action</web-resource-name>
            <description>Restricted area</description>
            <url-pattern>/pages/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            </web-resource-collection>

            <auth-constraint>
            <role-name>Administrator</role-name>
            <role-name>User</role-name>
            </auth-constraint>

            <user-data-constraint>
            <description>no description</description>
            <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>

            </security-constraint>

            <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>esubmit</realm-name>
            <!--form-login-config>
            <form-login-page>/login.do</form-login-page>
            <form-error-page>/logoff.do</form-error-page>
            </form-login-config-->
            </login-config>

            <security-role>
            <description>Admin user</description>
            <role-name>Administrator</role-name>
            </security-role>

            <security-role>
            <description>Regular user</description>
            <role-name>User</role-name>
            </security-role>

            jboss.xml
            -----------

            <security-domain>java:/jaas/esubmit</security-domain>

            <enterprise-beans>

            <session>
            <ejb-name>SubjectFacade</ejb-name>
            <jndi-name>ejb/SubjectFacade</jndi-name>

            <method-attributes>
            </method-attributes>
            </session>

            ...

            login-config.xml
            -------------------
            <application-policy name="esubmit">
            <authentication>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required">
            </login-module>
            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="unauthenticatedIdentity">nobody</module-option>
            </login-module>
            </authentication>
            </application-policy>


            • 3. Re: Problem with roles: principalRoles=null
              starksm64

              principal=cam has no roles assigned. The roles.properties file must not contain any mappings for this principal. To be sure of which properties file is being picked up, you should define properties files unique to the login configuration, as shown here:

               <application-policy name = "esubmit">
               <authentication>
               <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
               flag = "required">
               <module-option name="usersProperties">esubmit-users.properties</module-option>
               <module-option name="rolesProperties">esubmit-roles.properties</module-option>
               </login-module>
               </authentication>
               </application-policy>
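The diagnosis above (a principal that authenticates but has no entry in roles.properties, so the container sees principalRoles=null) can be checked offline before deploying. The following script is an added example, not code from the thread or from JBoss: it parses the two property files the UsersRolesLoginModule reads (users.properties as user=password, roles.properties as user=role1,role2) and replays the SecurityInterceptor's decision for a given principal and set of required roles. The file contents are constructed samples that reproduce the symptom reported for user cam.

```python
# Added example: consistency check for UsersRolesLoginModule property files.
# users.properties maps "user=password"; roles.properties maps
# "user=role1,role2" (entries of the form "user.Group=..." name other
# principal groups and are not what the EJB container authorises against).

# Constructed sample of esubmit-users.properties
USERS_PROPERTIES = """\
# users who may authenticate
cam=secret
admin=changeit
"""

# Constructed sample of esubmit-roles.properties: 'cam' is deliberately absent
ROLES_PROPERTIES = """\
admin=Administrator,User
"""


def parse_properties(text):
    """Parse the subset of java.util.Properties syntax used by the login module:
    one key=value per line, '#' or '!' comments, surrounding whitespace ignored.
    (Line continuations and ':' separators are not handled.)"""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, value = line, ""  # a bare key is legal and means an empty value
        props[key.strip()] = value.strip()
    return props


def roles_for(roles_props, principal):
    """Roles in the default 'Roles' group for a principal, as a set."""
    entry = roles_props.get(principal, "")
    return {r.strip() for r in entry.split(",") if r.strip()}


def check_method_permission(users_text, roles_text, principal, required_roles):
    """Replay the container's check: the caller needs at least one required role.
    Returns (allowed, diagnosis)."""
    users = parse_properties(users_text)
    roles = parse_properties(roles_text)
    if principal not in users:
        return False, "principal %r is not in users.properties; login would fail" % principal
    granted = roles_for(roles, principal)
    if not granted:
        return False, ("principal %r authenticates but has no roles.properties entry "
                       "(principalRoles=null)" % principal)
    if granted.isdisjoint(required_roles):
        return False, "principal %r has roles %s, none of the required %s" % (
            principal, sorted(granted), sorted(required_roles))
    return True, "ok: %r holds %s" % (principal, sorted(granted & set(required_roles)))


def orphaned_users(users_text, roles_text):
    """Users who can log in but would be assigned an empty role set."""
    users = parse_properties(users_text)
    roles = parse_properties(roles_text)
    return sorted(u for u in users if not roles_for(roles, u))


if __name__ == "__main__":
    required = ["Administrator", "User"]  # requiredRoles from the thread's exception
    for who in ("cam", "admin"):
        print(who, check_method_permission(USERS_PROPERTIES, ROLES_PROPERTIES, who, required))
    print("users without any role:", orphaned_users(USERS_PROPERTIES, ROLES_PROPERTIES))
```

Running it against real files (read them in place of the constructed strings) lists every user who would authenticate successfully and still fail every method-permission check, which is the state the exception in this thread reports.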
              



              • 4. Problem solved
                robbutera

                Thanks for your reply Scott.

                Had tried to explicitly specify the user and roles file in the application policy; however, it didn't make a difference.

                The problem ended up being the ClientLoginModule that was included in my application policy. i.e.

                Before:

                <application-policy name="esubmit">
                <authentication>
                <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                </login-module>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">nobody</module-option>
                <module-option name="usersProperties">users.properties</module-option>
                <module-option name="rolesProperties">roles.properties</module-option>
                </login-module>
                </authentication>
                </application-policy>

                After:

                <application-policy name="esubmit">
                <authentication>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="unauthenticatedIdentity">nobody</module-option>
                <module-option name="usersProperties">users.properties</module-option>
                <module-option name="rolesProperties">roles.properties</module-option>
                </login-module>
                </authentication>
                </application-policy>

                This rectified the problem in both JBoss 4.0 and JBoss 4.0.1RC1.

                • 5. Re: Problem with roles: principalRoles=null
                  time4tea

                  Hmm.. this seems very similar to the problem I'm seeing.

                  Does it work sometimes and not others?

                  If you add:

                  <category name="org.jboss.security">
                  <priority value="TRACE" />
                  </category>

                  <category name="org.jboss.security">
                  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
                  </category>

                  to your log4j.xml, can you see that initially there IS in fact a bunch of roles?



                  • 6. Re: Problem with roles: principalRoles=null
                    robbutera

                    On JBoss 4.0.0 it was occurring sporadically, however in JBoss 4.0.1R1 it was occurring on every request.

                    Yes, if I revert my configuration and change the logging settings, I can see the roles just before the exception is thrown:

                    2004-11-12 00:12:57,510 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'cam' authenticated, loginOk=true
                    2004-11-12 00:12:57,510 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
                    2004-11-12 00:12:57,510 TRACE [org.jboss.security.plugins.JaasSecurityManager.esubmit] updateCache, subject=Subject:
                     Principal: cam
                     Principal: Roles(members:Administrator)
                    
                    2004-11-12 00:12:57,520 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] logout
                    2004-11-12 00:12:57,520 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=cam, method=create, interface=HOME, requiredRoles=[Administrator, User], principalRoles=null
                    


                    Am still not sure however, why this occurs when the ClientLoginModule is included in the application policy and why it disappears when it is removed.

                    • 7. Re: Problem with roles: principalRoles=null
                      fnowak

                      Hello Scott, hello robbutera,

                      I experience the same problem. I try to use a protected method in an EJB, but it seems the roles are not set properly.

                      Here is the stack trace ...

                      
                      14:01:36,254 INFO [STDOUT] fnowak
                      14:01:36,254 INFO [STDOUT] ROLES(members:moderator,administrator,user)
                      
                      14:01:36,264 ERROR [SecurityInterceptor] Insufficient method permissions, principal=fnowak, method=deleteNews, interface=LOCAL, requiredRoles=[administrator, root, server, moderator], principalRoles=null
                      14:01:36,264 ERROR [LogInterceptor] EJBException in method: public abstract void com.holomind.ejb.communication.CommunicationAgentLocal.deleteNews(com.holomind.ejb.communication.CommunicationNewsData) throws com.holomind.ejb.communication.CommunicationException, causedBy:
                      java.lang.SecurityException: Insufficient method permissions, principal=fnowak, method=deleteNews, interface=LOCAL, requiredRoles=[administrator, root, server, moderator], principalRoles=null
                       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:219)
                       at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:118)
                       at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
                       at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
                       at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624)
                       at org.jboss.ejb.Container.invoke(Container.java:854)
                       at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:413)
                       at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:82)
                       at $Proxy134.deleteNews(Unknown Source)
                       at com.holomind.cocoon.communication.acting.DeleteNewsAction.act(DeleteNewsAction.java:62)
                       ...
                      
                      


                      I use the JAAS API to log in to JBoss 4.0.0.
                      I set up the servlet filter shown in the tutorial on JAAS.
                      So I keep the login context in a session attribute and print its content just before using the protected method (see above).

                      Here is the login configuration I use (I do not use an unauthenticatedIdentity):

                       <application-policy name="other">
                       <authentication>
                       <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                       </login-module>
                       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                       <module-option name="managedConnectionFactoryName">jboss.jca.service=LocalTxCM,name=MySqlDS</module-option>
                       <module-option name="dsJndiName">java:/MySqlDS</module-option>
                       <module-option name="principalsQuery">
                       <!-- skipped for brevity -->
                       </module-option>
                       <module-option name="rolesQuery">
                       <!-- skipped for brevity -->
                       </module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      


                      An


                      • 8. Re: Problem with roles: principalRoles=null
                        darknight

                        Try to put the ClientLoginModule as the last module in your config file.
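Three configuration points recur across this thread: the ClientLoginModule appearing ahead of the server-side login module (resolved in reply 4 by removing it, and in reply 8 by ordering it last), property files not named explicitly per security domain (reply 3), and the unauthenticatedIdentity option that hands a fixed principal to callers without credentials. The script below is an added example, not code from the thread or from JBoss: it parses a login-config.xml with the standard library and reports each of those conditions per application-policy. Both documents it checks are constructed, modelled on the "Before" and "After" policies in reply 4, with the `<policy>` root and `<authentication>` wrapper that the real file format requires; the finding texts are the script's own.

```python
# Added example: lint a JBoss login-config.xml for the ordering and
# option issues discussed in the thread. Uses only the standard library.
import xml.etree.ElementTree as ET

CLIENT_LOGIN_MODULE = "org.jboss.security.ClientLoginModule"
USERS_ROLES_MODULE = "org.jboss.security.auth.spi.UsersRolesLoginModule"

# Constructed document modelled on the thread's "Before" policy, plus a
# deliberately malformed second policy for the lint to catch.
BEFORE_LOGIN_CONFIG = """\
<policy>
  <application-policy name="esubmit">
    <authentication>
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      </login-module>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">nobody</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="broken">
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
  </application-policy>
</policy>
"""

# Constructed counterpart following the thread's resolution and the advice
# to name the property files per domain (file names are assumed).
AFTER_LOGIN_CONFIG = """\
<policy>
  <application-policy name="esubmit">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="usersProperties">esubmit-users.properties</module-option>
        <module-option name="rolesProperties">esubmit-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
"""


def lint_login_config(xml_text):
    """Return a list of (policy_name, finding) for every issue detected."""
    findings = []
    root = ET.fromstring(xml_text)
    for policy in root.iter("application-policy"):
        name = policy.get("name", "?")
        auth = policy.find("authentication")
        if auth is None:
            findings.append((name, "login-module entries must sit inside an <authentication> element"))
            continue
        modules = auth.findall("login-module")
        codes = [m.get("code", "").strip() for m in modules]
        if not codes:
            findings.append((name, "no login-module configured"))
        # ClientLoginModule only propagates the caller identity; it does not
        # authenticate. If kept in a server-side domain at all, the thread's
        # outcome is to order it after the authenticating module.
        if CLIENT_LOGIN_MODULE in codes and codes[-1] != CLIENT_LOGIN_MODULE:
            findings.append((name, "ClientLoginModule precedes %s; move it last or remove it" % codes[-1]))
        for code, module in zip(codes, modules):
            opts = {o.get("name"): (o.text or "").strip() for o in module.findall("module-option")}
            if code == USERS_ROLES_MODULE:
                for opt in ("usersProperties", "rolesProperties"):
                    if not opts.get(opt):
                        findings.append((name, "%s not set; the module falls back to the shared default file" % opt))
            if opts.get("unauthenticatedIdentity"):
                findings.append((name, "unauthenticatedIdentity=%s: callers with no credentials become that principal"
                                 % opts["unauthenticatedIdentity"]))
    return findings


if __name__ == "__main__":
    for label, doc in (("before", BEFORE_LOGIN_CONFIG), ("after", AFTER_LOGIN_CONFIG)):
        print(label)
        for policy_name, finding in lint_login_config(doc):
            print("  [%s] %s" % (policy_name, finding))
```

Pointing lint_login_config at the server's conf/login-config.xml (reading the file instead of the constructed strings) gives a per-domain list to review before restarting the server; the "after" document produces no findings, while the "before" one reports the module ordering, the missing property-file names and the unauthenticated identity.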