-
1. Re: Insufficient method permissions, principal=richja, metho
arnold Nov 10, 2004 9:34 AM (in response to time4tea)
I get a similar error too.
Which version of JBoss are you running?
Have you made any changes to JaasSecurityManagerService in jboss-service.xml? -
2. Re: Insufficient method permissions, principal=richja, metho
time4tea Nov 10, 2004 9:40 AM (in response to time4tea)
This is 4.0.0.
Actually the subject was chopped, it was: Insufficient method permissions, principal=richja, method=create, interface=LOCALHOME, requiredRoles=[], principalRoles=[CMD-DRV-LON-...]
Note that the required roles are [] (nothing, I assume). What gives?
Cheers
James -
3. Forgot method permission
time4tea Nov 10, 2004 11:11 AM (in response to time4tea)
The problem was that I had not specified any method-permission roles for the call, nor had I said the method was unchecked.
Adding a method permission solved the problem. Hurrah.
Now I still have the issue that with the next invocation (like resubmitting the page, for example) the principal is kept, but the roles are reset to null, and thus I get a permission error.
It seems like the authentication cache is not caching the roles?
Thanks for any help! -
4. Re: Insufficient method permissions, principal=richja, metho
starksm64 Nov 10, 2004 11:22 AM (in response to time4tea)
The auth cache contains the Subject and its roles. A trace level log on the org.jboss.security category may shed some light.
-
5. Re: Insufficient method permissions, principal=richja, metho
time4tea Nov 10, 2004 11:51 AM (in response to time4tea)
I can tell you that if you reduce the authentication cache timeout to 5 seconds, and the resolution to 1 second, and wait 5 seconds between page submissions, it works fine.
If you refresh the page twice in quick succession, it fails.
The call getEnvironments is where it succeeds....then refresh again, and failure, immediately after calling updateCache.
-
6. Re: Insufficient method permissions, principal=richja, metho
starksm64 Nov 10, 2004 12:15 PM (in response to time4tea)
First, org.jboss.security.WedgetailLoginModule is not a jboss login module and should not be using the org.jboss package namespace.
The logout immediately before the exception is the problem:
2004-11-10 16:46:05,116 TRACE [org.jboss.security.WedgetailLoginModule] logout
This invalidates the previously authenticated Subject and removes all associated roles. -
7. Re: Insufficient method permissions, principal=richja, metho
time4tea Nov 10, 2004 12:29 PM (in response to time4tea)
Yeah, the code is in the wrong package, because I thought I might have to use the SecurityAssociation classes, but it turns out that it's not necessary. This was solved by the use of ClientLoginModule.. it will move back to where it belongs!
However, the logout call (it's not one that I am making) is also made in the successful call..... so why would that make a difference?? (honest question)
Thanks! -
8. Re: Insufficient method permissions, principal=richja, metho
starksm64 Nov 10, 2004 12:54 PM (in response to time4tea)
Just putting a class into a package namespace does not give you access to the package protected classes. The class needs to be loaded by the same class loader, and depending on the class loader, the same jar to actually be seen as from the org.jboss.security package, and non-jboss code does not satisfy this condition unless you're rebuilding the server with the login module added to the codebase.
You seem to have a race condition between multiple threads using the same principal. A cached Subject is a shared object, and if there is a logout in one thread after authentication in another thread, but before the authorization check, these threads are walking over each other. You need a thread local copy of the Subject to isolate these threads. We do this in the jca layer where authorization checks happen well beyond the authentication point, but I don't think this behavior is accessible from the LoginContext. Create a bug report on sourceforge with an example of what you're doing and I can look into how this can be supported.
http://sourceforge.net/tracker/?group_id=22866&atid=376685 -
9. Re: Insufficient method permissions, principal=richja, metho
time4tea Nov 10, 2004 1:15 PM (in response to time4tea)
(The classloader issue is a red-herring)
I'm not 100% sure that this is a race condition. Simply waiting until the cache times out will mean that the code works all the time. Refreshing the page before the cache times out will reliably fail all the time.
Reducing the cache to zero means the page is now working all the time.
This would seem to imply that the cache is at fault? Or I'm interacting with the login system in a non-standard way. -
10. Re: Insufficient method permissions, principal=richja, metho
starksm64 Nov 10, 2004 1:20 PM (in response to time4tea)
The cache is just a map. I explained how the behavior you described could be explained by having two threads running against the cached Subject such that the logout of t1 invalidates the Subject instance of t2. Disabling the caching effectively gives you a thread local copy of the Subject.
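
The race described in posts 8 and 10 above, as an added Java example (not JBoss code and not written by anyone in this thread): a minimal model in which one thread's logout clears the principals of a cached, shared Subject between another thread's authentication and its authorization check, next to the same run with a per-thread copy. The names SharedSubjectRace, Named, authenticate, logout and authorize, the "role:" prefix and the latch-forced ordering are assumptions made for the illustration; it needs Java 16 or later for `record`.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import javax.security.auth.Subject;

public class SharedSubjectRace {
    /** Hypothetical principal type standing in for a user or a role entry. */
    record Named(String name) implements Principal {
        @Override public String getName() { return name; }
    }

    /** "The cache is just a map": user name -> one shared Subject instance. */
    static final Map<String, Subject> CACHE = new ConcurrentHashMap<>();

    /** Models login + commit + updateCache: the returned Subject is the cached one. */
    static Subject authenticate(String user, String... roles) {
        Subject s = new Subject();
        s.getPrincipals().add(new Named(user));
        for (String r : roles) {
            s.getPrincipals().add(new Named("role:" + r));
        }
        CACHE.put(user, s);
        return s;
    }

    /** Models a LoginModule logout: it strips the principals it added. */
    static void logout(Subject s) {
        s.getPrincipals().clear();
    }

    /** Models the method-permission check made at invocation time. */
    static boolean authorize(Subject s, String requiredRole) {
        return s.getPrincipals().contains(new Named("role:" + requiredRole));
    }

    static void await(CountDownLatch latch) {
        try {
            latch.await();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException(e);
        }
    }

    /**
     * Forces the interleaving from the thread: t2 authenticates, t1 logs out
     * the cached Subject, then t2 reaches its authorization check.
     * With isolate=true, t2 authorizes against its own copy of the Subject.
     */
    static boolean run(boolean isolate) throws InterruptedException {
        CACHE.clear();
        CountDownLatch authenticated = new CountDownLatch(1);
        CountDownLatch loggedOut = new CountDownLatch(1);
        boolean[] allowed = new boolean[1];

        Thread t2 = new Thread(() -> {
            Subject s = authenticate("richja", "Domain Users");
            if (isolate) {
                // Private copy: later changes to the cached instance are not seen.
                s = new Subject(false, new HashSet<>(s.getPrincipals()),
                        new HashSet<>(), new HashSet<>());
            }
            authenticated.countDown();
            await(loggedOut);
            allowed[0] = authorize(s, "Domain Users");
        }, "t2");

        Thread t1 = new Thread(() -> {
            await(authenticated);
            logout(CACHE.get("richja")); // same instance t2 holds when not isolated
            loggedOut.countDown();
        }, "t1");

        t1.start();
        t2.start();
        t1.join();
        t2.join();
        return allowed[0];
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("shared cached Subject: authorized=" + run(false));
        System.out.println("per-thread copy:       authorized=" + run(true));
    }
}
```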
-
11. Re: Insufficient method permissions, principal=richja, metho
arnold Nov 10, 2004 1:25 PM (in response to time4tea)
Hi,
This is turning into a really interesting discussion. I too suffer from the principalRoles=null problem, but please allow me to explain the situation.
I am running JBoss 3.2.4
LoginModule:
client: ClientLoginModule, multithreaded=true
server: UsersRolesLoginModule
I have enabled TRACE level log, please see below.
Scott, do you think this also indicates a race condition? -
12. Re: Insufficient method permissions, principal=richja, metho
starksm64 Nov 10, 2004 1:32 PM (in response to time4tea)
Yes. Enable logging of the thread by adding %t to the logging pattern to better see this. The logout should be from a separate thread. If that is not the case, someone needs to create a bug report with an example of what is being done.
-
13. Re: Insufficient method permissions, principal=richja, metho
arnold Nov 10, 2004 1:34 PM (in response to time4tea)
I forgot to mention that I have only observed this problem if the cache is disabled!
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
   name="jboss.security:service=JaasSecurityManager">
   <attribute name="SecurityManagerClassName">
      org.jboss.security.plugins.JaasSecurityManager
   </attribute>
   <!-- DefaultCacheTimeout: Specifies the default timed cache policy timeout
   in seconds.
   If you want to disable caching of security credentials, set this to 0 to
   force authentication to occur every time. This has no affect if the
   AuthenticationCacheJndiName has been changed from the default value.
   -->
   <attribute name="DefaultCacheTimeout">0</attribute>
   <!-- DefaultCacheResolution: Specifies the default timed cache policy
   resolution in seconds. This controls the interval at which the cache
   current timestamp is updated and should be less than the DefaultCacheTimeout
   in order for the timeout to be meaningful. This has no affect if the
   AuthenticationCacheJndiName has been changed from the default value.
   -->
   <attribute name="DefaultCacheResolution">60</attribute>
</mbean>
This seems to clash with time4tea's theory of a cache problem. -
14. Re: Insufficient method permissions, principal=richja, metho
arnold Nov 11, 2004 5:43 AM (in response to time4tea)
Hello Scott,
TRACE log with thread information! Logout is called from a separate thread, but it seems to have stepped over the other thread's login session?
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) initialize
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) Passworg hashing activated: algorithm = SHA, encoding = base64
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) findResource: null
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) Properties file=file:/home/demo/arnold/Kensington/jboss/server/default-01/conf/users.properties
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) findResource: null
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) Properties file=file:/home/demo/arnold/Kensington/jboss/server/default-01/conf/roles.properties
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) login
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) User 'demo' authenticated, loginOk=true
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (NCI60_V4) commit, loginOk=true
2004-11-11 10:25:49,820 TRACE [org.jboss.security.plugins.JaasSecurityManager.inforsense] (NCI60_V4) updateCache, subject=Subject: Principal: demo Principal: Roles(members:is-user,mygroup,demoGroup)
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) logout
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (RMI TCP Connection(2)-155.198.19.226) getAppConfigurationEntry(inforsense), authInfo=AppConfigurationEntry[]: [0] LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule ControlFlag: LoginModuleControlFlag: required Options:name=hashEncoding, value=base64 name=hashAlgorithm, value=SHA
2004-11-11 10:25:49,820 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (NCI60_V4) Insufficient method permissions, principal=demo, method=create, interface=LOCALHOME, requiredRoles=[<ANYBODY>], principalRoles=null
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) initialize
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) Passworg hashing activated: algorithm = SHA, encoding = base64
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) findResource: null
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) Properties file=file:/home/demo/arnold/Kensington/jboss/server/default-01/conf/users.properties
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) findResource: null
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) Properties file=file:/home/demo/arnold/Kensington/jboss/server/default-01/conf/roles.properties
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) login
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) User 'demo' authenticated, loginOk=true
2004-11-11 10:25:49,820 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] (RMI TCP Connection(2)-155.198.19.226) commit, loginOk=true
2004-11-11 10:25:49,820 TRACE [org.jboss.security.plugins.JaasSecurityManager.inforsense] (RMI TCP Connection(2)-155.198.19.226) updateCache, subject=Subject: Principal: demo Principal: Roles(members:is-user,mygroup,demoGroup)
2004-11-11 10:25:49,820 ERROR [org.jboss.ejb.plugins.LogInterceptor] (NCI60_V4) EJBException, causedBy: java.lang.SecurityException: Insufficient method permissions, principal=demo, method=create, interface=LOCALHOME, requiredRoles=[<ANYBODY>], principalRoles=null
    at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
    at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:83)
    at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
Thanks.
Arnold
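The by-eye correlation done in posts 12 and 14 (find a `logout` from one thread landing between another thread's `updateCache` and its `principalRoles=null` denial) can be automated once `%t` is in the log pattern. The script below is an added example, not part of the thread and not JBoss code; the function names and the sample lines are constructed for illustration.

```python
import re

# Entry layout with %t in the pattern: timestamp LEVEL [category] (thread) message.
# Thread names may nest one level of parentheses ("RMI TCP Connection(2)-...").
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (?P<level>[A-Z]+) +"
    r"\[(?P<cat>[^\]]+)\] \((?P<thread>(?:[^()]|\([^()]*\))*)\) (?P<msg>.*)$")
CACHED = re.compile(r"updateCache, subject=Subject: Principal: (?P<p>\S+)")
DENIED = re.compile(r"Insufficient method permissions, principal=(?P<p>[^,]+),.*principalRoles=null")

# Constructed sample modelled on the trace above; 192.0.2.10 is a documentation IP.
LM = "org.jboss.security.auth.spi.UsersRolesLoginModule"
RMI = "RMI TCP Connection(2)-192.0.2.10"
SAMPLE = "\n".join([
    f"2004-11-11 10:25:49,820 TRACE [{LM}] (NCI60_V4) commit, loginOk=true",
    "2004-11-11 10:25:49,820 TRACE [org.jboss.security.plugins.JaasSecurityManager.inforsense]"
    " (NCI60_V4) updateCache, subject=Subject: Principal: demo Principal: Roles(members:is-user)",
    f"2004-11-11 10:25:49,820 TRACE [{LM}] ({RMI}) logout",
    "2004-11-11 10:25:49,820 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (NCI60_V4)"
    " Insufficient method permissions, principal=demo, method=create,"
    " interface=LOCALHOME, requiredRoles=[<ANYBODY>], principalRoles=null",
])

def parse(text):
    """Return one dict per well-formed entry; continuation lines are skipped."""
    return [m.groupdict() for m in map(ENTRY.match, text.splitlines()) if m]

def cross_thread_logouts(entries):
    """Find denials where another thread logged out between this thread's
    updateCache for the principal and its failed permission check."""
    findings, cached_at = [], {}
    for i, e in enumerate(entries):
        hit = CACHED.search(e["msg"])
        if hit:
            cached_at[(e["thread"], hit["p"])] = i
            continue
        hit = DENIED.search(e["msg"])
        start = cached_at.get((e["thread"], hit["p"])) if hit else None
        if start is None or not e["cat"].endswith("SecurityInterceptor"):
            continue
        for other in entries[start + 1:i]:
            if other["msg"] == "logout" and other["thread"] != e["thread"]:
                findings.append({"principal": hit["p"], "denied_thread": e["thread"],
                                 "logout_thread": other["thread"], "at": e["ts"]})
    return findings

if __name__ == "__main__":
    for f in cross_thread_logouts(parse(SAMPLE)):
        print(f)
```

Every entry in the trace carries the same millisecond timestamp, so the check relies on the order of lines in the file, not on the timestamps.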