3 Replies Latest reply on Jan 15, 2005 6:01 PM by tcherel

    confusion about when requiredRoles=[] (i.e. no required role

    davehaas

      Hi all.

      I'm trying to set up the situation where client authentication is NOT required (client does not need to supply username/password) but EJB operations are still done over SSL.

      I have the following config:

      in server.policy:

      grant {
        // Allow everything for now
        permission java.security.AllPermission;
      };

      in jboss-service.xml I have configured a security domain

       <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=JaasSecurityDomain,domain=simpleSecureSB">
         <constructor>
           <arg type="java.lang.String" value="simpleSecureSB"/>
         </constructor>
         <attribute name="KeyStoreURL">test.keystore</attribute>
         <attribute name="KeyStorePass">test</attribute>
       </mbean>

      in login-config.xml I have set up the security domain to NOT require a username and password (at least I think I have):

       <application-policy name="simpleSecureSB">
         <authentication>
           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="optional">
             <module-option name="unauthenticatedIdentity">anonymous</module-option>
           </login-module>
         </authentication>
       </application-policy>

      and yet when I run the client I get the following error:

      Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[], principalRoles=[]

      which doesn't make any sense at all. If there are no required roles, what's the problem?

      Cheers,

      Dave

        • 1. Re: confusion about when requiredRoles=[] (i.e. no required
          tcherel

          I believe that you will have to explicitly say in the ejb-jar.xml that no role checking is required:

          <method-permission>
            <unchecked/>
            <method>
              <ejb-name>[your bean name]</ejb-name>
              <method-name>*</method-name>
            </method>
          </method-permission>

          Thomas

          • 2. Re: confusion about when requiredRoles=[] (i.e. no required
            davehaas

            Hi Thomas.

            I tried your suggestion but I'm still having some problems. I got it to work using the following setup, but I'm not completely sure it's the proper solution.

            1) It seems that you HAVE to have a security domain set up in the jboss-service.xml file to use the jrmp invoker using SSL. If I try to run the jrmp invoker without having defined a security domain it blows up. So, I have this in jboss-service.xml:

            <!-- Secure RMI/JRMP invoker -->
            <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker" name="jboss:service=invoker,type=jrmp,socketType=SSL">
              <attribute name="RMIObjectPort">14445</attribute>
              <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
              <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
              <attribute name="SecurityDomain">java:/jaas/simpleSecureSB</attribute>
              <depends>jboss:service=TransactionManager</depends>
              <depends>jboss.security:service=JaasSecurityDomain,domain=simpleSecureSB</depends>
            </mbean>

            2) Given that you have to have a security domain defined in jboss-service.xml, you also have to then configure how the authentication works in login-config.xml (otherwise the 'other' domain kicks in). So, I have a simple security domain with the unauthenticatedIdentity attribute set to 'everyone'. Now at least when the client doesn't send any credentials at all, the 'everyone' user is assigned instead. So, I have this in login-config.xml:

            <application-policy name="simpleSecureSB">
              <authentication>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                  <module-option name="unauthenticatedIdentity">everyone</module-option>
                </login-module>
              </authentication>
            </application-policy>

            3) In the ejb-jar.xml descriptor I have:

            <assembly-descriptor>
              <method-permission>
                <unchecked/>
                <method>
                  <ejb-name>simpleSecureSB</ejb-name>
                  <method-name>*</method-name>
                </method>
              </method-permission>
            </assembly-descriptor>

            4) In the jboss.xml file I have assigned the session bean to the appropriate security domain and told it to use the jrmp invoker over SSL:

            <security-domain>java:/jaas/simpleSecureSB</security-domain>
            <enterprise-beans>
              <session>
                <ejb-name>simpleSecureSB</ejb-name>
                <jndi-name>ejb/simpleSecureSB</jndi-name>
                <configuration-name>Standard Stateless SessionBean</configuration-name>
                <invoker-bindings>
                  <invoker>
                    <invoker-proxy-binding-name>stateless-ssl-invoker</invoker-proxy-binding-name>
                  </invoker>
                </invoker-bindings>
              </session>
            </enterprise-beans>

            Does the setup seem reasonable? It works, but I'm not sure if it can be streamlined any more ...

            Cheers,

            Dave
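Added example, not part of the thread or of JBoss itself: a small Python check over the three descriptors Dave lists above (ejb-jar.xml, jboss.xml, login-config.xml) that flags the inconsistencies this thread turns on: a bean with no method-permission (the "requiredRoles=[]" denial), a security-domain with no matching application-policy, and a policy without unauthenticatedIdentity. The sample XML is constructed here to mirror the simpleSecureSB setup.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors mirroring the thread's "simpleSecureSB" setup.
EJB_JAR_OK = """<ejb-jar><assembly-descriptor><method-permission><unchecked/>
 <method><ejb-name>simpleSecureSB</ejb-name><method-name>*</method-name></method>
</method-permission></assembly-descriptor></ejb-jar>"""
EJB_JAR_MISSING = "<ejb-jar><assembly-descriptor/></ejb-jar>"  # no permission entry at all
JBOSS_XML = """<jboss><security-domain>java:/jaas/simpleSecureSB</security-domain>
<enterprise-beans><session><ejb-name>simpleSecureSB</ejb-name></session></enterprise-beans></jboss>"""
LOGIN_CONFIG = """<policy><application-policy name="simpleSecureSB"><authentication>
 <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
  <module-option name="unauthenticatedIdentity">everyone</module-option>
 </login-module></authentication></application-policy></policy>"""


def check_descriptors(ejb_jar_xml, jboss_xml, login_config_xml):
    """Return a list of findings; an empty list means the three files agree."""
    findings = []
    ejb_jar, jboss, login = (ET.fromstring(x) for x in (ejb_jar_xml, jboss_xml, login_config_xml))

    # 1. Each bean in jboss.xml needs a method-permission in ejb-jar.xml that is
    #    either <unchecked/> or carries a <role-name>; with none, every call is
    #    refused with "requiredRoles=[]", which is the error quoted in the thread.
    beans = [e.text for e in jboss.findall(".//enterprise-beans/*/ejb-name")]
    perms = ejb_jar.findall(".//assembly-descriptor/method-permission")
    for bean in beans:
        covered = [p for p in perms
                   if any(m.findtext("ejb-name") == bean for m in p.findall("method"))]
        if not covered:
            findings.append(f"{bean}: no <method-permission>, all calls will be denied")
        elif not any(p.find("unchecked") is not None or p.find("role-name") is not None
                     for p in covered):
            findings.append(f"{bean}: method-permission has neither <unchecked/> nor <role-name>")

    # 2. The jboss.xml security-domain must name an application-policy in
    #    login-config.xml, otherwise the 'other' policy silently takes over.
    domain = (jboss.findtext("security-domain") or "").rsplit("/", 1)[-1]
    policy = login.find(f".//application-policy[@name='{domain}']")
    if policy is None:
        findings.append(f"security domain '{domain}' has no application-policy")
    # 3. Anonymous calls only get an identity if a login module sets unauthenticatedIdentity.
    elif policy.find(".//module-option[@name='unauthenticatedIdentity']") is None:
        findings.append(f"policy '{domain}' sets no unauthenticatedIdentity; anonymous calls will fail")
    return findings
```

Run it against the real files by reading each descriptor into a string; an empty result means the bean, its domain and its policy line up as in Dave's working setup.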

            • 3. Re: confusion about when requiredRoles=[] (i.e. no required
              tcherel

              I am not a JRMP/SSL expert, but if it requires a security domain, then the rest of the setup is the correct one.

              Thomas