-
1. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
twalsh2 Feb 10, 2005 12:15 PM (in response to twalsh2)
Anyone have any ideas on this?
Anyone from JBoss available to comment on it? -
2. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
starksm64 Feb 10, 2005 2:54 PM (in response to twalsh2)
run-as has no effect on the roles seen by the onMessage invocation. It only affects calls made to other resources from within the onMessage method. There is no spec-defined mechanism for setting the identity of an mdb message. You would have to use a custom interceptor and establish the identity based on some message property.
-
3. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
twalsh2 Feb 14, 2005 10:20 AM (in response to twalsh2)
In this case, I am calling a Secure Stateless Session Bean from within the onMessage method of an MDB.
The SLSB is in turn calling another secure SLSB. The second SLSB is calling SessionContext.isCallerInRole("Administrator");
So we have
    JMS message --> MDB.onMessage --> SLSB1.method() --> SLSB2.method() --> SessionContext.isCallerInRole("Administrator");
So the call to isCallerInRole is being done within a call made to other resources from within the onMessage method. isCallerInRole is returning false, which is a surprise as the MDB is set to run-as Administrator.
All of the calls to the SLSB are done via local interfaces. I was surprised that isCallerInRole returned false, as the caller definitely is in the Administrator role. For example, if I have the MDB call a SLSB method with only a
    * @ejb.permission role-name = "Administrator"
the security framework will allow the MDB to make the call. It's only isCallerInRole that does not seem able to determine the role of the calling MDB. -
4. principal=null
bartvh Feb 17, 2005 10:13 AM (in response to twalsh2)
I'm seeing exactly the same problem, though I am still using jboss-3.2.3.
Have you made any progress on this?
I had TRACE logging enabled for 'org.jboss.ejb.plugins' and saw the following pass by:
    2005-02-17 15:05:51,540 TRACE [SecurityInterceptor] Authenticated principal=null
In the source code of org.jboss.ejb.EnterpriseContext.EJBContextImpl (3.2.3), I found:
    // TODO - how to handle this best?
    public boolean isCallerInRole(String id)
    {
       if (principal == null)
          return false;
       ....
Probably related, no? -
5. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
twalsh2 Feb 18, 2005 4:36 PM (in response to twalsh2)
I was actually able to work around the "principal=null" condition by setting the following property on my Login Module:
    <application-policy name="nms">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
             <module-option name="dsJndiName">java:/NMS-DS</module-option>
             <module-option name="hashAlgorithm">MD5</module-option>
             <module-option name="hashEncoding">base64</module-option>
             <module-option name="unauthenticatedIdentity">nobody</module-option>
          </login-module>
       </authentication>
    </application-policy>
This causes the principal for unauthenticated entities (such as MDBs or MBeans) to be "nobody". Pair this with a <run-as> and you can kind of get MDBs to interact properly with secure session beans.
Unfortunately, having a principal on the call does not fix my problem where isCallerInRole is returning an unexpected result. -
6. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
twalsh2 Feb 20, 2005 5:40 PM (in response to twalsh2)
Well, I have a workaround for anyone who encounters this problem. It's not the prettiest solution.
Basically on another SLSB, I create a local method called checkCallerAdmin. Then in my code where I want to do a
    SessionContext.isCallerInRole("Administrator");
I call
    otherSLSB.checkCallerAdmin()
The checkCallerAdmin method is set up to only allow callers with the role of "Administrator". Basically, it has a
    * @ejb.permission role-name = "Administrator"
XDoclet tag. If my caller is not an Admin, I get a LocalAccessException which I can catch and use that fact to identify that the caller in the Administrator role.
It works, but the biggest drawback is that you are calling another EJB method, so you need to go through the entire interceptor chain (in order to get to the Security Interceptor) in order to get the check to occur. This probably will perform poorer than a direct call to:
    sessionContext.isCallerInRole("Administrator");
I'd still be interested in hearing from someone from JBoss as to whether this behavior is by design or is a bug. -
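The workaround described in the post above, written out as an added example (not the poster's code and not JBoss code). AdminCheckLocal, AdminCheckBean and AdminRoleProbe are hypothetical names, and it assumes the container reports a refused local call as javax.ejb.AccessLocalException; the three types share one file here for brevity, whereas a deployed bean class is public in its own file.

```java
import javax.ejb.AccessLocalException;
import javax.ejb.EJBLocalObject;
import javax.ejb.SessionBean;
import javax.ejb.SessionContext;

/** Hypothetical local interface of the helper bean (name assumed). */
interface AdminCheckLocal extends EJBLocalObject {
    void checkCallerAdmin();
}

/**
 * Hypothetical helper SLSB. The method body is empty on purpose: the
 * container's security interceptor enforces the role before it runs.
 *
 * @ejb.bean name="AdminCheck" type="Stateless" view-type="local"
 */
class AdminCheckBean implements SessionBean {
    /**
     * @ejb.interface-method view-type="local"
     * @ejb.permission role-name="Administrator"
     */
    public void checkCallerAdmin() { }

    // Lifecycle callbacks required by the EJB 2.x SessionBean contract.
    public void ejbCreate() { }
    public void setSessionContext(SessionContext ctx) { }
    public void ejbActivate() { }
    public void ejbPassivate() { }
    public void ejbRemove() { }
}

/** Call-site wrapper used where isCallerInRole("Administrator") was wanted. */
final class AdminRoleProbe {
    private AdminRoleProbe() { }

    static boolean callerIsAdministrator(AdminCheckLocal helper) {
        try {
            helper.checkCallerAdmin();
            return true;   // the container let the call through
        } catch (AccessLocalException denied) {
            return false;  // the only outcome that means "not in the role"
        }
        // Any other exception propagates: a failed lookup or container
        // error must not be read as a role decision in either direction.
    }
}
```

Catching only the access exception keeps the probe fail-closed: the caller is treated as an Administrator solely when the protected method actually returned.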
7. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
starksm64 Feb 21, 2005 10:24 AM (in response to twalsh2)
It's a limitation/bug of the 3.2.x anonymous caller/run-as interaction. There is an equivalent testcase that works fine in 4.0.1+. There is a jira issue for the 3.2.x behavior.
http://jira.jboss.com/jira/browse/JBAS-1493 -
8. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
twalsh2 Feb 21, 2005 12:09 PM (in response to twalsh2)
Thank you. I will continue using my work around for the time being.