2 Replies Latest reply on Jul 27, 2005 4:37 AM by michaelkonietzka

    UndeclaredThrowableException on client when receiving Faile

    michaelkonietzka

      When my client tries to access a secured EJB with wrong credentials, the server throws a FailedLoginException as expected. But then the client throws UndeclaredThrowableException, because the method signature doesn't know anything about LoginException.

      From my point of view, the container has to wrap the LoginException into a RuntimeException,
      but it seems it does not. In the EJB 2.1 spec:
      "21.6.9 Runtime Security Enforcement
      [..]
      If the container denies a client access to a business method, the container must throw the java.rmi.RemoteException (or its sub class, the java.rmi.AccessException) to the client if the client is a remote client, or the javax.ejb.EJBException (or its subclass, the javax.ejb.AccessLocalException) if the client is a local client.
      "
      System is JBoss-4.0.2 on Linux, with CustomLoginModule extends UsernamePasswordLoginModule


      Best regards
      Michael

      Example StackTrace:


      java.lang.reflect.InvocationTargetException
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at de.schlund.shop3.util.ServiceLocator.createEJBObject(ServiceLocator.java:90)
      at de.schlund.shop3.util.ServiceLocator.createEJBObject(ServiceLocator.java:69)
      at de.schlund.shop3.proxy.UserProxy.getRemote(UserProxy.java:44)
      at de.schlund.shop3.proxy.UserProxy.getRoles(UserProxy.java:56)
      at de.schlund.shop3config.login.LoginHelper.login(LoginHelper.java:27)

      ...

      Caused by: java.lang.reflect.UndeclaredThrowableException
      at $Proxy1.create(Unknown Source)
      ... 50 more
      Caused by: javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:166)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)

        • 1. Re: UndeclaredThrowableException on client when receiving F
          michaelkonietzka

           

          "Michael Konietzka" wrote:
          When my client tries to access a secured EJB with wrong credentials, the server throws a FailedLoginException as expected. But then the client throws UndeclaredThrowableException, because the method signature doesn't know anything about LoginException.
          [..]


          Well, it seems to be a problem from our client-application:

          There:
          Class[] classes = ReflectionHelper.getClasses(args);
          EJBObject ejbObject = null;

          // get EJB home
          EJBHome ejbHome = getEJBHome(jndiName, narrowTo);
          // call create method
          try {
              Method method = ejbHome.getClass().getMethod("create", classes);
              ejbObject = (EJBObject) method.invoke(ejbHome, args);
          } catch (Exception e) { ... }

          There is an InvocationTargetException with UndeclaredThrowableException,
          while the following code is OK:

          Object obj = ctx.lookup(AnotherRemoteHome.JNDI_NAME);
          AnotherRemoteHome home = (AnotherRemoteHome) PortableRemoteObject
                  .narrow(obj, AnotherRemoteHome.class);

          EJBObject ejbObject = null;
          // call create method

          try {
              Method method = home.getClass().getMethod("create", null);
              ejbObject = (EJBObject) method.invoke(home, null);
          } catch (Exception ite) { ... }
          There will be an InvocationException, with the "real" RemoteException, and no UndeclaredThrowableException.

          Nevertheless, this is not a JBoss-Security issue.



          • 2. Re: UndeclaredThrowableException on client when receiving F
            michaelkonietzka

             
            Well, it was a container-configuration issue.
            We used a custom container configuration without org.jboss.ejb.plugins.LogInterceptor,
            which handles any unexpected exceptions, which is mentioned somewhere in the JavaDoc ...
            We had a custom LogInterceptor which does not handle exceptions like the standard LogInterceptor, so any Exception like FailedLoginException
            resulted in the behaviour described above. Using the org.jboss.ejb.plugins.LogInterceptor additionally in our custom container-configuration fixes the problem.
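
The exception chain in the stack trace above can be reproduced without a container. The following is an added example, not code from this thread or from JBoss: a plain `java.lang.reflect.Proxy` whose handler lets a checked `FailedLoginException` escape through an interface method that declares only `RemoteException`, plus a client-side helper that walks the cause chain so an authentication failure is still recognised. `DemoHome` and `findCause` are hypothetical names.

```java
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.rmi.RemoteException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

public class UndeclaredThrowableDemo {
    // Hypothetical stand-in for an EJB home interface: create() declares only
    // RemoteException, so a LoginException is "undeclared" for the proxy.
    public interface DemoHome {
        Object create() throws RemoteException;
    }

    // Walk the cause chain; return the first throwable of the wanted type, or null.
    static <T extends Throwable> T findCause(Throwable t, Class<T> type) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (type.isInstance(c)) return type.cast(c);
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // The handler plays the role of an invocation path that lets a checked
        // FailedLoginException escape without converting it to a declared type.
        DemoHome home = (DemoHome) Proxy.newProxyInstance(
                DemoHome.class.getClassLoader(),
                new Class<?>[] { DemoHome.class },
                (proxy, method, margs) -> {
                    throw new FailedLoginException("Password Incorrect/Password Required");
                });

        // Reflective call, as in the client code quoted in the thread.
        Method create = DemoHome.class.getMethod("create");
        try {
            create.invoke(home);
        } catch (InvocationTargetException ite) {
            // Nesting: InvocationTargetException -> UndeclaredThrowableException -> FailedLoginException
            System.out.println("target: " + ite.getCause().getClass().getName());
            LoginException le = findCause(ite, LoginException.class);
            if (le != null) {
                System.out.println("authentication failed: " + le.getMessage());
            } else {
                throw ite; // not an authentication failure, do not swallow it
            }
        }
    }
}
```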