-
1. Re: EJB SecurityException even though roles are present
Wanted to add some more details.
Since the same security domain seems to work for the web application and not for the EJB, I suspect it could be some EJB config. I am positn the jboss.xml and the ejb-jar.xml here for reference.
jboss.xml<jboss> <security-domain>java:/jaas/jwdomain</security-domain> <enterprise-beans> <!-- To add beans that you have deployment descriptor info for, add a file to your XDoclet merge directory called jboss-beans.xml that contains the <session></session>, <entity></entity> and <message-driven></message-driven> markup for those beans. --> <session> <ejb-name>Fibo</ejb-name> <jndi-name>ejb/tutorial/Fibo</jndi-name> </session> </enterprise-beans> <resource-managers> </resource-managers> </jboss>
And the ejb-jar.xml<ejb-jar > <display-name>Generated by XDoclet</display-name> <enterprise-beans> <session > <description>EJB that computes Fibonacci suite</description> <display-name>Fibo EJB</display-name> <ejb-name>Fibo</ejb-name> <home>tutorial.interfaces.FiboHome</home> <remote>tutorial.interfaces.Fibo</remote> <ejb-class>tutorial.ejb.FiboBean</ejb-class> <session-type>Stateless</session-type> <transaction-type>Container</transaction-type> </session> </enterprise-beans> <assembly-descriptor > <security-role> <role-name>Secure</role-name> </security-role> <method-permission> <unchecked/> <method> <ejb-name>Fibo</ejb-name> <method-name>create</method-name> </method> </method-permission> <method-permission> <role-name>Secure</role-name> <method> <ejb-name>Fibo</ejb-name> <method-name>factorial</method-name> </method> </method-permission>
Again am I missing something ? Any help is appreciated.
thanks -
2. Re: EJB SecurityException even though roles are present
I did a little source code searching and found that the exception is thrown by the org.jboss.ejb.plugins.SecurityInterceptor.
The exact piece of code that fails is// Check if the caller is allowed to access the method if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false) { // The caller is using a the caller identity if (callerRunAsIdentity == null) { // Now actually check if the current caller has one of the required method roles if (realmMapping.doesUserHaveRole(principal, methodRoles) == false) { Set userRoles = realmMapping.getUserRoles(principal); String method = mi.getMethod().getName(); BeanMetaData beanMetaData = container.getBeanMetaData(); String msg = "Insufficient method permissions, principal=" + principal + ", ejbName=" + beanMetaData.getEjbName() + ", method=" + method + ", interface=" + iface + ", requiredRoles=" + methodRoles + ", principalRoles=" + userRoles; SecurityException e = new SecurityException(msg); throw e; } }
I was unable to debug any further as RealmMapping is an interface and am not sure which Impl class is actually working durign runtime.
Also what baffles me most is that the exception indicates that I am not in role but the message in the exception clearly shows that I am indeed in the role.
Any pointers? -
3. Re: EJB SecurityException even though roles are present
Finally managed to fix the problem. The issue was with my implementation of java.security.acl.Group interface. In the isMember() I was checking directly the principal rather than checking principal.getName(). The RealmMapping impl used by the EJB Container checks for available roles using the isMember() method.
Surprisingly the same on the web container gets all the roles as strings and then checks against the strings. Wonder why this is so.
In any case I am glad I was able to fix the issue and hopefully this helps others.