JAAS Caller identity null on second EJB call in a transaction
mclark00 Nov 20, 2005 1:55 AM
Hi,
First off, I have tried my best to look through the sticky topics and many other posts on the net, and cannot figure out how to make this work. Sorry if this is a basic question.
I've set up a Struts application using JBoss 4.0.3SP1, and I've set up form-based authentication posting to j_security_check. I'm seeing the following sequence:
1) Attempt to access a secured resource
2) Receive the login page
3) Submit the login page
4) User is authenticated successfully using the DatabaseLoginModule
5) SessionBean1 is successfully looked up and a method is executed
6) SessionBean1 attempts to look up SessionBean2
7) Receive exception: 'java.lang.IllegalStateException: No valid security context for the caller identity'
My understanding was that the default behavior was that subsequent EJB calls would run under the calling user's identity, but that doesn't appear to be happening. Am I doing something wrong?
Thank you very much for your help, and let me know if I can provide any more information.
Thanks,
Matt
Section of login-config.xml
<application-policy name="mwo">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="managedConnectionFactoryName">
        jboss.jca:service=LocalTxCM,name=MySQLDS
      </module-option>
      <module-option name="dsJndiName">
        java:/MySQLDS
      </module-option>
      <module-option name="principalsQuery">
        Select Password from Principals where ID =?
      </module-option>
      <module-option name="rolesQuery">
        Select R.Role 'Roles', R.RoleGroup 'RoleGroups' from Roles R, LINK_PRINCIPAL_ROLE L where L.PRINCIPAL_ID =?
      </module-option>
    </login-module>
    <!-- restore-login-identity is a module-option of ClientLoginModule; as a login-module attribute it is ignored -->
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="restore-login-identity">true</module-option>
    </login-module>
  </authentication>
</application-policy>
Snippet from ejb-jar.xml
<method-permission>
  <role-name>Administrator</role-name>
  <method>
    <ejb-name>SessionBean1</ejb-name>
    <method-name>*</method-name>
  </method>
  <method>
    <ejb-name>SessionBean2</ejb-name>
    <method-name>*</method-name>
  </method>
</method-permission>
My EJB-JBoss configuration and my Web.xml are both using the same <security-domain>, and I have no unauthenticated-principal set.
Here is the trace:
2005-11-20 00:46:17,140 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:17,140 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-11-20 00:46:17,140 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2005-11-20 00:46:17,140 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: admin
Principal: Roles(members:Guest,Administrator)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@13f25e3{principal=admin,subject=18489944}
2005-11-20 00:46:17,140 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2005-11-20 00:46:17,140 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2005-11-20 00:46:17,156 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2005-11-20 00:46:17,156 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
2005-11-20 00:46:17,156 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2005-11-20 00:46:17,156 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:17,156 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
2005-11-20 00:46:18,375 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 2E6F48CFB8D7C4D4A6B829B9E87D4256
2005-11-20 00:46:18,375 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /mwo/actions/secure/ListAccounts.do
2005-11-20 00:46:18,375 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:18,375 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[action]' against GET /actions/secure/ListAccounts.do --> true
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[action]' against GET /actions/secure/ListAccounts.do --> true
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.authenticator.FormAuthenticator] Already authenticated 'admin'
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
2005-11-20 00:46:18,390 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,390 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: admin
Principal: Roles(members:Guest,Administrator)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@d062ed{principal=admin,subject=18489944}
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.core.StandardWrapper] Returning non-STM instance
2005-11-20 00:46:18,390 TRACE [org.jboss.web.tomcat.security.RunAsListener] action, runAs: null
2005-11-20 00:46:18,390 TRACE [org.jboss.web.tomcat.security.RunAsListener] action, runAs: null
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=admin
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] Begin isValid, principal:admin, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@17fdc2d[Subject(20435221).principals=org.jboss.security.SimplePrincipal@17286677(admin)org.jboss.security.SimpleGroup@17346346(Roles(members:Guest,Administrator)),credential.class=java.lang.String@13577344,expirationTime=1132470898390]
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@17fdc2d[Subject(20435221).principals=org.jboss.security.SimplePrincipal@17286677(admin)org.jboss.security.SimpleGroup@17346346(Roles(members:Guest,Administrator)),credential.class=java.lang.String@13577344,expirationTime=1132470898390];credential.class=java.lang.String@13577344
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] End validateCache, isValid=true
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] End isValid, true
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: admin
Principal: Roles(members:Guest,Administrator)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@10edaf3{principal=admin,subject=4767079}
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@10edaf3{principal=admin,subject=4767079}
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] doesUserHaveRole(Set), subject: Subject:
Principal: admin
Principal: Roles(members:Guest,Administrator)
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] roles=Roles(members:Guest,Administrator)
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole(Administrator)=true
2005-11-20 00:46:18,390 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole=true
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,390 DEBUG [com.myejb.Session1Bean] getSession2
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=admin
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] Begin isValid, principal:admin, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@17fdc2d[Subject(20435221).principals=org.jboss.security.SimplePrincipal@17286677(admin)org.jboss.security.SimpleGroup@17346346(Roles(members:Guest,Administrator)),credential.class=java.lang.String@13577344,expirationTime=1132470898390]
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] Begin validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@17fdc2d[Subject(20435221).principals=org.jboss.security.SimplePrincipal@17286677(admin)org.jboss.security.SimpleGroup@17346346(Roles(members:Guest,Administrator)),credential.class=java.lang.String@13577344,expirationTime=1132470898390];credential.class=java.lang.String@13577344
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] End validateCache, isValid=true
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] End isValid, true
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: admin
Principal: Roles(members:Guest,Administrator)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@15ab821{principal=admin,subject=15632500}
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@15ab821{principal=admin,subject=15632500}
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] doesUserHaveRole(Set), subject: Subject:
Principal: admin
Principal: Roles(members:Guest,Administrator)
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] roles=Roles(members:Guest,Administrator)
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole(Administrator)=true
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole=true
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,484 DEBUG [com.myejb.jboss.Session2SecurityProxy] Entered setEJBContext(EJBContext)
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] getPrincipal, cache info: null
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2005-11-20 00:46:18,500 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@15ab821{principal=admin,subject=15632500}
2005-11-20 00:46:18,500 ERROR [org.jboss.ejb.plugins.LogInterceptor] TransactionRolledbackException in method: public abstract com.myejb.Session2Remote com.myejb.Session2Home.create() throws javax.ejb.CreateException,java.rmi.RemoteException, causedBy:
java.lang.IllegalStateException: No valid security context for the caller identity
at org.jboss.ejb.EnterpriseContext$EJBContextImpl.getCallerPrincipalInternal(EnterpriseContext.java:370)
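As an added diagnostic aid (not part of the original post, and not JBoss code), the script below replays the SecurityAssociation push/pop entries of a trace like the one above and reports the caller-identity state at the first ERROR entry: how many subject contexts are still pushed, whether a run-as identity is active, and whether the last JaasSecurityManager cache lookup for the caller came back null. The embedded sample trace is a constructed, abridged copy of the lines quoted in the post.

```python
import re

# Constructed sample: an abridged copy of the JBoss TRACE output quoted above (Subject dumps shortened).
SAMPLE_TRACE = """\
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: admin
, sc=org.jboss.security.SecurityAssociation$SubjectContext@d062ed{principal=admin,subject=18489944}
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
, sc=org.jboss.security.SecurityAssociation$SubjectContext@15ab821{principal=admin,subject=15632500}
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,484 TRACE [org.jboss.security.plugins.JaasSecurityManager.mwo] getPrincipal, cache info: null
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
2005-11-20 00:46:18,500 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@15ab821{principal=admin,subject=15632500}
2005-11-20 00:46:18,500 ERROR [org.jboss.ejb.plugins.LogInterceptor] TransactionRolledbackException in method: create()
"""

# Identity of a pushed/popped SubjectContext and the principal it carries.
SC_ID = re.compile(r"SubjectContext@(\w+)\{principal=([^,}]*)")


def audit(text):
    """Replay SecurityAssociation push/pop calls up to the first ERROR entry; None if there is no ERROR."""
    # One record per log entry: continuation lines (the Subject dumps) carry no leading timestamp.
    entries = re.split(r"(?m)^(?=\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3} )", text)
    sc_stack, run_as_depth, last_cache_lookup = [], 0, None
    for rec in entries:
        if "pushSubjectContext" in rec:
            sc_stack.append(SC_ID.search(rec).groups())
        elif "popSubjectContext" in rec:
            if not sc_stack or sc_stack[-1][0] != SC_ID.search(rec).group(1):
                raise ValueError("popSubjectContext does not match the context on top of the stack: " + rec)
            sc_stack.pop()
        elif "pushRunAsIdentity" in rec:
            run_as_depth += 1
        elif "popRunAsIdentity" in rec:
            run_as_depth -= 1
        elif "getPrincipal, cache info:" in rec:  # JaasSecurityManager authentication-cache lookup
            last_cache_lookup = rec.rsplit("cache info:", 1)[1].strip()
        elif " ERROR " in rec:
            return {
                "subject_context_depth": len(sc_stack),
                "top_principal": sc_stack[-1][1] if sc_stack else None,
                "run_as_depth": run_as_depth,
                "principal_cache_lookup": last_cache_lookup,
                # null here means the domain's JaasSecurityManager held no cached Subject for the caller
                "suspect_null_cache_lookup": last_cache_lookup == "null",
            }
    return None
```

Run against the full trace, a non-empty subject_context_depth with a null cache lookup at the failure point narrows the problem to the second container's authentication cache rather than to the web-tier login.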