1. Re: isCallerInRole() called with no security context.
soppe.hhb Nov 22, 2005 3:29 AM (in response to soppe.hhb)
Sorry, I typed:
I can use the isUserInRole() in the session context with no problems, but when I want to use the isCallerInRole() method on the session context I get an exception.
But I meant:
I can use the isUserInRole() on the HttpServletRequest with no problems, but when I want to use the isCallerInRole() method on the session context in a session bean I get an exception.
2. Re: isCallerInRole() called with no security context.
oglueck Nov 22, 2005 4:00 AM (in response to soppe.hhb)
Isn't that very clear: "Check that a security-domain has been set for the application."?
@SecurityDomain("yourdomain")
@Stateless
public class MyBean {
}
3. Re: isCallerInRole() called with no security context.
soppe.hhb Nov 22, 2005 4:06 AM (in response to soppe.hhb)
It looks very clear, but the @SecurityDomain is set.
If this were the problem, it would already have been solved.
4. Re: isCallerInRole() called with no security context.
oglueck Nov 22, 2005 4:23 AM (in response to soppe.hhb)
Try and use the JBoss client login module on the HTTP servlet side. For this define a new login config called "http", for instance:
http {
    org.jboss.security.ClientLoginModule required multi-threaded=true;
};
and use this in your webapp to authenticate against.
For your EJB application then specify your actual login modules.
5. Re: isCallerInRole() called with no security context.
soppe.hhb Nov 22, 2005 5:07 AM (in response to soppe.hhb)
OK, in my login config there are now two application policy configurations:
<application-policy name="haqcsd">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/MySqlDS</module-option>
      <module-option name="principalsQuery">SELECT wachtwoord FROM gebruiker WHERE gebruikersnaam=?</module-option>
      <module-option name="rolesQuery">SELECT gebruiker_type,'Roles' FROM gebruiker WHERE gebruikersnaam=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">BASE64</module-option>
    </login-module>
  </authentication>
</application-policy>
<application-policy name="http">
  <authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
    </login-module>
  </authentication>
</application-policy>
In my jboss-web I select the http security domain:
<jboss-web>
  <security-domain>java:/jaas/http</security-domain>
</jboss-web>
In the session bean I select the haqcsd domain:
@SecurityDomain("haqcsd")
Is this what you meant?
I get "Access to the requested resource has been denied".
6. Re: isCallerInRole() called with no security context.
oglueck Nov 22, 2005 5:19 AM (in response to soppe.hhb)
Yes, exactly. For the http domain also set the multi-threaded=true option. Otherwise this is not thread safe (very hazardous in a web environment...)!
I guess the error comes from the security interceptor of the session bean. Does it say WHY access was denied?
7. Re: isCallerInRole() called with no security context.
soppe.hhb Nov 22, 2005 5:41 AM (in response to soppe.hhb)
Does it make any difference if I set the domain in the auth.conf by:
http {
    org.jboss.security.ClientLoginModule required multi-threaded=true;
};
or in the login config by:
<application-policy name="http">
  <authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required" multi-threaded="true">
    </login-module>
  </authentication>
</application-policy>
I guess I have to comment out the security constraint in my web.xml?
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secure Content</web-resource-name>
    <url-pattern>/app/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>D</role-name>
    <role-name>Z</role-name>
    <role-name>B</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>NONE</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>secure</realm-name>
</login-config>
<security-role>
  <description>D.</description>
  <role-name>D</role-name>
</security-role>
<security-role>
  <description>Z.</description>
  <role-name>Z</role-name>
</security-role>
<security-role>
  <description>B.</description>
  <role-name>B</role-name>
</security-role>
8. Re: isCallerInRole() called with no security context.
oglueck Nov 22, 2005 6:02 AM (in response to soppe.hhb)
auth.conf is not a standard file. If you use it, some component must read it and make a JAAS configuration object out of it. JBoss' DynamicLoginConfig can do that, for example. So for the moment do it in login-config.xml.
Oh, and the correct use of the multi-threaded option is:
<application-policy name="http">
  <authentication>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="multi-threaded">true</module-option>
    </login-module>
  </authentication>
</application-policy>
Instead of disabling it, you can also include both login modules as required in the http policy:
<application-policy name="http">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/MySqlDS</module-option>
      <module-option name="principalsQuery">SELECT wachtwoord FROM gebruiker WHERE gebruikersnaam=?</module-option>
      <module-option name="rolesQuery">SELECT gebruiker_type,'Roles' FROM gebruiker WHERE gebruikersnaam=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">BASE64</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="multi-threaded">true</module-option>
    </login-module>
  </authentication>
</application-policy>
9. Re: isCallerInRole() called with no security context.
soppe.hhb Nov 22, 2005 6:27 AM (in response to soppe.hhb)
OK, this is the full output when I call a method getDeelnemers on a session bean from a servlet.
javax.ejb.EJBException: null; CausedByException is:
isCallerInRole() called with no security context. Check that a security-domain has been set for the application.
org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:46)
org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:70)
org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:134)
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:61)
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:39)
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:63)
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:32)
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:91)
org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:148)
org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:60)
$Proxy122.getDeelnemers(Unknown Source)
web.application.DeelnemersController.handleRequest(DeelnemersController.java:54)
org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:44)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:717)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:658)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:392)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:347)
javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
10. Re: isCallerInRole() called with no security context.
oglueck Nov 22, 2005 6:35 AM (in response to soppe.hhb)
So you are still getting this exception? The servlet must of course use the http policy! Have you configured that correctly?
11. Re: isCallerInRole() called with no security context.
soppe.hhb Nov 22, 2005 7:14 AM (in response to soppe.hhb)
In my login-config.xml I have:
<application-policy name="http">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName">java:/MySqlDS</module-option>
      <module-option name="principalsQuery">SELECT wachtwoord FROM gebruiker WHERE gebruikersnaam=?</module-option>
      <module-option name="rolesQuery">SELECT gebruiker_type,'Roles' FROM gebruiker WHERE gebruikersnaam=?</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">BASE64</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
      <module-option name="multi-threaded">true</module-option>
    </login-module>
  </authentication>
</application-policy>
In my jboss-web.xml I have:
<jboss-web>
  <security-domain>java:/jaas/http</security-domain>
</jboss-web>
This is for the JSPs and servlets, right?
In my session beans I have:
@SecurityDomain("http")
12. Re: isCallerInRole() called with no security context.
oglueck Nov 22, 2005 8:43 AM (in response to soppe.hhb)
I think you want "haqcsd" for your beans, as they are not clients.
The "with no security context" suggests that the container does not perform a JAAS login for your servlet request. Make 100% sure that it does perform authentication (try an invalid user and you should get an error). Then it will work.
13. Re: isCallerInRole() called with no security context.
soppe.hhb Nov 22, 2005 9:07 AM (in response to soppe.hhb)
After I try to log in three times with an invalid user/password I get an HTTP 401 error: "This request requires HTTP authentication ()."
I get the exception when I call the isCallerInRole(String role) method on the SessionContext ctx.
But I can call getCallerPrincipal() and other methods on the SessionContext ctx with a result and no exceptions.
14. Re: isCallerInRole() called with no security context.
oglueck Nov 22, 2005 10:35 AM (in response to soppe.hhb)
When you use isCallerInRole(String) you have to specify all the roles you are referring to in a @RolesReferenced({"role1", "role2"}) at class level. Otherwise they are not available.
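The pieces the thread converges on (an EJB-side security domain, the web tier authenticating through the "http" policy whose ClientLoginModule propagates the caller, and the role names declared on the bean before isCallerInRole() is asked about them), put together as one added example. This is illustrative code written for this page, not code from the thread or from JBoss: the bean name, the local interface, the servlet and the JNDI name "DeelnemersBean/local" are assumptions; the domain "haqcsd", the roles D, Z and B and the method name getDeelnemers are taken from the thread. It uses @DeclareRoles, the final EJB 3.0 name for the draft-era @RolesReferenced annotation the last reply refers to.

```java
import java.io.IOException;
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Local;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.jboss.annotation.security.SecurityDomain;

// Assumed local business interface (not in the thread).
@Local
interface DeelnemersLocal {
    String getDeelnemers();
}

// EJB side: the bean authenticates/authorizes against the "haqcsd" domain
// (DatabaseServerLoginModule in login-config.xml), not the "http" client domain.
@Stateless
@SecurityDomain("haqcsd")
// Every role name later passed to isCallerInRole() must be declared here;
// without this the container has no role reference to resolve.
@DeclareRoles({"D", "Z", "B"})
class DeelnemersBean implements DeelnemersLocal {

    @Resource
    private SessionContext ctx;

    // Declarative check first: callers outside these roles never reach the body.
    @RolesAllowed({"D", "Z", "B"})
    public String getDeelnemers() {
        // Works only when the web tier propagated a security context; with no
        // context this is where the "isCallerInRole() called with no security
        // context" exception from the thread is raised.
        Principal caller = ctx.getCallerPrincipal();
        if (ctx.isCallerInRole("B")) {
            return "full list for " + caller.getName();
        }
        return "restricted list for " + caller.getName();
    }
}

// Web side: web.xml's security-constraint plus jboss-web.xml's
// java:/jaas/http domain make the container authenticate the request
// (BASIC auth) before this servlet runs, and the ClientLoginModule in the
// "http" policy (multi-threaded=true) associates the caller with the thread
// so the EJB invocation below carries it.
class DeelnemersServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Servlet-side role check: the same roles, resolved by the web container.
        if (!req.isUserInRole("D") && !req.isUserInRole("Z") && !req.isUserInRole("B")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            // Assumed JNDI name; adjust to the deployment's actual binding.
            DeelnemersLocal bean =
                (DeelnemersLocal) new InitialContext().lookup("DeelnemersBean/local");
            resp.setContentType("text/plain");
            resp.getWriter().println(bean.getDeelnemers());
        } catch (NamingException e) {
            resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, e.getMessage());
        }
    }
}
```

A quick way to confirm the propagation half is working, as the thread suggests, is to request the protected URL with wrong credentials and expect a 401 from the web tier; once that holds, a bean method that only calls getCallerPrincipal() should show the same user name the servlet sees, and isCallerInRole() should then answer for any role listed in @DeclareRoles.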