7 Replies Latest reply on Jul 12, 2006 1:46 AM by jaikiran

    Problem extending Web security to EJBs

    flarosa

      Hello,

      I am able to set up accounts and protect web resources in my application, but I'm unable to figure out how to protect my EJBs.

      Here is what I have done so far:

      (1) I created users.properties and roles.properties files, and deployed them to the ".ear" directory.

      (2) I did not create any jboss-web.xml file, so my default security realm ought to be the one defined in the jboss-service.xml file in the Tomcat directory; i.e. java:/jaas/other.

      (3) I added all of this to my web.xml file:

      <security-constraint>
        <web-resource-collection>
          <web-resource-name>Administrative</web-resource-name>
          <url-pattern>/admin/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>Producer</role-name>
        </auth-constraint>
      </security-constraint>

      <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>default</realm-name>
      </login-config>

      <security-role>
        <description>Website producers</description>
        <role-name>Producer</role-name>
      </security-role>

      So far this does what I want: when I try to access any web resource at or below /admin, I'm prompted for a login. Entering a name and password from the users.properties file which has the Producer role lets me in.

      Next, I want to assign the same protection to some EJB methods, so I did this:

      (1) I created a jboss.xml file and typed this into it:

      <jboss>
        <security-domain>java:/jaas/other</security-domain>
      </jboss>
      (2) I deployed the jboss.xml file to my EJB's META-INF directory (same place as ejb-jar.xml).

      (3) I modified my ejb-jar.xml file as follows:

      <security-role>
        <role-name>Producer</role-name>
      </security-role>

      <method-permission>
        <role-name>Producer</role-name>
        <method>
          <ejb-name>DataServices</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>

      (4) I added this code to my EJB client application, which runs outside of the JBoss container:

      import java.util.Hashtable;
      import javax.naming.Context;
      import javax.naming.InitialContext;

      Hashtable ht = new Hashtable();
      ht.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
      ht.put(Context.PROVIDER_URL, args[0]);   // JNDI provider URL, taken from the command line
      ht.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
      ht.put(Context.SECURITY_PRINCIPAL, username);
      ht.put(Context.SECURITY_CREDENTIALS, password);
      ht.put(Context.SECURITY_AUTHENTICATION, "simple");
      Context ctx = new InitialContext(ht);     // the EJB home is looked up from this context

      Regardless of what username and password I pass here - valid or invalid - I get this exception when I try to call the create() method on the EJB's home object:

      java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      java.rmi.AccessException: SecurityException; nested exception is:
      javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required

      It would seem that while JBoss has correctly figured out that some sort of login is required to access the EJB, it does not recognize the supplied credentials.

      Any advice would be appreciated, thanks.

      Frank

        • 1. Re: Problem extending Web security to EJBs
          starksm64
          • 2. Re: Problem extending Web security to EJBs
            flarosa

            Hi Scott,

            Thanks for the reply. I wasn't sure which factory to use, so I tried them both.

            With JndiLoginInitialContextFactory, I get:
            Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/security/jndi/SecurityAssociationActions

            I can't seem to locate that class - it isn't in jbossall-client.jar.

            With LoginInitialContextFactory, I get:
            java.lang.SecurityException: Unable to locate a login configuration

            I didn't see anything about having to have a login configuration in the FAQ.

            What should I be passing for Security Protocol? Does it expect just the name of the JAAS module, or does it want the whole path?

            • 3. Re: Problem extending Web security to EJBs
              starksm64

              [sstark@sstark tutorial]$ jar -tf /cvs/Releases/jboss-4.0.3SP1/client/jbossall-client.jar | grep JndiLoginInitialContextFactory
              org/jboss/security/jndi/JndiLoginInitialContextFactory.class

              http://wiki.jboss.org/wiki/Wiki.jsp?page=LoginInitialContextFactory

              • 4. Re: Problem extending Web security to EJBs
                flarosa

                Thanks. I did read that Wiki page earlier. That class is in fact in the jar and the jar is in my classpath, so I can't figure out why I'm getting a NoClassDefFoundError.

                Can you elaborate on what the value of Context.SECURITY_PROTOCOL should be? The doc says "name of the JAAS login module". Should I put "java:/jaas/other" for this? Or just "other"? I tried them both, but I'm not getting past the NoClassDefFound problem.

                Here's the rest of the stack trace:
                Exception in thread "main" java.lang.NoClassDefFoundError: org/jboss/security/jndi/SecurityAssociationActions
                at org.jboss.security.jndi.JndiLoginInitialContextFactory.getInitialContext(JndiLoginInitialContextFactory.java:64)
                at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
                at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:247)
                at javax.naming.InitialContext.init(InitialContext.java:223)
                at javax.naming.InitialContext.<init>(InitialContext.java:197)

                • 5. Re: Problem extending Web security to EJBs
                  flarosa

                  I have also noticed that as soon as I added the security-domain element to my jboss.xml file, it broke the rest of my application because now all the EJB methods require security to access them, not just the ones I marked.

                  I tried marking the rest as "guest", but this is no help.

                  • 6. Re: Problem extending Web security to EJBs
                    warrenc6

                    Release ID: JBoss [Zion] 4.0.4.GA (build: CVSTag=JBoss_4_0_4_GA date=200605151000)

                    As soon as I add
                    <security-domain>java:/jaas/CLICK2CALL</security-domain> to jboss.xml

                    I get

                    java.lang.SecurityException: Insufficient method permissions, principal=admin, ejbName=CallControlBean, method=create, interface=HOME, requiredRoles=[], principalRoles=[admin]

                    Even when there are no roles or method-permissions defined. I think this is a bug.

                    • 7. Re: Problem extending Web security to EJBs
                      jaikiran

                      You have to *explicitly* add the <unchecked/> tag as part of the method permissions of your bean. Something like:

                      <method-permission>
                        <unchecked/>
                        <method>
                          <ejb-name>MyBean</ejb-name>
                          <method-name>*</method-name>
                        </method>
                      </method-permission>
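Putting the two halves of this thread together, here is the assembly-descriptor section of an ejb-jar.xml that restricts the DataServices bean from the first post to the Producer role while keeping a second bean open. This is an added example, not configuration posted by anyone in the thread; the bean name PublicServices is a constructed placeholder for "the rest" of the application.

```xml
<!-- Goes inside <ejb-jar> in ejb-jar.xml, after <enterprise-beans> -->
<assembly-descriptor>
  <!-- Every role referenced by a method-permission must be declared here -->
  <security-role>
    <description>Website producers</description>
    <role-name>Producer</role-name>
  </security-role>

  <!-- DataServices: all methods, on both home and remote interfaces,
       require a caller with the Producer role -->
  <method-permission>
    <role-name>Producer</role-name>
    <method>
      <ejb-name>DataServices</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>

  <!-- PublicServices (constructed name): once jboss.xml sets a security-domain,
       a method with no permission entry is denied (requiredRoles=[] in the
       exception above), so methods meant to stay open must be marked unchecked.
       A role named "guest" would still demand an authenticated caller holding it. -->
  <method-permission>
    <unchecked/>
    <method>
      <ejb-name>PublicServices</ejb-name>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>
```

If only some DataServices methods should be open, list them by name under a separate unchecked method-permission instead of using the `*` wildcard; the role-restricted entry still applies to the rest.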