12 Replies Latest reply on Jun 29, 2006 8:06 PM by smajima

    NEED HELP : Declarative authorization doesn't work

    smajima

      I am trying to use declarative authorization limits, but it doesn't work. JBoss is 4.0.4.GA.

      I use FORM authentication and call a stateless session bean via a servlet.

      The users and roles are set by DatabaseServerLoginModule.

      The users are:

      mysql> select * from users;
      +----------+----------+
      | username | passwd |
      +----------+----------+
      | user1 | password |
      | user2 | password |
      | user3 | password |
      | manager | password |
      +----------+----------+


      mysql> select * from userroles;
      +----------+-----------+
      | username | userRoles |
      +----------+-----------+
      | user1 | user |
      | user2 | user |
      | user3 | user |
      | manager | admin |
      +----------+-----------+

      The program is a tiny one.

      The method multi is allowed only for the "user" role.
      The method plus is allowed only for the "admin" role.
      The method minus is allowed for any role.

      I executed the program, but manager is able to execute multi, and user1 is able to execute plus.
      No message comes from JBoss.

      package security.sample;

      import java.security.Principal;

      import javax.annotation.Resource;
      import javax.annotation.security.PermitAll;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;

      // Calculator is the bean's business interface (declared elsewhere in the project).
      @Stateless
      public class CalculatorBean implements Calculator {

          // Injected by the container; used to look up the authenticated caller.
          @Resource
          private SessionContext ctx;

          // Only callers in role "user" should reach this method.
          @RolesAllowed("user")
          public int multi(int value1, int value2) {
              checkUser("multi");
              return value1 * value2;
          }

          // Only callers in role "admin" should reach this method.
          @RolesAllowed("admin")
          public int plus(int value1, int value2) {
              checkUser("plus");
              return value1 + value2;
          }

          // Any authenticated caller may invoke this method.
          @PermitAll
          public int minus(int value1, int value2) {
              checkUser("minus");
              return value1 - value2;
          }

          // Prints the invoked method and the caller principal to the server log.
          private void checkUser(String methodName) {
              System.out.println("method:" + methodName);
              Principal caller = ctx.getCallerPrincipal();
              String name = caller.getName();
              System.out.println("name:" + name);
          }
      }



      Has anyone checked declarative authorization?

      Could you give me some advice?

      Susumu


        • 1. Re: NEED HELP : Declarative authorization doesn't work
          j2ee_junkie

          Susumu,

          It would be helpful to see what is happening at authentication time in trace logging for the JBoss security layer. Also, you can verify what roles the principals have by viewing the authentication cache using the jmx-console. Please let us know.

          thanks, cgriffith

          • 2. Re: NEED HELP : Declarative authorization doesn't work
            smajima

            Sorry, I'm new to JBoss & EJB.

            I'm not sure the part I cut out of server.log is the appropriate one.

            The server.log is:

            TestDB is the database I use to store the security data (users, roles).

            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManager.TestDB] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@14d8c01
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@22a6bb
            2006-06-27 09:25:11,918 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@f0756d{ url=null ,addedOrder=0}
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManager.TestDB] CachePolicy set to: org.jboss.util.TimedCachePolicy@ad4bb0
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@ad4bb0
            2006-06-27 09:25:11,918 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added TestDB, org.jboss.security.plugins.SecurityDomainContext@144426c to map
            2006-06-27 09:25:11,934 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@187b796{ url=null ,addedOrder=0}
            2006-06-27 09:25:11,949 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: registering pool with interval 900000 old interval: 9223372036854775807
            2006-06-27 09:25:11,949 DEBUG [org.jboss.resource.connectionmanager.IdleRemover] internalRegisterPool: about to notify thread: old next: 1151368361949, new next: 1151368361949
            2006-06-27 09:25:12,199 DEBUG [org.jboss.web.tomcat.tc5.jasper.TagLibCache] Scanning for tlds in: file:/C:/jboss-4.0.4.GA/server/default/deploy/jbossweb-tomcat55.sar/jsf-libs/myfaces-impl.jar
            2006-06-27 09:25:12,668 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@2efae4{ url=null ,addedOrder=0}
            2006-06-27 09:25:12,714 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@19dc72f{ url=null ,addedOrder=0}
            2006-06-27 09:25:12,886 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b3251d{ url=null ,addedOrder=0}
            2006-06-27 09:25:13,167 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@12b71eb{ url=null ,addedOrder=0}
            2006-06-27 09:25:13,167 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1441dc0{ url=null ,addedOrder=0}
            2006-06-27 09:25:13,183 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b6c74{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@109eab7{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@10cf62{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@19f332b{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 INFO [STDOUT] method:plus
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@d86cae{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,100 INFO [STDOUT] name:user1
            2006-06-27 09:25:21,100 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@16915d4{ url=null ,addedOrder=0}
            2006-06-27 09:25:21,132 DEBUG [org.jboss.mx.loading.RepositoryClassLoader] setRepository, repository=org.jboss.mx.loading.HeirarchicalLoaderRepository3@1f74864, cl=org.jboss.mx.loading.HeirarchicalLoaderRepository3$CacheClassLoader@1b2979e{ url=null ,addedOrder=0}
            


            I don't understand what I should enter as the parameter of java.util.List getAuthenticationCachePrincipals().

            Could you let me know what I should enter to check the authentication cache via the jmx-console?

            Thanks in advance



            • 3. Re: NEED HELP : Declarative authorization doesn't work
              j2ee_junkie

              Susumu,

              The String parameter of java.util.List getAuthenticationCachePrincipals() is the name of the security domain. This function will show you what principals are currently logged in that domain.

              Your post below is useless. What is needed is trace logging of the authentication at the time a user requests a secured resource for the first time. Also, it would be useful to check your application-policy config.

              cgriffith

              • 4. Re: NEED HELP : Declarative authorization doesn't work
                smajima

                I'm terribly sorry, but I don't know how to get authentication trace logging.
                Where (in which file) can I find the application-policy config?

                Could you let me know?


                I used the jmx-console, and the currently logged-in principal in the domain is user1.

                Susumu

                • 5. Re: NEED HELP : Declarative authorization doesn't work
                  muhviehstarr

                  Hello. I think you forgot the @SecurityDomain annotation on the class.

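                  As an added example (not code posted in this thread), the bean from the first post rewritten with the class-level @SecurityDomain that the reply above points to, bound to the "TestDB" application-policy the original poster uses, plus a programmatic isCallerInRole cross-check that fails closed when the declarative layer is not enforcing the annotations. Assumptions: the JBoss 4.x EJB3 annotation org.jboss.annotation.security.SecurityDomain is on the classpath, and Calculator is the bean's business interface, which is not shown on the page.

```java
package security.sample;

import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// JBoss-specific annotation (assumed available in the JBoss 4.x EJB3 jars). It binds
// the bean to a JAAS security domain. Without it the EJB3 security interceptor has no
// domain to evaluate the caller against, so @RolesAllowed is silently not enforced.
import org.jboss.annotation.security.SecurityDomain;

@Stateless
@SecurityDomain("TestDB") // must match <application-policy name="TestDB"> in login-config.xml
@DeclareRoles({ "user", "admin" }) // makes the role names usable from isCallerInRole()
public class CalculatorBean implements Calculator { // Calculator: business interface, assumed

    @Resource
    private SessionContext ctx;

    @RolesAllowed("user")
    public int multi(int value1, int value2) {
        requireRole("multi", "user");
        return value1 * value2;
    }

    @RolesAllowed("admin")
    public int plus(int value1, int value2) {
        requireRole("plus", "admin");
        return value1 + value2;
    }

    @PermitAll
    public int minus(int value1, int value2) {
        logCaller("minus");
        return value1 - value2;
    }

    // Programmatic cross-check of the declarative rule. When the container enforces
    // @RolesAllowed, every caller reaching this point already holds the role, so the
    // branch below fires only when the security interceptor is not active (for example
    // the missing @SecurityDomain in the original bean). Failing closed here turns a
    // silent misconfiguration into a visible, logged access-denied error.
    private void requireRole(String methodName, String role) {
        logCaller(methodName);
        if (!ctx.isCallerInRole(role)) {
            System.out.println("WARNING: declarative check bypassed for " + methodName
                    + "; caller is not in role '" + role + "'");
            throw new EJBAccessException("Caller is not in role " + role);
        }
    }

    // Logs the invoked method and the authenticated caller, like the original checkUser().
    private void logCaller(String methodName) {
        Principal caller = ctx.getCallerPrincipal();
        System.out.println("method:" + methodName + " name:" + caller.getName());
    }
}
```

                  With the domain bound, the container's own check rejects user1 calling plus before the method body runs; the warning branch is only a detection net for deployments where the binding is missing.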
                  • 6. Re: NEED HELP : Declarative authorization doesn't work
                    jaikiran

                     

                    I'm terribly sorry but I don't know how to get authentication trace logging


                    Have a look at Q4: How to debug security layer at:

                    http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

                    Where(in which file) can I find application-policy config?


                    You can find this in the login-config.xml file present in the %JBOSS_HOME%/server/default/conf directory.



                    • 7. Re: NEED HELP : Declarative authorization doesn't work
                      smajima

                      The log is below. In this case I selected multi as user1.


                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:53:58,408 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      2006-06-29 18:53:58,408 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:53:58,408 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                      2006-06-29 18:54:22,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574862876 sessioncount 1
                      2006-06-29 18:54:22,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574892876 sessioncount 0
                      2006-06-29 18:54:52,876 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:55:22,875 DEBUG [org.apache.catalina.session.ManagerBase] Start expire sessions StandardManager at 1151574922875 sessioncount 1
                      2006-06-29 18:55:22,875 DEBUG [org.apache.catalina.session.ManagerBase] End expire sessions StandardManager processingTime 0 expired sessions: 0
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 42C1AA6EFF40E2ACA51C4C43298226D5
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /SecurityCheckEJB/calc.jsp
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc.jsp --> true
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc.jsp --> true
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
                      2006-06-29 18:55:28,063 DEBUG [org.jboss.web.tomcat.security.FormAuthenticator] Already authenticated 'user1'
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 does NOT have role admin
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: admin
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 has role user
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
                      2006-06-29 18:55:28,063 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=??????:
                      ??: user1
                      ??: Roles(members:user)
                      , sc=org.jboss.security.SecurityAssociation$SubjectContext@1e07d3e{principal=user1,subject=17274660}
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      2006-06-29 18:55:28,063 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:28,063 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.connector.CoyoteAdapter] Requested cookie session id is 42C1AA6EFF40E2ACA51C4C43298226D5
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request GET /SecurityCheckEJB/calc
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type FORM for principal GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc --> true
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[User Auth]' against GET /calc --> true
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
                      2006-06-29 18:55:33,594 DEBUG [org.jboss.web.tomcat.security.FormAuthenticator] Already authenticated 'user1'
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling accessControl()
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 does NOT have role admin
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: admin
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.realm.RealmBase] Username user1 has role user
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: user
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Successfully passed all security constraints
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=??????:
                      ??: user1
                      ??: Roles(members:user)
                      , sc=org.jboss.security.SecurityAssociation$SubjectContext@13e9963{principal=user1,subject=17274660}
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=user1
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@c85a33{principal=user1,subject=null}
                      2006-06-29 18:55:33,594 INFO [STDOUT] method:plus
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] getCallerPrincipal, principal=user1
                      2006-06-29 18:55:33,594 INFO [STDOUT] name:user1
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@c85a33{principal=user1,subject=null}
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] servletPath=/answer.jsp, pathInfo=null, queryString=null, name=null
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Path Based Forward
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] jsp, runAs: null
                      2006-06-29 18:55:33,594 DEBUG [org.apache.catalina.core.ApplicationDispatcher] Disabling the response for futher output
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.RunAsListener] calcservlet, runAs: null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
                      2006-06-29 18:55:33,594 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, callerGenericPrincipal[user1(user,)]
                      2006-06-29 18:55:33,594 TRACE [org.jboss.security.SecurityAssociation] clear, server=true


                      My application-policy is:

                       <!-- added by Majima for test -->
                       <application-policy name="TestDB">
                         <authentication>
                           <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                         flag="required">
                             <module-option name="dsJndiName">java:/MySecurityDS</module-option>
                             <module-option name="principalsQuery">select passwd from users where username=?</module-option>
                             <module-option name="rolesQuery">select userroles, 'Roles' from userroles where username=?</module-option>
                           </login-module>
                         </authentication>
                       </application-policy>



                      • 8. Re: NEED HELP : Declarative authorization doesn't work
                        jaikiran

                         

                        In this case I select multi as user1.


                        This is going to work, isn't it? Since you have specified that the method multi can be invoked by users in the "user" role (and user1 belongs to the "user" role).

                        Your first post mentioned that

                        The method multi is allowed only for the "user" role, but manager is able to execute multi


                        Try out this case (i.e. try the multi operation with manager) and post the TRACE logs.




                        • 9. Re: NEED HELP : Declarative authorization doesn't work
                          smajima

                          I'm sorry, I gave you wrong information.
                          I selected plus as user. The logging above is for this case.

                          If it works correctly, user1 can't execute plus.

                          Susumu

                          • 10. Re: NEED HELP : Declarative authorization doesn't work
                            jaikiran

                            Can you please post your ejb-jar.xml

                            • 11. Re: NEED HELP : Declarative authorization doesn't work
                              jaikiran

                              Can you please post your ejb-jar.xml. The logs show that user1 was authenticated correctly and has been identified in the correct role.

                              • 12. Re: NEED HELP : Declarative authorization doesn't work
                                smajima

                                I don't have an ejb-jar.xml, because I don't think I need to specify anything in ejb-jar.xml.

                                Am I understanding it wrong?

                                If something is needed in ejb-jar.xml, could you show me an example?