8 Replies Latest reply on Jul 21, 2006 7:27 AM by plukh

    Problem accessing EJB unchecked method from a servlet (with

    plukh

      Hello, I'm stuck at the following problem. I have one EJB module and two web apps inside a single ear. Relevant parts of configuration files follow:

      From jboss.xml:

      <security-domain>java:/jaas/db_store</security-domain>
      


      From ejb-jar.xml:
       <method-permission>
         <unchecked/>
         <method>
           <ejb-name>ModerEJB</ejb-name>
           <method-intf>Home</method-intf>
           <method-name>create</method-name>
         </method>
       </method-permission>


      From jboss-web.xml #1:
      <security-domain>java:/jaas/db_store</security-domain>
      


      From jboss-web.xml #2:
      <security-domain>java:/jaas/other</security-domain>
      


      From login-config.xml:
       <application-policy name="db_store">
         <authentication>
           <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
             <module-option name="dsJndiName">DS/Standard</module-option>
             <module-option name="principalsQuery">SELECT usr_password FROM users WHERE usr_login = ?</module-option>
             <module-option name="rolesQuery">SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ?</module-option>
             <module-option name="hashAlgorithm">SHA1</module-option>
             <module-option name="hashEncoding">hex</module-option>
             <module-option name="ignorePasswordCase">true</module-option>
             <module-option name="unauthenticatedIdentity">nobody</module-option>
           </login-module>
         </authentication>
       </application-policy>

       <application-policy name="other">
         <authentication>
           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
             <module-option name="unauthenticatedIdentity">nobody</module-option>
           </login-module>
         </authentication>
       </application-policy>


      The bean itself is constructed by a helper (BeanHelper), located inside the ejb module - don't know if it makes a difference.

      Now, on to the problem. I have a servlet in web app #2, which tries to create a bean (by calling an unchecked create() method). Only authorised users have access to the servlet (through BASIC authorization, if it matters). When the call to create() is made, it fails with the following exception (parts skipped for clarity):

      java.rmi.AccessException: SecurityException; nested exception is:
       javax.security.auth.login.FailedLoginException: No matching username found in Principals
       at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:388)
       at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:136)
      ...
       at ru.singlecity.ejb.BeanHelper.getModerBean(BeanHelper.java:216)
      ...
      Caused by: javax.security.auth.login.FailedLoginException: No matching username found in Principals
       at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:152)
       at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:206)
      ...
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
       at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:601)
       at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:535)
       at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:211)
       at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:135)
       at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
       ... 47 more
      


      So - what am I doing wrong? The principal is already set (by the web app) and access to the method of the bean is set to unchecked... If the principal wasn't passed on to the EJB, it would've caused a different exception (see item #1 in the FAQ), but it didn't. Any help would be greatly appreciated!

      With best regards,
      Victor Denisov.

        • 1. Re: Problem accessing EJB unchecked method from a servlet (w
          j2ee_junkie

          Victor,

          Is the principal used as identity (ie username) in web-app#2 during BASIC authentication in your database?

          cgriffith

          • 2. Re: Problem accessing EJB unchecked method from a servlet (w
            plukh

             

            Is the principal used as identity (ie username) in web-app#2 during BASIC authentication in your database?


            No, it's not - I understand that it tries to find the principal in the database and fails. Unfortunately, it's not possible to store users of app#1 and app#2 in the same place - so I have to use different auth schemes.

            Before I implemented BASIC auth in the app#2, I was getting "insufficient method permissions" (IIRC), because the principal was null. This was solved by adding the "unauthenticatedIdentity" option in login-config. Mind you, it didn't try to access the DB then.

            As soon as I added BASIC auth, it started to try to access the DB. So, the question is why is it doing it, when the method is marked as unchecked?

            • 3. Re: Problem accessing EJB unchecked method from a servlet (w
              j2ee_junkie

              Victor,

              It is doing what you have configured it to do.

              Webapp#2 is secured using the "other" security domain. So when a user attempts to access a secured resource (i.e. your servlet), the container performs BASIC authentication via the UsersRolesLoginModule. Thus you have set some principal username and string password in the x.properties files that are referenced by the URLM. This is successful, and a principal is established. We'll call this principal "admin". The servlet then tries to access ModerEJB. This bean is secured via the "db_store" security domain. So the DatabaseServerLoginModule is used to authenticate "admin". However, "admin" is not in the database, so a LoginException is being thrown.

              The method is marked unchecked, but see Q 1 at http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ

              cgriffith

              • 4. Re: Problem accessing EJB unchecked method from a servlet (w
                plukh

                Hmm. I must've read the FAQ about 20 times, and still hadn't thought about this :-(((. So, I must somehow fake unauthenticated access to the bean (so that it will use its unauthenticatedIdentity identity to grant access to an unchecked method). Good starting point, time to read on.

                • 5. Re: Problem accessing EJB unchecked method from a servlet (w
                  j2ee_junkie

                  Victor,

                  There are many options you can try.

                  1.) combine the "other" and "db_store" domains into one and use it for webapp#1, webapp#2, and the ejb. Thus if a user is not authenticated by the DBSLM, the URLM will.

                  2.) Use a run-as role with the servlet

                  3.) Use EJB3.0. The ability to assign a security domain to a method of a bean is very useful. Then you could have two accessors, one for each security domain.

                  4.)etc, etc, etc...

                  I learned a long time ago, if I hit a brick wall trying to do something in JBoss, it is usually because it was the wrong way of doing it.

                  enjoy, cgriffith
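A concrete form of option 1 from the reply above, added here as an illustration and not taken from the thread: one application-policy that chains the two login modules with the JAAS `sufficient` flag, so a caller accepted by either store is authenticated. The policy name "combined" is assumed; the module options are the ones the original post shows.

```xml
<!-- login-config.xml (added example): a single domain that tries the
     database first and falls back to the properties files. With
     flag="sufficient" the chain stops at the first module that succeeds,
     so a login found in the database never consults users.properties. -->
<application-policy name="combined">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
      <module-option name="dsJndiName">DS/Standard</module-option>
      <module-option name="principalsQuery">SELECT usr_password FROM users WHERE usr_login = ?</module-option>
      <module-option name="rolesQuery">SELECT 'CommonUser', 'Roles' FROM users WHERE usr_login = ?</module-option>
      <module-option name="hashAlgorithm">SHA1</module-option>
      <module-option name="hashEncoding">hex</module-option>
      <module-option name="ignorePasswordCase">true</module-option>
    </login-module>
    <!-- Second chance for web app #2 users. unauthenticatedIdentity is only
         needed once, on the last module, so callers with no principal at all
         still end up as "nobody" for the unchecked create(). -->
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
      <module-option name="unauthenticatedIdentity">nobody</module-option>
    </login-module>
  </authentication>
</application-policy>
```

All three deployment descriptors (jboss.xml and both jboss-web.xml files) would then point at `java:/jaas/combined`. The trade-off a defender should see: the roles a caller gets come from whichever module accepted it, and a user name present in both stores is resolved by the database entry only, so the two stores need to be kept from overlapping.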

                  • 6. Re: Problem accessing EJB unchecked method from a servlet (w
                    j2ee_junkie

                    Sorry, #3 is poppy-cock. I am still learning the EJB3.0 spec and JBoss extensions. But I think it can be done with multiple interfaces.

                    • 7. Re: Problem accessing EJB unchecked method from a servlet (w
                      j2ee_junkie

                      Victor,

                      I just want to further point out that the fine folks at JBoss Labs have a wonderful EJB3.0 trail. I have not found any other info on the net to be quite so useful.
                      You can get to it at http://trailblazer.demo.jboss.com/EJB3Trail/

                      enjoy, cgriffith

                      • 8. Re: Problem accessing EJB unchecked method from a servlet (w
                        plukh

                        Thank you very much, Chris, I've used run-as, and it does just what I had in mind! Thanks for the help!
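The run-as configuration the thread settles on, written out as an added example rather than the poster's actual files. The servlet name, its class, the role name "EjbCaller" and the principal name "ejbcaller" are assumed; ModerEJB and the unchecked create() are from the original post.

```xml
<!-- web.xml of web app #2 (added example; names are assumed). The container
     replaces the BASIC-authenticated caller's identity with the run-as role
     for every outbound call the servlet makes, including the EJB home create(). -->
<servlet>
  <servlet-name>ModerServlet</servlet-name>
  <servlet-class>com.example.ModerServlet</servlet-class>
  <run-as>
    <role-name>EjbCaller</role-name>
  </run-as>
</servlet>

<security-role>
  <role-name>EjbCaller</role-name>
</security-role>

<!-- jboss-web.xml of web app #2: JBoss attaches a principal name to the
     run-as role so the bean's getCallerPrincipal() has something to return. -->
<servlet>
  <servlet-name>ModerServlet</servlet-name>
  <run-as-principal>ejbcaller</run-as-principal>
</servlet>

<!-- ejb-jar.xml assembly-descriptor: declare the role on the EJB side.
     create() stays <unchecked/> as in the original post; any other method
     the servlet needs must list the run-as role explicitly (method name assumed). -->
<security-role>
  <role-name>EjbCaller</role-name>
</security-role>
<method-permission>
  <role-name>EjbCaller</role-name>
  <method>
    <ejb-name>ModerEJB</ejb-name>
    <method-intf>Remote</method-intf>
    <method-name>moderate</method-name>
  </method>
</method-permission>
```

Why this avoids the FailedLoginException: JBoss's EJB SecurityInterceptor treats a caller carrying a run-as identity as already authenticated and only checks that the run-as role is permitted, so the db_store login module is never asked about a user it does not know. Two things to keep in mind when choosing this route: the bean no longer sees the real end user (getCallerPrincipal() returns the run-as principal, so any auditing inside the EJB must get the user from the servlet layer), and the run-as role is effectively a standing credential for everything that servlet calls, so only grant it the method permissions the servlet actually needs.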