java.lang.SecurityException: Insufficient method permissions
craig1980 Mar 9, 2007 11:29 AMHi all.
I have a problem in invoking a statefull session bean in JBoss AS.
When i call this Ejb i have this error:
java.lang.SecurityException: Insufficient method permissions, principal=tiziana1, ejbName=WorkflowEngine, method=create, interface=HOME, requiredRoles=[WfMOpenAdmin], principalRoles=[WfMOpenAdmin, WfMOpenAdmin]
As you can see the expected role is WfMOpenAdmin and the principal used for invokign this EJB has these roles: WfMOpenAdmin, WfMOpenAdmin
For loggin into JBoss i have written this login module:
package it.eng.smclient.accessmanager.authentication.jaas.module.jboss; import it.eng.smclient.accessmanager.authentication.jaas.principals.Login; import it.eng.smclient.accessmanager.authentication.jaas.principals.WfmOpen; import it.eng.smclient.accessmanager.configuration.Configuration; import it.eng.smclient.accessmanager.configuration.securityaccessfilter.EjbRole; import it.eng.smclient.accessmanager.configuration.utils.SingletonConfiguration; import it.eng.smclient.accessmanager.iface.SecManagerAuthorizationIface; import it.eng.smclient.accessmanager.util.resource.Message; import it.eng.smclient.accessmanager.util.resource.constants.Rbaccessmanager; import java.security.Principal; import java.security.acl.Group; import java.util.ArrayList; import java.util.Enumeration; import java.util.Iterator; import java.util.List; import java.util.Map; import java.util.Set; import javax.security.auth.Subject; import javax.security.auth.callback.CallbackHandler; import javax.security.auth.login.FailedLoginException; import javax.security.auth.login.LoginException; //import javax.security.auth.spi.LoginModule; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; import org.jboss.security.NestableGroup; import org.jboss.security.SecurityAssociation; import org.jboss.security.SimpleGroup; //import org.jboss.security.SimplePrincipal; import org.jboss.security.auth.spi.AbstractServerLoginModule; public class SecurityManagerLoginModule extends AbstractServerLoginModule{ static public final Log logger = LogFactory.getLog(SecurityManagerLoginModule.class); private Rbaccessmanager rb = new Rbaccessmanager(); private Message message = new Message(rb); String username = null; protected Subject subject; protected CallbackHandler callbackHandler; protected Map sharedState; protected Map options; protected boolean loginOk; protected Principal unauthenticatedIdentity; protected Configuration conf = null; protected String ejbRole = null; public void initialize(Subject subject, CallbackHandler callbackHandler, Map sharedState, Map options) { logger.debug("[Method - initialize] [INIT]"); if (logger.isTraceEnabled()) logger.debug("[Method - initialize] [instance=@] " + System.identityHashCode(this)); this.subject = subject; this.callbackHandler = callbackHandler; this.sharedState = sharedState; this.options = options; logger.debug("[Method - initialize] [Security domain:] " + (String) options.get("jboss.security.security_domain")); String name = (String) options.get("unauthenticatedIdentity"); ejbRole = (String) options.get("ejbRole"); if (name != null) { try { unauthenticatedIdentity = createIdentity(name); logger.info("Aggiungo il principal: " + unauthenticatedIdentity+ " al subject: "+ subject); subject.getPrincipals().add(unauthenticatedIdentity); subject.getPrincipals().add(getIdentity()); Set principals = subject.getPrincipals(); Group roleSets[] = getRoleSets(); for (int g = 0; g < roleSets.length; g++) { Group group = roleSets[g]; String aName = group.getName(); Group subjectGroup = createGroup(aName, principals); if (subjectGroup instanceof NestableGroup) { SimpleGroup tmp = new SimpleGroup("Roles"); subjectGroup.addMember(tmp); subjectGroup = tmp; } // if (subjectGroup instanceof NestableGroup) Principal role; for (Enumeration members = group.members(); members .hasMoreElements(); subjectGroup.addMember(role)) role = (Principal) members.nextElement(); } SecurityAssociation.setPrincipal(unauthenticatedIdentity); //SecurityAssociation.setCredential(credential); SecurityAssociation.setSubject(subject); logger.info("Aggiunto il principal a subject che ora è: " + subject); logger.debug("[Method - initialize] [navigazione anonima] " + name); } catch (Exception e) { logger.error("[Method - initialize] " + "[Inizializzazione modulo di login non riuscita - " + " Verificare la configurazione dei moduli]"); logger.error("[Method - initialize] [Exception]",e); logger.error("[Method - initialize] [message]" + e.getMessage()); } } // if (name != null) logger.debug("[Method - initialize] [END]"); } // public void initialize(Subject subject, CallbackHandler // callbackHandler, Map sharedState, Map options) public boolean login() throws LoginException { logger.debug("[Method - login] [LoginModule]"); /* JAASConfigFile jaas = new JAASConfigFile(); jaas.displayProperties(); */ boolean result = false; loginOk = false; try { if (subject != null) { Iterator iter = subject.getPrivateCredentials().iterator(); while (iter.hasNext()) { Object obj = iter.next(); if (obj instanceof Login) { username = ((Login) obj).getName(); logger.debug("[Method - login]" + "[Username not null] " + username); System.setProperty("javax.security.auth.login.name",username); } // if (obj instanceof Login) } // while ( iter.hasNext()) } // if (subject != null) // Se username = [null] vuol dire che ho effettuato autenticazione // e sto richiamando il modulo all'interno dell'applicazione if (username == null) { logger.debug("[Method - login] " + "[Username = null] [Leggo le propietà di Sistema]"); username = System.getProperty("javax.security.auth.login.name"); logger.debug("[Method - login] " + "[javax.security.auth.login.name] " + username); } else { sharedState.put("javax.security.auth.login.name",username); Object credential = System.getProperty("javax.security.auth.login.name"); List rolesPM = ((SecManagerAuthorizationIface) Configuration .getAccessManagerImplementation()).getRoles(); logger.debug("[Method - login] [Lista Ruoli PM] " + rolesPM); WfmOpen wfmPrincipal = new WfmOpen(username); SingletonConfiguration singletonConfig = SingletonConfiguration.getInstance(null,null); Configuration conf = singletonConfig.getConfiguration(); wfmPrincipal.setApplication(conf.getApplication() .getApplicationCode()); ArrayList roles = new ArrayList(); String role = ((EjbRole) conf.getEjbSecurityIdentity() .getEjbRoles().iterator().next()).getRole(); roles.add(role); ArrayList groups = new ArrayList(); groups.add("Some Group"); groups.add("Order Processing"); wfmPrincipal.setRoles(roles); wfmPrincipal.setGroups(groups); SecurityAssociation.setPrincipal(wfmPrincipal); SecurityAssociation.setCredential(credential); SecurityAssociation.setSubject(subject); } // if (username != null) loginOk = true; result = true; logger.debug("[Method - login] [END]"); } catch (Exception e) { logger.error("[Method - login] ", e); throw new FailedLoginException(message .getMessage(rb.MODULE_LOGIN_ERROR)); // throw new LoginException( e.getMessage() ); } return result; } // public boolean login() throws LoginException protected Principal createIdentity(String name) throws Exception { logger.trace("[Method - login] [INIT]"); Principal principal = null; logger.trace("[Method - login] [name] " + name); principal = new WfmOpen(name); return principal; } // protected Principal createIdentity(String name) throws Exception public boolean commit() throws LoginException { logger.trace("[Method - commit] [INIT]"); logger.trace("[Method - commit] [subject] " + subject); if (!loginOk) return false; Set principals = subject.getPrincipals(); Principal identity = getIdentity(); logger.trace("[Method - commit] [identity] " + identity.getName()); principals.add(identity); Group roleSets[] = getRoleSets(); for (int g = 0; g < roleSets.length; g++) { Group group = roleSets[g]; String name = group.getName(); Group subjectGroup = createGroup(name, principals); if (subjectGroup instanceof NestableGroup) { SimpleGroup tmp = new SimpleGroup("Roles"); subjectGroup.addMember(tmp); subjectGroup = tmp; } // if (subjectGroup instanceof NestableGroup) Principal role; for (Enumeration members = group.members(); members .hasMoreElements(); subjectGroup.addMember(role)) role = (Principal) members.nextElement(); } // for(int g = 0; g < roleSets.length; g++) return true; } // public boolean commit() throws LoginException public boolean abort() throws LoginException { logger.trace("[Method - abort() ] [INIT]"); return true; } // public boolean abort() throws LoginException public boolean logout() throws LoginException { logger.trace("[Method - logout() ] [INIT]"); Principal identity = getIdentity(); Set principals = subject.getPrincipals(); principals.remove(identity); return true; } // public boolean logout() throws LoginException protected Principal getIdentity() { logger.info("[Method - getIdentity() ] [INIT]"); logger.trace("[Method - getIdentity() ] [username] " + username); Principal p = null; if (username != null) { logger.info("La username era diversa da null... "+ username); p = new WfmOpen(username); } else { // Ruolo reucperato dalla configurazione XML if (conf != null) { logger.info("Conf non era null....."); String role = ((EjbRole) conf.getEjbSecurityIdentity() .getEjbRoles().iterator().next()).getRole(); p = new WfmOpen(role); } else { logger.info("Conf era null....."); p = new WfmOpen(ejbRole); } } // if (username != null) return p; } // private Principal getIdentity() protected Group[] getRoleSets() throws LoginException { logger.trace("[Method - getRoleSets() ] [INIT]"); SimpleGroup rolesGroup = new SimpleGroup("Roles"); ArrayList groups = new ArrayList(); // Ruolo reucperato dalla configurazione XML Principal p = null; if (conf != null) { String role = ((EjbRole) conf.getEjbSecurityIdentity() .getEjbRoles().iterator().next()).getRole(); logger.trace("[Method - getRoleSets() ] [Ruolo di sistema recuperato]"); p = new WfmOpen(role); } else { p = new WfmOpen(ejbRole); } rolesGroup.addMember(p); groups.add(rolesGroup); Group roleSets[] = new Group[groups.size()]; groups.toArray(roleSets); logger.trace("[Method - getRoleSets() ] [END]"); return roleSets; } // private Group[] getRoleSets() throws LoginException protected Principal getUnauthenticatedIdentity() { return unauthenticatedIdentity; } protected Group createGroup(String name, Set principals) { logger.trace("[Method - createGroup ] [INIT]"); Group roles = null; Iterator iter = principals.iterator(); do { if (!iter.hasNext()) break; Object next = iter.next(); if (!(next instanceof Group)) continue; Group grp = (Group) next; if (!grp.getName().equals(name)) continue; roles = grp; break; } while (true); if (roles == null) { roles = new SimpleGroup(name); principals.add(roles); } // if (roles == null) logger.trace("[Method - createGroup ] [END]"); return roles; } // protected Group createGroup(String name, Set principals) }
I know that when there is an unauthenticatedIdentity a cabled principal is created but i was trying to understand what error was created....
In my login-config.xml I have this configuration:
<application-policy name = "wfdemopluto">
<authentication>
<login-module code = "org.jboss.security.auth.spi.ProxyLoginModule" flag = "sufficient">
<module-option name = "moduleName">it.eng.smclient.accessmanager.authentication.jaas.module.jboss.SecurityManagerLoginModule</module-option>
<module-option name="unauthenticatedIdentity">nobody</module-option>
<module-option name="debug">true</module-option>
<!--module-option name="password-stacking">useFirstPass</module-option-->
<module-option name="ejbRole">WfMOpenAdmin</module-option>
</login-module>
</authentication>
</application-policy>
Can anybody help me?
Thnks to all,
Angelo