1 Reply Latest reply on Mar 12, 2007 2:02 PM by anil.saldhana

    java.lang.SecurityException: Insufficient method permissions

    craig1980

      Hi all.

      I have a problem in invoking a statefull session bean in JBoss AS.
      When i call this Ejb i have this error:

      java.lang.SecurityException: Insufficient method permissions, principal=tiziana1, ejbName=WorkflowEngine, method=create, interface=HOME, requiredRoles=[WfMOpenAdmin], principalRoles=[WfMOpenAdmin, WfMOpenAdmin]


      As you can see the expected role is WfMOpenAdmin and the principal used for invokign this EJB has these roles: WfMOpenAdmin, WfMOpenAdmin

      For loggin into JBoss i have written this login module:
      package it.eng.smclient.accessmanager.authentication.jaas.module.jboss;
      
      import it.eng.smclient.accessmanager.authentication.jaas.principals.Login;
      import it.eng.smclient.accessmanager.authentication.jaas.principals.WfmOpen;
      import it.eng.smclient.accessmanager.configuration.Configuration;
      import it.eng.smclient.accessmanager.configuration.securityaccessfilter.EjbRole;
      import it.eng.smclient.accessmanager.configuration.utils.SingletonConfiguration;
      import it.eng.smclient.accessmanager.iface.SecManagerAuthorizationIface;
      import it.eng.smclient.accessmanager.util.resource.Message;
      import it.eng.smclient.accessmanager.util.resource.constants.Rbaccessmanager;
      
      import java.security.Principal;
      import java.security.acl.Group;
      import java.util.ArrayList;
      import java.util.Enumeration;
      import java.util.Iterator;
      import java.util.List;
      import java.util.Map;
      import java.util.Set;
      
      import javax.security.auth.Subject;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.login.FailedLoginException;
      import javax.security.auth.login.LoginException;
      //import javax.security.auth.spi.LoginModule;
      
      import org.apache.commons.logging.Log;
      import org.apache.commons.logging.LogFactory;
      import org.jboss.security.NestableGroup;
      import org.jboss.security.SecurityAssociation;
      import org.jboss.security.SimpleGroup;
      //import org.jboss.security.SimplePrincipal;
      import org.jboss.security.auth.spi.AbstractServerLoginModule;
      
      public class SecurityManagerLoginModule extends AbstractServerLoginModule{
      
      
       static public final Log logger =
       LogFactory.getLog(SecurityManagerLoginModule.class);
      
       private Rbaccessmanager rb = new Rbaccessmanager();
       private Message message = new Message(rb);
       String username = null;
       protected Subject subject;
       protected CallbackHandler callbackHandler;
       protected Map sharedState;
       protected Map options;
       protected boolean loginOk;
       protected Principal unauthenticatedIdentity;
       protected Configuration conf = null;
       protected String ejbRole = null;
       public void initialize(Subject subject,
       CallbackHandler callbackHandler,
       Map sharedState,
       Map options) {
       logger.debug("[Method - initialize] [INIT]");
       if (logger.isTraceEnabled())
       logger.debug("[Method - initialize] [instance=@] "
       + System.identityHashCode(this));
       this.subject = subject;
       this.callbackHandler = callbackHandler;
       this.sharedState = sharedState;
       this.options = options;
       logger.debug("[Method - initialize] [Security domain:] "
       + (String) options.get("jboss.security.security_domain"));
       String name = (String) options.get("unauthenticatedIdentity");
       ejbRole = (String) options.get("ejbRole");
       if (name != null) {
       try {
       unauthenticatedIdentity = createIdentity(name);
       logger.info("Aggiungo il principal: " + unauthenticatedIdentity+ " al subject: "+ subject);
       subject.getPrincipals().add(unauthenticatedIdentity);
       subject.getPrincipals().add(getIdentity());
       Set principals = subject.getPrincipals();
       Group roleSets[] = getRoleSets();
       for (int g = 0; g < roleSets.length; g++) {
       Group group = roleSets[g];
       String aName = group.getName();
       Group subjectGroup = createGroup(aName, principals);
       if (subjectGroup instanceof NestableGroup) {
       SimpleGroup tmp = new SimpleGroup("Roles");
       subjectGroup.addMember(tmp);
       subjectGroup = tmp;
       } // if (subjectGroup instanceof NestableGroup)
       Principal role;
       for (Enumeration members = group.members(); members
       .hasMoreElements(); subjectGroup.addMember(role))
       role = (Principal) members.nextElement();
       }
       SecurityAssociation.setPrincipal(unauthenticatedIdentity);
       //SecurityAssociation.setCredential(credential);
       SecurityAssociation.setSubject(subject);
       logger.info("Aggiunto il principal a subject che ora è: " + subject);
       logger.debug("[Method - initialize] [navigazione anonima] " + name);
       } catch (Exception e) {
       logger.error("[Method - initialize] " +
       "[Inizializzazione modulo di login non riuscita - " +
       " Verificare la configurazione dei moduli]");
       logger.error("[Method - initialize] [Exception]",e);
       logger.error("[Method - initialize] [message]" + e.getMessage());
       }
       } // if (name != null)
       logger.debug("[Method - initialize] [END]");
       } // public void initialize(Subject subject, CallbackHandler
       // callbackHandler, Map sharedState, Map options)
       public boolean login() throws LoginException {
       logger.debug("[Method - login] [LoginModule]");
       /*
       JAASConfigFile jaas = new JAASConfigFile();
       jaas.displayProperties();
       */
       boolean result = false;
       loginOk = false;
       try {
       if (subject != null) {
       Iterator iter = subject.getPrivateCredentials().iterator();
       while (iter.hasNext()) {
       Object obj = iter.next();
       if (obj instanceof Login) {
       username = ((Login) obj).getName();
       logger.debug("[Method - login]" +
       "[Username not null] " + username);
       System.setProperty("javax.security.auth.login.name",username);
       } // if (obj instanceof Login)
       } // while ( iter.hasNext())
       } // if (subject != null)
      
       // Se username = [null] vuol dire che ho effettuato autenticazione
       // e sto richiamando il modulo all'interno dell'applicazione
       if (username == null) {
       logger.debug("[Method - login] " +
       "[Username = null] [Leggo le propietà di Sistema]");
       username = System.getProperty("javax.security.auth.login.name");
       logger.debug("[Method - login] " +
       "[javax.security.auth.login.name] " + username);
       } else {
       sharedState.put("javax.security.auth.login.name",username);
       Object credential = System.getProperty("javax.security.auth.login.name");
       List rolesPM = ((SecManagerAuthorizationIface) Configuration
       .getAccessManagerImplementation()).getRoles();
       logger.debug("[Method - login] [Lista Ruoli PM] " + rolesPM);
       WfmOpen wfmPrincipal = new WfmOpen(username);
      
       SingletonConfiguration singletonConfig =
       SingletonConfiguration.getInstance(null,null);
      
       Configuration conf =
       singletonConfig.getConfiguration();
      
       wfmPrincipal.setApplication(conf.getApplication()
       .getApplicationCode());
      
       ArrayList roles = new ArrayList();
       String role = ((EjbRole) conf.getEjbSecurityIdentity()
       .getEjbRoles().iterator().next()).getRole();
       roles.add(role);
      
       ArrayList groups = new ArrayList();
       groups.add("Some Group");
       groups.add("Order Processing");
      
       wfmPrincipal.setRoles(roles);
       wfmPrincipal.setGroups(groups);
      
       SecurityAssociation.setPrincipal(wfmPrincipal);
       SecurityAssociation.setCredential(credential);
       SecurityAssociation.setSubject(subject);
      
       } // if (username != null)
      
       loginOk = true;
       result = true;
       logger.debug("[Method - login] [END]");
       } catch (Exception e) {
       logger.error("[Method - login] ", e);
       throw new FailedLoginException(message
       .getMessage(rb.MODULE_LOGIN_ERROR));
       // throw new LoginException( e.getMessage() );
       }
       return result;
       } // public boolean login() throws LoginException
      
       protected Principal createIdentity(String name) throws Exception {
       logger.trace("[Method - login] [INIT]");
       Principal principal = null;
       logger.trace("[Method - login] [name] " + name);
       principal = new WfmOpen(name);
       return principal;
       } // protected Principal createIdentity(String name) throws Exception
       public boolean commit() throws LoginException {
       logger.trace("[Method - commit] [INIT]");
       logger.trace("[Method - commit] [subject] " + subject);
       if (!loginOk) return false;
       Set principals = subject.getPrincipals();
       Principal identity = getIdentity();
       logger.trace("[Method - commit] [identity] " + identity.getName());
      
       principals.add(identity);
       Group roleSets[] = getRoleSets();
      
       for (int g = 0; g < roleSets.length; g++) {
       Group group = roleSets[g];
       String name = group.getName();
       Group subjectGroup = createGroup(name, principals);
       if (subjectGroup instanceof NestableGroup) {
       SimpleGroup tmp = new SimpleGroup("Roles");
       subjectGroup.addMember(tmp);
       subjectGroup = tmp;
       } // if (subjectGroup instanceof NestableGroup)
       Principal role;
       for (Enumeration members = group.members(); members
       .hasMoreElements(); subjectGroup.addMember(role))
       role = (Principal) members.nextElement();
       } // for(int g = 0; g < roleSets.length; g++)
       return true;
       } // public boolean commit() throws LoginException
       public boolean abort() throws LoginException {
       logger.trace("[Method - abort() ] [INIT]");
       return true;
       } // public boolean abort() throws LoginException
      
       public boolean logout() throws LoginException {
       logger.trace("[Method - logout() ] [INIT]");
       Principal identity = getIdentity();
       Set principals = subject.getPrincipals();
       principals.remove(identity);
       return true;
       } // public boolean logout() throws LoginException
       protected Principal getIdentity() {
       logger.info("[Method - getIdentity() ] [INIT]");
       logger.trace("[Method - getIdentity() ] [username] " + username);
       Principal p = null;
       if (username != null) {
      
       logger.info("La username era diversa da null... "+ username);
       p = new WfmOpen(username);
       } else {
       // Ruolo reucperato dalla configurazione XML
       if (conf != null) {
       logger.info("Conf non era null.....");
       String role = ((EjbRole) conf.getEjbSecurityIdentity()
       .getEjbRoles().iterator().next()).getRole();
       p = new WfmOpen(role);
       } else {
      
       logger.info("Conf era null.....");
       p = new WfmOpen(ejbRole);
       }
       } // if (username != null)
       return p;
       } // private Principal getIdentity()
      
       protected Group[] getRoleSets() throws LoginException {
       logger.trace("[Method - getRoleSets() ] [INIT]");
      
       SimpleGroup rolesGroup = new SimpleGroup("Roles");
       ArrayList groups = new ArrayList();
      
       // Ruolo reucperato dalla configurazione XML
       Principal p = null;
       if (conf != null) {
       String role = ((EjbRole) conf.getEjbSecurityIdentity()
       .getEjbRoles().iterator().next()).getRole();
       logger.trace("[Method - getRoleSets() ] [Ruolo di sistema recuperato]");
       p = new WfmOpen(role);
       } else {
       p = new WfmOpen(ejbRole);
       }
       rolesGroup.addMember(p);
       groups.add(rolesGroup);
      
       Group roleSets[] = new Group[groups.size()];
       groups.toArray(roleSets);
      
       logger.trace("[Method - getRoleSets() ] [END]");
      
       return roleSets;
      
       } // private Group[] getRoleSets() throws LoginException
       protected Principal getUnauthenticatedIdentity() {
       return unauthenticatedIdentity;
       }
      
       protected Group createGroup(String name, Set principals) {
       logger.trace("[Method - createGroup ] [INIT]");
       Group roles = null;
       Iterator iter = principals.iterator();
       do {
       if (!iter.hasNext())
       break;
       Object next = iter.next();
       if (!(next instanceof Group))
       continue;
       Group grp = (Group) next;
       if (!grp.getName().equals(name))
       continue;
       roles = grp;
       break;
       } while (true);
       if (roles == null) {
       roles = new SimpleGroup(name);
       principals.add(roles);
       } // if (roles == null)
       logger.trace("[Method - createGroup ] [END]");
       return roles;
       } // protected Group createGroup(String name, Set principals)
      
      }
      


      I know that when there is an unauthenticatedIdentity a cabled principal is created but i was trying to understand what error was created....

      In my login-config.xml I have this configuration:

      <application-policy name = "wfdemopluto">
      <authentication>
      <login-module code = "org.jboss.security.auth.spi.ProxyLoginModule" flag = "sufficient">
      <module-option name = "moduleName">it.eng.smclient.accessmanager.authentication.jaas.module.jboss.SecurityManagerLoginModule</module-option>

      <module-option name="unauthenticatedIdentity">nobody</module-option>
      <module-option name="debug">true</module-option>
      <!--module-option name="password-stacking">useFirstPass</module-option-->
      <module-option name="ejbRole">WfMOpenAdmin</module-option>
      </login-module>
      </authentication>
      </application-policy>


      Can anybody help me?
      Thnks to all,
      Angelo