java.lang.SecurityException: Insufficient method permissions
Hi all.
I have a problem in invoking a statefull session bean in JBoss AS.
When i call this Ejb i have this error:
java.lang.SecurityException: Insufficient method permissions, principal=tiziana1, ejbName=WorkflowEngine, method=create, interface=HOME, requiredRoles=[WfMOpenAdmin], principalRoles=[WfMOpenAdmin, WfMOpenAdmin]
As you can see the expected role is WfMOpenAdmin and the principal used for invokign this EJB has these roles: WfMOpenAdmin, WfMOpenAdmin
For loggin into JBoss i have written this login module:
package it.eng.smclient.accessmanager.authentication.jaas.module.jboss;
import it.eng.smclient.accessmanager.authentication.jaas.principals.Login;
import it.eng.smclient.accessmanager.authentication.jaas.principals.WfmOpen;
import it.eng.smclient.accessmanager.configuration.Configuration;
import it.eng.smclient.accessmanager.configuration.securityaccessfilter.EjbRole;
import it.eng.smclient.accessmanager.configuration.utils.SingletonConfiguration;
import it.eng.smclient.accessmanager.iface.SecManagerAuthorizationIface;
import it.eng.smclient.accessmanager.util.resource.Message;
import it.eng.smclient.accessmanager.util.resource.constants.Rbaccessmanager;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
//import javax.security.auth.spi.LoginModule;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.security.NestableGroup;
import org.jboss.security.SecurityAssociation;
import org.jboss.security.SimpleGroup;
//import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;
public class SecurityManagerLoginModule extends AbstractServerLoginModule{
static public final Log logger =
LogFactory.getLog(SecurityManagerLoginModule.class);
private Rbaccessmanager rb = new Rbaccessmanager();
private Message message = new Message(rb);
String username = null;
protected Subject subject;
protected CallbackHandler callbackHandler;
protected Map sharedState;
protected Map options;
protected boolean loginOk;
protected Principal unauthenticatedIdentity;
protected Configuration conf = null;
protected String ejbRole = null;
public void initialize(Subject subject,
CallbackHandler callbackHandler,
Map sharedState,
Map options) {
logger.debug("[Method - initialize] [INIT]");
if (logger.isTraceEnabled())
logger.debug("[Method - initialize] [instance=@] "
+ System.identityHashCode(this));
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
logger.debug("[Method - initialize] [Security domain:] "
+ (String) options.get("jboss.security.security_domain"));
String name = (String) options.get("unauthenticatedIdentity");
ejbRole = (String) options.get("ejbRole");
if (name != null) {
try {
unauthenticatedIdentity = createIdentity(name);
logger.info("Aggiungo il principal: " + unauthenticatedIdentity+ " al subject: "+ subject);
subject.getPrincipals().add(unauthenticatedIdentity);
subject.getPrincipals().add(getIdentity());
Set principals = subject.getPrincipals();
Group roleSets[] = getRoleSets();
for (int g = 0; g < roleSets.length; g++) {
Group group = roleSets[g];
String aName = group.getName();
Group subjectGroup = createGroup(aName, principals);
if (subjectGroup instanceof NestableGroup) {
SimpleGroup tmp = new SimpleGroup("Roles");
subjectGroup.addMember(tmp);
subjectGroup = tmp;
} // if (subjectGroup instanceof NestableGroup)
Principal role;
for (Enumeration members = group.members(); members
.hasMoreElements(); subjectGroup.addMember(role))
role = (Principal) members.nextElement();
}
SecurityAssociation.setPrincipal(unauthenticatedIdentity);
//SecurityAssociation.setCredential(credential);
SecurityAssociation.setSubject(subject);
logger.info("Aggiunto il principal a subject che ora è: " + subject);
logger.debug("[Method - initialize] [navigazione anonima] " + name);
} catch (Exception e) {
logger.error("[Method - initialize] " +
"[Inizializzazione modulo di login non riuscita - " +
" Verificare la configurazione dei moduli]");
logger.error("[Method - initialize] [Exception]",e);
logger.error("[Method - initialize] [message]" + e.getMessage());
}
} // if (name != null)
logger.debug("[Method - initialize] [END]");
} // public void initialize(Subject subject, CallbackHandler
// callbackHandler, Map sharedState, Map options)
public boolean login() throws LoginException {
logger.debug("[Method - login] [LoginModule]");
/*
JAASConfigFile jaas = new JAASConfigFile();
jaas.displayProperties();
*/
boolean result = false;
loginOk = false;
try {
if (subject != null) {
Iterator iter = subject.getPrivateCredentials().iterator();
while (iter.hasNext()) {
Object obj = iter.next();
if (obj instanceof Login) {
username = ((Login) obj).getName();
logger.debug("[Method - login]" +
"[Username not null] " + username);
System.setProperty("javax.security.auth.login.name",username);
} // if (obj instanceof Login)
} // while ( iter.hasNext())
} // if (subject != null)
// Se username = [null] vuol dire che ho effettuato autenticazione
// e sto richiamando il modulo all'interno dell'applicazione
if (username == null) {
logger.debug("[Method - login] " +
"[Username = null] [Leggo le propietà di Sistema]");
username = System.getProperty("javax.security.auth.login.name");
logger.debug("[Method - login] " +
"[javax.security.auth.login.name] " + username);
} else {
sharedState.put("javax.security.auth.login.name",username);
Object credential = System.getProperty("javax.security.auth.login.name");
List rolesPM = ((SecManagerAuthorizationIface) Configuration
.getAccessManagerImplementation()).getRoles();
logger.debug("[Method - login] [Lista Ruoli PM] " + rolesPM);
WfmOpen wfmPrincipal = new WfmOpen(username);
SingletonConfiguration singletonConfig =
SingletonConfiguration.getInstance(null,null);
Configuration conf =
singletonConfig.getConfiguration();
wfmPrincipal.setApplication(conf.getApplication()
.getApplicationCode());
ArrayList roles = new ArrayList();
String role = ((EjbRole) conf.getEjbSecurityIdentity()
.getEjbRoles().iterator().next()).getRole();
roles.add(role);
ArrayList groups = new ArrayList();
groups.add("Some Group");
groups.add("Order Processing");
wfmPrincipal.setRoles(roles);
wfmPrincipal.setGroups(groups);
SecurityAssociation.setPrincipal(wfmPrincipal);
SecurityAssociation.setCredential(credential);
SecurityAssociation.setSubject(subject);
} // if (username != null)
loginOk = true;
result = true;
logger.debug("[Method - login] [END]");
} catch (Exception e) {
logger.error("[Method - login] ", e);
throw new FailedLoginException(message
.getMessage(rb.MODULE_LOGIN_ERROR));
// throw new LoginException( e.getMessage() );
}
return result;
} // public boolean login() throws LoginException
protected Principal createIdentity(String name) throws Exception {
logger.trace("[Method - login] [INIT]");
Principal principal = null;
logger.trace("[Method - login] [name] " + name);
principal = new WfmOpen(name);
return principal;
} // protected Principal createIdentity(String name) throws Exception
public boolean commit() throws LoginException {
logger.trace("[Method - commit] [INIT]");
logger.trace("[Method - commit] [subject] " + subject);
if (!loginOk) return false;
Set principals = subject.getPrincipals();
Principal identity = getIdentity();
logger.trace("[Method - commit] [identity] " + identity.getName());
principals.add(identity);
Group roleSets[] = getRoleSets();
for (int g = 0; g < roleSets.length; g++) {
Group group = roleSets[g];
String name = group.getName();
Group subjectGroup = createGroup(name, principals);
if (subjectGroup instanceof NestableGroup) {
SimpleGroup tmp = new SimpleGroup("Roles");
subjectGroup.addMember(tmp);
subjectGroup = tmp;
} // if (subjectGroup instanceof NestableGroup)
Principal role;
for (Enumeration members = group.members(); members
.hasMoreElements(); subjectGroup.addMember(role))
role = (Principal) members.nextElement();
} // for(int g = 0; g < roleSets.length; g++)
return true;
} // public boolean commit() throws LoginException
public boolean abort() throws LoginException {
logger.trace("[Method - abort() ] [INIT]");
return true;
} // public boolean abort() throws LoginException
public boolean logout() throws LoginException {
logger.trace("[Method - logout() ] [INIT]");
Principal identity = getIdentity();
Set principals = subject.getPrincipals();
principals.remove(identity);
return true;
} // public boolean logout() throws LoginException
protected Principal getIdentity() {
logger.info("[Method - getIdentity() ] [INIT]");
logger.trace("[Method - getIdentity() ] [username] " + username);
Principal p = null;
if (username != null) {
logger.info("La username era diversa da null... "+ username);
p = new WfmOpen(username);
} else {
// Ruolo reucperato dalla configurazione XML
if (conf != null) {
logger.info("Conf non era null.....");
String role = ((EjbRole) conf.getEjbSecurityIdentity()
.getEjbRoles().iterator().next()).getRole();
p = new WfmOpen(role);
} else {
logger.info("Conf era null.....");
p = new WfmOpen(ejbRole);
}
} // if (username != null)
return p;
} // private Principal getIdentity()
protected Group[] getRoleSets() throws LoginException {
logger.trace("[Method - getRoleSets() ] [INIT]");
SimpleGroup rolesGroup = new SimpleGroup("Roles");
ArrayList groups = new ArrayList();
// Ruolo reucperato dalla configurazione XML
Principal p = null;
if (conf != null) {
String role = ((EjbRole) conf.getEjbSecurityIdentity()
.getEjbRoles().iterator().next()).getRole();
logger.trace("[Method - getRoleSets() ] [Ruolo di sistema recuperato]");
p = new WfmOpen(role);
} else {
p = new WfmOpen(ejbRole);
}
rolesGroup.addMember(p);
groups.add(rolesGroup);
Group roleSets[] = new Group[groups.size()];
groups.toArray(roleSets);
logger.trace("[Method - getRoleSets() ] [END]");
return roleSets;
} // private Group[] getRoleSets() throws LoginException
protected Principal getUnauthenticatedIdentity() {
return unauthenticatedIdentity;
}
protected Group createGroup(String name, Set principals) {
logger.trace("[Method - createGroup ] [INIT]");
Group roles = null;
Iterator iter = principals.iterator();
do {
if (!iter.hasNext())
break;
Object next = iter.next();
if (!(next instanceof Group))
continue;
Group grp = (Group) next;
if (!grp.getName().equals(name))
continue;
roles = grp;
break;
} while (true);
if (roles == null) {
roles = new SimpleGroup(name);
principals.add(roles);
} // if (roles == null)
logger.trace("[Method - createGroup ] [END]");
return roles;
} // protected Group createGroup(String name, Set principals)
}
I know that when there is an unauthenticatedIdentity a cabled principal is created but i was trying to understand what error was created....
In my login-config.xml I have this configuration:
<application-policy name = "wfdemopluto">
<authentication>
<login-module code = "org.jboss.security.auth.spi.ProxyLoginModule" flag = "sufficient">
<module-option name = "moduleName">it.eng.smclient.accessmanager.authentication.jaas.module.jboss.SecurityManagerLoginModule</module-option>
<module-option name="unauthenticatedIdentity">nobody</module-option>
<module-option name="debug">true</module-option>
<!--module-option name="password-stacking">useFirstPass</module-option-->
<module-option name="ejbRole">WfMOpenAdmin</module-option>
</login-module>
</authentication>
</application-policy>
Can anybody help me?
Thnks to all,
Angelo
