1. Re: Problem securing NamingService, InvokerAdaptorService on
anil.saldhana Oct 26, 2007 1:17 PM (in response to kasimier)
http://anil-identity.blogspot.com/2007/04/tip-1-if-security-does-not-work-in.html
The idea is to read the JBoss security FAQ and to enable trace level logging to see what the issue is.
2. Re: Problem securing NamingService, InvokerAdaptorService on
kasimier Oct 30, 2007 1:41 PM (in response to kasimier)
Thanks for the info about the log level. I got a fine-grained trace about what's going on now, but the issue isn't clear to me:
The security-relevant services (configured in their own sar) are created correctly and my PolicyConfig named "lcfg" is loaded correctly too. Don't know if this matters, but JaasSecurityManagerService says nothing about a configured securityMgrCtxPath named "java:/jaas/lcfg".
I have configured my NamingService XMBean with the following interceptors:

    <descriptors>
      <interceptors>
        <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                     securityDomain="java:/jaas/lcfg" />
        <interceptor code="org.jboss.mx.interceptor.PersistenceInterceptor2" />
        <interceptor code="org.jboss.mx.interceptor.ModelMBeanInterceptor" />
        <interceptor code="org.jboss.mx.interceptor.ObjectReferenceInterceptor" />
      </interceptors>
    </descriptors>

and of course the JRMPProxyFactory for the Naming service.
Further I got a JRMPProxyFactory for the InvokerAdaptorService. InvokerAdaptorService is configured with the following interceptors on its invoke() method:

      <operation>
        <name>invoke</name>
        <parameter>
          <name>invocation</name>
          <type>org.jboss.invocation.Invocation</type>
        </parameter>
        <return-type>java.lang.Object</return-type>
        <descriptors>
          <interceptors>
            <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
                         securityDomain="java:/jaas/lcfg"/>
            <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor"
                         policyClass="StripModelMBeanInfoPolicy"/>
          </interceptors>
        </descriptors>
      </operation>
    </xmbean>

When I connect to the MBeanServer via standard org.jnp.interfaces.NamingContextFactory, I can read all registered objects, without auth or error, of course jmx/rmi/RMIAdaptor too.
I also can call invoke() on jmx/rmi/RMIAdaptor without auth or error.
The security log trace when I stop a web module via invoke() does not say much, or I cannot interpret it correctly:
....
2007-10-29 18:13:09,796 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@912f10{principal=null,subject=null}
....
2007-10-29 18:13:11,093 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1e2e8cc{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
....
....
2007-10-29 18:13:13,531 DEBUG [org.apache.catalina.core.ContainerBase] unregistering jboss.web:j2eeType=WebModule,name=//localhost/iwa,J2EEApplication=none,J2EEServer=none
2007-10-29 18:13:13,531 TRACE [org.jboss.web.tomcat.security.config.JBossContextConfig] destroy called with DELEGATE_TO_PARENT=false
2007-10-29 18:13:13,531 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] delete
2007-10-29 18:13:13,531 DEBUG [org.jboss.web.WebModule] Stopped jboss.web.deployment:war=iwa.war,id=-1069725553
....
....
Really have no idea what kind of problem pains me.
Maybe I have to force creation of the policy config before Interceptors using a JAAS domain are created?
Maybe I must not configure InvokerAdaptorService, JRMPInvoker and so on directly in myServer/conf/jboss-service.xml?
btw: securing a web application with the same JAAS domain works fine and forces my browser to pop up the login dialog.
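
One way to read a trace like the one quoted in the post above, as an added example that is not part of the original thread: it replays the SecurityAssociation push/pop lines and reports every ServiceController line logged while the most recently pushed SubjectContext had principal=null. It assumes the log is a single interleaved stream (the quoted lines carry no thread name); the function name, the sample and the final "admin" entry in it are constructed for illustration.

```python
import re

# Constructed sample in the layout of the trace quoted above. The last two
# lines (principal=admin) are an assumed shape for an authenticated call.
SAMPLE = """\
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
....
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
2007-10-29 18:14:02,000 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject, sc=org.jboss.security.SecurityAssociation$SubjectContext@1{principal=admin,subject=12345}
2007-10-29 18:14:02,010 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=other.war,id=1
"""

# "<date> <time> <LEVEL> [<category>] <message>"
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([\w.$]+)\] (.*)$")
# The principal as printed inside the SubjectContext dump.
PRINCIPAL = re.compile(r"\{principal=([^,}]*),subject=")

SECURITY = "org.jboss.security.SecurityAssociation"
CONTROLLER = "org.jboss.system.ServiceController"


def unauthenticated_operations(log_text):
    """Return (timestamp, message) for each ServiceController line that was
    logged while the innermost known SubjectContext had principal=null."""
    stack, findings = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # "...." elisions and anything not in log layout
        ts, _level, category, msg = m.groups()
        if category == SECURITY:
            p = PRINCIPAL.search(msg)
            if msg.startswith("pushSubjectContext") and p:
                stack.append(p.group(1))
            elif msg.startswith("popSubjectContext") and stack:
                stack.pop()  # tolerate pops whose push was elided
        elif category == CONTROLLER and stack and stack[-1] == "null":
            findings.append((ts, msg))
    return findings


if __name__ == "__main__":
    for ts, msg in unauthenticated_operations(SAMPLE):
        print(ts, "no principal on context:", msg)
```

A hit means the operation ran with no principal on the security context; it does not say which interceptor or configuration entry was skipped.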