2 Replies Latest reply on Oct 30, 2007 1:41 PM by kasimier

Problem securing NamingService, InvokerAdaptorService on 4.2

kasimier Oct 24, 2007 5:31 AM

I really tried everything and earned just kidding. Please can anyone help ??

I tried to secure NamingService with AuthenticationInterceptor and UsersRolesLoginModule as described in docs and wiki (including JRMPProxyFactory config for NamingService). It has no effect at all.
Then I tried to secure InvokerAdaptorService with AuthenticationInterceptor and UsersRolesLoginModule. The same problem occured.

I still can retrieve the Naming Proxy, the JRMPInvokerProxy and of course can call invoke() without authentication. There are no log messages or Exceptions about the problem (org.jboss is on DEBUG level).

Sending login information via LoginInitialContextFactory has no effect too. I also have configured SecureConfig, XMLLoginConfig, and JaasSecurityManager in a own SAR and server.log says that they are started successfully. MBean attributes of those services look fine.

Maybe I have not configured depending MBeans?
My server is configured with the following service:

AttributePersistenceService
ThreadPool
Log4jService
NamingBeanImpl
NamingService
JRMPInvoker
JRMPProxyFactory for InvokerAdaptorService
JRMPProxyFactory for NamingService
MBeanProxyRemote
NamingAlias
InvokerAdaptorService
URLDeploymentScanner
TransactionManagerService
WorkManagerThreadPool
WorkManager
RARDeployer
XSLSubDeployer
CachedConnectionManager

WebServer

SecurityConfig
XMLLoginConfig
JaasSecurityManager

one MailService
jboss-local-jdbc.rar
one DataSource

any idea ??

1. Re: Problem securing NamingService, InvokerAdaptorService on

anil.saldhana Oct 26, 2007 1:17 PM (in response to kasimier)

http://anil-identity.blogspot.com/2007/04/tip-1-if-security-does-not-work-in.html

The idea is to read the JBoss security FAQ and to enable trace level logging to see what the issue is.
Actions
2. Re: Problem securing NamingService, InvokerAdaptorService on

kasimier Oct 30, 2007 1:41 PM (in response to kasimier)
thanx for the info about the log level. I got a fine grained trace about what´s going on now, but the issue isn´t clear to me:

the security relevant services (configured in a own sar) are created correctly and my PolicyConfig named "lcfg" is loaded correctly too. Don´t know if this matters, but JaasSecurityManagerService says nothing about a configured securityMgrCtxPath named "java:/jaas/lcfg"

I have configured my NamingService XMBean with the following interceptors:
<descriptors> <interceptors> <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg" /> <interceptor code="org.jboss.mx.interceptor.PersistenceInterceptor2" /> <interceptor code="org.jboss.mx.interceptor.ModelMBeanInterceptor" /> <interceptor code="org.jboss.mx.interceptor.ObjectReferenceInterceptor" /> </interceptors> </descriptors>

and of course the JRMPProxyFactory for the Naming service.

Further I got a JRMPProxyFactory for the InvokerAdaptorService. InvokerAdaptorService is configured with following interceptors on it´s invoke() method:
<operation> <name>invoke</name> <parameter> <name>invocation</name> <type>org.jboss.invocation.Invocation</type> </parameter> <return-type>java.lang.Object</return-type> <descriptors> <interceptors> <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg"/> <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor" policyClass="StripModelMBeanInfoPolicy"/> </interceptors> </descriptors> </operation> </xmbean>

When I connect to the MBeanServer via standard org.jnp.interfaces.NamingContextFactory, I can read all registered objects, without auth or error, of course jmx/rmi/RMIAdaptor too.
I also can call invoke() on jmx/rmi/RMIAdaptor without auth or error.

The security log trace when I stop a web module via invoke() does not say much, or I cannot interpret it correctly:

....
2007-10-29 18:13:09,796 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@912f10{principal=null,subject=null}
....
2007-10-29 18:13:11,093 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1e2e8cc{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
....
....
2007-10-29 18:13:13,531 DEBUG [org.apache.catalina.core.ContainerBase] unregistering jboss.web:j2eeType=WebModule,name=//localhost/iwa,J2EEApplication=none,J2EEServer=none
2007-10-29 18:13:13,531 TRACE [org.jboss.web.tomcat.security.config.JBossContextConfig] destroy called with DELEGATE_TO_PARENT=false
2007-10-29 18:13:13,531 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] delete
2007-10-29 18:13:13,531 DEBUG [org.jboss.web.WebModule] Stopped jboss.web.deployment:war=iwa.war,id=-1069725553
....
....

Really have no idea what kind of problem pains me.
Maybe I have to force creation of the policy config before Interceptors using a JAAS domain are created?
Maybe I must not configure InvokerAdaptorService, JRMPInvoker aso, directly in myServer/conf/jboss-service.xml?

btw: securing a web application with the same JAAS domain works fine and forces my browser to pop up the login dialog.
Actions

Go to original post