4 Replies Latest reply on Jan 26, 2008 3:43 AM by carcophan

    java.lang.SecurityException: Insufficient method permissions

    carcophan

      Hi,

      I checked the FAQ but couldn't find anything to solve my problem.
      I am using JBoss 4.0.3 with Java 1.5_06 and am developing a web-application frontend with struts for a fully implemented EJB application layer running on JBOSS. I have a lot of experience writing stand-alone Tomcat applications but virtually no experience with EJBs and JBoss.

      Anyway, here's the problem:

      I implemented an HttpSessionListener that does certain final cleaning-up jobs just before the http-session is about to expire/invalidate. When the user logs off by clicking the logoff button in the frontend, session.invalidate() is called, the public void sessionDestroyed(HttpSessionEvent event) method in my SessionListener class is executed as expected and everything is fine. In the "sessionDestroyed" method I access a cleanup(int id) method that I call from the remoteInterface provided by the application-layer.
      However if the user doesn't actively log off but waits for his http-session to expire by timeout, I get the following exception when the sessionDestroyed() method in the SessionListener class tries to do its work:

      java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=AppLayerEJB, method=cleanup, interface=REMOTE, requiredRoles=[superuser, basicuser], principalRoles=[]
       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:258)
       at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:143)
       at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:192)
       at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
       at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624)
       at org.jboss.ejb.Container.invoke(Container.java:873)
       at sun.reflect.GeneratedMethodAccessor98.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
       at java.lang.reflect.Method.invoke(Unknown Source)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155)
       at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104)
       at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:179)
       at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:165)
       at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
       at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55)
       at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:97)
       at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86)


      What really puzzles me is that this only works from the SessionListener when the user logs off normally but not at session timeout. The application layer seems to "forget" the user even though the HttpSession still exists and the id passed to cleanup(int id) can be accessed and exists.

      Please help.

        • 1. Re: java.lang.SecurityException: Insufficient method permiss
          ragavgomatam

          In your HttpSessionListener, you have a sessionDestroyed() which in turn calls cleanUp(int id). In cleanUp() a call is made to the EJB with an expired Principal. What happens is that when the HttpSession times out, the Principal is cleared from the HTTP session cache by JBoss. So at that moment any calls to EJBs are made with an empty Principal, resulting in the exception.

          Can you use the Principal from the request instead ?

          request.getPrincipal()
          should give you the Principal from the HttpRequest. Check if it is null & then do what you want instead.

          • 2. Re: java.lang.SecurityException: Insufficient method permiss
            carcophan

            I tried getting the principal from the request, but in my class that implements the SessionListener interface there is no way of accessing the request, I guess simply because there is no request, only the session. Is there a way of making Tomcat not signal JBoss that the session has timed out and therefore not null the Principal?

            Is it uncommon to do cleanup of, for example, certain temporary database tables when an HTTP session expires?

            Or is there some workaround without having to patch Tomcat or JBoss in order to force it to do what I want?

            • 3. Re: java.lang.SecurityException: Insufficient method permiss
              ragavgomatam

              Nope... When the session times out & the Principal is cleared out by JBoss, then you can't call the protected EJB, UNLESS you want to change the method permission on that EJB to

              <any>.
              If you can't do that & still want to call cleanUp(int), you'll have to bypass the secured EJB, or do a programmatic JAAS login again (which is kinda convoluted).
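The programmatic JAAS login suggested in the reply above, worked out as an added example that is not code from the thread or from JBoss itself. It assumes a JBoss 4.x `client-login` application-policy (org.jboss.security.ClientLoginModule), a technical account that holds one of the roles the exception lists as required (`superuser` or `basicuser`), EJB 2.x home/remote interfaces named `AppLayerHome`/`AppLayer` for the bean `AppLayerEJB`, a JNDI name `ejb/AppLayerEJB`, and a session attribute `appLayerId` in which the web tier stored the id at login time; all of these names are placeholders. Compared with opening the method to `<any>`, this keeps the container's authorization check on `cleanup` in force and only lends the listener a narrowly scoped identity for the duration of one call.

```java
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.rmi.PortableRemoteObject;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletContext;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

// Stand-ins for the project's own EJB 2.x interfaces (assumed, not from the thread).
interface AppLayerHome extends javax.ejb.EJBHome {
    AppLayer create() throws java.rmi.RemoteException, javax.ejb.CreateException;
}

interface AppLayer extends javax.ejb.EJBObject {
    void cleanup(int id) throws java.rmi.RemoteException;
}

/**
 * Session listener that runs the application-layer cleanup when a session ends.
 * At timeout JBoss has already dropped the web user's Principal, so the EJB call
 * is made under a dedicated technical identity that is established with a
 * programmatic JAAS login and released again as soon as the call returns.
 */
public class CleanupSessionListener implements HttpSessionListener {

    // Hypothetical session attribute holding the id that AppLayerEJB.cleanup(int) expects.
    private static final String ID_ATTRIBUTE = "appLayerId";

    // JBoss 4.x client-side login configuration backed by ClientLoginModule.
    private static final String LOGIN_CONFIG = "client-login";

    // Assumed JNDI name of the application layer's home interface.
    private static final String EJB_JNDI_NAME = "ejb/AppLayerEJB";

    public void sessionCreated(HttpSessionEvent event) {
        // Nothing to do when a session starts.
    }

    public void sessionDestroyed(HttpSessionEvent event) {
        Integer id = (Integer) event.getSession().getAttribute(ID_ATTRIBUTE);
        if (id == null) {
            return; // this session never logged in, so there is nothing to clean up
        }
        ServletContext ctx = event.getSession().getServletContext();
        // Placeholder credential source: context init-parameters. In a real
        // deployment read them from a protected location rather than web.xml.
        String user = ctx.getInitParameter("cleanup.user");
        String password = ctx.getInitParameter("cleanup.password");

        LoginContext lc = null;
        try {
            lc = new LoginContext(LOGIN_CONFIG,
                    new UsernamePasswordHandler(user, password.toCharArray()));
            lc.login(); // binds the technical identity to the current thread
            lookupAppLayer().cleanup(id.intValue());
        } catch (LoginException e) {
            ctx.log("cleanup login failed for session " + event.getSession().getId(), e);
        } catch (Exception e) {
            ctx.log("cleanup failed for id " + id, e);
        } finally {
            // ClientLoginModule associates the identity with the calling thread.
            // That thread is pooled and will serve other requests, so always release it.
            if (lc != null) {
                try {
                    lc.logout();
                } catch (LoginException ignored) {
                    // nothing sensible left to do at this point
                }
            }
        }
    }

    private AppLayer lookupAppLayer()
            throws NamingException, java.rmi.RemoteException, javax.ejb.CreateException {
        Object ref = new InitialContext().lookup(EJB_JNDI_NAME);
        AppLayerHome home = (AppLayerHome) PortableRemoteObject.narrow(ref, AppLayerHome.class);
        return home.create();
    }
}
```

Because the call now runs as a fixed service identity rather than as the user who owned the session, the `cleanup(int)` implementation on the EJB side should still validate that the id refers to something that is legitimately eligible for cleanup; the role check only establishes that the listener is allowed to invoke the method at all.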

              • 4. Re: java.lang.SecurityException: Insufficient method permiss
                carcophan

                Thank you for your suggestions!