20 Replies Latest reply on Oct 21, 2009 5:20 AM by wolfgangknauf
      • 15. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
        wolfgangknauf

        Hi Michael,

        I hope that I am not too annoying by insisting on the use of "WebAuthentication", but I still think that your use case should basically work with it. I am not sure whether the problems result from usage of it in the Struts2 action or whether they are a matter of some other error.

        First of all: to get the servlet request inside your Action, implement the interface "org.apache.struts2.interceptor.ServletRequestAware" instead of calling "ServletActionContext.getRequest()". Maybe the latter creates a new request instance where the login information is missing.

        To test the login stuff, I would advise you to create a completely new web client for your app without Struts, and use a plain servlet to perform a login in "doGet" or "doPost". If this works, then you know that your login module is OK and you can continue with your "real" app.

        Your concerns about "j_security_check" and form based login: take a look at this link: http://roneiv.wordpress.com/2008/03/15/using-webauthentication-in-jboss/ . Though it is for JSF, it shows how to use a login form with a custom login servlet.

        Hope this helps

        Wolfgang

        • 16. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

          Hmm. Change that.

          But which policy does the WebAuthentication use? I've changed that but my JAAS SpiiderLoginModule is not executed anymore :-/. I think that is a configuration problem.

          • 17. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

            OK. WebAuthentication is working. I had to create the jboss-web.xml and add the security-domain there. Now my login module is running.

            But the original error is still present when using a servlet which does WebAuthentication.

            The error:

            13:59:50,370 INFO [SpiiderLoginModule] LdapLoginModule, dsJndiName=cancardviewerDS
            13:59:50,370 INFO [SpiiderLoginModule] rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role"
            13:59:50,370 INFO [SpiiderLoginModule] defaultRole=RegularUser
            13:59:50,370 INFO [SpiiderLoginModule] trying dn: uid=extern.michael.obster, ou=xxx,ou=People,ou=Access
            13:59:50,370 INFO [SpiiderLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, dsJndiName=cancardviewerDS, rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", java.naming.security.principal=uid=extern.michael.obster, ou=xxx,ou=People,ou=Access, jboss.security.security_domain=cancardDomain, java.naming.provider.url=ldap://xxxxxxx, java.naming.security.authentication=simple, java.naming.security.credentials=***, principal.dn.groups=ou=xxxxxx,ou=People,ou=Access:ou=External,ou=People,ou=Access}
            13:59:50,401 INFO [SpiiderLoginModule] Failed to log into LDAP server. [LDAP: error code 32 - No Such Object]
            13:59:50,401 INFO [SpiiderLoginModule] trying dn: uid=extern.michael.obster, ou=External,ou=People,ou=Access
            13:59:50,401 INFO [SpiiderLoginModule] Logging into LDAP server, env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, dsJndiName=cancardviewerDS, rolesQuery=SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", java.naming.security.principal=uid=extern.michael.obster, ou=External,ou=People,ou=Access, jboss.security.security_domain=cancardDomain, java.naming.provider.url=ldap://xxxxxxxx, java.naming.security.authentication=simple, java.naming.security.credentials=***, principal.dn.groups=ou=xxxxxx,ou=People,ou=Access:ou=External,ou=People,ou=Access}
            13:59:50,417 INFO [SpiiderLoginModule] Logged into LDAP server, javax.naming.ldap.InitialLdapContext@1a21699
            13:59:50,480 INFO [SpiiderLoginModule] getRoleSets using rolesQuery: SELECT u.userid, r."role" FROM "security".application_user u, "security".application_role r, "security".user_role ur WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role", gid: 99A44E672EA8C49B
            13:59:50,511 DEBUG [SpiiderLoginModule] Principal: AdminUser
            13:59:50,542 INFO [LoginServlet] Login sucessfull
            13:59:51,011 ERROR [[LoginServlet]] Servlet.service() for servlet LoginServlet threw exception
            javax.ejb.EJBAccessException: Caller unauthorized
             at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:421)
             at org.jboss.ejb3.remoting.IsLocalInterceptor.invokeLocal(IsLocalInterceptor.java:85)
             at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:72)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
             at $Proxy344.invoke(Unknown Source)
             at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
             at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
             at $Proxy343.getAllRoles(Unknown Source)
             at vwg.audi.cancard.webservlet.LoginServlet.serveRequest(LoginServlet.java:61)
             at vwg.audi.cancard.webservlet.LoginServlet.doGet(LoginServlet.java:29)
             at javax.servlet.http.HttpServlet.service(HttpServlet.java:617)
             at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
             at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
             at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
             at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
             at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
             at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
             at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
             at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
             at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
             at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
             at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
             at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
             at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
             at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
             at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
             at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
             at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
             at java.lang.Thread.run(Thread.java:619)
            


            The used servlet LoginServlet:

            package vwg.audi.cancard.webservlet;

            import java.io.IOException;

            import javax.ejb.EJBAccessException;
            import javax.servlet.ServletException;
            import javax.servlet.http.HttpServlet;
            import javax.servlet.http.HttpServletRequest;
            import javax.servlet.http.HttpServletResponse;

            import org.apache.log4j.Logger;
            import org.jboss.web.tomcat.security.login.WebAuthentication;

            // ServiceLocator and ServiceLocatorException are the application's own
            // classes (their package is not shown in the post); they need to be
            // imported here as well.

            public class LoginServlet extends HttpServlet
            {
                private static final long serialVersionUID = -5539909157863711284L;

                private Logger log = Logger.getLogger(LoginServlet.class);

                /**
                 * Process the HTTP GET request
                 */
                public void doGet(HttpServletRequest request, HttpServletResponse response)
                        throws ServletException, IOException
                {
                    serveRequest(request, response);
                }

                /**
                 * Process the HTTP POST request
                 */
                public void doPost(HttpServletRequest request, HttpServletResponse response)
                        throws ServletException, IOException
                {
                    serveRequest(request, response);
                } // doPost

                /**
                 * The actual processing of the HttpServletRequest happens in this
                 * method. It is called from the two public methods doPost and doGet.
                 */
                public void serveRequest(HttpServletRequest request,
                        HttpServletResponse response) throws ServletException, IOException
                {
                    // Hard-coded test credentials (test servlet only)
                    String username = "extern.michael.obster";
                    String pass = "myPassword";
                    WebAuthentication webAuthentication = new WebAuthentication();

                    if (webAuthentication.login(username, pass)) {
                        log.info("Login sucessfull");
                    }
                    else {
                        log.info("Login failed");
                    }

                    try {
                        // The EJBAccessException ("Caller unauthorized") thrown here is not
                        // caught and propagates out of the servlet, as in the stack trace above.
                        ServiceLocator.getInstance().getUserService().getAllRoles();
                    } catch (ServiceLocatorException e) {
                        e.printStackTrace();
                    } finally {
                        // Log out in a finally block so the web login is released
                        // even when the EJB call throws.
                        webAuthentication.logout();
                    }
                }
            }


            Any idea what the problem is?

            Best regards,
            Michael

            • 18. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
              wolfgangknauf

              Hi Michael,

              I am sorry, but I don't have further ideas. Might be a problem of the config, or might be a JBoss problem.


              Your console log contained only output of your Spiider login module and the servlet, but no output of the JBoss security layer. If you did not do so already: activate this logging (sticky post "FAQ" in this forum, question 4). Maybe this provides more information.

              Try to create a very simple sample app (just the web client, the EJB and the login module) which reproduces the issue. Then I might take a look at it. Well, the LDAP login won't be reproducible at my site, but maybe the problem also occurs with some other login module.

              Best regards

              Wolfgang

              • 19. Re: Caller unauthorized on using a ejb3 statetlesssessionbea

                Hi Wolfgang,

                Yes, I've enabled the security layer debugging. There is no more output on my JBoss than what I've posted already. I don't know what you have expected.

                After trying a simple Servlet application with WebAuthentication as described in the blog, the same error "Caller unauthorized" comes up on the access of an EJB3 bean when there is a @RunAs annotation.

                So for now I continued with checking if the EJB3 context gets the user authentication correctly.
                Now I have tried to see what happens when I do a

                log.info(request.getUserPrincipal());
                log.info(request.getRemoteUser());
                log.info(request.isUserInRole("AdminUser"));
                

                The results are:
                extern.michael.obster
                extern.michael.obster
                false
                


                The conclusion from my point is that there are 3 possible errors:
                1. The authentication gets lost, so the request doesn't know the role of the user.
                2. The JAAS gets confused about which ID has to be used to get the role for the user
                3. The roles query has a wrong result.

                After some debugging I found out that my roles query returns a result with some other columns that the JAAS system does not expect.

                So correcting the roles query fixed my problem.

                But thank you for your help. It was not useless, because I got some more knowledge about how to debug the security layer ;-).

                For people who have the same problem, check if your result from the roles query contains the columns "name" (with the name of the role) and "role_group"!

                Cheers,
                Michael
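A check for the failure mode Michael describes, written here as an added example (not code from the thread, from JBoss or from the SpiiderLoginModule): it runs the thread's rolesQuery and a corrected variant against constructed SQLite sample data, reports the missing "name"/"role_group" columns instead of silently loading no roles, and assumes the role group "Roles" (the group JBoss consults for authorization) for the corrected query; the "security" schema prefix is dropped for the in-memory database.

```python
import sqlite3

# Constructed sample data mirroring the tables named in the thread's rolesQuery
# (the "security" schema prefix is dropped for this in-memory SQLite sample).
SCHEMA = """
CREATE TABLE application_user (userid TEXT PRIMARY KEY);
CREATE TABLE application_role (role TEXT PRIMARY KEY);
CREATE TABLE user_role (user_id TEXT, role_id TEXT);
INSERT INTO application_user VALUES ('extern.michael.obster');
INSERT INTO application_role VALUES ('AdminUser'), ('RegularUser');
INSERT INTO user_role VALUES ('extern.michael.obster', 'AdminUser');
"""

# The rolesQuery from the thread's log: its result columns are 'userid' and 'role'.
ORIGINAL_ROLES_QUERY = """
SELECT u.userid, r."role" FROM application_user u, application_role r, user_role ur
WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role"
"""

# Corrected query: the columns 'name' and 'role_group' the thread says are required.
# Assumption: the module wants roles in the group 'Roles' (JBoss' authorization group).
FIXED_ROLES_QUERY = """
SELECT r."role" AS name, 'Roles' AS role_group
FROM application_user u, application_role r, user_role ur
WHERE u.userid = ? AND u.userid = ur.user_id AND ur.role_id = r."role"
"""

EXPECTED_COLUMNS = {"name", "role_group"}

def check_roles_query(conn, query, userid):
    """Run a rolesQuery for one user and return (missing_columns, roles_by_group).
    A query that runs fine but lacks the columns is the thread's silent failure:
    no roles load, isUserInRole() is false and the EJB call ends in "Caller unauthorized"."""
    cur = conn.execute(query, (userid,))
    columns = [d[0] for d in cur.description]
    missing = sorted(EXPECTED_COLUMNS - set(columns))
    if missing:
        return missing, {}
    name_idx, group_idx = columns.index("name"), columns.index("role_group")
    groups = {}
    for row in cur.fetchall():
        groups.setdefault(row[group_idx], set()).add(row[name_idx])
    return [], groups

def demo(userid="extern.michael.obster"):
    # Compare the original and the corrected query on the sample data.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return (check_roles_query(conn, ORIGINAL_ROLES_QUERY, userid),
            check_roles_query(conn, FIXED_ROLES_QUERY, userid))
```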

                • 20. Re: Caller unauthorized on using a ejb3 statetlesssessionbea
                  wolfgangknauf

                  Hi Michael,

                  glad you solved your problem. That was a nasty "bug" ;-). If you see a chance that JBoss might error check this condition, you might raise a JIRA issue. But it happened in your custom login module, didn't it? So maybe no JBoss error ;-)?

                  Best regards

                  Wolfgang
