java.lang.SecurityException: Denied: caller with subject=Sub
sangeetha.gold Nov 5, 2009 6:59 AM
Hi,
I have written a custom JAAS login module which extends AbstractServerLoginModule for authN and authZ. I am getting the following error when I try to access the protected EJB with the required role. The web container is working as expected: I am able to access the secured resources based on the user role. But the EJB container is not working. Please find the error below.
My environment:
JBoss 5.1.0 GA, Win XP
In jboss.xml, the <security-domain> element is ignored by JBoss 5.1.0 GA. Please correct me if I am wrong; I think it is a bug in JBoss 5.1.0 GA? So I have modified security-policies-jboss-beans.xml for the jboss-ejb-policy element as follows:
<?xml version="1.0" encoding="UTF-8"?>
<application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-web-policy" extends="other">
  <authorization>
    <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
  </authorization>
</application-policy>
<application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-ejb-policy" extends="UIdPSso">
  <authorization>
    <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
  </authorization>
</application-policy>
<application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-WebUIdP-policy" extends="UIdPSso">
  <authorization>
    <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
  </authorization>
</application-policy>
ejb-jar.xml is in EJB's/META-INF:
<?xml version="1.0"?>
<!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN' 'http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd'>
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>DsBean</ejb-name>
      <home>com.sample.as2.weblogic.test.DsBeanHome</home>
      <remote>com.sample.as2.weblogic.test.DsBean</remote>
      <ejb-class>com.sample.as2.weblogic.test.DsBeanEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <description>DSmart Bean Level Access</description>
      <role-name>DSBeanRole</role-name>
    </security-role>
    <method-permission>
      <role-name>DSBeanRole</role-name>
      <method>
        <ejb-name>DsBean</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>
    <container-transaction>
      <method>
        <ejb-name>DsBean</ejb-name>
        <method-name>*</method-name>
      </method>
      <trans-attribute>Required</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>
ERROR org.jboss.ejb.plugins.SecurityInterceptor - Error in Security Interceptor
java.lang.SecurityException: Denied: caller with subject=Subject:
Principal: jaasuser
Principal: Roles(members:DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole)
Principal: CallerPrincipal(members:jaasuser)
and security context post-mapping roles=Roles(DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole,): ejbMethod=public abstract com.sample.as2.weblogic.test.DsBean com.sample.as2.weblogic.test.DsBeanHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException
at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:368)
at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
at org.jboss.ejb.Container.invoke(Container.java:1046)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
at org.jboss.proxy.ejb.SecurityContextInterceptor.invoke(SecurityContextInterceptor.java:64)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:68)
at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:184)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:101)
at $Proxy248.create(Unknown Source)
at com.sample.as2.servlets.unprotectedServlet.doPost(Unknown Source)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:402)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
at java.lang.Thread.run(Thread.java:595)
1462903 [http-127.0.0.1-8080-1] ERROR com.sample.as2.servlets.unprotectedServlet - Exception caught initializing beans:java.rmi.AccessException: SecurityException; nested exception is:
java.lang.SecurityException: Denied: caller with subject=Subject:
Principal: jaasuser
Principal: Roles(members:DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole)
Principal: CallerPrincipal(members:jaasuser)
and security context post-mapping roles=Roles(DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole,): ejbMethod=public abstract com.sample.as2.weblogic.test.DsBean com.sample.as2.weblogic.test.DsBeanHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException
Thanks,
Sangeetha
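
Added example, not part of the original post: the denied call in the trace is DsBeanHome.create(), a home-interface method, while the only method-permission entry in the descriptor carries <method-intf>Remote</method-intf>. The Python sketch below evaluates which roles a descriptor grants per interface under the EJB 1.1 DTD's method-intf semantics; it ignores method-params, does not model JBoss's own authorization code, and its function names and the method name anyBusinessMethod are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the method-permission from the post's ejb-jar.xml,
# with the EJB 1.1 DTD's <method> wrapper element written out.
EJB_JAR = """
<ejb-jar>
  <assembly-descriptor>
    <method-permission>
      <role-name>DSBeanRole</role-name>
      <method>
        <ejb-name>DsBean</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
"""

# Roles copied from the Subject printed in the exception message.
CALLER_ROLES = ["DSBeanRole", "ProtectedServletGroup", "ValidUser", "jaasrole"]

def roles_allowed(descriptor, ejb_name, intf, method_name):
    """Roles whose <method-permission> covers ejb_name.method_name when it
    is invoked through interface intf ("Home" or "Remote")."""
    roles = set()
    for perm in ET.fromstring(descriptor).iter("method-permission"):
        perm_roles = {r.text.strip() for r in perm.findall("role-name")}
        for m in perm.findall("method"):
            if m.findtext("ejb-name", "").strip() != ejb_name:
                continue
            # An absent <method-intf> applies to both interfaces; a present
            # one restricts the entry to that interface only.
            m_intf = m.findtext("method-intf")
            if m_intf is not None and m_intf.strip() != intf:
                continue
            name = m.findtext("method-name", "").strip()
            if name in ("*", method_name):
                roles |= perm_roles
    return roles

def is_covered(descriptor, caller_roles, ejb_name, intf, method_name):
    """True if any caller role is granted the method on that interface."""
    granted = roles_allowed(descriptor, ejb_name, intf, method_name)
    return bool(set(caller_roles) & granted)

if __name__ == "__main__":
    for intf, method in [("Remote", "anyBusinessMethod"), ("Home", "create")]:
        print(intf, method, is_covered(EJB_JAR, CALLER_ROLES, "DsBean", intf, method))
```

Running the same check against a descriptor whose method entry omits <method-intf>, or adds a second entry with Home, shows whether create() then falls under DSBeanRole.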