1 2 Previous Next 19 Replies Latest reply on Apr 24, 2008 1:14 PM by starksm64

Security EJB2 and dependencies

adrian.brock Apr 22, 2008 10:46 AM

If you run the pooled tests in JBoss5

./build.sh test -Dtest=pooled -Dnojars=t

you will see it fails with

16:20:26,857 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
 at org.jboss.security.auth.spi.Util.loadProperties(Util.java:366)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
 at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:563)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:497)
 at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
 at org.jboss.security.javaee.EJBAuthenticationHelper.isValid(EJBAuthenticationHelper.java:76)
 at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:301)
 at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:238)
 at org.jboss.ejb.plugins.SSLSessionInterceptor.invokeHome(SSLSessionInterceptor.java:53)
 at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
 at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
 at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:640)
 at org.jboss.ejb.Container.invoke(Container.java:1031)
 at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
 at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
 at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
 at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
 at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
 at org.jboss.invocation.pooled.server.PooledInvoker$MBeanServerAction.invoke(PooledInvoker.java:896)
 at org.jboss.invocation.pooled.server.PooledInvoker.invoke(PooledInvoker.java:383)
 at org.jboss.invocation.pooled.server.ServerThread.processInvocation(ServerThread.java:233)
 at org.jboss.invocation.pooled.server.ServerThread.dorun(ServerThread.java:275)
 at org.jboss.invocation.pooled.server.ServerThread.run(ServerThread.java:156)

This is because it has been configured to use the ssl-pooled domain which is hot
deployed with the ejbs, but it is actually using the "other" domain.

I'd guess this is because org.jboss.ejb.plugins.SecurityInterceptor
is not respecting the jmx dependency rules.
i.e. it is trying to retrieve the SecurityDomain in setContainer() instead of start()
setContainer() is invoked from EJB.create()

 public void setContainer(Container container)
 {
...

// HERE This is invoked from EJB.create() which is too early since
the SecurityDomain is not deployed until start()

 if(securityManager != null)
 {
 appSecurityDomain = securityManager.getSecurityDomain();
 appSecurityDomain = SecurityUtil.unprefixSecurityDomain(appSecurityDomain);
 }
 }
 }

From the debug logging


This is where it tries to retrieve the security domain:

2008-04-22 16:20:25,185 DEBUG [org.jboss.ejb.StatelessSessionContainer] (RMI TCP Connection(6)-127.0.0.1) Creating jboss.j2ee:jndiName=StatelessSessionWithPooledSSL,se
rvice=EJB

This is where the security domain is actually deployed

2008-04-22 16:20:25,198 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (RMI TCP Connection(6)-127.0.0.1) Starting jboss.security:service=JaasSecurityDomain,doma
in=pooled-ssl
2008-04-22 16:20:25,201 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] (RMI TCP Connection(6)-127.0.0.1) Added pooled-ssl, org.jboss.security.plugins.Ja
asSecurityDomain@18441c1 to map
2008-04-22 16:20:25,213 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.pooled-ssl] (RMI TCP Connection(6)-127.0.0.1) CachePolicy set to: org.jboss.util
.TimedCachePolicy@1f90a95
2008-04-22 16:20:25,213 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] (RMI TCP Connection(6)-127.0.0.1) setCachePolicy, c=org.jboss.util.TimedCachePoli
cy@1f90a95
2008-04-22 16:20:25,213 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (RMI TCP Connection(6)-127.0.0.1) Started jboss.security:service=JaasSecurityDomain,domai
n=pooled-ssl

This is where it should be retrieved

2008-04-22 16:20:25,269 DEBUG [org.jboss.ejb.StatelessSessionContainer] (RMI TCP Connection(6)-127.0.0.1) Started jboss.j2ee:jndiName=StatelessSessionWithPooledSSL,ser
vice=EJB

1. Re: Security EJB2 and dependencies

adrian.brock Apr 22, 2008 10:51 AM (in response to adrian.brock)

There's a plethora of other security deployment failures in the JBoss5 testsuite.

e.g.

http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.jacc.test/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.jca.test/SecurityContextUnitTestCase(tests-security-basic-unit)/testRunAsIdentityPropagationFS/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.jmx.test/DeployXMBeanUnitTestCase/testSecuredJndiXMBean/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.naming.test/SecurityUnitTestCase(tests-security-basic-unit)/testSecureHttpInvoker/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.perf.test/SecurePerfStressTestCase(tests-security-basic-unit)/testClientSession/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.security.test/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.security.test.client/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.security.test.opends/
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.web.security/

Some of which have been broken for months.

With this many tests failing, I don't know how you catch when you've broken something? :-)
Actions
2. Re: Security EJB2 and dependencies

adrian.brock Apr 22, 2008 11:46 AM (in response to adrian.brock)

There's some more in the web tests:
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.web.test/

Why do we have security tests in web and web.security? ;-)
Actions
3. Re: Security EJB2 and dependencies

anil.saldhana Apr 22, 2008 11:48 AM (in response to adrian.brock)

Overall, we have between 7-10% of security test failures in the AS test suite in the last few months. A few of the tests are some legacy stuff (hard core SecurityAssociation stuff) that I have not yet decided whether we will support going forward.

In the last 3-4 days, I may have increased that failure rate a bit. Hopefully once I resolve the ejb3 refactoring (they want me to do) and make them happy, I can look at increasing the passing rate.
Actions
4. Re: Security EJB2 and dependencies

anil.saldhana Apr 22, 2008 11:49 AM (in response to adrian.brock)

Additionally, in the security project I have written unit tests that test the core functionality. So in the AS test suite, the failures are mainly integration as well as dependency/ordering issues.
Actions
5. Re: Security EJB2 and dependencies

adrian.brock Apr 22, 2008 12:11 PM (in response to adrian.brock)

"anil.saldhana@jboss.com" wrote:
Overall, we have between 7-10% of security test failures in the AS test suite in the last few months. A few of the tests are some legacy stuff (hard core SecurityAssociation stuff) that I have not yet decided whether we will support going forward.

I'd estimate that besides the clustering tests, most of the failures in the JBoss5
testsuite are due to broken security integration.
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/

Most look like deployment issues, which usually materialises as NameNotFoundException
when there is no real dependency expressed to the new deployers.
e.g. choosing one at random:
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.jacc.test/EJBSpecUnitTestCase(JACC)/testRunAsWithRoles/

If you look at the JACC tests from yesterday, you've lost half the tests!!!!!
http://hudson.jboss.org/hudson/job/JBoss-AS-5.0.x-TestSuite-sun15/533/testReport/org.jboss.test.jacc.test/

I'll see if I can find some low hanging fruit in these tests (like the dependency problem
I mentioned earlier).
It'll give me chance to read, learn and **COMPLAIN** about the new security code. :-)
Actions
6. Re: Security EJB2 and dependencies

anil.saldhana Apr 22, 2008 12:18 PM (in response to adrian.brock)

I was planning to take a look at the JACC failing tests this afternoon.
Actions
7. Re: Security EJB2 and dependencies

anil.saldhana Apr 22, 2008 12:21 PM (in response to adrian.brock)
Adrian, I am wondering if you have maybe some few minutes to take a look at the deployment archive for this test.
org.jboss.test.security.test.DeepCopySubjectUnitTestCase

This test has failed to deploy for ever and Scott had told me that he would take a look at it a couple of months ago (but cannot bug him now).
Actions
8. Re: Security EJB2 and dependencies

adrian.brock Apr 22, 2008 12:52 PM (in response to adrian.brock)

It's trying to load a resource from the META-INF folder of an ear.
The root of an ear isn't part of the classpath in JBoss5 (at least by default).

I guess the resource just needs moving to the new "lib" folder supported in JavaEE5?
Actions

9. Re: Security EJB2 and dependencies

anil.saldhana Apr 22, 2008 1:15 PM (in response to adrian.brock)

Adrian, I tried adding the following piece of code into start() of SecurityInterceptor for the pooled tests,


 // Container implementation --------------------------------------
 public void start() throws Exception
 {
 ....

 //Take care of hot deployed security domains
 if(container != null)
 {
 securityManager = container.getSecurityManager();
 if(securityManager != null)
 {
 appSecurityDomain = securityManager.getSecurityDomain();
 appSecurityDomain = SecurityUtil.unprefixSecurityDomain(appSecurityDomain);
 }
 }
 }

I see basically deployment issues.

2008-04-22 11:55:28,593 DEBUG [org.jboss.ejb.StatelessSessionContainer] (RMI TCP
 Connection(6)-127.0.0.1) End java:comp/env for EJB: StatelessSessionWithPooledSSL
2008-04-22 11:55:28,593 DEBUG [org.jboss.ejb.plugins.local.BaseLocalProxyFactory
] (RMI TCP Connection(6)-127.0.0.1) StatelessSessionWithPooledSSL cannot be Bound, doesn't have local and local home interfaces
2008-04-22 11:55:28,593 DEBUG [org.jboss.ejb.StatelessSessionContainer] (RMI TCP
 Connection(6)-127.0.0.1) Starting failed jboss.j2ee:jndiName=StatelessSessionWi
thPooledSSL,service=EJB
java.lang.RuntimeException: invoker is null: jboss:service=invoker,type=pooled,socketType=SSLSocketFactory,wantsClientAuth=true at org.jboss.proxy.ejb.ProxyFactory.setupInvokers(ProxyFactory.java:254)

 at org.jboss.proxy.ejb.ProxyFactory.start(ProxyFactory.java:238) at org.jboss.ejb.SessionContainer.startInvokers(SessionContainer.java:44
0)
 at org.jboss.ejb.SessionContainer.startService(SessionContainer.java:398
)
 at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanS

So there seem to be other issues as well.

10. Re: Security EJB2 and dependencies

anil.saldhana Apr 22, 2008 6:27 PM (in response to adrian.brock)

I had introduced a bug when release 2.0.2.Beta6. This is the reason why 7-10 tests in JACC were failing. I will fix some more and release 2.0.2.Beta7 tomorrow.
Actions
11. Re: Security EJB2 and dependencies

anil.saldhana Apr 22, 2008 11:11 PM (in response to adrian.brock)

Adrian, I packaged the resources in a jar and placed in a lib directory in the ear and the deployment of previously failing tests passed. So thanks for the pointer.
Actions

12. Re: Security EJB2 and dependencies

anil.saldhana Apr 23, 2008 12:12 AM (in response to adrian.brock)

Adrian, regarding the pooled tests, I updated the META-INF/jboss.xml to include the PreSecurityInterceptor before the SecurityInterceptor in the container configuration. The PreSI is needed to correctly establish the security context for the container on the thread.

With this change, I do not see the errors indicating lack of properties files (users/roles.properties). But the tests now fail mainly with the following messages:

23:04:12,964 INFO [MainDeployer] deploy, url=file:/C:/cygwin/home/asaldhana/jboss-5.0/jboss-head/testsuite/output/lib/pooled.jar
23:04:13,527 INFO [EjbModule] Deploying StatelessSessionWithPooledSSL
23:04:14,120 INFO [EjbModule] Deploying StatelessSession
23:04:14,120 WARN [EjbModule] EJB Deployment has no configured security domain.
 Security will be bypassed. Please verify if this is intended. Bean=StatelessSession Deployment=vfsfile:/C:/cygwin/home/asaldhana/jboss-5.0/jboss-head/testsuite/output/lib/pooled.jar
23:04:14,183 INFO [ProxyFactory] Bound EJB Home 'StatelessSession' to jndi 'PooledStatelessSession'
23:04:14,261 INFO [STDOUT] com.sun.net.ssl.internal.ssl.SSLSessionContextImpl@9
21807
23:04:14,370 INFO [ProxyFactory] Bound EJB Home 'StatelessSessionWithPooledSSL'
 to jndi 'StatelessSessionWithPooledSSL'

<== LOOK BELOW FOR THE WARN MESSAGES =>
23:04:16,230 WARN [BaseCertLoginModule] CallbackHandler did not provide a certificate
23:04:16,230 WARN [BaseCertLoginModule] Domain, KeyStore, or cert is null. Unable to validate the certificate.
<== TILL HERE ==>

23:04:16,277 INFO [ProxyFactory] Unbind EJB Home 'StatelessSessionWithPooledSSL
' from jndi 'StatelessSessionWithPooledSSL'
23:04:16,292 INFO [ProxyFactory] Unbind EJB Home 'StatelessSession' from jndi 'PooledStatelessSession'

Let me take a look at what the issue with the certs packaged in the archive is.

13. Re: Security EJB2 and dependencies

adrian.brock Apr 23, 2008 8:17 AM (in response to adrian.brock)

I'm seeing a completely different error message:

14:13:17,618 ERROR [Context] Failed to init SSLContext
java.lang.SecurityException: Failed to lookup SecurityDomain, java:/jaas/pooled-ssl
 at org.jboss.security.propertyeditor.SecurityDomainEditor$SecurityDomainProxy.initDelegate(SecurityDomainEditor.java:123)
 at org.jboss.security.propertyeditor.SecurityDomainEditor$SecurityDomainProxy.getKeyManagerFactory(SecurityDomainEditor.java:138)
 at org.jboss.security.ssl.Context.forDomain(Context.java:66)
...
Caused by: java.lang.ClassCastException: org.jboss.security.plugins.JaasSecurityManager
 at org.jboss.security.propertyeditor.SecurityDomainEditor$SecurityDomainProxy.initDelegate(SecurityDomainEditor.java:119)
 ... 103 more

14. Re: Security EJB2 and dependencies

adrian.brock Apr 23, 2008 8:54 AM (in response to adrian.brock)

It's failing because this configuration simply cannot work in general:

 <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
 name="jboss.security:service=JaasSecurityDomain,domain=pooled-ssl">
 <constructor>
 <arg type="java.lang.String" value="pooled-ssl"/>
 </constructor>
 <attribute name="KeyStoreURL">resource:localhost.keystore</attribute>
 <attribute name="KeyStorePass">unit-tests-server</attribute>
 <attribute name="TrustStoreURL">resource:localhost.keystore</attribute>
 <attribute name="TrustStorePass">unit-tests-server</attribute>
 <attribute name="Salt">abcdefgh</attribute>
 <attribute name="IterationCount">13</attribute>
 <depends>jboss.security.tests:service=LoginConfig,policy=pooled-ssl</depends>
 </mbean>

 <mbean code="org.jboss.invocation.pooled.server.PooledInvoker"
 name="jboss:service=invoker,type=pooled,socketType=SSLSocketFactory,wantsClientAuth=true">
 <attribute name="NumAcceptThreads">1</attribute>
 <attribute name="MaxPoolSize">300</attribute>
 <attribute name="ClientMaxPoolSize">300</attribute>
 <attribute name="SocketTimeout">60000</attribute>
 <attribute name="ServerBindAddress">${jboss.bind.address}</attribute>
 <attribute name="ServerBindPort">0</attribute>
 <attribute name="ClientConnectAddress">${jboss.bind.address}</attribute>
 <attribute name="ClientConnectPort">0</attribute>
 <attribute name="ClientRetryCount">1</attribute>
 <attribute name="EnableTcpNoDelay">false</attribute>

 <!-- Customized socket factory attributes -->
 <attribute name="ClientSocketFactoryName">org.jboss.security.ssl.ClientSocketFactory</attribute>
 <attribute name="ServerSocketFactory"
 attributeClass="org.jboss.security.ssl.DomainServerSocketFactory"
 serialDataType="javaBean">
 <property name="bindAddress">${jboss.bind.address}</property>
 <property name="securityDomain">java:/jaas/pooled-ssl</property>
 <property name="wantsClientAuth">true</property>
 <property name="needsClientAuth">true</property>
 <property name="CiperSuites">TLS_DHE_DSS_WITH_AES_128_CBC_SHA</property>
 <property name="Protocols">SSLv2Hello,SSLv3,TLSv1</property>
 </attribute>
 <depends>jboss.security.tests:service=LoginConfig,policy=pooled-ssl</depends>
 </mbean>

The server socket factory is being constructed during
the PooledInvoker::CONFIGURE stage.
But it requires the SecurityDomain to be in the STARTED state to work
(it needs to be bound into JNDI).

There's no way to express this dependency for this config.

JBoss5 does have the option to do:

 <attribute name="SecurityDomain"><inject bean="jboss.security:service=JaasSecurityDomain,domain=pooled-ssl"/></attribute>

which will do what is required.

But the above example isn't configuring an mbean. It is configuring a POJO
that is not managed by the MC which then gets set on the MBean.

1 2 Previous Next

Go to original post