-
1. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 23, 2007 4:27 PM (in response to anil.saldhana)
With the branch,
asaldhana~/jbossws/stack/native/jbossws-native-2.0.2>ant -Dtest=org.jboss.test.ws.jaxws.samples.context.WebServiceContextEJBTestCase
....
[servicegen] INFO: wrote interface definition: locationURI=hello.wsdl, basePath=C:\cygwin\home\asaldhana\jbossws\stack\native\jbossws-native-2.0.2/output/tests/wstools/resources/jaxrpc/samples/wsbpel/hello/WEB-INF/wsdl
[servicegen] Oct 23, 2007 3:25:46 PM org.jbpm.bpel.wsdl.util.ServiceGenerator generatePortComponents
[servicegen] INFO: wrote binding definition: hello-binding-1.wsdl
[servicegen] Oct 23, 2007 3:25:46 PM org.jbpm.bpel.wsdl.util.ServiceGenerator generatePortComponents
[servicegen] INFO: wrote service definition: hello-service.wsdl
wstools:
BUILD FAILED
C:\cygwin\home\asaldhana\jbossws\stack\native\jbossws-native-2.0.2\ant-import-tests\build-testsuite.xml:133: Error running jbossws:
-
2. Re: JBAS-4890:EJBAccessException: Caller unauthorized
ropalka Oct 24, 2007 5:03 AM (in response to anil.saldhana)
Hi Anil,
you must follow these steps to run JBossWS tests:
* checkout JBossWS SVN (let's call the target directory JBOSSWS_ROOT)
* copy ant.properties.example to ant.properties and modify it accordingly
* pushd JBOSSWS_ROOT
* ./make.sh deploy-jbossXXX
* # start JBOSS AS
* ./make.sh clean main
* ./make.sh -Dtest=somepackage.SomeTestSuite one-test
* ./make.sh tests-report
Richard
-
3. Re: JBAS-4890:EJBAccessException: Caller unauthorized
thomas.diesler Oct 24, 2007 6:27 AM (in response to anil.saldhana)
Richard, I think Anil knows all that. Before he became security lead he was in our team just like you are ;-)
Anil, sorry about the broken test build, please try again.
Yes, that branch is the one
jbossws/stack/native/jbossws-native-2.0.2
-
4. Re: JBAS-4890:EJBAccessException: Caller unauthorized
thomas.diesler Oct 24, 2007 6:30 AM (in response to anil.saldhana)
Please note that you will need to modify
https://svn.jboss.org/repos/jbossws/stack/native/branches/jbossws-native-2.0.2/src/test/resources/test-excludes-jboss500.txt
to enable some tests
-
5. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 24, 2007 11:52 AM (in response to anil.saldhana)
For the branch, I am still seeing the following:
BUILD FAILED
C:\cygwin\home\asaldhana\jbossws\stack\native\trunk\ant-import-tests\build-testsuite.xml:182: org.jboss.xb.binding.JBossXBRuntimeException: Failed to create a new SAX parser
I guess I need to look a little bit further at:
http://wiki.jboss.org/wiki/Wiki.jsp?page=JBWSFAQClientJars
Note: that error is still for the branch. I just copy pasted the error from above (so it is not in trunk)
-
6. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 24, 2007 12:20 PM (in response to anil.saldhana)
As I said before, if you can give me the log entry for the authorization failure from the audit log of JBAS in the log directory, I can tell right away what the issue is.
-
7. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 24, 2007 1:21 PM (in response to anil.saldhana)
For the time being, applied the workaround (commenting out the wsprovide gen) as in
http://jira.jboss.org/jira/browse/JBWS-1852
This got me beyond the sax parser error.
After uncommenting out the test from the excludes, I am able to reproduce the issue.
I will take a look.
-
8. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 24, 2007 1:31 PM (in response to anil.saldhana)
From the audit entries for the authorization failures:
2007-10-24 12:20:22,171 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-0.0.0.0-8080-1:) [Error]runAsIdentity=[roles=[anonymous],principal=anonymous];ejb.principal=kermit;ejb.methodRoles=friend;authorizationManager=[AuthorizationManager:class=org.jboss.security.plugins.JBossAuthorizationManager:JBossWS:];ejb.method=public java.lang.String org.jboss.test.ws.jaxws.samples.context.EndpointEJB.testGetUserPrincipal();Source=org.jboss.security.integration.ejb.EJBAuthorizationHelper;ejb.name=EndpointEJB;caller.subject=Subject: Principal: kermit Principal: Roles(members:friend) ;Exception:=Authorization Failed;ejb.methodInterface=Local;ejb.codeSource=(vfsfile:/C:/cygwin/home/asaldhana/jbossws/stack/native/jbossws-native-2.0.2/output/tests/libs/jaxws-samples-context.jar <no signer certificates>);
and
2007-10-24 12:20:22,296 TRACE [org.jboss.security.audit.providers.LogAuditProvider] (http-0.0.0.0-8080-1:) [Error]runAsIdentity=[roles=[anonymous],principal=anonymous];ejb.principal=kermit;ejb.methodRoles=friend;authorizationManager=[AuthorizationManager:class=org.jboss.security.plugins.JBossAuthorizationManager:JBossWS:];ejb.method=public boolean org.jboss.test.ws.jaxws.samples.context.EndpointEJB.testIsUserInRole(java.lang.String);Source=org.jboss.security.integration.ejb.EJBAuthorizationHelper;ejb.name=EndpointEJB;caller.subject=Subject: Principal: kermit Principal: Roles(members:friend) ;Exception:=Authorization Failed;ejb.methodInterface=Local;ejb.codeSource=(vfsfile:/C:/cygwin/home/asaldhana/jbossws/stack/native/jbossws-native-2.0.2/output/tests/libs/jaxws-samples-context.jar <no signer certificates>);
I am suspecting that there is a push of RunAsIdentity of anonymous in the pipeline that is creating the issue. I need to look further where this RunAs push is happening.
Does that ring any immediate bells?
-
9. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 24, 2007 4:09 PM (in response to anil.saldhana)
The issue seems to be stemming from the following change that Scott made:
http://viewvc.jboss.org/cgi-bin/viewvc.cgi/jbossas/trunk/tomcat/src/main/org/jboss/web/tomcat/security/RunAsListener.java?r1=65384&r2=66068
I will fix it and see if this JIRA issue can be closed.
-
10. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 24, 2007 4:18 PM (in response to anil.saldhana)
The JIRA issue is closed now. Scott had made a RunAsIdentity push of "anonymous" in the absence of any RAI, which is wrong.
-
11. Re: JBAS-4890:EJBAccessException: Caller unauthorized
starksm64 Oct 24, 2007 4:20 PM (in response to anil.saldhana)
That was what my TODO question was about.
-
12. Re: JBAS-4890:EJBAccessException: Caller unauthorized
anil.saldhana Oct 24, 2007 4:31 PM (in response to anil.saldhana)
"scott.stark@jboss.org" wrote:
That was what my TODO question was about.
Yeah, we still push a null runas (as per my latest change). Wonder why u pushed an "anonymous", rather than a null?
RunAs takes preference in authorization and programmatic security (isUserxxx. isCallerXXX, getCallerP).
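-
Added example, not part of the thread or of JBoss code: a Python triage of the audit entries quoted in post 8, flagging the case the thread diagnoses, where a pushed run-as identity lacks the method role that the authenticated caller holds. The verdict labels, the "null" rendering of an absent run-as identity and the role separators are assumptions.

```python
import re

# Audit entry from the thread, de-wrapped; some fields omitted for brevity.
ENTRY = (
    "2007-10-24 12:20:22,171 TRACE [org.jboss.security.audit.providers.LogAuditProvider] "
    "(http-0.0.0.0-8080-1:) [Error]runAsIdentity=[roles=[anonymous],principal=anonymous];"
    "ejb.principal=kermit;ejb.methodRoles=friend;ejb.name=EndpointEJB;"
    "caller.subject=Subject: Principal: kermit Principal: Roles(members:friend) ;"
    "Exception:=Authorization Failed;ejb.methodInterface=Local;"
)
# Constructed variant. Assumption: an absent run-as identity is rendered as "null".
NO_RUNAS = ENTRY.replace("[roles=[anonymous],principal=anonymous]", "null").replace(
    "Roles(members:friend)", "Roles(members:guest)")

def parse_audit(line):
    """Split the ';'-separated key=value pairs that follow the [Level] marker."""
    m = re.search(r"\[(\w+)\]", line)  # first bare [Word] is the audit level
    if not m:
        return {}
    fields, depth, cur = {"level": m.group(1)}, 0, ""
    for ch in line[m.end():] + ";":
        if ch in "[(":
            depth += 1
        elif ch in "])" and depth:
            depth -= 1
        if ch == ";" and depth == 0:  # split only outside [...] and (...)
            key, sep, val = cur.partition("=")
            if sep:
                fields[key.strip().rstrip(":")] = val.strip()
            cur = ""
        else:
            cur += ch
    return fields

def role_set(text, pattern):
    """Roles captured by pattern as a set (comma/space separated, assumed); None if absent."""
    m = re.search(pattern, text)
    return {r for r in re.split(r"[,\s]+", m.group(1)) if r} if m else None

def diagnose(line):
    f = parse_audit(line)
    if "Authorization Failed" not in f.get("Exception", ""):
        return "not-an-authorization-failure"
    required = role_set(f.get("ejb.methodRoles", ""), r"(.+)") or set()
    caller = role_set(f.get("caller.subject", ""), r"Roles\(members:([^)]*)\)") or set()
    run_as = role_set(f.get("runAsIdentity", ""), r"roles=\[([^\]]*)\]")
    if run_as is not None and not run_as & required and caller & required:
        return "run-as-masks-caller"  # caller holds the role, pushed run-as does not
    return "caller-lacks-role" if not caller & required else "unexplained"
```
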