3 Replies Latest reply on Mar 23, 2004 7:39 PM by starksm64

    run-as role in ejbCreate

    edstorm

      Hi,

      I originally posted this question in another forum, but thought it might do a bit better here. I have two session beans, TestSession and InternalSession. TestSession is stateful, InternalSession is stateless. TestSession has the run-as role set to "internal", and all of the methods for InternalSession require the "internal" role. Everything runs fine, until ejbActivate is invoked on TestSession. I get the following exception:


      12:08:13,801 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=create, interface=LOCALHOME, requiredRoles=[internal], principalRoles=[]
      12:08:13,804 ERROR [LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, interface=LOCALHOME, requiredRoles=[internal], principalRoles=[]
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:229)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:562)
      at org.jboss.ejb.Container.invoke(Container.java:909)
      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:293)
      at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
      at $Proxy51.create(Unknown Source)
      at test.TestSessionBean.getInternalSessionLocal(TestSessionBean.java:73)
      at test.TestSessionBean.checkRoles(TestSessionBean.java:210)
      at test.TestSessionBean.checkLocal(TestSessionBean.java:187)
      at test.TestSessionBean.ejbActivate(TestSessionBean.java:127)
      at org.jboss.ejb.plugins.StatefulSessionFilePersistenceManager.activateSession(StatefulSessionFilePersistenceManager.java:331)
      at org.jboss.ejb.plugins.StatefulSessionInstanceCache.activate(StatefulSessionInstanceCache.java:90)
      at org.jboss.ejb.plugins.AbstractInstanceCache.get(AbstractInstanceCache.java:107)
      at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessionInstanceInterceptor.java:211)
      at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:84)
      at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:314)
      at org.jboss.ejb.plugins.TxInterceptorCMT.invoke(TxInterceptorCMT.java:148)




      The bit of code where the exception occurs is where create() is called on the InternalSession ( which requires "internal" role ) below:

      private InternalSessionLocal getInternalSessionLocal()
              throws EJBException {

          try {

              InitialContext initCtx = new InitialContext();
              InternalSessionLocalHome ilocalhome = (InternalSessionLocalHome) initCtx.lookup(
                      "java:comp/env/ejb/test/InternalSession"
              );
              return ilocalhome.create();

          } catch (Exception e) {
              log.error("Exception getting internal session.", e);
              throw new EJBException("exception getting internal session", e);
          }

      }
      
      


      I have tested this on jboss-3.2.3 and jboss-4.0.0DR3, and the results are the same. So the question is: Should jboss be applying the run-as role when ejbActivate is invoked? My reading of the 2.0 spec suggests that it should, but I am not by any means an expert.

      Thanks,
      Ed

        • 1. Re: run-as role in ejbCreate
          starksm64

          Yes, it should. You should be able to enable this behavior by moving the SecurityInterceptor ahead of the StatefulSessionInstanceInterceptor in the conf/standardjboss.xml descriptor:

          <container-configuration>
             <container-name>Standard Stateful SessionBean</container-name>
             ...
             <container-interceptors>
                ...
                <interceptor>org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor</interceptor>
                <interceptor>org.jboss.ejb.plugins.LogInterceptor</interceptor>
                <interceptor>org.jboss.ejb.plugins.SecurityInterceptor</interceptor>
                <!-- CMT -->
                <interceptor transaction="Container">org.jboss.ejb.plugins.TxInterceptorCMT</interceptor>
                <interceptor transaction="Container" metricsEnabled="true">org.jboss.ejb.plugins.MetricsInterceptor</interceptor>
                <interceptor transaction="Container">org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor</interceptor>
                <!-- BMT -->
                <interceptor transaction="Bean">org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor</interceptor>
                <interceptor transaction="Bean">org.jboss.ejb.plugins.TxInterceptorBMT</interceptor>
                <interceptor transaction="Bean" metricsEnabled="true">org.jboss.ejb.plugins.MetricsInterceptor</interceptor>
                <interceptor>org.jboss.resource.connectionmanager.CachedConnectionInterceptor</interceptor>
             </container-interceptors>
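
A check for the interceptor order described in the reply above, as an added example that is not part of the original thread or of JBoss: it parses a descriptor shaped like conf/standardjboss.xml and reports, per stateful container configuration and transaction type, whether SecurityInterceptor precedes StatefulSessionInstanceInterceptor. The sample XML, the container names "Reordered" and "Default order", and the verdict strings are constructed for illustration.

```python
import xml.etree.ElementTree as ET

PKG = "org.jboss.ejb.plugins."
SECURITY = PKG + "SecurityInterceptor"
INSTANCE = PKG + "StatefulSessionInstanceInterceptor"

# Constructed sample shaped like conf/standardjboss.xml; not a real file.
# "Reordered" follows the reply's order, "Default order" keeps security last.
SAMPLE = f"""<jboss><container-configurations>
<container-configuration><container-name>Reordered</container-name>
 <container-interceptors>
  <interceptor>{PKG}LogInterceptor</interceptor>
  <interceptor>{SECURITY}</interceptor>
  <interceptor transaction="Container">{INSTANCE}</interceptor>
  <interceptor transaction="Bean">{INSTANCE}</interceptor>
 </container-interceptors></container-configuration>
<container-configuration><container-name>Default order</container-name>
 <container-interceptors>
  <interceptor>{PKG}LogInterceptor</interceptor>
  <interceptor transaction="Container">{INSTANCE}</interceptor>
  <interceptor transaction="Bean">{INSTANCE}</interceptor>
  <interceptor>{SECURITY}</interceptor>
 </container-interceptors></container-configuration>
</container-configurations></jboss>"""

def audit(xml_text):
    """Map container name -> {tx type: 'security-first' | 'instance-first' | 'no-security'}."""
    report = {}
    for cfg in ET.fromstring(xml_text).iter("container-configuration"):
        verdicts = {}
        for tx in ("Container", "Bean"):
            # Effective chain: untagged interceptors plus those tagged for this tx type.
            chain = [(i.text or "").strip() for i in cfg.iter("interceptor")
                     if i.get("transaction") in (None, tx)]
            if INSTANCE not in chain:
                continue  # not a stateful session configuration
            if SECURITY not in chain:
                verdicts[tx] = "no-security"
            elif chain.index(SECURITY) < chain.index(INSTANCE):
                verdicts[tx] = "security-first"   # run-as is set before ejbActivate
            else:
                verdicts[tx] = "instance-first"   # order that produced the exception above
        if verdicts:
            report[cfg.findtext("container-name")] = verdicts
    return report

if __name__ == "__main__":
    for name, verdicts in audit(SAMPLE).items():
        print(name, verdicts)
```
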
          



          • 2. Re: run-as role in ejbCreate
            edstorm

            Thanks Scott, that works well. Is there any downside to running in this configuration?

            Ed

            • 3. Re: run-as role in ejbCreate
              starksm64

              Only that security exceptions no longer throw the stateful session out of the cache. This is why the security interceptor is after the instance interceptor by default. If a session attempts an invalid access, it invalidates the session. With the security interceptor up front, the session will remain alive. Generally it should not be a big deal, but that is a change in behavior.
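
The trade-off described in the last reply, as an added toy model that is not JBoss code and not part of the original thread: two interceptors are chained in either order to show when the run-as role is in effect during ejbActivate and when a denied call evicts the session. The `Chain` class, the session id `s1` and the caller role `user` are assumptions made for the example.

```python
class SecurityError(Exception):
    pass

class Chain:
    """Two-interceptor toy model of the ordering trade-off (not JBoss code)."""

    def __init__(self, order, run_as="internal"):
        self.order = order        # ["instance", "security"] or the reverse
        self.run_as = run_as      # run-as role declared for the stateful bean
        self.cache = {}           # session id -> "active" | "passive"
        self.roles = []           # run-as roles in effect for nested calls

    def invoke(self, sid, caller_roles, required, depth=0):
        if depth == len(self.order):
            return "ok"                       # the business method itself
        if self.order[depth] == "security":
            if required not in caller_roles:
                raise SecurityError("insufficient method permissions")
            self.roles.append(self.run_as)    # run-as applies from here inward
            try:
                return self.invoke(sid, caller_roles, required, depth + 1)
            finally:
                self.roles.pop()
        try:                                  # instance interceptor
            if self.cache[sid] == "passive":
                self.ejb_activate()
                self.cache[sid] = "active"
            return self.invoke(sid, caller_roles, required, depth + 1)
        except SecurityError:
            self.cache.pop(sid, None)         # failures seen here evict the session
            raise

    def ejb_activate(self):
        # Stands in for ilocalhome.create(), which requires the "internal" role.
        if "internal" not in self.roles:
            raise SecurityError("principalRoles=[] during ejbActivate")

def run(order, state, caller_roles):
    """Return (outcome, session still cached?) for one call requiring role 'user'."""
    chain = Chain(order)
    chain.cache["s1"] = state                 # constructed session id
    try:
        outcome = chain.invoke("s1", caller_roles, "user")
    except SecurityError as exc:
        outcome = "denied: " + str(exc)
    return outcome, "s1" in chain.cache
```

With `["instance", "security"]` a passivated session fails inside `ejb_activate` even for an authorised caller, while `["security", "instance"]` activates it but leaves the session cached after a denied call.
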