6 Replies Latest reply on Dec 27, 2005 3:16 PM by bill.burke

    Can't get method permissions to work on a session bean

    jimih

      Hi,

      I'm trying to limit access to a method in a session bean, but it doesn't work. Can someone show me a simple example maybe? Using annotations... Or just take a look at my files, and tell me what I'm doing wrong.

      I have a working web application, with all the beans working. And I have configured a working authentication policy (<application-policy name="recruit">...) using MySQL. All this works like a charm.

      And in one of my session beans, I wanted to limit access to a specific method, so that only users of the admin role can use the method. This is what it looks like:

      import javax.ejb.Remote;
      import javax.ejb.Stateless;
      import org.jboss.annotation.security.SecurityDomain;
      import org.jboss.aspects.security.Permissions;

      @Remote ({ProfileManager.class})
      @Stateless
      @SecurityDomain("recruit")
      public class ProfileManagerBean implements ProfileManager
      {
          ....

          @Permissions({"admin"})
          public String getTheSecret()
          {
              return "the secret2";
          }
      }

      And then, in another session bean (a facade), I do:

      import javax.naming.InitialContext;
      import javax.naming.NamingException;
      ....
      public void testAuthentication() throws NamingException
      {
          InitialContext ctx = new InitialContext();
          ProfileManager profileManager =
              (ProfileManager)ctx.lookup(ProfileManager.class.getName());
          System.out.println("Secret: " + profileManager.getTheSecret());
      }

      And this method is called from a struts action. And even though I haven't logged in, the getTheSecret method gets called. Why isn't the authentication checked? What am I doing wrong?


      Also, maybe I should tell you what I eventually want to do... I want a webservice to access this session bean facade, and only allow the user to call methods that he has the right to, by checking the roles.

      Regards
      /Jimi

        • 1. Re: Can't get method permissions to work on a session bean
          jimih

          I forgot to mention one thing...

          First I tried using org.jboss.aspects.security.SecurityDomain, but then when I deployed the application, the JBoss console window printed "ProfileManagerBean has no @SecurityDomain - skipping JACC configuration". Then I tried org.jboss.annotation.security.SecurityDomain instead, and that resulted in:

          [JaccHelper] ProfileManagerBean has @SecurityDomain - peforming JACC configuration
          [JaccHelper] Creating permission: (javax.security.jacc.EJBMethodPermission ProfileManagerBean getTheSecret,,)[*:getTheSecret()]
          [JaccHelper] JACC Policy Configuration for deployment has been put in service

          But when I tried the application, the method still gets called, as if no restriction was there.

          I use JBoss 4.0.3SP1.

          /Jimi

          • 2. Re: Can't get method permissions to work on a session bean
            starksm64

            And you have gone through the ejb3 docs?
            http://www.jboss.com/products/ejb3

            • 3. Re: Can't get method permissions to work on a session bean
              psmith

              I seem to be having the same problem as well. I've configured the web application with the correct Security Domain and added the annotation to the SLSB but I still see the following in the deployment log:

              20:36:41,562 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=au.com.pulse.online.ejb3.creditcard.CreditCardFacadeBean, class=au.com.pulse.online.ejb3.creditcard.CreditCardFacadeBean, type=STATELESS
              20:36:41,687 INFO [JaccHelper] au.com.pulse.online.ejb3.creditcard.CreditCardFacadeBean has no @SecurityDomain - skipping JACC configuration
              20:36:41,718 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=au.com.pulse.online.ejb3.entity.EntityFacadeBean, class=au.com.pulse.online.ejb3.entity.EntityFacadeBean, type=STATELESS
              20:36:41,796 INFO [JaccHelper] au.com.pulse.online.ejb3.entity.EntityFacadeBean has no @SecurityDomain - skipping JACC configuration
              20:36:41,812 INFO [JaccHelper] JACC Policy Configuration for deployment has been put in service
              20:36:41,812 INFO [Ejb3Deployment] EJB3 deployment time took: 297

              Yet the code has:

               import javax.ejb.Stateless;

               import org.apache.commons.logging.Log;
               import org.apache.commons.logging.LogFactory;
               import org.jboss.aspects.security.SecurityDomain;

               import au.com.pulse.online.ejb3.AbstractFacadeBean;
               import au.com.pulse.online.ejb3.ValidationException;
               import au.com.pulse.online.ejb3.bi.creditcard.ICreditCardFacade;
               import au.com.pulse.online.persistence.ejb.crm.CreditCardDetail;

               @Stateless
               @SecurityDomain ("pulse-domain")
               public class CreditCardFacadeBean extends AbstractFacadeBean implements ICreditCardFacade {
                   // ...
               }

              My main issue is that I get an IllegalStateException when I call getCallerPrincipal().

              Anybody got any ideas?
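
As an added example, not code from the thread or from JBoss: the restriction asked for in the original post, written with the standard EJB 3.0 @RolesAllowed annotation in place of the JBoss AOP @Permissions annotation, together with the getCallerPrincipal() call from reply 3 placed where a security domain is guaranteed to be in effect. The ProfileManager interface and the ProfileFacade class are assumed shapes, and EJBAccessException is taken from the EJB 3.0 final API.

```java
// Added example (not code from the thread or from JBoss): the question's
// restriction written with the standard EJB 3.0 annotations. Assumes the
// EJB 3.0 final API (javax.annotation.security.*, javax.ejb.EJBAccessException).
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBAccessException;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import org.jboss.annotation.security.SecurityDomain;

// Remote business interface; its shape is assumed, the thread never shows it.
interface ProfileManager {
    String getTheSecret();
}

@Remote(ProfileManager.class)
@Stateless
@SecurityDomain("recruit")   // same name as the <application-policy> in login-config.xml
public class ProfileManagerBean implements ProfileManager {

    @Resource
    private SessionContext ctx;   // container-injected; exposes the caller's identity

    // Standard role restriction: the container checks the caller's roles (from the
    // "recruit" login modules) before the body runs and rejects anyone who is not
    // "admin", unauthenticated callers included, with EJBAccessException.
    @RolesAllowed("admin")
    public String getTheSecret() {
        // Safe here: a security domain is in effect and the role check has passed.
        // With no @SecurityDomain ("skipping JACC configuration" in the logs above)
        // this call fails with IllegalStateException, as reply 3 reports.
        return "the secret2 (asked by " + ctx.getCallerPrincipal().getName() + ")";
    }
}

// Facade side: the denial arrives as an exception, which is what the original
// post expected to see instead of the secret being printed.
class ProfileFacade {
    public String testAuthentication() throws NamingException {
        InitialContext ic = new InitialContext();
        ProfileManager pm = (ProfileManager) ic.lookup(ProfileManager.class.getName());
        try {
            return "Secret: " + pm.getTheSecret();
        } catch (EJBAccessException denied) {
            return "Access denied: " + denied.getMessage();   // not admin / not logged in
        }
    }
}
```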

              • 4. how to configure my EJB to work over SSL connections?
                joselitol

                hi people,

                I've been looking at the JBoss 4.0 documentation and I couldn't make my EJB work with SSL. I configured the jboss.xml and jboss-service.xml files and I put the annotation @SecurityDomain at the Bean just like the documentation described.

                My EJB:

                package serpro.safe.server.operations;

                import java.util.Date;

                import javax.ejb.Remote;
                import javax.ejb.Stateless;
                import javax.ejb.TransactionAttribute;
                import javax.ejb.TransactionAttributeType;

                import org.jboss.aspects.security.SecurityDomain;

                import serpro.safe.negocio.calendario.feriado.Feriado;
                import serpro.safe.negocio.calendario.feriado.IControladorFeriado;
                import serpro.safe.server.operations.SafeOperations;
                import serpro.safe.util.exception.NegocioException;
                import serpro.safe.util.proxy.ControladorFactory;

                @Remote(SafeOperations.class)
                @Stateless
                @SecurityDomain("RMI+SSL")
                public class SafeOperationsBean implements SafeOperations {

                    @TransactionAttribute(TransactionAttributeType.REQUIRED)
                    public void inserirFeriado(Feriado feriado) throws NegocioException {
                        try {
                            IControladorFeriado controlador =
                                (IControladorFeriado) ControladorFactory.criar(IControladorFeriado.class);
                            controlador.inserirFeriado(feriado);
                        } catch (Exception e) {
                            throw new NegocioException(e);
                        }
                    }
                }

                jboss-service.xml:

                <server>

                  <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                         name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL">
                    <constructor>
                      <arg type="java.lang.String" value="RMI+SSL" />
                    </constructor>
                    <attribute name="KeyStoreURL">certs.keystore</attribute>
                    <attribute name="KeyStorePass">taylor</attribute>
                  </mbean>

                  <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
                         name="jboss:service=invoker,type=jrmp,socketType=SSL">
                    <attribute name="RMIObjectPort">14445</attribute>
                    <attribute name="RMIClientSocketFactory">
                      org.jboss.security.ssl.RMISSLClientSocketFactory
                    </attribute>
                    <attribute name="RMIServerSocketFactory">
                      org.jboss.security.ssl.RMISSLServerSocketFactory
                    </attribute>
                    <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
                    <depends>
                      jboss.security:service=JaasSecurityDomain,domain=RMI+SSL
                    </depends>
                  </mbean>
                </server>

                jboss.xml:

                <jboss>
                  <enterprise-beans>
                    <session>
                      <ejb-name>SafeOperations</ejb-name>
                      <configuration-name>Standard Stateless SessionBean</configuration-name>
                      <invoker-bindings>
                        <invoker>
                          <invoker-proxy-binding-name>stateless-ssl-invoker</invoker-proxy-binding-name>
                        </invoker>
                      </invoker-bindings>
                    </session>
                  </enterprise-beans>

                  <invoker-proxy-bindings>
                    <invoker-proxy-binding>
                      <name>stateless-ssl-invoker</name>
                      <invoker-mbean>jboss:service=invoker,type=jrmp,socketType=SSL</invoker-mbean>
                      <proxy-factory>org.jboss.proxy.ejb.ProxyFactory</proxy-factory>
                      <proxy-factory-config>
                        <client-interceptors>
                          <home>
                            <interceptor>org.jboss.proxy.ejb.HomeInterceptor</interceptor>
                            <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
                            <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
                            <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
                          </home>
                          <bean>
                            <interceptor>org.jboss.proxy.ejb.StatelessSessionInterceptor</interceptor>
                            <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
                            <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
                            <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
                          </bean>
                        </client-interceptors>
                      </proxy-factory-config>
                    </invoker-proxy-binding>
                  </invoker-proxy-bindings>
                </jboss>

                I've got the following messages on the JBoss console:

                13:32:07,279 INFO [JaccHelper] Initialising JACC Context for deployment: safe-beans.ejb3
                13:32:07,310 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=OperacaoBean, class=OperacaoBean, type=STATELESS
                13:32:07,560 INFO [JaccHelper] OperacaoBean has no @SecurityDomain - skipping JACC configuration
                13:32:07,591 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=serpro.safe.server.operations.SafeOperationsBean, class=serpro.safe.server.operations.SafeOperationsBean, type=STATELESS
                13:32:07,638 INFO [JaccHelper] serpro.safe.server.operations.SafeOperationsBean has no @SecurityDomain - skipping JACC configuration
                13:32:07,654 INFO [JaccHelper] JACC Policy Configuration for deployment has been put in service
                13:32:07,654 INFO [Ejb3Deployment] EJB3 deployment time took: 375
                13:32:07,794 INFO [ProxyDeployer] no declared remote bindings for : OperacaoBean
                13:32:07,794 INFO [ProxyDeployer] there is remote interfaces for OperacaoBean
                13:32:07,794 INFO [ProxyDeployer] default remote binding has jndiName of Operacao
                13:32:07,919 INFO [ProxyDeployer] no declared remote bindings for : serpro.safe.server.operations.SafeOperationsBean
                13:32:07,919 INFO [ProxyDeployer] there is remote interfaces for serpro.safe.server.operations.SafeOperationsBean
                13:32:07,919 INFO [ProxyDeployer] default remote binding has jndiName of serpro.safe.server.operations.SafeOperations
                13:32:07,966 INFO [EJB3Deployer] Deployed: file:/C:/jboss-4.0.3SP1/server/default/deploy/safe-beans.ejb3
                13:33:38,513 INFO [JaccHelper] Initialising JACC Context for deployment: safe-beans.ejb3
                13:33:38,560 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=OperacaoBean, class=OperacaoBean, type=STATELESS
                13:33:38,607 INFO [JaccHelper] OperacaoBean has no @SecurityDomain - skipping JACC configuration
                13:33:38,685 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=serpro.safe.server.operations.SafeOperationsBean, class=serpro.safe.server.operations.SafeOperationsBean, type=STATELESS
                13:33:38,732 INFO [JaccHelper] serpro.safe.server.operations.SafeOperationsBean has no @SecurityDomain - skipping JACC configuration
                13:33:38,732 INFO [JaccHelper] JACC Policy Configuration for deployment has been put in service
                13:33:38,732 INFO [Ejb3Deployment] EJB3 deployment time took: 219
                13:33:38,779 INFO [ProxyDeployer] no declared remote bindings for : OperacaoBean
                13:33:38,779 INFO [ProxyDeployer] there is remote interfaces for OperacaoBean
                13:33:38,779 INFO [ProxyDeployer] default remote binding has jndiName of Operacao
                13:33:38,872 INFO [ProxyDeployer] no declared remote bindings for : serpro.safe.server.operations.SafeOperationsBean
                13:33:38,872 INFO [ProxyDeployer] there is remote interfaces for serpro.safe.server.operations.SafeOperationsBean
                13:33:38,872 INFO [ProxyDeployer] default remote binding has jndiName of serpro.safe.server.operations.SafeOperations
                13:33:38,919 INFO [EJB3Deployer] Deployed: file:/C:/jboss-4.0.3SP1/server/default/deploy/safe-beans.ejb3
                • 5. Re: Can't get method permissions to work on a session bean
                  joselitol


                  "jimih" wrote:
                  I forgot to mention one thing...

                  First I tried using org.jboss.aspects.security.SecurityDomain, but then when I deployed the application, the JBoss console window printed "ProfileManagerBean has no @SecurityDomain - skipping JACC configuration". Then I tried org.jboss.annotation.security.SecurityDomain instead, and that resulted in:

                  [JaccHelper] ProfileManagerBean has @SecurityDomain - peforming JACC configuration
                  [JaccHelper] Creating permission: (javax.security.jacc.EJBMethodPermission ProfileManagerBean getTheSecret,,)[*:getTheSecret()]
                  [JaccHelper] JACC Policy Configuration for deployment has been put in service

                  But when I tried the application, the method still gets called, as if no restriction was there.

                  I use JBoss 4.0.3SP1.

                  /Jimi


                  Hi, have you found the solution to it? I'm having the same problem...

                  • 6. Re: Can't get method permissions to work on a session bean
                    bill.burke

                    We have not yet documented how to use SSL with EJB3. There is a unit test case for it within CVS if you need it now.

                    You are looking at the EJB 2.1 container's way to configure SSL. This will not work AT ALL, so don't even attempt it.