6 Replies Latest reply on Mar 7, 2006 6:52 PM by sbivol

    Security with JBoss EJB3

    mwoelke

      Hello,
      I've some questions about security issues on JBoss 4.0.3 with EJB 3.0.

      1:
      If I annotate the base class of all our sessionbeans with @SecurityDomain I get an exception (see below). What we want to achieve that way is that all derived sessionbeans are contained within one securitydomain without annotating every single one. Is this a bug, or am I doing something wrong?

      16:10:29,588 WARN [ServiceController] Problem creating service jboss.j2ee:service=EJB3,name=de.psitrans.vl.base.performance.test.session.PerformanceTestBean
      java.lang.NullPointerException
       at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorFactory.createPerClass(RoleBasedAuthorizationInterceptorFactory.java:34)
       at org.jboss.aop.advice.AspectFactoryDelegator.createPerClass(AspectFactoryDelegator.java:85)
       at org.jboss.aop.Advisor.addPerClassAspect(Advisor.java:491)
       at org.jboss.aop.advice.ScopedInterceptorFactory.create(ScopedInterceptorFactory.java:52)
       at org.jboss.aop.Advisor.createInterceptorChain(Advisor.java:535)
       at org.jboss.aop.Advisor.resolveMethodPointcut(Advisor.java:576)
       at org.jboss.aop.ClassContainer.createInterceptorChains(ClassContainer.java:219)
       at org.jboss.aop.ClassContainer.rebuildInterceptors(ClassContainer.java:100)
       at org.jboss.aop.ClassContainer.initializeClassContainer(ClassContainer.java:42)
       at org.jboss.ejb3.EJBContainer.create(EJBContainer.java:292)
       at org.jboss.ejb3.stateless.StatelessManager.createService(StatelessManager.java:87)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalCreate(ServiceMBeanSupport.java:245)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:228)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:943)
       at $Proxy0.create(Unknown Source)
       at org.jboss.system.ServiceController.create(ServiceController.java:341)
       at sun.reflect.GeneratedMethodAccessor70.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
       at $Proxy255.create(Unknown Source)
       at org.jboss.ejb3.Ejb3JmxDeployment.registerContainer(Ejb3JmxDeployment.java:220)
       at org.jboss.ejb3.Ejb3Deployment.deployElement(Ejb3Deployment.java:329)
       at org.jboss.ejb3.Ejb3Deployment.deployElement(Ejb3Deployment.java:311)
       at org.jboss.ejb3.Ejb3Deployment.deployUrl(Ejb3Deployment.java:293)
       at org.jboss.ejb3.Ejb3Deployment.deploy(Ejb3Deployment.java:264)
       at org.jboss.ejb3.Ejb3Deployment.create(Ejb3Deployment.java:251)
       at org.jboss.ejb3.Ejb3JmxDeployment.create(Ejb3JmxDeployment.java:230)
       at org.jboss.ejb3.Ejb3Module.createService(Ejb3Module.java:34)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalCreate(ServiceMBeanSupport.java:245)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:228)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:943)
       at $Proxy0.create(Unknown Source)
       at org.jboss.system.ServiceController.create(ServiceController.java:341)
       at org.jboss.system.ServiceController.create(ServiceController.java:284)
       at sun.reflect.GeneratedMethodAccessor4.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
       at $Proxy10.create(Unknown Source)
       at org.jboss.ejb3.EJB3Deployer.create(EJB3Deployer.java:208)
       at sun.reflect.GeneratedMethodAccessor172.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
       at $Proxy11.create(Unknown Source)
       at org.jboss.deployment.MainDeployer.create(MainDeployer.java:935)
       at org.jboss.deployment.MainDeployer.create(MainDeployer.java:925)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:789)
       at org.jboss.deployment.MainDeployer.deploy(MainDeployer.java:753)
       at sun.reflect.GeneratedMethodAccessor7.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.interceptor.AbstractInterceptor.invoke(AbstractInterceptor.java:118)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
       at org.jboss.mx.interceptor.ModelMBeanOperationInterceptor.invoke(ModelMBeanOperationInterceptor.java:127)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:176)
       at $Proxy6.deploy(Unknown Source)
       at org.jboss.deployment.scanner.URLDeploymentScanner.deploy(URLDeploymentScanner.java:319)
       at org.jboss.deployment.scanner.URLDeploymentScanner.scan(URLDeploymentScanner.java:489)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.doScan(AbstractDeploymentScanner.java:192)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.loop(AbstractDeploymentScanner.java:203)
       at org.jboss.deployment.scanner.AbstractDeploymentScanner$ScannerThread.run(AbstractDeploymentScanner.java:182)
      


      2:
      Is it possible to achieve the same result as annotating a class with @SecurityDomain by using a deployment descriptor? This way the sourcecode would be free of EJB 3 - provider-specific classes. What would such descriptor look like? And what is the correct location to put it?

      thanks in advance.

      regards, milan wölke

        • 1. Re: Security with JBoss EJB3

          add the following section into the login-config.xml file just above the last line.
          The login-config.xml file is located in the jboss/server/all/config folder:
          ###########################################################################
          <application-policy name = "???????????????????">
            <authentication>
              <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                            flag = "required">
                <module-option name = "dsJndiName"> ?????????????????? </module-option>
                <module-option name = "principalsQuery">SELECT password FROM ????????????????????</module-option>
                <module-option name = "rolesQuery">
                  SELECT ???????????????????????????????????
                </module-option>
              </login-module>
            </authentication>
          </application-policy>
          ###########################################################################
          note: changes to the login-config.xml file require a jboss restart.

          • 2. Re: Security with JBoss EJB3
            bill.burke

            As marcu said, you haven't declared a security domain in login-config.xml. In @SecurityDomain use the base name, not "java:/jaas/xxx".


            With the next release (next week sometime) you will be able to do:

            jboss.xml

            <jboss>
             <security-domain>xxx</security-domain>
            </jboss>
            


            until then...


            • 3. Re: Security with JBoss EJB3
              mwoelke

              In fact, I did declare a security domain in login-config.xml:

              <application-policy name = "soja">
               <authentication>
               <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
               flag = "required" />
               </authentication>
               </application-policy>


              And I used @SecurityDomain("soja") for the base class of the session bean, but I got the mentioned exception.

              Anyways, thanks a lot for the information about jboss.xml. I've tried this before but nothing happened. I'm glad to hear it will be working in next week's release.

              regards, milan wölke

              • 4. Re: Security with JBoss EJB3
                sbivol

                I've tried the jboss.xml below in RC5; it does not seem to work, the default login module gets invoked. Am I missing anything? To be precise, my jboss.xml is:

                <?xml version='1.0' encoding='UTF-8' ?>
                <jboss>
                <security-domain>MySecurityDomain</security-domain>
                </jboss>
                

                I also tried <security-domain>java:/jaas/MySecurityDomain</security-domain> with the same result. However, the login module defined for MySecurityDomain does get invoked if I use @SecurityDomain in the code.

                On a different topic, is there an equivalent for the @RemoteBindings annotation in the jboss.xml?

                Thanks

                "bill.burke@jboss.com" wrote:
                As marcu said, you haven't declared a security domain in login-config.xml. in @SecurityDomain use the base name, not "java:/jaas/xxx"


                With the next release (next week sometime) You will be able to do:

                jboss.xml
                <jboss>
                 <security-domain>xxx</security-domain>
                </jboss>
                


                until then...



                • 5. Re: Security with JBoss EJB3
                  mwoelke

                  I'm also using jboss.xml to specify a default security domain. It works, at least with jboss 4.0.4 (which as far as I know contains EJB 3.0 RC 5). I assume you have configured a security domain in your login-config.xml.
                  How are you packaging your application? We are storing jboss.xml in the META-INF directory of the package containing the session beans which should be secured.

                  Hope I could help a little.

                  Regards, Milan Wölke

                  • 6. Re: Security with JBoss EJB3
                    sbivol

                    We are using 4.0.3 with upgraded EJB 3.0 container (RC5).

                    I also have the jboss.xml in the META-INF of my ejb jar file, and have configured the security domain in login-config.xml (in server/default/conf), and it seems to be correct (since it works if I annotate my bean with @SecurityDomain).

                    I deploy the ejb jar directly, not packaged in any ear. Will try 4.0.4.
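A deployment-time check for the two configuration mistakes this thread turns on: a @SecurityDomain value or jboss.xml <security-domain> written in the "java:/jaas/" JNDI form instead of the base name (bill.burke's reply), or naming a domain that has no <application-policy> in login-config.xml, plus a policy whose <login-module> is not wrapped in <authentication>. This is an added example, not code from the thread or from JBoss; the two XML strings are constructed samples modelled on the fragments quoted above, and the "broken" policy is invented to exercise the check.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the fragments quoted in the thread (not real deployment files).
LOGIN_CONFIG_XML = """<policy>
  <application-policy name="soja">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
  <application-policy name="broken">
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"/>
  </application-policy>
</policy>"""

JBOSS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<jboss>
  <security-domain>java:/jaas/MySecurityDomain</security-domain>
</jboss>"""

JAAS_PREFIX = "java:/jaas/"

def declared_domains(login_config_xml):
    """Map each <application-policy> name to its count of <login-module>s under <authentication>."""
    root = ET.fromstring(login_config_xml)
    return {p.get("name"): len(p.findall("./authentication/login-module"))
            for p in root.iter("application-policy")}

def check_domain(domain, login_config_xml):
    """Findings for one @SecurityDomain value or <security-domain> text; empty list means OK."""
    findings = []
    name = domain
    if name.startswith(JAAS_PREFIX):          # the EJB3 side expects the base name, not the JNDI name
        name = name[len(JAAS_PREFIX):]
        findings.append("uses JNDI form %r; use the base name %r" % (domain, name))
    domains = declared_domains(login_config_xml)
    if name not in domains:
        findings.append("no <application-policy name=%r> in login-config.xml" % name)
    elif domains[name] == 0:
        findings.append("policy %r has no <login-module> inside <authentication>" % name)
    return findings

def check_jboss_xml(jboss_xml, login_config_xml):
    """Resolve the <security-domain> of a jboss.xml descriptor against login-config.xml."""
    elem = ET.fromstring(jboss_xml).find("security-domain")
    if elem is None or not (elem.text or "").strip():
        return ["jboss.xml declares no <security-domain>"]
    return check_domain(elem.text.strip(), login_config_xml)
```

Run `check_jboss_xml(JBOSS_XML, LOGIN_CONFIG_XML)` against your own files to get both findings for the sample above (JNDI form used, and no matching policy); an empty list means the descriptor and login-config.xml agree.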