3 Replies Latest reply on Jan 16, 2008 3:03 PM by sappenin

@Service + @Managment + @SecurityDomain throws Authorization

sappenin Jan 11, 2008 11:35 PM

I have a secured EJB3 @Service bean as follows:

@Service
@Management(MyClassInterfaceManagement.class)
@Local(MyClassInterface.class)
@SecurityDomain("myrealm")
@RolesAllowed( {
 "admin", "system"
})
@RunAs("system")
public class MyClass implements MyClassInterface, MyClassInterfaceManagement
{ ... }

I have the proper things setup in my login-conf.xml file, but when I deploy this class, I get an exception stating:

21:11:05,887 WARN [ServiceController] Problem creating service jboss.j2ee:ear=MyEar.ear,jar=MyJar.jar,name=MyClass,service=EJB3,type=ManagementInterface
javax.ejb.EJBAccessException: Authorization failure
 at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:113)

What's wierd is that I can comment out the "@SecurityDomain("mydomain")" annotation, and I don't receive the exception when I start the server, and everything works fine. This seems like a bug, although I'm not sure. Any Idea what is going on?

My assumption is that by commenting out the @SecurityDomain annotation, the Management/Service is defaulting to the security domain specified in my jboss-app.xml file in my ear, which says:


<jboss-app>
 <security-domain>myrealm</security-domain>
 .....
</jboss-app>

The applicable login-conf.xml snippets are below. Thoughts?


 <application-policy name = "myrealm">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
 <module-option name = "dsJndiName">java:/myDS</module-option>
 <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
 <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
 </module-option>
 <module-option name = "unauthenticatedIdentity">guest</module-option>
 </login-module>
 <!-- Add this line to your login-config.xml to include the ClientLoginModule propogation -->
 <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
 </authentication>


<application-policy name = "other">
 <authentication>
 <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
 <module-option name = "dsJndiName">java:/myDS</module-option>
 <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
 <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
 </module-option>
 <module-option name = "unauthenticatedIdentity">guest</module-option>
 </login-module>
 </authentication>

1. Re: @Service + @Managment + @SecurityDomain throws Authoriza

wolfgangknauf Jan 16, 2008 9:04 AM (in response to sappenin)

Hi !

I would suggest you activate logging in the security layer. See http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ, question 4. Hope this gives you further information about what fails.

Best regards

Wolfgang
Actions

2. Re: @Service + @Managment + @SecurityDomain throws Authoriza

sappenin Jan 16, 2008 2:53 PM (in response to sappenin)

Thanks for your suggestion. I should have added this into the initial thread. I'm getting an Authorization exception because the prinicipal and role are null, but only if I specify a @SecurityDomain.

Here's the stack trace:


2:48:11,650 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=null, req
iredRoles=[system, admin], principalRoles=null
2:48:11,651 DEBUG [RoleBasedAuthorizationInterceptor] Authorization failure
ava.lang.SecurityException: Insufficient permissions, principal=null, requiredRoles=[system, admin]
 principalRoles=null
 at org.jboss.aspects.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizatio
Interceptor.java:149)
 at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationIn
erceptor.java:108)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:1
6)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
 at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:309)
 at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:274)
 at org.jboss.ejb3.service.ServiceMBeanDelegate.invoke(ServiceMBeanDelegate.java:215)
 at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
 at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
 at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:995)
 at $Proxy0.create(Unknown Source)

3. Re: @Service + @Managment + @SecurityDomain throws Authoriza

sappenin Jan 16, 2008 3:03 PM (in response to sappenin)

With regard to the post above, this still seems like a bug(?). The principal role should, at the very least, be my unauthenticated identity, no? In reality, I would expect the role to be system or admin.

If I omit the security domain, it appears that my role is in fact "system", which is what I would expect.

Thoughts?
Actions

Go to original post