6 Replies Latest reply on Dec 23, 2009 10:59 AM by sanches

JBoss 5.0.1: Call secured EJB from MDB annotated with @RunAs

sanches Dec 16, 2009 12:58 PM

Hello All,

I am trying to invoke my EJB secured with @RolesAllowed annotation from the onMessage() method of MDB. EJB is injected into MDB.

I added @Runas("myrole") annotation to the MDB, but on the line where EJB method is invoked, I get EJBSecurityException with the message "Invalid User"

I've seen number of claims on JIRA here regarding similar topics, but they are closed/fixed and late enough.

The same approach works well when I invoke the secured EJB from the servlet annotated with @RunAs. EJB is JNDI looked up in that case.

Is that still a bug in MDB or I am missing a point?

Thanks,

Alex.

1. Re: Call secured EJB from MDB annotated with @RunAs goes thru LoginModule and fails

sanches Dec 17, 2009 10:08 AM (in response to sanches)

I've realized that Invalid User Exception is due to invocation of my own LoginModule.

Here is my MDB:

@RunAs("myrole")
@SecurityDomain("mydomain")
@MessageDriven
public class SampleMDB implements MessageListener {

@EJB
SecuredBeanI sb;

@Override
public void onMessage(Message arg0) {
System.out.println("Hey! Message arrived, invoking secured bean");

sb.callMe(); // - here it fails!

}
}

At the line
sb.callMe(); // - here it fails!
container invokes my own LoginModule and tries to perform authentication.
Is that normal and intended behavior? (I thought that @RunAs annotation should tell container to skip authentication)

My implementation of LoginModule is based on UsernamePasswordLoginModule, which basically fails in its UsernamePasswordLoginModule.login() and propagates exception up to resulting "javax.ejb.EJBAccessException: Invalid User"

Thus, invocation of secured EJB fails.

If the behavior to invoke LoginModule is as intended, then does it [class LoginModule] have any means to detect that RunAs is attached?

Thank you,
Alex.
Actions
2. Re: Call secured EJB from MDB annotated with @RunAs goes thru LoginModule and fails

sanches Dec 23, 2009 9:58 AM (in response to sanches)

I applied the following workaround:

MDB calls non-secured EJB A which has only local interface and is annotated with @RunAs.
That EJB A is able to invoke secured EJB B which has remote interface.

Thus trouble is solved by the invention of the mediator EJB A.
Actions
3. Re: Call secured EJB from MDB annotated with @RunAs goes thru LoginModule and fails

jaikiran Dec 23, 2009 10:33 AM (in response to sanches)

sanches wrote:

I've realized that Invalid User Exception is due to invocation of my own LoginModule.

Here is my MDB:

@RunAs("myrole")
@SecurityDomain("mydomain")
@MessageDriven
public class SampleMDB implements MessageListener {

I don't think you should have the @SecurityDomain on that MDB. Just the @RunAs should be enough.
Actions
4. Re: Call secured EJB from MDB annotated with @RunAs goes thru LoginModule and fails

sanches Dec 23, 2009 10:42 AM (in response to jaikiran)

Hi jaikiran,

Thanks for your guess. I actually tried both variants, none worked.
Actions
5. Re: Call secured EJB from MDB annotated with @RunAs goes thru LoginModule and fails

jaikiran Dec 23, 2009 10:51 AM (in response to sanches)
With the following config:

@RunAs("myrole") @MessageDriven public class SampleMDB implements MessageListener {

Can you post the exception stacktrace and the TRACE level logs as explained in Q4 here http://community.jboss.org/docs/DOC-12198
Actions
6. Re: Call secured EJB from MDB annotated with @RunAs goes thru LoginModule and fails

sanches Dec 23, 2009 10:59 AM (in response to jaikiran)

Sure, I just need time to roll back and gather info.
Actions

Go to original post