-
1. Re: Remote Access to Profile Service
emuckenhuber Jan 28, 2010 9:17 AM (in response to rareddy)
You would need to enable the server-side authentication interceptors in deploy/profileservice-jboss-beans.xml:
<bean name="ProfileServiceProxyFactory" class="org.jboss.profileservice.remoting.ProxyFactory">
   <!-- Server side security interceptor stack -->
   <property name="serverProxyInterceptors">
      <list>
         <bean class="org.jboss.aspects.security.AuthenticationInterceptor">
            <constructor>
               <parameter>
                  <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
               </parameter>
            </constructor>
         </bean>
         <bean class="org.jboss.aspects.security.RoleBasedAuthorizationInterceptor">
            <constructor>
               <parameter>
                  <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
               </parameter>
               <parameter>
                  <value-factory bean="JNDIBasedSecurityManagement" method="getAuthenticationManager" parameter="jmx-console"/>
               </parameter>
            </constructor>
         </bean>
      </list>
   </property>
</bean>
You then still look up a ProfileService; however, calling methods like getViewManager() should fail with a java.lang.SecurityException.
-
2. Re: Remote Access to Profile Service
rareddy Jan 28, 2010 11:39 AM (in response to emuckenhuber)
The above does not work as is in JBoss 5.1.0 GA. There were a couple of issues.
The property name should be "proxyInterceptors" instead of "serverProxyInterceptors", and this property fragment needs to be added as an additional property under "ProfileServiceProxyFactory" rather than replacing the whole bean fragment. Then, when I started the AS, I got the following errors:
Caused by: java.io.NotSerializableException: org.jboss.aspects.security.AuthenticationInterceptor
   at java.io.ObjectOutputStream.writeObject0(ObjectOutputStream.java:1156)
   at java.io.ObjectOutputStream.writeObject(ObjectOutputStream.java:326)
   at java.util.ArrayList.writeObject(ArrayList.java:570)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:597)
So then I thought I would extend the following classes, add the "Serializable" interface to them, and replace them in the XML fragment:
org.jboss.aspects.security.AuthenticationInterceptor
org.jboss.aspects.security.RoleBasedAuthorizationInterceptor
Then I found that the constructor for "RoleBasedAuthorizationInterceptor" with signature
public RoleBasedAuthorizationInterceptor(AuthenticationManager authManager, AuthorizationManager authzManager)
{
   this.authenticationManager = authManager;
   this.authorizationManager = authzManager;
}
was not added until version 1.0.1 of "jboss-security-aspects.jar" file, but the version of jar bundled with JBoss AS 5.1.0 is 1.0.0 GA. This version has a constructor
public RoleBasedAuthorizationInterceptor(AuthenticationManager manager, RealmMapping realmMapping)
{
   this.securityManager = manager;
   this.realmMapping = realmMapping;
}
Here I was not sure what I can pass as "RealmMapping" object, do you have any suggestions?
Thanks.
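Added example, not part of the original post and not JBoss code: a stand-alone Java program that reproduces the NotSerializableException from the stack trace above and shows what the "subclass and add Serializable" workaround does on the reading side. PlainInterceptor and SerializableInterceptor are hypothetical stand-ins; the assumption is a superclass whose only constructor takes an argument, like the constructors quoted in the post.

```java
import java.io.*;
import java.util.*;

public class InterceptorSerializationDemo {
    // Hypothetical stand-in: not Serializable, only an argument-taking constructor.
    static class PlainInterceptor {
        final String securityDomain;
        PlainInterceptor(String securityDomain) { this.securityDomain = securityDomain; }
    }

    // The workaround from the post: subclass it and add Serializable.
    static class SerializableInterceptor extends PlainInterceptor implements Serializable {
        private static final long serialVersionUID = 1L;
        SerializableInterceptor(String securityDomain) { super(securityDomain); }
    }

    static byte[] write(Object o) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(o); }
        return buf.toByteArray();
    }

    static Object read(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Case 1: an ArrayList holding a non-Serializable element fails on write,
        // via ArrayList.writeObject, as in the posted stack trace.
        List<Object> stack = new ArrayList<>();
        stack.add(new PlainInterceptor("jmx-console"));
        try {
            write(stack);
        } catch (NotSerializableException e) {
            System.out.println("write failed: " + e);
        }
        // Case 2: the Serializable subclass writes without error...
        stack.set(0, new SerializableInterceptor("jmx-console"));
        byte[] bytes = write(stack);
        System.out.println("write ok: " + bytes.length + " bytes");
        // ...but reading it back needs an accessible no-arg constructor on the first
        // non-Serializable superclass, and that superclass's fields are not in the stream.
        try {
            read(bytes);
        } catch (InvalidClassException e) {
            System.out.println("read failed: " + e.getMessage());
        }
    }
}
```

Whether the real interceptor classes have an accessible no-arg constructor is not shown on this page, so the second case is something to check against the jar version in use.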
-
3. Re: Remote Access to Profile Service
emuckenhuber Jan 29, 2010 11:06 AM (in response to rareddy)
Ah yes, sorry. Yeah, in 5.1.0.GA there is still this ejb3 facade to secure profileservice; the deployment is also called secured-profileservice.jar, well, as far as I can remember. This has been removed in EAP and JBoss AS6 - this was the configuration I was referring to.