PicketLink STS EJB Example fails: Principal anonymous ?
bkrisler Jul 29, 2010 5:23 PM
Hi,
I am trying to get the example working from the SAML EJB Integration with PicketLink STS article. The article was very clear and informative,
however when using the attached components, I cannot get a successful run.
Running the Test code from the example, I get the following output:
Invoking token service to get SAML assertion for UserA
SAML assertion for UserA successfully obtained!
Invoking secure EJB3 session bean with UserA SAML assertion
User UserA is not authorized to call administrative method!
User UserA is not authorized to call regular method!
User anonymous successfully called unprotected method!
User UserA is not authorized to call unavailable method!
Invoking token service to get SAML assertion for UserB
SAML assertion for UserB successfully obtained!
Invoking secure EJB3 session bean with UserB SAML assertion
User UserB is not authorized to call administrative method!
User UserB is not authorized to call regular method!
User anonymous successfully called unprotected method!
User UserB is not authorized to call unavailable method!
Invoking token service to get SAML assertion for UserC
SAML assertion for UserC successfully obtained!
Invoking secure EJB3 session bean with UserC SAML assertion
User UserC is not authorized to call administrative method!
User UserC is not authorized to call regular method!
User anonymous successfully called unprotected method!
User UserC is not authorized to call unavailable method!
It is clear that I am obtaining SAML from STS, however the second validation fails because all users are seen as Anonymous.
Log excerpt:
2010-07-29 17:11:17,648 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null
2010-07-29 17:11:17,648 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null
2010-07-29 17:11:17,923 TRACE [org.jboss.security.SecurityRolesAssociation] (WorkerThread#1[127.0.0.1:37241]) Setting threadlocal:{}
2010-07-29 17:11:17,924 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (WorkerThread#1[127.0.0.1:37241]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
2010-07-29 17:11:17,924 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (WorkerThread#1[127.0.0.1:37241]) method=public java.security.Principal org.jboss.test.security.ejb3.SimpleStatelessSessionBean.invokeAdministrativeMethod(), interface=Remote, requiredRoles=Roles(Administrator,)
2010-07-29 17:11:17,924 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (WorkerThread#1[127.0.0.1:37241]) Exception:Insufficient method permissions, principal=null, ejbName=SimpleStatelessSessionBean, method=invokeAdministrativeMethod, interface=Remote, requiredRoles=Roles(Administrator,), principalRoles=Roles()
2010-07-29 17:11:17,924 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (WorkerThread#1[127.0.0.1:37241]) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
Principal: anonymous
:role=Roles()
The incoming SOAP message has the correct user:
...
<Subject>
<NameID NameQualifier='urn:picketlink:identity-federation'>UserA</NameID>
<SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>
</Subject>....
Is there something that I am missing?
Thanks for any help
Brian
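As an added diagnostic (not code from the original post, from PicketLink or from JBoss), the check below parses JBoss EJBPolicyModuleDelegate denial lines like the ones quoted above and compares the principal the authorization module saw with the NameID in the SAML Subject, so that "subject never reached the EJB security context (principal=null / anonymous)" can be told apart from "principal present but missing a role". The second log line, the principal value UserA in it, and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample log: first line copied in the format of the post, second line
# constructed to show the "principal present but lacks a role" case.
SAMPLE_LOG = """\
2010-07-29 17:11:17,924 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (WorkerThread#1[127.0.0.1:37241]) Exception:Insufficient method permissions, principal=null, ejbName=SimpleStatelessSessionBean, method=invokeAdministrativeMethod, interface=Remote, requiredRoles=Roles(Administrator,), principalRoles=Roles()
2010-07-29 17:11:18,100 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (WorkerThread#1[127.0.0.1:37241]) Exception:Insufficient method permissions, principal=UserA, ejbName=SimpleStatelessSessionBean, method=invokeRegularMethod, interface=Remote, requiredRoles=Roles(Employee,), principalRoles=Roles(Guest,)
"""

# Constructed sample: the SAML Subject fragment carried in the SOAP message.
SAMPLE_SUBJECT = """<Subject>
<NameID NameQualifier='urn:picketlink:identity-federation'>UserA</NameID>
<SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>
</Subject>"""

# Matches the key=value fields of an "Insufficient method permissions" TRACE line.
DENIAL_RE = re.compile(
    r"Insufficient method permissions, principal=(?P<principal>[^,]+), "
    r"ejbName=(?P<ejb>[^,]+), method=(?P<method>[^,]+), interface=[^,]+, "
    r"requiredRoles=Roles\((?P<required>[^)]*)\), principalRoles=Roles\((?P<held>[^)]*)\)"
)

def parse_roles(text):
    # "Administrator," -> {"Administrator"}; "" -> empty set
    return {r.strip() for r in text.split(",") if r.strip()}

def saml_subject_name(subject_xml):
    # Returns the NameID text of the SAML Subject, e.g. "UserA"
    return ET.fromstring(subject_xml).findtext("NameID")

def diagnose(log_text, subject_xml):
    """Classify each EJB authorization denial relative to the SAML subject."""
    expected = saml_subject_name(subject_xml)
    findings = []
    for m in DENIAL_RE.finditer(log_text):
        principal = m.group("principal")
        required = parse_roles(m.group("required"))
        held = parse_roles(m.group("held"))
        if principal == "null":
            cause = "subject-not-propagated"   # assertion parsed, but no principal set
        elif principal != expected:
            cause = "principal-mismatch"       # some other identity reached the EJB
        else:
            cause = "missing-roles"            # right identity, role mapping is short
        findings.append({"ejb": m.group("ejb"), "method": m.group("method"),
                         "principal": principal, "cause": cause,
                         "missing": required - held})
    return findings
```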