9 Replies Latest reply on May 4, 2011 2:11 PM by t3chris

Startup Singleton with security

thomas10 Mar 19, 2011 9:48 AM

Hi,

I have problems securing my EJBs.

I implemented a singleton annoted with @Startup @Singleton @RunAs("SYSTEM") and performing some calls on other EJBs that I'd like to secure with @RolesAllowed({ "SYSTEM" }) @SecurityDomain("system-domain").

In my login-config.xml I added a policy

<application-policy name="system-domain">

<login-module code="org.jboss.security.auth.spi.IdentityLoginModule" flag="required">

<module-option name="principal">SYSTEM</module-option>

<module-option name="roles">SYSTEM</module-option>

</login-module>

</application-policy>

Apart from the annotations I have not written any xml deployment descriptors etc. The project is deployed as an EAR.

From the documentation I understand that should be all that is needed. But when JBoss starts up, it fails with "javax.ejb.EJBAccessException: Invalid User".

The IdentityLoginModule is performing authentication (I debugged it) but for some reason my call fails.

Can anybody spot my error?

If my description is not enough, I can post the full source of my little test-project (eclipse).

I am using JBoss 6.0.0 final.

Thanks for your help !

-Thomas

1. Startup Singleton with security

wdfink Mar 19, 2011 10:18 AM (in response to thomas10)

Could you activate TRACE of org.jboss.security and attach the logfile?
Actions
2. Re: Startup Singleton with security

thomas10 Mar 19, 2011 6:33 PM (in response to wdfink)
Thank you for helping,

Find attached the log files. Also, the test project.
The log clearly states that my application policy is not picked up correctly. JBoss (or jaas?) is trying to load some property files with user/role definitions... I should have noticed before. But I still cannot see what is causing this behavior.

23:24:33,526 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files: java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
    at org.jboss.security.auth.spi.Util.loadProperties(Util.java:201) [:3.0.0.CR2]
    at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186) [:3.0.0.CR2]
    at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200) [:3.0.0.CR2]
    at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127) [:3.0.0.CR2]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]

-Thomas

login-config.zip 1.2 KB

service.zip 5.2 KB

log.zip 10.4 KB
Actions
3. Startup Singleton with security

t3chris Apr 4, 2011 10:59 AM (in response to thomas10)

Hello!

I'm facing a similar problem here.
The annotation @SecurityDomain("foobar") doesn't seem to work on @Singleton EJBs (regardless if they are marked with @Startup or not).

Trying to access them from a client results in
Exception in thread "main" java.lang.IllegalStateException: Security Context has not been set
        at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:151)
        at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
        at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143)
        ...

The same configuration with the same annotations works perfectly on @Stateless EJBs.

Is there any progress or new information on this issue?

Thanks in advance,

christian
Actions
4. Startup Singleton with security

jaikiran Apr 5, 2011 2:50 AM (in response to t3chris)

Which version of JBoss AS are you using? And what exactly is the package of @SecurityDomain that you are using? It should be @org.jboss.ejb3.annotation.SecurityDomain. Also please post a bit more details including the EJB code.
Actions
5. Startup Singleton with security

thomas10 Apr 5, 2011 11:17 AM (in response to thomas10)

I have come up with a workaround. Don't know if this is how it should work. The @PostConstruct method of my @Singleton is executed using some SecurityContext I don't remember (could check if needed). But ejbs called from there are using the correct identity (the one I specified in @RunAs). Also, I had to tweak my jaas authentication to handle the 'special' identity used in @RunAs. It seems that JBoss is just doing a ordinary authentication. Currently I have two different SecurityContexts: one for integrated logins and one for the actual users. But I think this is not an optimal solution.
Actions
6. Startup Singleton with security

t3chris Apr 5, 2011 12:08 PM (in response to jaikiran)

jaikiran pai schrieb:

Which version of JBoss AS are you using? And what exactly is the package of @SecurityDomain that you are using? It should be @org.jboss.ejb3.annotation.SecurityDomain. Also please post a bit more details including the EJB code.

I'm using JBoss AS 6.0.0.Final and the annotation comes from the package you specified.

If it helps, i can provide a example tomorrow.
Actions
7. Startup Singleton with security

t3chris Apr 6, 2011 2:56 AM (in response to jaikiran)

As I am not really sure if both problems are completely the same, I've started a new thread with a short and simple example:

@SecurityDomain doesn't work with @Singleton
http://community.jboss.org/message/598080

Best Regards,

christian
Actions
8. Startup Singleton with security

twieden May 2, 2011 9:16 AM (in response to thomas10)

Hello,

maybe this threads also helps:

http://community.jboss.org/message/602965#602965

Best regards,
Timo
Actions
9. Re: Startup Singleton with security

t3chris May 4, 2011 2:11 PM (in response to twieden)

Timo Wiedenmann schrieb:

http://community.jboss.org/message/602965#602965

Thanks Timo! That's a great idea!

Best Regards,
chris
Actions

Go to original post