1 2 Previous Next 21 Replies Latest reply on Sep 2, 2014 1:57 AM by bhagyesh.bhatewara Go to original post
      • 15. Re: How to disable the SecurityClient login in Jboss 5.1
        jaikiran

        Anil Mathew wrote:

         

        Below is more from my stacktrace:

         

                at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:368)
                at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
                at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
                at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
                at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)

         

        Since i don't have a "security domain" setup, I would expect the "securityManager" to be null. But in my case if it is not null. Looking further in SecurityInterceptor.java, I could see we get the securityManager from Container class.

         

        What you really have to check is, why does it reach line 136 of PreSecurityInterceptor in the process() method. Because if you take a look at the PreSecurityInterceptor.process() method's line 93 through 99 here http://www.docjar.com/html/api/org/jboss/ejb/plugins/security/PreSecurityInterceptor.java.html you'll notice that it can't reach line 136 if the securityDomain is null.

        • 16. Re: How to disable the SecurityClient login in Jboss 5.1
          amathewjboss1

          Thank You for your thoughts.

           

          Like you said, the exact issue is on the line 93 through 99 in PreSecurityInterceptor.java.html. With this I was able to debug/trace more today. My trace says Jboss is setting the security domain from "jboss-ejb-policy"

           

          2011-11-03 16:51:53,195 TRACE [org.jboss.ejb.plugins.StatelessSessionInstancePool] (main) Constructing
          2011-11-03 16:51:53,195 INFO  [org.jboss.ejb.EjbModule] (main) Deploying msecworker.MsecWorkerHome
          2011-11-03 16:51:53,196 TRACE [org.jboss.ejb.StatelessSessionContainer] (main) Constructing
          2011-11-03 16:51:53,196 DEBUG [org.jboss.ejb.EjbModule] (main) Creating WebClassLoader of class org.jboss.web.WebClassLoader
          2011-11-03 16:51:53,308 DEBUG [org.jboss.ejb.EjbModule] (main) Setting security domain from: jboss-ejb-policy

           

          Also it seems like JBoss is setting the security domain during the deployment of my EJB. I digged more to see from where Jboss is getting "jboss-ejb-policy" and no luck on that yet. I will continue to dig on this more (assuming that Container is setting the security domain from  jboss-ejb-policy even though we didn't define one on the jboss.xml).

           

          Any thoughts on this will be helpful to me.

           

          Also I wonder does JBoss has a seperate "security forum" like this?

           

          Thanks

          Anil Mathew.

           

           

           

          • 17. Re: How to disable the SecurityClient login in Jboss 5.1
            jaikiran

            Anil Mathew wrote:

             


            2011-11-03 16:51:53,308 DEBUG [org.jboss.ejb.EjbModule] (main) Setting security domain from: jboss-ejb-policy

             

            Also it seems like JBoss is setting the security domain during the deployment of my EJB. I digged more to see from where Jboss is getting "jboss-ejb-policy" and no luck on that yet.

             

             

             

            It's a deployer level setting in JBOSS_HOME/server/<servername>/deployers/ejb-deployer-jboss-beans.xml:

             

             

             

            <bean name="EJB2xDeployer" class="org.jboss.ejb.deployers.EjbDeployer">    
            ...
                   <!-- Specify a SecurityDomain as fallback -->
                   <property name="defaultSecurityDomain">jboss-ejb-policy</property>
            

             

             

            I think all this was done to enable security when the ejb-jar.xml contains the method-permission section and when the jboss.xml doesn't specify a security-domain. See this https://issues.jboss.org/browse/JBAS-5960

             

            Apparently, setting a empty string to the security-domain in jboss.xml is an indication of disabling security. So you might want to give that a try.

            • 18. Re: How to disable the SecurityClient login in Jboss 5.1
              jaikiran

              Anil Mathew wrote:

               

               

              Also I wonder does JBoss has a seperate "security forum" like this?

               


               

              http://community.jboss.org/en/picketbox?view=discussions

              • 19. Re: How to disable the SecurityClient login in Jboss 5.1
                amathewjboss1

                IT WORKED!!!!!!!

                 

                i.e i added <security-domain></security-domain> to the jboss.xml and it worked like a charm! Thank You so much to JaiKiran and Wolfgang. Really appreciate your time and help.

                 

                I do have a suggestion to the Jboss team: I would say a missing <security-domain> node in the jboss.xml should be treated as an explicit bypass of security using securiy-domain. I am pretty sure this is how it was for JBoss 4.x and also many applications may only have method-permission section in ejb-jar.xml and don't care much about "security-domain" based security.

                 

                So for other users who happen to have the same issue and if they use Jboss5.1, below is what it is:

                 

                "When the ejb-jar.xml contains the method-permission section and when the jboss.xml doesn't specify a security-domain, the JBoss 5.1 AS will use the DEFAULT_EJB_APPLICATION_POLICY and we get errors when a client tries to invoke a EJB bean. So in order to do an explicit bypass of security domain, we need to add "<security-domain></security-domain>" in the jboss.xml.

                 

                Thanks Again

                Anil Mathew

                • 20. Re: How to disable the SecurityClient login in Jboss 5.1
                  jaikiran

                  Anil Mathew wrote:

                   

                   

                  I do have a suggestion to the Jboss team: I would say a missing <security-domain> node in the jboss.xml should be treated as an explicit bypass of security using securiy-domain. I am pretty sure this is how it was for JBoss 4.x and also many applications may only have method-permission section in ejb-jar.xml and don't care much about "security-domain" based security.

                   

                  I thought that's how it was supposed to behave too and it did look right, until I saw this JIRA. I'm not sure why the empty value was considered as an indication of disabling security instead of a missing security-domain element.

                  • 21. Re: How to disable the SecurityClient login in Jboss 5.1
                    bhagyesh.bhatewara

                    We've <security-domain></security-domain> domain defined in the jboss.xml. However, we are still getting this exception intermittently.

                    Not sure why it's coming. Any help will be highly appreciated. We are using JBoss EAP 5.1.1. JDK 1.6.45

                    Let me know if you need more inputs.

                    1 2 Previous Next