3 Replies Latest reply on Jan 7, 2012 7:55 AM by snelders

    Issue with RolesAllowed annotation in JBoss 7.1 CR1

    lszymik

      Hello,

       

       

      I have started investigation of JBoss 7.1 CR1. I followed instruction from Developer Guide -> "EJB invocations from a remote client using JNDI" and I have built a prototype application containing 4 projects: EJB, API, EAR project and remote client. I am using eclipse.

       

      The prototype works fine, I am able to deploy EAR, connect from remote client and invoke business methods. I want to extend the prototype with security so I have added org.jboss.security.annotation.SecurityDomain annotation with login module name. I have also added RolesAllowed annotation with role name ("manager") to the business method.

       

      After that changes and redeploy I am still able to connect from remote client and execute business methods, even if I did not add any login code. I have started JBoss in debug mode and I got results that:

      • SessionContext.getCallerPrincipal().getName() returns "annonymous"
      • SessionContext.isCallerInRole("manager") return false, however method execution was not rejected due to RolesAllowed("manager") annotation.

       

      I have even tested it with fake SecurityDomain and still logged user is annonumous however login module does not exists in standalone.xml file.

       

      Could you please help with figuring out what is going on. Am I missing some additional configuration in JBoss 7.1? Is this something what is still under developemnt? If yes, than should I wait till final release or is there any possibility to get it working faster.

       

      This is blocking me with further investigation of JBoss 7.1

      Thank you in advance for any help, suggestion or other information.


      Lukasz

        • 1. Re: Issue with RolesAllowed annotation in JBoss 7.1 CR1
          snelders

          You should use org.jboss.ejb3.annotation.SecurityDomain.

          Let me know if you get the remote login working, since this is something I'm struggling with.
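          As an added example (not code from either poster), this is a minimal stateless bean for JBoss AS 7.1 using the annotation the reply recommends; the security domain name "myDomain" and the bean name are assumptions, the role "manager" is the one from the thread.

```java
// Added example, not from the thread: a secured stateless session bean for JBoss AS 7.1.
// Assumptions: the security domain is named "myDomain" and the bean is ManagerBean.
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// Wrong package (the first post): org.jboss.security.annotation.SecurityDomain is not
// picked up by the EJB container, so the bean runs with an anonymous caller and
// @RolesAllowed is never enforced.
// Correct package: org.jboss.ejb3.annotation.SecurityDomain, available on the compile
// classpath via jboss-ejb3-ext-api (as reply 2 describes).
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("myDomain")   // must match a <security-domain name="myDomain"> in standalone.xml
@DenyAll                      // fail closed: methods without an explicit annotation are rejected
public class ManagerBean {

    @Resource
    private SessionContext ctx;

    // Only callers that the login module mapped to the "manager" role get through;
    // everyone else receives an EJBAccessException before the body runs.
    @RolesAllowed("manager")
    public String managerOnly() {
        return "hello " + ctx.getCallerPrincipal().getName();
    }

    // Diagnostic method, open to any caller: reports what the container actually sees.
    // A principal named "anonymous" here means no security domain was applied to the bean.
    @PermitAll
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
             + " manager=" + ctx.isCallerInRole("manager");
    }
}
```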

          • 2. Re: Issue with RolesAllowed annotation in JBoss 7.1 CR1
            lszymik

            I have added an additional JAR file, jboss-ejb3-ext-api-2.0.0-beta-2.jar, and was able to add the org.jboss.ejb3.annotation.SecurityDomain annotation. After those changes my session beans are secured and I am getting an Invalid User exception.

            Thank you for the good tip.

            Now I am not able to perform login in my remote client application. I am trying this code:

            CallbackHandler callbackHandler = new AppCallbackHandler("user", "userpass".toCharArray());
            LoginContext loginContext = new LoginContext("logincontextname", callbackHandler);
            loginContext.login();

            The credentials are somehow not passed to the application container.

            Has something changed in JBoss 7.1? Maybe I should use another login code?

            Thanks

            Lukasz

            • 3. Re: Issue with RolesAllowed annotation in JBoss 7.1 CR1
              snelders

              So far I also didn't get further than the Invalid User Exception (http://community.jboss.org/thread/176963?tstart=0).

              Can you try enabling trace logging for the JBoss security modules by editing the standalone.xml to something like this, to see what's going on on the server side:

              <subsystem xmlns="urn:jboss:domain:logging:1.1">
                  <console-handler name="CONSOLE">
                      <level name="TRACE"/>
                      <formatter>
                          <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                      </formatter>
                  </console-handler>
                  <periodic-rotating-file-handler name="FILE">
                      <formatter>
                          <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%t) %s%E%n"/>
                      </formatter>
                      <file relative-to="jboss.server.log.dir" path="server.log"/>
                      <suffix value=".yyyy-MM-dd"/>
                      <append value="true"/>
                  </periodic-rotating-file-handler>
                  <logger category="com.arjuna">
                      <level name="WARN"/>
                  </logger>
                  <logger category="org.apache.tomcat.util.modeler">
                      <level name="WARN"/>
                  </logger>
                  <logger category="sun.rmi">
                      <level name="WARN"/>
                  </logger>
                  <logger category="jacorb">
                      <level name="WARN"/>
                  </logger>
                  <logger category="jacorb.config">
                      <level name="ERROR"/>
                  </logger>
                  <logger category="org.jboss.security">
                      <level name="TRACE"/>
                  </logger>
                  <root-logger>
                      <level name="INFO"/>
                      <handlers>
                          <handler name="CONSOLE"/>
                          <handler name="FILE"/>
                      </handlers>
                  </root-logger>
              </subsystem>

              In my case I found out that the username and password end up somehow hashed/encoded or encrypted by the time they reach my server login module.

              They look like "db80497a-0e75-4d7b-8261-4bb6faf7c9b4" (username) & "d89e062f-4740-4529-a3c9-beb84d73589" (password), but they also change every time I log in (maybe there is a challenge involved?).

              I haven't managed to get this issue fixed or answered so far; I hope you get better results.