SecurityException when accessing (ejb2-) session bean via lo
smeier Feb 18, 2009 2:39 AMI have the following problem with an EJB 2 SessionBean when deploying in JBoss 5:
The SessionBean (called LVSKeepAliveDispatcher) requires a specific user role (called "LVSUser"), specified by
<method-permission > <description></description> <role-name>LVSUser</role-name> <method > <description></description> <ejb-name>LVSKeepAliveDispatcher</ejb-name> <method-name>*</method-name> </method> </method-permission>
in ejb-jar.xml. I now want to access this SessionBean from a Service (i.e. a class implementing the org.jboss.varia.scheduler.Schedulable interface that is then registered as a service) running inside the same JBoss instance. This is my jboss-service.xml:
<server> <mbean code="org.jboss.varia.scheduler.Scheduler" name="lvs:service=TranslationService"> <attribute name="StartAtStartup">true</attribute> <attribute name="SchedulableClass">de.repower.lvs.server.service.translation.TranslationService</attribute> <attribute name="SchedulableArguments"></attribute> <attribute name="SchedulableArgumentTypes"></attribute> <attribute name="InitialStartDate">NOW</attribute> <attribute name="SchedulePeriod">60000</attribute> <attribute name="InitialRepetitions">1</attribute> <attribute name="TimerName">jboss:service=Timer,name=TranslationServiceTimer</attribute> <depends><mbean code="javax.management.timer.Timer" name="jboss:service=Timer,name=TranslationServiceTimer"/></depends> <depends>jboss.j2ee:service=EJB,jndiName=de/repower/lvs/i18n/sessionbeans/LVSTranslation</depends> </mbean> </server>
As the service is deployed in the same vm as the session bean I want to call the session bean via the local interface, but I get a SecurityException when I try to create an instance. When instead I do a lookup of the RemoteInterface it works. This is the code inside the perform method of my service class:
public void perform(Date now, long remainingRepetitions) { try { final UsernamePasswordHandler handler = new UsernamePasswordHandler(USERNAME, PASSWORD); final LoginContext lc = new LoginContext("cli`enter code here`ent-login", handler); lc.login(); // Trying to instantiate an LVSKeepAliveDispatcher via remote interface // This part works LVSKeepAliveDispatcher localvHome = LVSKeepAliveDispatcherUtil.getHome().create(); LOGGER.info("Successfully instantiated an LVSKeepAliveDispatcher " + localvHome.toString()); // Trying to instantiate an LVSKeepAliveDispatcherLocal via local interface LVSKeepAliveDispatcherLocal localvLocalHome = LVSKeepAliveDispatcherUtil.getLocalHome().create(); // this code is unforunately never reached LOGGER.info("Successfully instantiated an LVSKeepAliveDispatcherLocal " + localvLocalHome.toString()); lc.logout(); } catch (final Exception ex) { LOGGER.error("Error: ", ex); } }
Exception:
2009-02-17 10:38:02,266 INFO [lvsi18n] (Timer-2) Successfully instantiated an LVSKeepAliveDispatcher de/repower/lvs/server/service/alive/sessionbeans/LVSKeepAliveDispatcher:Stateless 2009-02-17 10:38:02,297 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (Timer-2) Error in Security Interceptor java.lang.SecurityException: Authentication exception, principal=internalSystemUser at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321) at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243) at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205) at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136) at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88) at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132) at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107) at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639) at org.jboss.ejb.Container.invoke(Container.java:1046) at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362) at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133) at $Proxy193.create(Unknown Source) at de.repower.lvs.server.service.translation.TranslationService.perform(TranslationService.java:68) at org.jboss.varia.scheduler.Scheduler$PojoScheduler.invoke(Scheduler.java:1267) at org.jboss.varia.scheduler.Scheduler$BaseListener.handleNotification(Scheduler.java:1235) at sun.reflect.GeneratedMethodAccessor281.invoke(Unknown Source) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) at java.lang.reflect.Method.invoke(Method.java:597) at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153) at $Proxy87.handleNotification(Unknown Source) at javax.management.NotificationBroadcasterSupport.handleNotification(NotificationBroadcasterSupport.java:257) at javax.management.NotificationBroadcasterSupport$SendNotifJob.run(NotificationBroadcasterSupport.java:322) at javax.management.NotificationBroadcasterSupport$1.execute(NotificationBroadcasterSupport.java:307) at javax.management.NotificationBroadcasterSupport.sendNotification(NotificationBroadcasterSupport.java:229) at javax.management.timer.Timer.sendNotification(Timer.java:1234) at javax.management.timer.Timer.notifyAlarmClock(Timer.java:1203) at javax.management.timer.TimerAlarmClock.run(Timer.java:1286) at java.util.TimerThread.mainLoop(Timer.java:512) at java.util.TimerThread.run(Timer.java:462)
To further diagnose the error I debugged through the SecurityInterceptor and found that in the first case (successful creating an instance via the remote interface) the security context "lvs-security" (which I defined in login-config.xml) is being used whereas in the second case (failure when creating an instance via the local interface) the generic security context "CLIENT-LOGIN" is being used.
This is the definition of the securit context "lvs-security" in login-config.xml:
<application-policy name = "lvs-security"> <authentication> <login-module code = "org.jboss.security.ClientLoginModule" flag = "required"> </login-module> <login-module code = "de.repower.lvs.security.UsersRolesLoginModule" flag = "sufficient"> </login-module> <login-module code = "de.repower.lvs.security.login.LVSLoginModule" flag = "required"> <module-option name = "lvs-jboss-host">localhost</module-option> <module-option name = "lvs-jboss-jndi-port">1099</module-option> </login-module> </authentication> </application-policy>
I'm now kind of stuck and hope someone can give me a hint about where to further look for the cause of the problem. This worked fine in JBoss 3.2.7.