5 Replies Latest reply on Feb 18, 2009 10:24 AM by smeier

    SecurityException when accessing (ejb2-) session bean via lo

      I have the following problem with an EJB 2 SessionBean when deploying in JBoss 5:

      The SessionBean (called LVSKeepAliveDispatcher) requires a specific user role (called "LVSUser"), specified by

      <method-permission>
        <description></description>
        <role-name>LVSUser</role-name>
        <method>
          <description></description>
          <ejb-name>LVSKeepAliveDispatcher</ejb-name>
          <method-name>*</method-name>
        </method>
      </method-permission>
      

      in ejb-jar.xml. I now want to access this SessionBean from a Service (i.e. a class implementing the org.jboss.varia.scheduler.Schedulable interface that is then registered as a service) running inside the same JBoss instance. This is my jboss-service.xml:

      <server>
        <mbean code="org.jboss.varia.scheduler.Scheduler" name="lvs:service=TranslationService">
          <attribute name="StartAtStartup">true</attribute>
          <attribute name="SchedulableClass">de.repower.lvs.server.service.translation.TranslationService</attribute>
          <attribute name="SchedulableArguments"></attribute>
          <attribute name="SchedulableArgumentTypes"></attribute>
          <attribute name="InitialStartDate">NOW</attribute>
          <attribute name="SchedulePeriod">60000</attribute>
          <attribute name="InitialRepetitions">1</attribute>
          <attribute name="TimerName">jboss:service=Timer,name=TranslationServiceTimer</attribute>

          <depends><mbean code="javax.management.timer.Timer" name="jboss:service=Timer,name=TranslationServiceTimer"/></depends>
          <depends>jboss.j2ee:service=EJB,jndiName=de/repower/lvs/i18n/sessionbeans/LVSTranslation</depends>
        </mbean>
      </server>
      



      As the service is deployed in the same vm as the session bean I want to call the session bean via the local interface, but I get a SecurityException when I try to create an instance. When instead I do a lookup of the RemoteInterface it works. This is the code inside the perform method of my service class:

      public void perform(Date now, long remainingRepetitions) {

        try {
          final UsernamePasswordHandler handler = new UsernamePasswordHandler(USERNAME, PASSWORD);
          final LoginContext lc = new LoginContext("cli`enter code here`ent-login", handler);
          lc.login();

          // Trying to instantiate an LVSKeepAliveDispatcher via remote interface
          // This part works
          LVSKeepAliveDispatcher localvHome = LVSKeepAliveDispatcherUtil.getHome().create();
          LOGGER.info("Successfully instantiated an LVSKeepAliveDispatcher " + localvHome.toString());

          // Trying to instantiate an LVSKeepAliveDispatcherLocal via local interface
          LVSKeepAliveDispatcherLocal localvLocalHome = LVSKeepAliveDispatcherUtil.getLocalHome().create();

          // this code is unfortunately never reached
          LOGGER.info("Successfully instantiated an LVSKeepAliveDispatcherLocal " + localvLocalHome.toString());

          lc.logout();
        } catch (final Exception ex) {
          LOGGER.error("Error: ", ex);
        }
      }
      


      Exception:

      2009-02-17 10:38:02,266 INFO [lvsi18n] (Timer-2) Successfully instantiated an LVSKeepAliveDispatcher de/repower/lvs/server/service/alive/sessionbeans/LVSKeepAliveDispatcher:Stateless
       2009-02-17 10:38:02,297 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (Timer-2) Error in Security Interceptor
       java.lang.SecurityException: Authentication exception, principal=internalSystemUser
       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
       at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
       at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
       at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
       at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
       at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
       at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
       at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
       at org.jboss.ejb.Container.invoke(Container.java:1046)
       at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
       at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
       at $Proxy193.create(Unknown Source)
       at de.repower.lvs.server.service.translation.TranslationService.perform(TranslationService.java:68)
       at org.jboss.varia.scheduler.Scheduler$PojoScheduler.invoke(Scheduler.java:1267)
       at org.jboss.varia.scheduler.Scheduler$BaseListener.handleNotification(Scheduler.java:1235)
       at sun.reflect.GeneratedMethodAccessor281.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.jboss.mx.notification.NotificationListenerProxy.invoke(NotificationListenerProxy.java:153)
       at $Proxy87.handleNotification(Unknown Source)
       at javax.management.NotificationBroadcasterSupport.handleNotification(NotificationBroadcasterSupport.java:257)
       at javax.management.NotificationBroadcasterSupport$SendNotifJob.run(NotificationBroadcasterSupport.java:322)
       at javax.management.NotificationBroadcasterSupport$1.execute(NotificationBroadcasterSupport.java:307)
       at javax.management.NotificationBroadcasterSupport.sendNotification(NotificationBroadcasterSupport.java:229)
       at javax.management.timer.Timer.sendNotification(Timer.java:1234)
       at javax.management.timer.Timer.notifyAlarmClock(Timer.java:1203)
       at javax.management.timer.TimerAlarmClock.run(Timer.java:1286)
       at java.util.TimerThread.mainLoop(Timer.java:512)
       at java.util.TimerThread.run(Timer.java:462)
      

      To further diagnose the error I debugged through the SecurityInterceptor and found that in the first case (successfully creating an instance via the remote interface) the security context "lvs-security" (which I defined in login-config.xml) is being used, whereas in the second case (failure when creating an instance via the local interface) the generic security context "CLIENT-LOGIN" is being used.

      This is the definition of the security context "lvs-security" in login-config.xml:

      <application-policy name = "lvs-security">
        <authentication>
          <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
          </login-module>

          <login-module code = "de.repower.lvs.security.UsersRolesLoginModule" flag = "sufficient">
          </login-module>
          <login-module code = "de.repower.lvs.security.login.LVSLoginModule" flag = "required">
            <module-option name = "lvs-jboss-host">localhost</module-option>
            <module-option name = "lvs-jboss-jndi-port">1099</module-option>
          </login-module>
        </authentication>
      </application-policy>
      


      I'm now kind of stuck and hope someone can give me a hint about where to further look for the cause of the problem. This worked fine in JBoss 3.2.7.



        • 1. Re: SecurityException when accessing (ejb2-) session bean vi
          jaikiran

          Please post the contents of your jboss.xml.

          Also

          new LoginContext("cli`enter code here`ent-login", handler);


          where is the "cli`enter code here`ent-login" login configuration stack declared?

          From what I see, you should be using:


          new LoginContext("lvs-security", handler);



          • 2. Re: SecurityException when accessing (ejb2-) session bean vi

             

            where is the "cli`enter code here`ent-login" login configuration stack declared?


            Sorry, I somehow messed up this line in my post. It's supposed to be:

            final LoginContext lc = new LoginContext("client-login", handler);
            


            and this is defined in the login-config.xml (comes with jboss installation):

            <application-policy name = "client-login">
              <authentication>
                <login-module code = "org.jboss.security.ClientLoginModule"
                              flag = "required">
                  <!-- Any existing security context will be restored on logout -->
                  <module-option name="restore-login-identity">true</module-option>
                </login-module>
              </authentication>
            </application-policy>
            


            From what I see, you should be using:

            new LoginContext("lvs-security", handler);
            


            I will try this and post the results.

            Please post the contents of your jboss.xml.


            This is the part that's related to the bean involved in this problem:

            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 3.2//EN" "http://www.jboss.org/j2ee/dtd/jboss_3_2.dtd">
            <jboss>
              <security-domain>java:/jaas/lvs-security</security-domain>
              <unauthenticated-principal>nobody</unauthenticated-principal>

              <enterprise-beans>
                <session>
                  <ejb-name>LVSKeepAliveDispatcher</ejb-name>
                  <jndi-name>de/repower/lvs/server/service/alive/sessionbeans/LVSKeepAliveDispatcher</jndi-name>
                  <local-jndi-name>LVSKeepAliveDispatcherLocal</local-jndi-name>

                  <method-attributes>
                  </method-attributes>
                </session>
              </enterprise-beans>
            </jboss>
            




            • 3. Re: SecurityException when accessing (ejb2-) session bean vi

               


              From what I see, you should be using:


              new LoginContext("lvs-security", handler);



              I tried it and had the exact same behaviour as before. It might be important to mention that the lc.login() call always leads to a call of my UserRolesLoginModule (defined in the "lvs-security" application policy), regardless of whether I use "lvs-security" or "client-login" to create the LoginContext.



              • 4. Re: SecurityException when accessing (ejb2-) session bean vi
                jaikiran

                Enable TRACE level logging of jboss security package as explained in Q4 at http://www.jboss.org/community/docs/DOC-12198. That will show the authentication process that is being followed.


                • 5. Re: SecurityException when accessing (ejb2-) session bean vi

                  Hi jaikiran,

                  I turned on the tracing and got the following results:

                  During the deployment of my jar file containing the SessionBean the security domain "lvs-security" is being initialized:

                  ...

                  2009-02-18 14:44:41,843 INFO [org.jboss.ejb.deployers.EjbDeployer] (main) jndi:LVSTranslationLocal
                  2009-02-18 14:44:41,843 INFO [org.jboss.ejb.deployers.EjbDeployer] (main) installing bean: ejb/#LVSWindTurbineUnitAliveManager,uid27849618
                  2009-02-18 14:44:41,843 INFO [org.jboss.ejb.deployers.EjbDeployer] (main) with dependencies:
                  2009-02-18 14:44:41,843 INFO [org.jboss.ejb.deployers.EjbDeployer] (main) and supplies:
                  2009-02-18 14:44:41,843 INFO [org.jboss.ejb.deployers.EjbDeployer] (main) jndi:de/repower/lvs/server/service/alive/sessionbeans/LVSWindTurbineUnitAliveManagerBean
                  2009-02-18 14:44:41,843 INFO [org.jboss.ejb.deployers.EjbDeployer] (main) jndi:de/repower/lvs/server/service/alive/sessionbeans/LVSWindTurbineUnitAliveManagerBeanLocal
                  2009-02-18 14:44:41,896 INFO [org.jboss.ejb3.deployers.JBossASKernel] (main) Created KernelDeployment for: fop.jar
                  2009-02-18 14:44:41,909 INFO [org.jboss.ejb3.deployers.JBossASKernel] (main) installing bean: jboss.j2ee:ear=repowerLvsData.jar,jar=fop.jar,name=fop,service=EJB3
                  2009-02-18 14:44:41,913 INFO [org.jboss.ejb3.deployers.JBossASKernel] (main) with dependencies:
                  2009-02-18 14:44:41,913 INFO [org.jboss.ejb3.deployers.JBossASKernel] (main) and demands:
                  2009-02-18 14:44:41,913 INFO [org.jboss.ejb3.deployers.JBossASKernel] (main) and supplies:
                  2009-02-18 14:44:41,913 INFO [org.jboss.ejb3.deployers.JBossASKernel] (main) Added bean(jboss.j2ee:ear=repowerLvsData.jar,jar=fop.jar,name=fop,service=EJB3) to KernelDeployment of: fop.jar
                  2009-02-18 14:44:42,742 INFO [org.jboss.ejb3.clientmodule.ClientENCInjectionContainer] (main) STARTED CLIENT ENC CONTAINER: fop
                  2009-02-18 14:44:42,948 INFO [org.jboss.ejb.EjbModule] (main) Deploying LVSSystemConfiguration
                  
                  2009-02-18 14:44:42,971 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (main) Creating SDC for domain=lvs-security
                  2009-02-18 14:44:42,972 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.lvs-security] (main) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@189fc46
                  2009-02-18 14:44:42,972 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.lvs-security] (main) CachePolicy set to: org.jboss.util.TimedCachePolicy@117840
                  2009-02-18 14:44:42,972 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (main) setCachePolicy, c=org.jboss.util.TimedCachePolicy@117840
                  
                  2009-02-18 14:44:43,021 INFO [org.jboss.ejb.EjbModule] (main) Deploying LVSServerConfiguration
                  2009-02-18 14:44:43,038 INFO [org.jboss.ejb.EjbModule] (main) Deploying LVSDescriptionLocalisationDefault
                  2009-02-18 14:44:43,054 INFO [org.jboss.ejb.EjbModule] (main) Deploying LVSFormatLocalisationGerman
                  2009-02-18 14:44:43,070 INFO [org.jboss.ejb.EjbModule] (main) Deploying LVSFormatLocalisationFrench
                  ...


                  Just before I try to create the LVSKeepAliveDispatcherLocal instance a different security context "CLIENT_LOGIN_MODULE" is being initialized which uses the org.jboss.security.auth.spi.UsersRolesLoginModule to authenticate the user. This fails because this login module doesn't use my users.properties file.

                  2009-02-18 14:45:06,976 WARN [lvsSecurity.UsersRolesLoginModule] (Timer-2) UsersRolesLoginModule called from de.repower.lvs.server.service.translation.TranslationService.perform(TranslationService.java:65)
                  2009-02-18 14:45:06,977 WARN [lvsSecurity.UsersRolesLoginModule] (Timer-2) super.login succesful...
                  2009-02-18 14:45:06,977 WARN [lvsSecurity.UsersRolesLoginModule] (Timer-2) successfully logged in: internalSystemUser
                  2009-02-18 14:45:07,091 INFO [lvsi18n] (Timer-2) Successfully instantiated an LVSKeepAliveDispatcher de/repower/lvs/server/service/alive/sessionbeans/LVSKeepAliveDispatcher:Stateless
                  2009-02-18 14:45:07,109 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (Timer-2) Creating SDC for domain=CLIENT_LOGIN_MODULE
                  2009-02-18 14:45:07,110 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (Timer-2) CallbackHandler: org.jboss.security.auth.callback.JBossCallbackHandler@21657f
                  2009-02-18 14:45:07,110 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.CLIENT_LOGIN_MODULE] (Timer-2) CachePolicy set to: org.jboss.util.TimedCachePolicy@8e74ea
                  2009-02-18 14:45:07,110 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (Timer-2) setCachePolicy, c=org.jboss.util.TimedCachePolicy@8e74ea
                  2009-02-18 14:45:07,123 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (Timer-2) Loaded properties, users=[admin]
                  2009-02-18 14:45:07,124 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (Timer-2) Loaded properties, users=[admin]
                  2009-02-18 14:45:07,124 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (Timer-2) Bad password for username=internalSystemUser
                  2009-02-18 14:45:07,125 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (Timer-2) Error in Security Interceptor
                  java.lang.SecurityException: Authentication exception, principal=internalSystemUser
                   at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:321)
                   at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
                   at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
                   at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
                   at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
                   at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
                   at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
                   at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
                   at org.jboss.ejb.Container.invoke(Container.java:1046)
                   at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:362)
                   at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:133)
                   at $Proxy193.create(Unknown Source)
                   at de.repower.lvs.server.service.translation.TranslationService.perform(TranslationService.java:70)
                  
                  
                  By the way, thanks for your support.
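
Added example, not part of the original thread: a Python script that automates the correlation done by hand in reply 5, pairing each SecurityInterceptor error with the last `Creating SDC for domain=` line and login-module rejection on the same thread. The function name and the `expected_domain` parameter are assumptions; the sample lines are copied from the log excerpt above.

```python
import re

# server.log layout as it appears in the posts above:
# date time LEVEL [category] (thread) message
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] \(([^)]+)\) (.*)$")
SDC = re.compile(r"Creating SDC for domain=(\S+)")
BAD_PW = re.compile(r"Bad password for username=(\S+)")

# Lines copied from the log excerpt in reply 5.
SAMPLE_LOG = """\
2009-02-18 14:44:42,971 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (main) Creating SDC for domain=lvs-security
2009-02-18 14:45:06,977 WARN [lvsSecurity.UsersRolesLoginModule] (Timer-2) successfully logged in: internalSystemUser
2009-02-18 14:45:07,109 DEBUG [org.jboss.security.integration.JNDIBasedSecurityManagement] (Timer-2) Creating SDC for domain=CLIENT_LOGIN_MODULE
2009-02-18 14:45:07,124 DEBUG [org.jboss.security.auth.spi.UsersRolesLoginModule] (Timer-2) Bad password for username=internalSystemUser
2009-02-18 14:45:07,125 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] (Timer-2) Error in Security Interceptor
"""


def find_domain_mismatches(log_text, expected_domain):
    """Return one finding per SecurityInterceptor error, with the security
    domain most recently created on that thread and the rejecting module."""
    last_domain = {}  # thread -> last security domain created on it
    last_reject = {}  # thread -> (login module category, username)
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames, "..." markers, blank lines
        ts, level, category, thread, msg = m.groups()
        if (d := SDC.search(msg)):
            last_domain[thread] = d.group(1)
        elif (b := BAD_PW.search(msg)):
            last_reject[thread] = (category, b.group(1))
        elif level == "ERROR" and category.endswith("SecurityInterceptor"):
            domain = last_domain.get(thread)
            module, user = last_reject.get(thread, (None, None))
            findings.append({
                "time": ts, "thread": thread, "domain": domain,
                "expected": expected_domain,
                # Only flag when a domain was actually seen on this thread.
                "mismatch": domain is not None and domain != expected_domain,
                "rejected_by": module, "user": user,
            })
    return findings


if __name__ == "__main__":
    for finding in find_domain_mismatches(SAMPLE_LOG, "lvs-security"):
        print(finding)
```

The expected domain is the one named in the `<security-domain>` element of jboss.xml, without the `java:/jaas/` prefix.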