Skip navigation

This project is read only now. Read more.

8 Replies Latest reply on Mar 2, 2012 10:35 AM by jaikiran

is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

wutongjoe Feb 29, 2012 9:55 PM

Hi all,

I have the following simple code which is not working

@Stateless(name = "wutong_test_hello")

@Clustered

@Remote(HellowWorldRemote.class)

@Local(HellowWorldLocal.class)

@SecurityDomain(value = "my-security-domain")

public class HellowWorldImpl implements HellowWorldRemote, HellowWorldLocal {

@RolesAllowed(value = { "testuserrole" })

public String hello(String name) {

String ret = "hello: " + name ;

log.info(ret + "，hashcode:" + hashCode());

return ret;

}

every time I invoke hello method from remote standalone app, server print the following stacks

10:14:33,204 INFO [org.jboss.ejb.client.ClusterContext] Added a new EJB receiver in cluster context ejb for node joe-pc. Total nodes in cluster context = 1

10:14:33,480 INFO [org.jboss.ejb.client.remoting.ChannelAssociation] Discarding result for invocation id 0 since no waiting context found

javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String) of bean: wutong_test_hello is not allowed

at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:101)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)

at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)

at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:300)

at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$200(MethodInvocationMessageHandler.java:64)

at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:194)

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)

at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)

at java.util.concurrent.FutureTask.run(FutureTask.java:138)

at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

at java.lang.Thread.run(Thread.java:662)

at org.jboss.threads.JBossThread.run(JBossThread.java:122)

I then place the @SecurityDomain on both HellowWorldLocal and HellowWorldRemote like

@SecurityDomain(value = "my-security-domain")

public interface HellowWorldRemote {

String hello(String name);

}

and remove the annotation from HellowWorldImpl, the server never print any exception and method returned successfully but AuthorizationInterceptor is not in the stack

API doc of org.jboss.ejb3.annotation.SecurityDomain does not indicate that it should be placed on interfaces and some demos on internet also put @SecurityDomain on concrete class but not interface.Did I make any mistake on api ? or misunderstand some concepts?

EJBs are running on JBAS 7.1 final with standalone-ha-full conf

Thank you very much

1. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

jaikiran Feb 29, 2012 10:02 PM (in response to wutongjoe)

Joseph Wu wrote:

I then place the @SecurityDomain on both HellowWorldLocal and HellowWorldRemote like

@SecurityDomain(value = "my-security-domain")
public interface HellowWorldRemote {
String hello(String name);
}

and remove the annotation from HellowWorldImpl, the server never print any exception and method returned successfully but AuthorizationInterceptor is not in the stack

I believe the security interceptors are just skipped in this case. Which means that all calls go through. As for the original issue, what does your security domain configuration look like?
Actions
2. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

wutongjoe Feb 29, 2012 11:19 PM (in response to jaikiran)

            <security-realm name="ApplicationRealm">
                <authentication>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
...
        <subsystem xmlns="urn:jboss:domain:remoting:1.1">
            <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
        </subsystem>
...
                <security-domain name="my-security-domain" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmUsersRoles" flag="required">
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                            <module-option name="realm" value="ApplicationRealm"/>
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
Actions
3. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

jaikiran Mar 1, 2012 1:09 AM (in response to wutongjoe)

What user are you using to invoke and what role does he belong to? Can you post the contents of the application-users.properties and application-roles.properties. Also try enabling TRACE level logging of org.jboss.as.security, org.jboss.as.ejb3 and org.jboss.security packages and attach those logs when you see this exception.
Actions
4. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

wutongjoe Mar 1, 2012 5:31 AM (in response to jaikiran)

=====================server side stuff below ===================

modification to "standalone-full-ha.xml"

            <security-realm name="ApplicationRealm">
                <authentication>
                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
            </security-realm>
....

        <subsystem xmlns="urn:jboss:domain:remoting:1.1">
            <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm">
                <sasl>
                    <policy>
                        <no-anonymous value="true"/>
                        <no-plain-text value="false"/>
                        <pass-credentials value="true"/>
                    </policy>
                </sasl>
            </connector>
        </subsystem>

....

                <security-domain name="my-security-domain" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="RealmUsersRoles" flag="required">
                            <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                            <module-option name="realm" value="ApplicationRealm"/>
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>

-------------------------------------------------------------------------------------------------------------
application-roles.properties:

test123=aabdd69afca03e09fc05b7539c62818d
-------------------------------------------------------------------------------------------------------------
application-users.properties:

test123=testrole
------------------------------------------------------------------------------------------------------------

@Stateless(name = "wutong_test_hello")
@Clustered
@Remote(HellowWorldRemote.class)
@Local(HellowWorldLocal.class)
@SecurityDomain(value = "my-security-domain")
public class HellowWorldImpl implements HellowWorldRemote, HellowWorldLocal {

@RolesAllowed(value = { "testrole" })
public String hello(String name) {
String ret = "hello: " + name +" , "+ctx.getCallerPrincipal().getName();
log.info(ret + "，hashcode:" + hashCode());
return ret;
}
}

----------------------------------------------------------------------------------------------------------------------------
public interface HellowWorldRemote {
String hello(String name);
}

----------------------------------------------------------------------------------------------------------------------------
public interface HellowWorldLocal {
String hello(String name);
}

=========================client side stuff below=================================
jboss-ejb-client.properties:

endpoint.name=my_end_point
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=default
remote.connection.default.host=127.0.0.1
remote.connection.default.port=4447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
remote.connection.default.username=test123
remote.connection.default.password=test

remote.clusters=ejb
remote.cluster.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
remote.cluster.ejb.username=test123
remote.cluster.ejb.password=test

------------------------------------------------------------------------------------------------

Properties props = new Properties();
props.put(Context.URL_PKG_PREFIXES,"org.jboss.ejb.client.naming");
context = new InitialContext(props);


   HellowWorldRemote remo=(HellowWorldRemote)context.lookup("ejb:/testEJB//wutong_test_hello!com.biz.ejb.face.HellowWorldRemote", HellowWorldRemote.class);
   log.info(remo.hello(Long.toString(System.currentTimeMillis())));

------------------------------------------------------------------------------------------------

I always get the following exception stacks bath on server side and client side :

16:58:53,157 ERROR [org.jboss.ejb3.invocation] (EJB default - 2) JBAS014134: EJB Invocation failed on component wutong_test_hello for method public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String) of bean: wutong_test_hello is not allowed
at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:101) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:300) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$200(MethodInvocationMessageHandler.java:64) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:194) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441) [rt.jar:1.6.0_25]
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) [rt.jar:1.6.0_25]
at java.util.concurrent.FutureTask.run(FutureTask.java:138) [rt.jar:1.6.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_25]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_25]
at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_25]
at org.jboss.threads.JBossThread.run(JBossThread.java:122)

the principal name from org.jboss.as.security.service.SimpleSecurityManager.getCallerPrincipal() is "$local" ,so that I doubt I did not pass username "test123" to remote server successfully.
it drives me mad >_<
Actions
5. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

jaikiran Mar 1, 2012 5:51 AM (in response to wutongjoe)

Add the following properties to your jboss-ejb-client.properties
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

remote.cluster.ejb.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.cluster.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

That'll disable the $local scheme used for authentication
Actions
6. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

wutongjoe Mar 1, 2012 8:10 PM (in response to jaikiran)

Hi jaikiran,you are an awsome reply machine indeed and it worked ! Could you please tell me where can I find reference docs for JBAS 7.1 final ? such as how to use "SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER" and "SASL_POLICY_NOPLAINTEXT=false"? I think there are so much background knowledge for me to catch up .

Thank you very much
Actions
7. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

dlofthouse Mar 2, 2012 6:07 AM (in response to wutongjoe)

That documentation is currently in the process of being written - if anyone that we have helped with these settings has some time to quickly put together an article within this space showing the settings needed on the client side to connect to the default secured server that would be much appreciated.
Actions
8. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

jaikiran Mar 2, 2012 10:35 AM (in response to wutongjoe)

Good to know you got it working!

Joseph Wu wrote:

Could you please tell me where can I find reference docs for JBAS 7.1 final ? such as how to use "SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER" and "SASL_POLICY_NOPLAINTEXT=false"?

Unfortunately, at this point there isn't a comprehensive documentation for this. There are some forum discussions but yeah we need to put up the documentation for this covering all these cases. My plan was to work solely on documentation after the 7.1.0.Final tasks were done, but I'm caught up in some other important tasks right now and haven't yet been able to spend time on documentation. I've stopped promising it will be out there "soon" But yeah, it will be up as soon as I find some time to work on it.
1 of 1 people found this helpful
Actions

Go to original post