JBoss AS 7.1.2 - Trouble getting Remote EJB calls to work - anonymous login doesn't have the role needed to authorize
thealey Oct 24, 2012 3:00 PM
Here is the error:
[java] blah.blah.exception.AuthorizationException: Authorization failed: anonymous does not have role Admin Reader User
[java] at blah.blah.blah.session.base.BeanBase.callerMustHaveRole(BeanBase.java:81)
[java] error getting admin user:blah.blah.exception.AuthorizationException: Authorization failed: anonymous does not have role Admin Reader User
We appear to have everything set up the way it should be to get Remote EJB calls to work, but even though it appears the container knows the principal and the roles of that principal, it is not passing that information to the bean, so our attempts to call the bean are failing with an Authorization error "anonymous does not have role <Insert our rolename>...". It is critical that we move forward here; can anyone help?
I am logging in with admin2.
Here is an example of our annotations for security and we use xdoclet to generate the proxies, local and localhome interfaces.
/**
* @ejb.bean type="Stateless" transaction-type="Bean" view-type="both" jndi-name="${product}AdminManagement"
* @ejb.permission unchecked="false"
* @blah.ejb business-interface="blah.blah.blah.business.AdminManagementMethods"
* @SecurityDomain("EJBRealm1")
*/
Here is our role checking function - it is custom, as at one point we thought this was a better way to go.
protected void callerMustHaveRole(String login, Integer roleId) throws SystemException {
    UsersDataAccessor accessor = null;
    try {
        accessor = Accessor.getUsersDataAccessor();
        // Checks the roles table - the problem here is that the login is anonymous.
        if (!accessor.loginHasRole(login, roleId)) {
            // Throwing AuthorizationException (subclass of SystemException) does not result in a runtime error.
            throw new AuthorizationException(makeAuthorizionError(login, roleId));
        }
    } finally {
        Accessor.disposeUsersDataAccessor(accessor);
    }
}
the jboss-ejb-client.properties file is
endpoint.name=client-endpoint
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port = 24447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
remote.connection.default.username=guest
remote.connection.default.password=guest
security realm:
<security-realm name="EJBRealm1">
    <authentication>
        <jaas name="career"/>
    </authentication>
</security-realm>
Here is the security domain definition:
<security-domain name="career" cache-type="default">
    <authentication>
        <login-module code="blah.blah.jboss.authentication.DardenDatabaseLoginModule" module="tapestry" flag="sufficient">
            <module-option name="dsJndiName" value="java:/StudentDS"/>
            <module-option name="principalsQuery" value="select password from Users where login=?"/>
            <module-option name="rolesQuery" value="SELECT Roles.role_name, 'Roles' FROM Users INNER JOIN Users_Roles ON Users.user_id = Users_Roles.user_id INNER JOIN Roles ON Users_Roles.role_id = Roles.role_id where Users.login = ? AND (Users.access_denied IS NULL OR Users.access_denied = 0)"/>
            <module-option name="hashUserPassword" value="true"/>
            <module-option name="unauthenticatedIdentity" value="nobody"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
remoting:
<connector name="remoting-connector-career" socket-binding="remoting-career" security-realm="EJBRealm1"/>
Socket binding:
<socket-binding name="remoting-career" port="24447"/>
The log is:
13:59:13,706 INFO [org.jboss.as] (Controller Boot Thread) JBAS015951: Admin console listening on http://127.0.0.1:9990
13:59:13,708 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss EAP 6.0.0.GA (AS 7.1.2.Final-redhat-1) started in 13418ms - Started 2103 of 2196 services (89 services are passive or on-demand)
13:59:32,330 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-1) Begin isValid, principal:admin2, cache entry: null
13:59:32,336 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-1) defaultLogin, principal=admin2
13:59:32,338 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "blah-mb-pro" task-1) Begin getAppConfigurationEntry(career), size=6
13:59:32,350 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "blah-mb-pro" task-1) End getAppConfigurationEntry(career), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: blah.blah.jboss.authentication.BlahDatabaseLoginModule
ControlFlag: LoginModuleControlFlag: sufficient
Options:
name=hashUserPassword, value=true
name=principalsQuery, value=select password from Users where login=?
name=unauthenticatedIdentity, value=nobody
name=dsJndiName, value=java:/StudentDS
name=password-stacking, value=useFirstPass
name=rolesQuery, value=SELECT Roles.role_name, 'Roles' FROM Users INNER JOIN Users_Roles ON Users.user_id = Users_Roles.user_id INNER JOIN Roles ON Users_Roles.role_id = Roles.role_id where Users.login = ? AND (Users.access_denied IS NULL OR Users.access_denied = 0)
13:59:32,452 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-1) defaultLogin, lc=javax.security.auth.login.LoginContext@5cbaa656, subject=Subject(1170799313).principals=org.jboss.security.SimplePrincipal@1557271138(admin2)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:admin2))org.jboss.security.SimpleGroup@1214619182(Roles(members:StudentCoreEditor,CareerAdminGeneral,CareerAdminReader,CareerScheduleAdmin,ContactManager,dev,CareerResourceEditor,AdminStudentManager,CareerCounselor,CareerAdminSuper,JobOfferManager))
13:59:32,453 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-1) updateCache, inputSubject=Subject(1170799313).principals=org.jboss.security.SimplePrincipal@1557271138(admin2)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:admin2))org.jboss.security.SimpleGroup@1214619182(Roles(members:StudentCoreEditor,CareerAdminGeneral,CareerAdminReader,CareerScheduleAdmin,ContactManager,dev,CareerResourceEditor,AdminStudentManager,CareerCounselor,CareerAdminSuper,JobOfferManager)), cacheSubject=Subject(972328005).principals=org.jboss.security.SimplePrincipal@1557271138(admin2)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:admin2))org.jboss.security.SimpleGroup@1214619182(Roles(members:StudentCoreEditor,CareerAdminGeneral,CareerAdminReader,CareerScheduleAdmin,ContactManager,dev,CareerResourceEditor,AdminStudentManager,CareerCounselor,CareerAdminSuper,JobOfferManager))
13:59:32,454 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-1) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@68cef11c
13:59:32,455 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-1) End isValid, true
13:59:32,571 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-4) Begin isValid, principal:guest, cache entry: null
13:59:32,571 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-4) defaultLogin, principal=guest
13:59:32,572 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "blah-mb-pro" task-4) Begin getAppConfigurationEntry(career), size=6
13:59:32,572 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "blah-mb-pro" task-4) End getAppConfigurationEntry(career), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: blah.blah.jboss.authentication.BlahDatabaseLoginModule
ControlFlag: LoginModuleControlFlag: sufficient
Options:
name=hashUserPassword, value=true
name=principalsQuery, value=select password from Users where login=?
name=unauthenticatedIdentity, value=nobody
name=dsJndiName, value=java:/StudentDS
name=password-stacking, value=useFirstPass
name=rolesQuery, value=SELECT Roles.role_name, 'Roles' FROM Users INNER JOIN Users_Roles ON Users.user_id = Users_Roles.user_id INNER JOIN Roles ON Users_Roles.role_id = Roles.role_id where Users.login = ? AND (Users.access_denied IS NULL OR Users.access_denied = 0)
13:59:32,579 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-4) defaultLogin, lc=javax.security.auth.login.LoginContext@3675c9a2, subject=Subject(1862846108).principals=org.jboss.security.SimplePrincipal@1557271138(guest)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:guest))org.jboss.security.SimpleGroup@1214619182(Roles(members))
13:59:32,579 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-4) updateCache, inputSubject=Subject(1862846108).principals=org.jboss.security.SimplePrincipal@1557271138(guest)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:guest))org.jboss.security.SimpleGroup@1214619182(Roles(members)), cacheSubject=Subject(690447543).principals=org.jboss.security.SimplePrincipal@1557271138(guest)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:guest))org.jboss.security.SimpleGroup@1214619182(Roles(members))
13:59:32,579 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-4) Inserted cache info: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@59453f7c
13:59:32,579 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "blah-mb-pro" task-4) End isValid, true
13:59:32,741 INFO [org.jboss.ejb.client] (pool-4-thread-1) JBoss EJB Client version 1.0.10.Final-redhat-1
Notice that admin2 is authenticated and looks to be authorized, but notice also that guest looks to be authenticated and authorized.
So the problem is that the principal "admin2" is not getting to our callerMustHaveRole function even though the container knows about it and its roles.
What other parts of my standalone.xml can be helpful?
What other info can I provide to help?
Help please.
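Added example (not code from the post or from JBoss): the TRACE output above shows two separate authentications on the remoting connector, admin2 on task-1 with a full Roles group and guest on task-4 with an empty one, while jboss-ejb-client.properties connects as guest. The script below parses the JBossCachedAuthenticationManager "Begin isValid" / "defaultLogin, lc=" / "End isValid" lines per Remoting task thread, pulls the principal and the Roles group out of the Subject dump, and compares the result with the username the client properties file connects with. The sample log lines and properties text are constructed from the post (role list abridged), and the properties parser assumes a single entry in remote.connections, as here.

```python
"""Correlate JBossCachedAuthenticationManager TRACE lines with the user the EJB
client connects as. Added example for this thread, not code from the post or JBoss;
SAMPLE_LOG and SAMPLE_PROPERTIES are constructed to mirror the post (roles abridged)."""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

_LOGGER = "[org.jboss.security.authentication.JBossCachedAuthenticationManager]"
SAMPLE_LOG = f"""\
13:59:32,330 TRACE {_LOGGER} (Remoting "blah-mb-pro" task-1) Begin isValid, principal:admin2, cache entry: null
13:59:32,452 TRACE {_LOGGER} (Remoting "blah-mb-pro" task-1) defaultLogin, lc=javax.security.auth.login.LoginContext@5cbaa656, subject=Subject(1170799313).principals=org.jboss.security.SimplePrincipal@1557271138(admin2)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:admin2))org.jboss.security.SimpleGroup@1214619182(Roles(members:StudentCoreEditor,CareerAdminReader,dev))
13:59:32,455 TRACE {_LOGGER} (Remoting "blah-mb-pro" task-1) End isValid, true
13:59:32,571 TRACE {_LOGGER} (Remoting "blah-mb-pro" task-4) Begin isValid, principal:guest, cache entry: null
13:59:32,579 TRACE {_LOGGER} (Remoting "blah-mb-pro" task-4) defaultLogin, lc=javax.security.auth.login.LoginContext@3675c9a2, subject=Subject(1862846108).principals=org.jboss.security.SimplePrincipal@1557271138(guest)org.jboss.security.SimpleGroup@1214619182(CallerPrincipal(members:guest))org.jboss.security.SimpleGroup@1214619182(Roles(members))
13:59:32,579 TRACE {_LOGGER} (Remoting "blah-mb-pro" task-4) End isValid, true
"""

SAMPLE_PROPERTIES = """\
endpoint.name=client-endpoint
remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port = 24447
remote.connection.default.username=guest
remote.connection.default.password=guest
"""

THREAD_RE = re.compile(r'\(Remoting "[^"]*" (task-\d+)\)')
BEGIN_RE = re.compile(r"Begin isValid, principal:([^,]+),")
SUBJECT_RE = re.compile(
    r"defaultLogin, lc=.*?SimplePrincipal@\d+\((?P<principal>[^)]+)\)"
    r".*?Roles\(members(?::(?P<roles>[^)]*))?\)")
END_RE = re.compile(r"End isValid, (true|false)")


@dataclass
class AuthAttempt:
    thread: str
    principal: str = ""
    roles: Set[str] = field(default_factory=set)
    valid: Optional[bool] = None  # None until the "End isValid" line is seen


def parse_authentications(log_text: str) -> Dict[str, AuthAttempt]:
    """One AuthAttempt per Remoting task thread, built from Begin/defaultLogin/End lines."""
    attempts: Dict[str, AuthAttempt] = {}
    for line in log_text.splitlines():
        thread = THREAD_RE.search(line)
        if not thread:
            continue  # not a remoting task line
        attempt = attempts.setdefault(thread.group(1), AuthAttempt(thread.group(1)))
        if b := BEGIN_RE.search(line):
            attempt.principal = b.group(1)
        elif s := SUBJECT_RE.search(line):
            # "Roles(members)" (no colon) is the empty group; otherwise a comma list.
            attempt.principal = s.group("principal")
            attempt.roles = {r for r in (s.group("roles") or "").split(",") if r}
        elif e := END_RE.search(line):
            attempt.valid = e.group(1) == "true"
    return attempts


def ejb_connection_identity(properties_text: str) -> Optional[str]:
    """Username of the first connection listed in remote.connections (the post has one)."""
    props = {}
    for line in properties_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.lstrip().startswith("#"):
            props[key.strip()] = value.strip()
    connection = props.get("remote.connections", "").split(",")[0].strip()
    return props.get(f"remote.connection.{connection}.username")


def check_connection_identity(log_text: str, properties_text: str):
    """Return (connection user, sorted roles the server gave that user), or
    (connection user, None) if that user never authenticated successfully in the log."""
    user = ejb_connection_identity(properties_text)
    for attempt in parse_authentications(log_text).values():
        if attempt.principal == user and attempt.valid:
            return user, sorted(attempt.roles)
    return user, None


if __name__ == "__main__":
    for a in parse_authentications(SAMPLE_LOG).values():
        print(f"{a.thread}: principal={a.principal} valid={a.valid} roles={sorted(a.roles)}")
    user, roles = check_connection_identity(SAMPLE_LOG, SAMPLE_PROPERTIES)
    print(f"EJB client connects as {user!r}; server-side roles for that user: {roles}")
```

Run it against the full TRACE output and the real jboss-ejb-client.properties. If the user the client connects as comes back with an empty role set, as guest does here, invocations made over that connection will not carry admin2's roles, whatever authenticated on another thread. Two things worth checking alongside that output: in AS 7 the value of @SecurityDomain is the name of a <security-domain> in the security subsystem (career in this configuration), whereas EJBRealm1 is a management <security-realm> referenced by the remoting connector; and the @SecurityDomain line here sits inside the /** */ Javadoc block, so verify it actually reaches the generated bean class.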