30 Replies Latest reply on Aug 1, 2013 4:02 AM by ejb3workshop

    Accessing EJB from web application packaged within same EAR

    ejb3workshop

      Our application consists of a JAR file which contains the EJBs and multiple WAR files. In previous releases of JBoss this worked great, however since migrating to JBoss 7 we are getting errors when invoking the EJBs from the web applications.

       

      12:34:01,141 INFO  [org.hornetq.ra] (default-threads - 1) HQ151001: Attempting to reconnect org.hornetq.ra.inflow.HornetQActivationSpec(ra=org.hornetq.ra.HornetQResourceAdapter@28665087 destination=java:/queue/DLQ destinationType=javax.jms.Queue ack=Auto-acknowledge durable=false clientID=null user=null maxSession=1)

      12:40:48,707 ERROR [org.jboss.as.ejb3.invocation] (http-/127.0.0.1:8080-2) JBAS014134: EJB Invocation failed on component AdministratorBean for method public abstract java.util.List com.abc.backend.services.AdministratorService.getBatchStatusSummary(com.abc.backend.pojo.PageViewConfig): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.util.List com.abc.backend.services.AdministratorService.getSummary(com.abc.backend.pojo.PageViewConfig) of bean: AdministratorBean is not allowed

              at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:114) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:222) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at com.sun.proxy.$Proxy21.getSummary(Unknown Source)

      We are declaring the security domain in both jboss-web.xml

       

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-web>
      ...
      <security-domain flushOnSessionInvalidation="true">ABCAdministration</security-domain>
      </jboss-web>

      as well as jboss-ejb3.xml

      <?xml version="1.1" encoding="UTF-8"?>
      <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
                     xmlns="http://java.sun.com/xml/ns/javaee"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:c="urn:clustering:1.0"
                     xmlns:s="urn:security"
                     xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
                     version="3.1"
                     impl-version="2.0">
        <assembly-descriptor>
          <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>ABCAdministration</s:security-domain>
          </s:security>
        </assembly-descriptor>
        <enterprise-beans>
      ...
        </enterprise-beans>
      </jboss:ejb-jar>

      Any suggestions on how to resolve this issue?

        • 1. Re: Accessing EJB from web application packaged within same EAR
          ybxiang.china

          g): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.util.List com.abc.backend.services.AdministratorService.getSummary(com.abc.backend.pojo.PageViewConfig) of bean: AdministratorBean is not allowed

          ~~~~~~~~This is the root cause.

           

          Please NOTE that:

           

           

          (1) Before JBoss AS 7.1.1, any EJB method is allowed to be called by default.

          <subsystem xmlns="urn:jboss:domain:ejb3:1.4">
          ...
          <iiop enable-by-default="false" use-qualified-name="false"/>
          </subsystem>

          (2) Since JBoss AS 7.2, any EJB method is NOT allowed to be called by default.

          <subsystem xmlns="urn:jboss:domain:ejb3:1.3">
          ...
          <iiop enable-by-default="false" use-qualified-name="false"/>
          <default-security-domain value="other"/>
          <default-missing-method-permissions-deny-access value="true"/>
          </subsystem>

           

           

           

           

          Two kinds of solutions:

          (a) Fast but NOT good:

          in standalone.xml, change

          <default-missing-method-permissions-deny-access value="true"/>

          to

          <default-missing-method-permissions-deny-access value="false"/>

           

          This is the fast way to make your app work. But this will cause a security issue: by default, any of your EJB methods can be called by any caller.

           

           

          (b) Add annotations to your "not allowed method":

          @PermitAll()

          or

          @RolesAllowed({"some.role(s).allowed.to.call.this.method"})
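An added example, not part of the original post or of JBoss: a small reflection-based audit that lists which public methods of a bean class carry no @PermitAll, @RolesAllowed or @DenyAll, which are the methods that default-missing-method-permissions-deny-access decides on. The nested annotations and the sample beans are constructed stand-ins (hypothetical names) so the file compiles without a Java EE jar; permissions declared in jboss-ejb3.xml or ejb-jar.xml are not read.

```java
import java.lang.annotation.Annotation;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.AnnotatedElement;
import java.lang.reflect.Method;
import java.lang.reflect.Modifier;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;

public class EjbPermissionAudit {

    // Stand-ins for javax.annotation.security.* so this file compiles without a Java EE jar.
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface PermitAll {}
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface RolesAllowed { String[] value(); }
    @Retention(RetentionPolicy.RUNTIME) @Target({ElementType.TYPE, ElementType.METHOD})
    @interface DenyAll {}

    // Matched by simple name, so the real annotations are recognised as well.
    private static final List<String> SECURITY =
            Arrays.asList("PermitAll", "RolesAllowed", "DenyAll");

    /** Returns "@Name" of the security annotation written directly on e, or null. */
    static String declared(AnnotatedElement e) {
        for (Annotation a : e.getDeclaredAnnotations()) {
            String name = a.annotationType().getSimpleName();
            if (SECURITY.contains(name)) {
                return "@" + name;
            }
        }
        return null;
    }

    /** Maps each public instance method (name/arity) to the annotation that governs it. */
    static Map<String, String> audit(Class<?> bean) {
        Map<String, String> report = new TreeMap<>();
        for (Method m : bean.getMethods()) {
            if (m.getDeclaringClass() == Object.class || m.isSynthetic()
                    || Modifier.isStatic(m.getModifiers())) {
                continue;
            }
            // A method-level annotation wins; otherwise use the one on the class that
            // declares the method, so inherited methods are not covered by the subclass.
            String perm = declared(m);
            String source = "method";
            if (perm == null) {
                perm = declared(m.getDeclaringClass());
                source = "class " + m.getDeclaringClass().getSimpleName();
            }
            report.put(m.getName() + "/" + m.getParameterCount(),
                    perm == null ? "NO SECURITY METADATA" : perm + " (from " + source + ")");
        }
        return report;
    }

    // Constructed sample beans, shaped like the bean in this thread (hypothetical names).
    public static class SampleManagedBase {
        public String getStatus() { return "ok"; }
    }

    @RolesAllowed("AdministrationRole")
    public static class SampleAdministratorBean extends SampleManagedBase {
        public Properties getConfigurationProperties() { return new Properties(); }
        @PermitAll public String ping() { return "pong"; }
    }

    public static void main(String[] args) {
        audit(SampleAdministratorBean.class)
                .forEach((method, perm) -> System.out.println(method + " -> " + perm));
    }
}
```

Methods reported as NO SECURITY METADATA are the ones that are rejected with value="true" and callable by any caller with value="false".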

          • 2. Re: Accessing EJB from web application packaged within same EAR
            ejb3workshop

            Is there no other option which would allow the web application to run as a "trusted" client to the EJB with the trust being based on both applications originating from the same ear? Ideally what I am after is to configure the EJB to require authentication and the web application to provide the authentication without specifying username and password within the web application.

            • 3. Re: Accessing EJB from web application packaged within same EAR
              ybxiang.china

              Is there no other option which would allow the web application to run as a "trusted" client to the EJB with the trust being based on both applications originating from the same ear?

              ~~~~~ Ignoring security is bad. I had given you a bad solution and a good solution.

              Ideally what I am after is to configure the EJB to require authentication and the web application to provide the authentication without specifying username and password within the web application.

              ~~~~~~~~~~ Are you kidding? In my mind, an unsecured app (here, your web app) should never access a secured app (here, your ejb app).

                                      Can/Should you (unsecured) take away money from a bank (secured) without any restriction?

              • 4. Re: Accessing EJB from web application packaged within same EAR
                ejb3workshop

                Thanks for your help with this. Would it not be possible to configure role based access on the EJB using either the @PermitAll for un-secured methods and @RolesAllowed for secured ones.

                @PermitAll()

                or

                @RolesAllowed({"some.role(s).allowed.to.call.this.method"})

                and then to define the run-as role / principal in the web.xml or jboss-web.xml files? Could this resolve my problem? I found this link (http://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/J2EE_Declarative_Security_Overview-Security_Identity.html) which goes back quite a while. Hopefully there is still something equivalent in the newer JEE specification. Any suggestions?

                • 5. Re: Accessing EJB from web application packaged within same EAR
                  jaikiran

                  javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.util.List com.abc.backend.services.AdministratorService.getSummary(com.abc.backend.pojo.PageViewConfig) of bean: AdministratorBean is not allowed

                  What does that method look like? Please include any annotations you have used on that method.

                   

                  If you want that method to be accessible to all clients you can just mark it as @PermitAll. Isn't that working?

                   

                  Having said that, I don't understand one of your posts here which says that the access should be granted because it's part of the same .ear. We never had that "feature". Access is always granted based on the incoming roles and the roles associated with the method being invoked.

                  • 6. Re: Accessing EJB from web application packaged within same EAR
                    jaikiran

                    By the way, which exact version of JBoss AS7 or WildFly is this?

                    • 7. Re: Accessing EJB from web application packaged within same EAR
                      ybxiang.china

                      and then to define the run-as role / principal in the web.xml or jboss-web.xml files?

                      ~~~~~~~~Of course you can replace any EJB annotation with an xml element in jboss-ejb3.xml.

                      • 8. Re: Accessing EJB from web application packaged within same EAR
                        ybxiang.china

                        I will write an article about the security setting before 2013-08-10 and post it to jboss forum.

                        I think too many people need it.

                        • 9. Re: Accessing EJB from web application packaged within same EAR
                          ejb3workshop

                          Thanks looking forward to the article.

                           

                          I now have a couple of options:

                           

                          Startup bean using @RunAs and @RolesAllowed

                          @Stateless(name = "AdministratorBean")
                          @RolesAllowed("AdministrationRole")
                          public class AdministratorBean extends AbstractManagedBean implements AdministratorRemote, AdministratorLocal
                          {
                            public Properties getConfigurationProperties() {
                              Properties properties = new Properties();
                              ...
                              return properties;
                            }
                          }

                          and

                          @Startup
                          @RunAs("AdministrationRole")
                          @Singleton
                          public class StartupBean
                          {
                            @EJB
                            private AdministratorLocal m_administatorService;

                            @PostConstruct
                            public void init()
                            {
                              Properties properties = m_administatorService.getConfigurationProperties();
                            }
                          }

                          However this still resulted in the original error. Only once I added @PermitAll to the getConfigurationProperties method did things start to work.

                           

                          Using a startup servlet instead of the StartupBean and specifying the RunAs role fails with a different exception:

                          @RunAs("AdministrationRole")

                          public class StartupServlet extends HttpServlet {

                          Exception using StartupServlet:

                          13:24:29,750 ERROR [org.jboss.as.ejb3.invocation] (ServerService Thread Pool -- 79) JBAS014134: EJB Invocation failed on component AdministratorBean for method public abstract java.util.Properties com.abc.backend.services.AdministratorService.getConfigurationProperties(): java.lang.RuntimeException: java.lang.IllegalStateException: PBOX000075: The property AuthorizationManager is null

                                  at org.jboss.as.security.service.SimpleSecurityManager.authorize(SimpleSecurityManager.java:258) [jboss-as-security-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:112) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:222) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at com.sun.proxy.$Proxy26.getConfigurationProperties(Unknown Source)

                          It looks like the only option of getting this working is to add @PermitAll either to the method(s) or the class. Maybe I am doing something wrong and don't properly understand @RunAs. Any pointers on getting this resolved are greatly appreciated.

                          I am on JBEAP 6.1.0 (7.2.0).

                          • 10. Re: Accessing EJB from web application packaged within same EAR
                            ybxiang.china

                            I think @RunAs("AdministrationRole") can NOT be used on JSF MBean or Servlet.

                            @RunAs, @RolesAllowed can ONLY be used on EJB.

                            When you log in to your web application (form or basic style) with username and password, your role(s) is ALREADY decided automatically by JAAS through your username.

                            How could you assign a role to a JSF MBean dynamically?

                             

                            You are abusing them!

                             

                            • 11. Re: Accessing EJB from web application packaged within same EAR
                              ejb3workshop

                              I got the idea from here: http://docs.oracle.com/cd/E19226-01/820-7627/bnbyr/index.html

                               

                              Looks like I am not the first one to try this either : https://community.jboss.org/thread/175108

                              • 12. Re: Accessing EJB from web application packaged within same EAR
                                ybxiang.china

                                However this still resulted in the original error.

                                ~~~~~~~~~~Have you logged in to your web application with username (associated with some roles) and password?

                                Only once I added @PermitAll to the getConfigurationProperties method did things start to work.

                                ~~~~~~~~~~I think you did wrong things in login step and do NOT master enough JAAS info.

                                If you can wait, please add @PermitAll to your method temporarily to make your application work temporarily.

                                You need a good understanding of the JAAS. I will post the JBoss 7 JAAS configuration article in 5 days, you can learn from it.

                                Indeed, there are few articles about the full JAAS configuration in JBoss 7.

                                • 13. Re: Accessing EJB from web application packaged within same EAR
                                  ejb3workshop

                                  Looking forward to the article.

                                  • 14. Re: Accessing EJB from web application packaged within same EAR
                                    ybxiang.china

                                    Maybe I am wrong about the @RunAs description.

                                     

                                    I replaced all RunAs with @PermitAll or @RolesAllowed in my code long long ago, I just could NOT understand/use it well.

                                    But I still can make my web/ejb/ear applications work well through JAAS without .

                                     

                                    JAAS is really good!

                                     
