6 Replies Latest reply on Oct 3, 2013 4:33 PM by elsimo

Issue in JBoss AS 7 fine grained authorization using picketbox/picketlink XACML

deepak.sambrani Aug 22, 2013 11:45 AM

I'm trying to use the fine grained authorization using XACML in Jboss AS 7.1, I'm getting following error. The config files used are under WEB-INF are

WEB-INF/

jboss-web.xml

jbossxacml-config.xml

jboss-xacml-policy.xml

web.xml

Also I've attached the web app war file and the standalone.xml. By the error it seems the policy registration has not happened. Can anyone guide me in in resolving this error.

Thanks in advance.

23:53:43,406 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (http--127.0.0.1-8080-1) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.XACMLAuthorizationModule:{}REQUIRED}is:[REQUIRED]

23:53:43,416 DEBUG [org.jboss.security.authorization.modules.XACMLAuthorizationModule] (http--127.0.0.1-8080-1) Error with delegate:: java.lang.IllegalStateException: PB00015: Null Value:PolicyRegistration passed is null

at org.jboss.security.authorization.modules.web.WebXACMLPolicyModuleDelegate.authorize(WebXACMLPolicyModuleDelegate.java:86) [picketbox-4.0.6.final.jar:]

at org.jboss.security.authorization.modules.AbstractAuthorizationModule.invokeDelegate(AbstractAuthorizationModule.java:147) [picketbox-4.0.6.final.jar:]

at org.jboss.security.authorization.modules.XACMLAuthorizationModule.authorize(XACMLAuthorizationModule.java:53) [picketbox-4.0.6.final.jar:]

at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:244) [picketbox-4.0.6.final.jar:]

at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$0(JBossAuthorizationContext.java:227) [picketbox-4.0.6.final.jar:]

at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:157) [picketbox-4.0.6.final.jar:]

at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.6.0_33]

at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:153) [picketbox-4.0.6.final.jar:]

at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:441) [picketbox-4.0.6.final.jar:]

at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:119) [picketbox-4.0.6.final.jar:]

at org.jboss.security.plugins.javaee.WebAuthorizationHelper.hasUserDataPermission(WebAuthorizationHelper.java:273) [picketbox-4.0.6.final.jar:]

at org.jboss.as.web.security.JBossWebRealm.hasUserDataPermission(JBossWebRealm.java:623) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:425) [jbossweb-7.0.10.Final.jar:]

at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:154) [jboss-as-web-7.1.0.Final.jar:7.1.0.Final]

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:155) [jbossweb-7.0.10.Final.jar:]

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [jbossweb-7.0.10.Final.jar:]

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [jbossweb-7.0.10.Final.jar:]

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:368) [jbossweb-7.0.10.Final.jar:]

at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:877) [jbossweb-7.0.10.Final.jar:]

at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:671) [jbossweb-7.0.10.Final.jar:]

at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:930) [jbossweb-7.0.10.Final.jar:]

at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_33]

xacml-requestattrib.war 5.3 KB
standalone.xml 22.0 KB

1. Re: Issue in JBoss AS 7 fine grained authorization using picketbox/picketlink XACML

anil.saldhana Aug 22, 2013 11:48 AM (in response to deepak.sambrani)

We do not support EJB or Web Authorization using XACML in JBAS7+. We want to guage developer demand for this feature.

We integrate the XACML engine only. So you have to use the xacml engine in your apps directly. So best is to write a filter where you load up the policies and do enforcement.
Actions
2. Re: Issue in JBoss AS 7 fine grained authorization using picketbox/picketlink XACML

anil.saldhana Aug 22, 2013 11:49 AM (in response to deepak.sambrani)

Starting JBossAS7+, we do not support the use case of xacml authorization for ejb and web applications. We want to guage developer interest in this feature.

XACML engine is available though. So you can directly make use of the xacml interfaces to do authorization for your web apps directly. Maybe via servlet filter.
Actions
3. Re: Issue in JBoss AS 7 fine grained authorization using picketbox/picketlink XACML

jcacek Aug 28, 2013 2:36 AM (in response to deepak.sambrani)

Hi Deepak,
you can implement your own Authorization module, which initializes PDP itself, as a workaround.
Look at this implementation in the testsuite:
https://github.com/wildfly/wildfly/blob/master/testsuite/integration/basic/src/test/java/org/jboss/as/test/integration/s…

Add the implementation to your classes in the war file and configure security-domain to use it.

It seems, there is still missing support in Undertow (web server in Wildfly 8), but I have no problem to use it with JBoss web (AS 7.x, EAP 6.x).
Actions
4. Re: Issue in JBoss AS 7 fine grained authorization using picketbox/picketlink XACML

elsimo Sep 30, 2013 11:54 AM (in response to jcacek)

Hi Josef,
Can you please elaborate more on your suggestion of using a custom authorization module? How can I plug it in with PicketBox to provide authorization for web resources?

Thanks,
Simo
Actions
5. Re: Re: Issue in JBoss AS 7 fine grained authorization using picketbox/picketlink XACML

jcacek Oct 3, 2013 8:35 AM (in response to elsimo)

Have a look at this project: https://github.com/jboss-security-qe/as7-xacml-demo
Actions
6. Re: Re: Issue in JBoss AS 7 fine grained authorization using picketbox/picketlink XACML

elsimo Oct 3, 2013 4:33 PM (in response to jcacek)

Thanks a lot Josef, this is exactly what I need.
Actions

Go to original post