5 Replies Latest reply on Dec 8, 2014 6:53 AM by falkdresden

    JBoss eap 6.2 - Why is roleGroup in SimpleSecurityManager.isCallerInRole null?

    falkdresden

      Hi,

      I got a NullPointerException in 'org.jboss.as.security.service.SimpleSecurityManager.isCallerInRole(SimpleSecurityManager.java:207) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]'

      Line 207 is:  List<Role> roles = roleGroup.getRoles();

      The code before line 207 is:

      if (runAs != null && runAs instanceof RunAsIdentity) {
          RunAsIdentity runAsIdentity = (RunAsIdentity) runAs;
          roleGroup = runAsIdentity.getRunAsRolesAsRoleGroup();
      } else {
          AuthorizationManager am = securityContext.getAuthorizationManager();
          SecurityContextCallbackHandler scb = new SecurityContextCallbackHandler(securityContext);
          roleGroup = am.getSubjectRoles(securityContext.getSubjectInfo().getAuthenticatedSubject(), scb);
      }
      List<Role> roles = roleGroup.getRoles();

      I'm working with Win7 and Eclipse Luna. My standalone.xml contains the following:

      ...
      </security-domain>
      <security-domain name="other" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmDirect" flag="required">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      <security-domain name="jboss-web-policy" cache-type="default">
      ...

      and I added a user with two roles by executing 'add-user.bat'.

      Does someone know why roleGroup is null there?

      Falk

        • 1. Re: JBoss eap 6.2 - Why is roleGroup in SimpleSecurityManager.isCallerInRole null?
          jaikiran

          Please post the entire exception stacktrace and more details on what users were added and to what roles. Also what resource is being authenticated (call to an EJB?) and how?

          • 2. Re: Re: JBoss eap 6.2 - Why is roleGroup in SimpleSecurityManager.isCallerInRole null?
            falkdresden

            Hi,

            My code of the enterprise java bean is as follows:

            import javax.annotation.Resource;
            import javax.ejb.EJB;
            import javax.ejb.LocalBean;
            import javax.ejb.SessionContext;
            import javax.ejb.Stateless;

            @Stateless
            @LocalBean
            public class RuleEvaluator {
                @Resource
                private SessionContext sessionContext;
                @EJB
                RuleProvider ruleProvider;
                ...

                public RuleResult evaluate(Rule topRule) {
                    return evaluateRule(topRule);
                }

                private RuleResult evaluateRule(Rule rule) {
                    // call 'evaluateLogicRule' or 'evaluateComparingRule'
                }

                private static final class RoleValidatingCallback extends SessionAwareCallback {
                    private final Rule comparingRule;

                    private RoleValidatingCallback(SessionContext session, Rule comparingRule) {
                        super(session);
                        this.comparingRule = comparingRule;
                    }

                    @Override
                    public RuleResult methode(String value) {
                        RuleResult result = RuleResult.ERROR;
                        RuleType ruleType = comparingRule.getType();

                        if (ruleType == RuleType.COMPARING_EQUAL || ruleType == RuleType.COMPARING_NOTEQUAL) {
                            // the role check runs here, on the SessionContext captured in the constructor
                            result = (session.isCallerInRole(value)) ? RuleResult.TRUE : RuleResult.FALSE;
                        }
                        result = invertResultForRuleTypeNotEqualAndNegated(result, comparingRule);
                        return result;
                    }
                }

                ...

                private abstract static class SessionAwareCallback implements Callback {
                    protected final SessionContext session;

                    public SessionAwareCallback(SessionContext session) {
                        this.session = session;
                    }
                }

                private void injectCallbackMethods(final Rule comparingRule) {
                    Placeholder currentUserRole = Placeholder.getByLiteral("<current user role>");
                    currentUserRole.injectCallbackMethode(new RoleValidatingCallback(sessionContext, comparingRule));
                }

                private RuleResult evaluateComparingRule(final Rule comparingRule) {
                    ...
                    injectCallbackMethods(comparingRule);
                    ...
                    // execute callback method if present
                    if (searchResult.hasCallbackMethode()) {
                        result = searchResult.executeInjectedCallbackMethode(operands.get(SECOND_ELEMENT).getValue());
                    }
                    ...
                }

                private RuleResult evaluateLogicRule(Rule rule, RuleResult abortCriteriaForSubRule) {
                    ...
                    currentSubResult = evaluateRule(subRule);
                    ...
                }
            }

            // other java file:
            public interface Callback {
                RuleResult methode(String value);
            }

            As you can see, the method that causes the NullPointerException was injected as a callback and is executed later. Inside the callback the session context is stored because it is needed later when calling 'session.isCallerInRole'.

            You can read my slightly modified stack trace here:


            09:27:07,257 ERROR [org.jboss.as.ejb3] (http-localhost/127.0.0.1:8080-1) javax.ejb.EJBTransactionRolledbackException
            09:27:07,257 ERROR [org.jboss.as.ejb3.invocation] (http-localhost/127.0.0.1:8080-1) JBAS014134: EJB-Aufruf an Komponente RuleEvaluator für Methode public ... .RuleResult ... .RuleEvaluator.evaluate(... .Rule) fehlgeschlagen: javax.ejb.EJBTransactionRolledbackException
              at org.jboss.as.ejb3.tx.CMTTxInterceptor.handleInCallerTx(CMTTxInterceptor.java:162) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:252) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:341) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:238) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at ... .RuleEvaluator$$$view12.evaluate(Unknown Source) [... .dataService.jar:]
              at ... .RestfulEjbCallerClient.findAndEvaluateRule(RestfulEjbCallerClient.java:325)
              at ... .RestfulEjbCallerClient.evaluateRules(RestfulEjbCallerClient.java:274)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_67]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_67]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_67]
              at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_67]
              ...
              ...
              at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at ... .RestfulEjbCallerClient$$$view7.evaluateRules(Unknown Source)
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_67]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_67]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_67]
              at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_67]
              at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:216) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.7.Final-redhat-2.jar:2.3.7.Final-redhat-2]
              at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
              at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
              at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
              at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
              at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
              at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.security.negotiation.NegotiationAuthenticator$WrapperValve.invoke(NegotiationAuthenticator.java:336) [jboss-negotiation-common-2.2.6.Final-redhat-1.jar:2.2.6.Final-redhat-1]
              at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:407)
              at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
              at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
              at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
              at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
              at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:336)
              at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
              at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
              at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:920)
              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_67]
            Caused by: java.lang.NullPointerException
              at org.jboss.as.security.service.SimpleSecurityManager.isCallerInRole(SimpleSecurityManager.java:207) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.as.ejb3.component.EJBComponent.isCallerInRole(EJBComponent.java:378) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.as.ejb3.context.EJBContextImpl.isCallerInRole(EJBContextImpl.java:113) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at ... .RuleEvaluator$RoleValidatingCallback.methode(RuleEvaluator.java:135) [... .jar:]
              at ... .Placeholder$3.executeInjectedCallbackMethode(Placeholder.java:93) [... .jar:]
              at ... .RuleEvaluator.evaluateComparingRule(RuleEvaluator.java:202) [... .jar:]
              at ... .RuleEvaluator.evaluateRule(RuleEvaluator.java:74) [... .jar:]
              at ... .RuleEvaluator.evaluate(RuleEvaluator.java:50) [... .jar:]
              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_67]
              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_67]
              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_67]
              at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_67]
              at org.jboss.as.ee.component.ManagedReferenceMethodInterceptorFactory$ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptorFactory.java:72) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:58) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47) [jboss-as-jpa-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53) [jboss-as-ee-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.2.Final-redhat-1.jar:1.1.2.Final-redhat-1]
              at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:250) [jboss-as-ejb3-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]
              ... 102 more

             

            The user that was added, 'mainUser' with the roles 'Moderator' and 'SuperAdmin', is stored in the configuration folder of JBoss.

            I hope I added all the information you need.

            Falk
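            As an added example, not code from this thread and not the poster's project, here is a fail-closed wrapper around SessionContext.isCallerInRole that fits both the SimpleSecurityManager snippet in the opening post (the role group is resolved from the authenticated subject at the moment isCallerInRole is called) and the callback design above (the check is deferred and runs later on a captured SessionContext). If the call reaches the bean without an authenticated subject, the wrapper answers "not in role" and logs why, instead of letting the container's exception roll back the transaction. The class name RoleCheck, the use of java.util.logging, and the principal names listed in UNAUTHENTICATED_NAMES are assumptions for the example; which name the container reports for an unauthenticated caller is configuration, not something this class can know.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.SessionContext;

/**
 * Added example, not code from this thread: a fail-closed wrapper around
 * SessionContext.isCallerInRole that a bean can hand to a deferred callback
 * instead of the raw SessionContext.
 *
 * Assumptions (none taken from the thread): the class name RoleCheck, the use of
 * java.util.logging, and that an unauthenticated caller is reported either as a
 * null principal or as a principal whose name is in UNAUTHENTICATED_NAMES.
 */
public final class RoleCheck {

    private static final Logger LOG = Logger.getLogger(RoleCheck.class.getName());

    // Principal names treated as "nobody is logged in". Assumed values for the example;
    // the real name comes from the container's security configuration.
    private static final Set<String> UNAUTHENTICATED_NAMES = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("anonymous", "guest")));

    private final SessionContext session;

    public RoleCheck(SessionContext session) {
        if (session == null) {
            throw new IllegalArgumentException("SessionContext is required");
        }
        this.session = session;
    }

    /** True only if a caller principal is present and it is not one of the unauthenticated names. */
    public boolean isAuthenticated() {
        final Principal caller;
        try {
            caller = session.getCallerPrincipal();
        } catch (RuntimeException e) {
            // getCallerPrincipal may throw IllegalStateException outside an invocation;
            // a missing security context counts as "not authenticated" here
            LOG.log(Level.FINE, "getCallerPrincipal failed, treating caller as unauthenticated", e);
            return false;
        }
        return caller != null
                && caller.getName() != null
                && !UNAUTHENTICATED_NAMES.contains(caller.getName());
    }

    /**
     * Returns true only if the caller is authenticated and the container confirms the role.
     * Any failure while the container resolves the caller's roles is logged and answered
     * with false, so a misconfiguration shows up as a denied check plus a log line rather
     * than as an EJBTransactionRolledbackException.
     */
    public boolean isCallerInRole(String role) {
        if (role == null || role.isEmpty()) {
            return false;
        }
        if (!isAuthenticated()) {
            LOG.warning("Role check for '" + role + "' denied: caller is not authenticated"
                    + " (is the web entry point covered by a <security-constraint>?)");
            return false;
        }
        try {
            return session.isCallerInRole(role);
        } catch (RuntimeException e) {
            // e.g. the NullPointerException from SimpleSecurityManager.isCallerInRole seen
            // in this thread, thrown when no role group could be built for the caller
            LOG.log(Level.WARNING, "Role check for '" + role + "' failed; denying access", e);
            return false;
        }
    }

    /** Convenience for rules that accept any one of several roles. */
    public boolean isCallerInAnyRole(String... roles) {
        for (String role : roles) {
            if (isCallerInRole(role)) {
                return true;
            }
        }
        return false;
    }
}
```

            In the bean above this would mean constructing the callback with `new RoleCheck(sessionContext)` and calling `isCallerInRole(value)` on that object. Note what the wrapper does not do: it authenticates nobody. If a request reaches the bean with no authenticated subject, the wrapper only turns the exception into a denied check and a warning in the server log; the authentication setup in front of the bean still has to be corrected.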


            • 3. Re: JBoss eap 6.2 - Why is roleGroup in SimpleSecurityManager.isCallerInRole null?
              jaikiran

              The NullPointerException isn't a good sign. Can you enable TRACE level logs of the security packages (especially org.jboss.security package) and post those logs here?

              • 4. Re: JBoss eap 6.2 - Why is roleGroup in SimpleSecurityManager.isCallerInRole null?
                jaysensharma

                Falk, can you try the same application on EAP 6.3? It should not throw a NullPointerException there.

                Caused by: java.lang.NullPointerException
                  at org.jboss.as.security.service.SimpleSecurityManager.isCallerInRole(SimpleSecurityManager.java:207) [jboss-as-security-7.3.0.Final-redhat-14.jar:7.3.0.Final-redhat-14]

                Check for: CVE-2014-3472

                • 5. Re: JBoss eap 6.2 - Why is roleGroup in SimpleSecurityManager.isCallerInRole null?
                  falkdresden

                  Sorry, I made a lot of changes and don't know which one solved the problem.

                  One possibility is that the <security-constraint> tag in the web.xml was missing, but I'm not sure.

                  If this is not the reason at all, then please delete this discussion.

                  Falk