2 Replies Latest reply on Jan 29, 2017 5:36 PM by karlnicholas

EJB Security Fails when app deployed in EAR format (but ok in WAR format)

karlnicholas Jan 29, 2017 12:31 PM

I cannot get EJB security to work when deploying as an EAR. It works on the same server when deployed as a WEB.

Code when deployed as a WAR . Using a Database authentication configuration. At this point in the logs the code is calling the "merge" function in a @Stateless bean.

2017-01-29 09:14:49,708 DEBUG [org.jboss.security] (default task-11) PBOX00291: Method: merge, interface: Local, required roles: Roles(USER,)

2017-01-29 09:14:49,708 TRACE [org.jboss.security.audit] (default task-11) [Success]Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public model.User service.UserSessionBean.merge(model.User):ejbMethodInterface=Local:ejbName=UserSessionBean:ejbPrincipal=org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@bdaf3b8d:MethodRoles=Roles(USER,):securityRoleReferences=null:callerSubject=Subject:

Principal: XXXXXXXX@outlook.com

Principal: Roles(members:USER)

Principal: CallerPrincipal(members:XXXXXXX@outlook.com)

:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];Action=authorization;Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;policyRegistration=null;

2017-01-29 09:14:49,721 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null

2017-01-29 09:14:49,732 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null

2017-01-29 09:14:53,489 TRACE [org.jboss.security] (default task-12) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@bdaf3b8d, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@57ee7d60

This code is deployed as an EAR. if I call something annotated with @PermitAll then it's allowed, but when annotationed with @RolesAllowed("USER") then I get this failure.

2017-01-29 08:50:11,797 DEBUG [org.jboss.security] (default task-12) PBOX00291: Method: merge, interface: Local, required roles: Roles(USER,)

2017-01-29 08:50:11,797 DEBUG [org.jboss.security] (default task-12) PBOX00292: Insufficient method permissions [principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@7d289613, EJB name: UserService, method: merge, interface: Local, required roles: Roles(USER,), principal roles: Roles(**,), run-as roles: null]

2017-01-29 08:50:11,798 DEBUG [org.jboss.security] (default task-12) PBOX00299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed

2017-01-29 08:50:11,798 DEBUG [org.jboss.security] (default task-12) PBOX00325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX00017: Acces denied: authorization failed

at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:274)

1. Re: EJB Security Fails when app deployed in EAR format (but ok in WAR format)

karlnicholas Jan 29, 2017 5:03 PM (in response to karlnicholas)

To add some followup and more information: It seems to be related to authorization in the security-domain portion of standalone.xml. I can add a authorization tag and set the policy-module to code PermitAll and then it starts working, but that is circumvention the ejb-security and just allowing everything to go through. It's not a remoting issue because as the logs show the interface is "Local".

I've tried most everything I can find for suggestions, but it's just not working. I don't know how to setup authorization as a Database login module, but I should think I don't need to do that. There are no obvious examples in the quickstarts.

This on Wildfly 10. Another output from the logs .. hopefully more detail.

2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00291: Method: merge, interface: Local, required roles: Roles(USER,)
2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00292: Insufficient method permissions [principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@7d289613, EJB name: UserService, method: merge, interface: Local, required roles: Roles(USER,), principal roles: Roles(**,), run-as roles: null]
2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed
2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX00017: Acces denied: authorization failed
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:274)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147)
at java.security.AccessController.doPrivileged(Native Method)

then ..

2017-01-29 13:59:27,631 TRACE [org.jboss.security.audit] (default task-12) [Failure]Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public opca.model.User opca.service.UserService.merge(opca.model.User):ejbMethodInterface=Local:ejbName=UserService:ejbPrincipal=org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@7d289613:MethodRoles=Roles(USER,):securityRoleReferences=null:callerSubject=Subject:
Principal: test@test.com
Principal: roles(members:USER)
Principal: CallerPrincipal(members:test@test.com)
:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];Action=authorization;Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;policyRegistration=null;Exception:=PBOX00017: Acces denied: authorization failed ;
2017-01-29 13:59:27,631 TRACE [org.jboss.security] (default task-12) PBOX00354: Setting security roles ThreadLocal: null
2017-01-29 13:59:27,632 ERROR [org.jboss.as.ejb3.invocation] (default task-12) WFLYEJB0034: EJB Invocation failed on component UserService for method public opca.model.User opca.service.UserService.merge(opca.model.User): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public opca.model.User opca.service.UserService.merge(opca.model.User) of bean: UserService is not allowed
at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:134)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)
Actions
2. Re: EJB Security Fails when app deployed in EAR format (but ok in WAR format)

karlnicholas Jan 29, 2017 5:36 PM (in response to karlnicholas)

The answer was to change

<module-option name="rolesQuery" value="select r.role, 'roles' from user_role ur inner join role r on r.id = ur.roles_id inner join user u on u.id = ur.user_id where u.email = ?"/>

to

<module-option name="rolesQuery" value="select r.role, 'Roles' from user_role ur inner join role r on r.id = ur.roles_id inner join user u on u.id = ur.user_id where u.email = ?"/>
Actions

Go to original post