3 Replies Latest reply on Nov 29, 2017 7:56 AM by irfan.dogar

    Session Context is Anonymous when called from MDB

    irfan.dogar

      Hi All,

      We have recently migrated our application from JBoss 4.2.3 to WildFly 10.0.Final. Everything is working fine, but we are facing an issue with SessionContext propagation from our MDB. The SessionContext principal is always anonymous. We have our custom security domain defined in our standalone.xml:

       

      <security-domain name="acegi-simple">
          <authentication>
              <login-module code="com.os.sp.undertow.extension.CustomSpringSecurityModule" flag="required">
                  <module-option name="dsJndiName" value="java:/OSSPDS"/>
                  <module-option name="hashAlgorithm" value="MD5"/>
                  <module-option name="hashEncoding" value="hex"/>
                  <module-option name="appContextLocation" value="META-INF/acegi-simple.xml"/>
                  <module-option name="key" value="required_key"/>
              </login-module>
          </authentication>
          <authorization>
              <policy-module code="com.os.sp.undertow.extension.CustomSpringSecurityModule" flag="required">
                  <module-option name="dsJndiName" value="java:/OSSPDS"/>
                  <module-option name="hashAlgorithm" value="MD5"/>
                  <module-option name="hashEncoding" value="hex"/>
                  <module-option name="appContextLocation" value="META-INF/acegi-simple.xml"/>
                  <module-option name="key" value="required_key"/>
              </policy-module>
          </authorization>
      </security-domain>

      The initial context initialisation is successful and we are passing dynamic values in username / password:

       

      @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
      public void onMessage(Message message) {
          try {
              if (message instanceof ObjectMessage) {
                  Object obj = ((ObjectMessage) message).getObject();

                  if (obj instanceof ImportActivatorMessage) {
                      ImportActivatorMessage icmessage = (ImportActivatorMessage) obj;
                      if (LOG.isDebugEnabled()) {
                          LOG.debug("onMessage(): Received %s message. Processing...", icmessage);
                      }

                      context = ImportProcessingUtils.initContext(icmessage.getContact());
                      switch (icmessage.getType()) {
                      case ImportActivatorMessage.ACTION_PROCESSLINES:
                          if (LOG.isDebugEnabled()) {
                              LOG.debug("Import processing started for schedule - %s", icmessage.getScheduledFileName());
                          }
                          startImport(icmessage);


      if (!getSecurityProfilesBean().checkCurrentContactPermission(AccessArea.IMPORT,
              SecurityAction.SECURITY_ACTION_ID_PERFORM)) {
          throw new CorruptedImportException("import.seecurityPoint.prohibitPerform", null);
      }

      private SecurityProfilesFacadeLocal getSecurityProfilesBean() {
          if (securityProfilesBean == null) {
              securityProfilesBean = (SecurityProfilesFacadeLocal) FacadeLocatorUtils.getFacade(
                      OFSLookUpUtils.StatelessSecurityProfilesFacadeBean, false, context);
          }
          return securityProfilesBean;
      }

       

      Our security profile bean (StatelessSecurityProfileBean) is found successfully, but inside our security profile bean we try to access SessionContext, which always returns anonymous.

       

      @Resource
      private transient SessionContext context;

       

       

      Does anybody have any idea what the problem is with this approach? By the way, this works fine in JBoss 4.2.3.

        • 1. Re: Session Context is Anonymous when called from MDB
          jaikiran

          An MDB's onMessage gets invoked by the container and doesn't have a caller role associated with it. You'll have to use the @RunAs annotation, RunAs (Java EE 6), to have it use a specific role for its outgoing calls.
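
The @RunAs approach from this reply, as an added example that is not part of the thread or the poster's application. The role, principal name, queue JNDI name and the PermissionCheck bean are hypothetical, and the example assumes the legacy (PicketBox) security subsystem, where a run-as identity declared without @RunAsPrincipal is named anonymous.

```java
// --- ImportActivatorMdb.java (hypothetical; imports shown once for both files) ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.annotation.security.RunAs;
import javax.ejb.ActivationConfigProperty;
import javax.ejb.EJB;
import javax.ejb.MessageDriven;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.jms.Message;
import javax.jms.MessageListener;
import org.jboss.ejb3.annotation.RunAsPrincipal;
import org.jboss.ejb3.annotation.SecurityDomain;

// The container, not an authenticated caller, invokes onMessage(), so outgoing
// EJB calls carry no identity unless a run-as identity is declared on the MDB.
@MessageDriven(activationConfig = {
    @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName = "destination", propertyValue = "java:/jms/queue/ImportQueue") // assumed
})
@SecurityDomain("acegi-simple")    // domain name from the thread
@RunAs("import-processor")         // assumed role; a compile-time constant
@RunAsPrincipal("import-service")  // assumed name; omitted, the callee sees "anonymous" (assumed PicketBox default)
public class ImportActivatorMdb implements MessageListener {
    @EJB
    private PermissionCheck permissions;

    @Override
    public void onMessage(Message message) {
        // Fail closed: refuse to process when the run-as identity is not authorised.
        if (!permissions.mayPerformImport()) {
            throw new SecurityException("import not permitted for run-as identity");
        }
    }
}

// --- PermissionCheck.java (hypothetical stand-in for the security profile bean) ---
@Stateless
@SecurityDomain("acegi-simple")
public class PermissionCheck {
    @Resource
    private SessionContext context;
    @RolesAllowed("import-processor")
    public boolean mayPerformImport() {
        // Both values come from the MDB's annotations, never from the message sender.
        return "import-service".equals(context.getCallerPrincipal().getName())
                && context.isCallerInRole("import-processor");
    }
}
```

Annotation values are compile-time constants, so a per-message username cannot be supplied through @RunAs; the run-as identity is a fixed service identity for every message the MDB handles.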

          • 2. Re: Session Context is Anonymous when called from MDB
            irfan.dogar

            Thank you Jaikiran for taking time and answering my question.

             

            I understand that onMessage is invoked by the container. In my case I am creating an InitialContext inside onMessage, and I pass it a dynamic username / password like:

             

            public static Context initContext(Contact byContact) {
                Context initialContext;
                try {
                    Properties properties = new Properties();
                    properties.put(InitialContext.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                    properties.put(InitialContext.PROVIDER_URL, "remote://localhost:4447");
                    properties.put(InitialContext.SECURITY_AUTHENTICATION, "simple");
                    properties.put(
                            InitialContext.SECURITY_PRINCIPAL,
                            CredentialsManager.getInstance().formInternalPrincipalForImport(byContact.getUsername(),
                                    byContact.getId(), byContact.getCompany().getId()));
                    properties.put(InitialContext.SECURITY_CREDENTIALS, byContact.getPassword()
                            + GlobalConstants.INTERNAL_LOGIN_SUFFIX);
                    //properties.put("jboss.naming.client.ejb.context", true);
                    properties.put(InitialContext.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
                    initialContext = new InitialContext(properties);
                } catch (Exception e) {
                    LOG.error("Authenticated initial context hasn't been intialized for %s as internal one", byContact.getUsername());
                    LOG.error(e);
                    throw new EJBException(e);
                }

                if (LOG.isDebugEnabled()) {
                    LOG.debug("Authenticated initial context intialized for %s as internal one", byContact.getUsername());
                }

                return initialContext;
            }

             

            Then inside my onMessage I invoke an EJB (in the original post it is StatelessSecurityProfileFacadeBean); this EJB has a @Resource annotation for the session context. But that object always returns “anonymous”.

            I have defined my own security-domain “acegi-simple” for authentication (please see the original post).

            If I use @RunAs, is it going to create a SessionContext? How can I pass a dynamic username to the @RunAs annotation?

            Or am I missing any configuration in WildFly which creates the SessionContext automatically when the InitialContext is created?

            • 3. Re: Session Context is Anonymous when called from MDB
              irfan.dogar

              Finally got this working by adding the following configuration in my custom login:


              <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                  <module-option name="multi-threaded" value="true"/>
                  <module-option name="restore-login-identity" value="true"/>
              </login-module>

               

              Got the hint from the following URL; please read answer number 3:

              SecurityFAQ