6 Replies Latest reply on Dec 27, 2005 3:16 PM by Bill Burke

    Can't get method permissions to work on a session bean

    Jimi H Newbie

      Hi,

      I'm trying to limit access to a method in a session bean, but it doesn't work. Can someone show me a simple example maybe? Using annotations... Or just take a look at my files, and tell me what I'm doing wrong.

      I have a working web application, with all the beans working. And I have configured a working authentication policy (<application-policy name="recruit">...) using MySQL. All this works like a charm.

      And in one of my session beans, I wanted to limit access to a specific method, so that only users of the admin role can use the method. This is what it looks like:

      import javax.ejb.Remote;
      import javax.ejb.Stateless;
      import org.jboss.annotation.security.SecurityDomain;
      import org.jboss.aspects.security.Permissions;

      @Remote ({ProfileManager.class})
      @Stateless
      @SecurityDomain("recruit")
      public class ProfileManagerBean implements ProfileManager
      {
          ....

          @Permissions({"admin"})
          public String getTheSecret()
          {
              return "the secret2";
          }
      }

      And then, in another session bean (a facade), I do:

      import javax.naming.InitialContext;
      import javax.naming.NamingException;
      ....
      public void testAuthentication() throws NamingException
      {
          InitialContext ctx = new InitialContext();
          ProfileManager profileManager =
              (ProfileManager) ctx.lookup(ProfileManager.class.getName());
          System.out.println("Secret: " + profileManager.getTheSecret());
      }

      And this method is called from a struts action. And even though I haven't logged in, the getTheSecret method gets called. Why isn't the authentication checked? What am I doing wrong?


      Also, maybe I should tell you what I eventually want to do... I want a webservice to access this session bean facade, and only allow the user to call methods that he has the right to, by checking the roles.

      Regards
      /Jimi
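The thread never shows a working version of this bean, so here is an added example (the editor's, not code from the post or from JBoss) of a role-restricted EJB3 session bean plus a facade that checks the caller's role before delegating, which is the pattern the web-service use case above asks for. It keeps the poster's security domain name `recruit` and role `admin`; the class names `ProfileManager`, `ProfileManagerBean`, `ProfileFacade`, `ProfileFacadeBean` and the method `readSecretIfAllowed` are illustrative. Instead of the JBoss AOP annotation `org.jboss.aspects.security.Permissions` used in the post, it restricts the method with the standard JSR-250 `javax.annotation.security.RolesAllowed`, which the EJB3 container evaluates against the roles of the authenticated caller; an unauthenticated or unauthorized caller gets `javax.ejb.EJBAccessException` rather than the secret.

```java
// --- ProfileManager.java (remote business interface, assumed) ---
package example.security;   // hypothetical package

public interface ProfileManager {
    String getTheSecret();
}

// --- ProfileManagerBean.java ---
package example.security;

import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain;

@Remote(ProfileManager.class)
@Stateless
@SecurityDomain("recruit")   // must match <application-policy name="recruit"> in login-config.xml
public class ProfileManagerBean implements ProfileManager {

    // Container-enforced: only callers whose principal holds the "admin"
    // role may invoke this method. Anyone else, including a caller that
    // never logged in, is rejected with EJBAccessException before the
    // method body runs.
    @RolesAllowed({"admin"})
    public String getTheSecret() {
        return "the secret2";
    }
}

// --- ProfileFacade.java (assumed facade interface) ---
package example.security;

public interface ProfileFacade {
    String readSecretIfAllowed();
}

// --- ProfileFacadeBean.java ---
package example.security;

import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.annotation.security.SecurityDomain;

@Stateless
@SecurityDomain("recruit")   // same domain, so the caller's roles are visible here too
public class ProfileFacadeBean implements ProfileFacade {

    // Injected by the container; getCallerPrincipal()/isCallerInRole()
    // are only valid on a container-supplied SessionContext.
    @Resource
    private SessionContext ctx;

    // Container injection replaces the manual JNDI lookup from the post.
    @EJB
    private ProfileManager profileManager;

    // The facade method itself is open to every authenticated caller;
    // the secret stays protected by the inner bean's @RolesAllowed.
    @PermitAll
    public String readSecretIfAllowed() {
        String caller = ctx.getCallerPrincipal().getName();

        // Pre-check so a denied request leaves an audit line instead of
        // surfacing as an exception to the web-service client.
        if (!ctx.isCallerInRole("admin")) {
            System.out.println("denied getTheSecret for principal " + caller);
            return null;
        }
        try {
            return profileManager.getTheSecret();
        } catch (EJBAccessException e) {
            // The container check still runs independently of ours;
            // log it rather than trusting the pre-check alone.
            System.out.println("container denied getTheSecret for principal " + caller);
            return null;
        }
    }
}
```

The design point is that the authorization decision lives on the bean being protected (`@RolesAllowed`), not in the caller: the facade's `isCallerInRole` check only improves error handling and logging, and removing it must not expose `getTheSecret` to anyone the container would refuse.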

        • 1. Re: Can't get method permissions to work on a session bean
          Jimi H Newbie

          I forgot to mention one thing...

          First I tried using org.jboss.aspects.security.SecurityDomain, but then when I deployed the application, the JBoss console window printed "ProfileManagerBean has no @SecurityDomain - skipping JACC configuration". Then I tried org.jboss.annotation.security.SecurityDomain instead, and that resulted in:

          [JaccHelper] ProfileManagerBean has @SecurityDomain - peforming JACC configuration
          [JaccHelper] Creating permission: (javax.security.jacc.EJBMethodPermission ProfileManagerBean getTheSecret,,)[*:getTheSecret()]
          [JaccHelper] JACC Policy Configuration for deployment has been put in service

          But when I tried the application, the method still gets called, as if no restriction was there.

          I use JBoss 4.0.3SP1.

          /Jimi

          • 3. Re: Can't get method permissions to work on a session bean
            psmith Newbie

            I seem to be having the same problem as well. I've configured the web application with the correct Security Domain and added the annotation to the SLSB but I still see the following in the deployment log:

            20:36:41,562 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=au.com.pulse.online.ejb3.creditcard.CreditCardFacadeBean, class=au.com.pulse.online.ejb3.creditcard.CreditCardFacadeBean, type=STATELESS
            20:36:41,687 INFO [JaccHelper] au.com.pulse.online.ejb3.creditcard.CreditCardFacadeBean has no @SecurityDomain - skipping JACC configuration
            20:36:41,718 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=au.com.pulse.online.ejb3.entity.EntityFacadeBean, class=au.com.pulse.online.ejb3.entity.EntityFacadeBean, type=STATELESS
            20:36:41,796 INFO [JaccHelper] au.com.pulse.online.ejb3.entity.EntityFacadeBean has no @SecurityDomain - skipping JACC configuration
            20:36:41,812 INFO [JaccHelper] JACC Policy Configuration for deployment has been put in service
            20:36:41,812 INFO [Ejb3Deployment] EJB3 deployment time took: 297

            Yet the code has:

            import org.apache.commons.logging.Log;
            import org.apache.commons.logging.LogFactory;
            import org.jboss.aspects.security.SecurityDomain;

            import au.com.pulse.online.ejb3.AbstractFacadeBean;
            import au.com.pulse.online.ejb3.ValidationException;
            import au.com.pulse.online.ejb3.bi.creditcard.ICreditCardFacade;
            import au.com.pulse.online.persistence.ejb.crm.CreditCardDetail;

            @Stateless
            @SecurityDomain ("pulse-domain")
            public class CreditCardFacadeBean extends AbstractFacadeBean implements ICreditCardFacade {

            My main issue is that I get an IllegalStateException when I call getCallerPrincipal().

            Anybody got any ideas?

            • 4. how to configure my EJB to work over SSL connections?
              joselitol Newbie

              hi people,

              I've been looking at the JBoss 4.0 documentation and I couldn't make my EJB work with SSL. I configured the jboss.xml and jboss-service.xml files and I put the annotation @SecurityDomain at the Bean just like the documentation described.

              My EJB:

              package serpro.safe.server.operations;

              import java.util.Date;

              import javax.ejb.Remote;
              import javax.ejb.Stateless;
              import javax.ejb.TransactionAttribute;
              import javax.ejb.TransactionAttributeType;

              import org.jboss.aspects.security.SecurityDomain;

              import serpro.safe.negocio.calendario.feriado.Feriado;
              import serpro.safe.negocio.calendario.feriado.IControladorFeriado;
              import serpro.safe.server.operations.SafeOperations;
              import serpro.safe.util.exception.NegocioException;
              import serpro.safe.util.proxy.ControladorFactory;

              @Remote(SafeOperations.class)
              @Stateless
              @SecurityDomain("RMI+SSL")
              public class SafeOperationsBean implements SafeOperations {

                  @TransactionAttribute(TransactionAttributeType.REQUIRED)
                  public void inserirFeriado(Feriado feriado) throws NegocioException {
                      try {
                          IControladorFeriado controlador =
                              (IControladorFeriado) ControladorFactory.criar(IControladorFeriado.class);
                          controlador.inserirFeriado(feriado);
                      } catch (Exception e) {
                          throw new NegocioException(e);
                      }
                  }
              }



              jboss-service.xml:


              <server>

                <mbean code="org.jboss.security.plugins.JaasSecurityDomain"
                       name="jboss.security:service=JaasSecurityDomain,domain=RMI+SSL">
                  <constructor>
                    <arg type="java.lang.String" value="RMI+SSL" />
                  </constructor>
                  <attribute name="KeyStoreURL">certs.keystore</attribute>
                  <attribute name="KeyStorePass">taylor</attribute>
                </mbean>

                <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker"
                       name="jboss:service=invoker,type=jrmp,socketType=SSL">
                  <attribute name="RMIObjectPort">14445</attribute>
                  <attribute name="RMIClientSocketFactory">
                    org.jboss.security.ssl.RMISSLClientSocketFactory
                  </attribute>
                  <attribute name="RMIServerSocketFactory">
                    org.jboss.security.ssl.RMISSLServerSocketFactory
                  </attribute>
                  <attribute name="SecurityDomain">java:/jaas/RMI+SSL</attribute>
                  <depends>
                    jboss.security:service=JaasSecurityDomain,domain=RMI+SSL
                  </depends>
                </mbean>
              </server>




              jboss.xml:

              <jboss>
                <enterprise-beans>
                  <session>
                    <ejb-name>SafeOperations</ejb-name>
                    <configuration-name>Standard Stateless SessionBean</configuration-name>
                    <invoker-bindings>
                      <invoker>
                        <invoker-proxy-binding-name>stateless-ssl-invoker</invoker-proxy-binding-name>
                      </invoker>
                    </invoker-bindings>
                  </session>
                </enterprise-beans>

                <invoker-proxy-bindings>
                  <invoker-proxy-binding>
                    <name>stateless-ssl-invoker</name>
                    <invoker-mbean>jboss:service=invoker,type=jrmp,socketType=SSL</invoker-mbean>
                    <proxy-factory>org.jboss.proxy.ejb.ProxyFactory</proxy-factory>
                    <proxy-factory-config>
                      <client-interceptors>
                        <home>
                          <interceptor>org.jboss.proxy.ejb.HomeInterceptor</interceptor>
                          <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
                          <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
                          <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
                        </home>
                        <bean>
                          <interceptor>org.jboss.proxy.ejb.StatelessSessionInterceptor</interceptor>
                          <interceptor>org.jboss.proxy.SecurityInterceptor</interceptor>
                          <interceptor>org.jboss.proxy.TransactionInterceptor</interceptor>
                          <interceptor>org.jboss.invocation.InvokerInterceptor</interceptor>
                        </bean>
                      </client-interceptors>
                    </proxy-factory-config>
                  </invoker-proxy-binding>
                </invoker-proxy-bindings>
              </jboss>



              I've got the following messages on the JBoss console:

              13:32:07,279 INFO [JaccHelper] Initialising JACC Context for deployment: safe-beans.ejb3
              13:32:07,310 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=OperacaoBean, class=OperacaoBean, type=STATELESS
              13:32:07,560 INFO [JaccHelper] OperacaoBean has no @SecurityDomain - skipping JACC configuration
              13:32:07,591 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=serpro.safe.server.operations.SafeOperationsBean, class=serpro.safe.server.operations.SafeOperationsBean, type=STATELESS
              13:32:07,638 INFO [JaccHelper] serpro.safe.server.operations.SafeOperationsBean has no @SecurityDomain - skipping JACC configuration
              13:32:07,654 INFO [JaccHelper] JACC Policy Configuration for deployment has been put in service
              13:32:07,654 INFO [Ejb3Deployment] EJB3 deployment time took: 375
              13:32:07,794 INFO [ProxyDeployer] no declared remote bindings for : OperacaoBean
              13:32:07,794 INFO [ProxyDeployer] there is remote interfaces for OperacaoBean
              13:32:07,794 INFO [ProxyDeployer] default remote binding has jndiName of Operacao
              13:32:07,919 INFO [ProxyDeployer] no declared remote bindings for : serpro.safe.server.operations.SafeOperationsBean
              13:32:07,919 INFO [ProxyDeployer] there is remote interfaces for serpro.safe.server.operations.SafeOperationsBean
              13:32:07,919 INFO [ProxyDeployer] default remote binding has jndiName of serpro.safe.server.operations.SafeOperations
              13:32:07,966 INFO [EJB3Deployer] Deployed: file:/C:/jboss-4.0.3SP1/server/default/deploy/safe-beans.ejb3
              13:33:38,513 INFO [JaccHelper] Initialising JACC Context for deployment: safe-beans.ejb3
              13:33:38,560 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=OperacaoBean, class=OperacaoBean, type=STATELESS
              13:33:38,607 INFO [JaccHelper] OperacaoBean has no @SecurityDomain - skipping JACC configuration
              13:33:38,685 INFO [Ejb3AnnotationHandler] found EJB3: ejbName=serpro.safe.server.operations.SafeOperationsBean, class=serpro.safe.server.operations.SafeOperationsBean, type=STATELESS
              13:33:38,732 INFO [JaccHelper] serpro.safe.server.operations.SafeOperationsBean has no @SecurityDomain - skipping JACC configuration
              13:33:38,732 INFO [JaccHelper] JACC Policy Configuration for deployment has been put in service
              13:33:38,732 INFO [Ejb3Deployment] EJB3 deployment time took: 219
              13:33:38,779 INFO [ProxyDeployer] no declared remote bindings for : OperacaoBean
              13:33:38,779 INFO [ProxyDeployer] there is remote interfaces for OperacaoBean
              13:33:38,779 INFO [ProxyDeployer] default remote binding has jndiName of Operacao
              13:33:38,872 INFO [ProxyDeployer] no declared remote bindings for : serpro.safe.server.operations.SafeOperationsBean
              13:33:38,872 INFO [ProxyDeployer] there is remote interfaces for serpro.safe.server.operations.SafeOperationsBean
              13:33:38,872 INFO [ProxyDeployer] default remote binding has jndiName of serpro.safe.server.operations.SafeOperations
              13:33:38,919 INFO [EJB3Deployer] Deployed: file:/C:/jboss-4.0.3SP1/server/default/deploy/safe-beans.ejb3




              • 5. Re: Can't get method permissions to work on a session bean
                joselitol Newbie


                "jimih" wrote:
                I forgot to mention one thing...

                First I tried using org.jboss.aspects.security.SecurityDomain, but then when I deployed the application, the JBoss console window printed "ProfileManagerBean has no @SecurityDomain - skipping JACC configuration". Then I tried org.jboss.annotation.security.SecurityDomain instead, and that resulted in:

                [JaccHelper] ProfileManagerBean has @SecurityDomain - peforming JACC configuration
                [JaccHelper] Creating permission: (javax.security.jacc.EJBMethodPermission ProfileManagerBean getTheSecret,,)[*:getTheSecret()]
                [JaccHelper] JACC Policy Configuration for deployment has been put in service

                But when I tried the application, the method still gets called, as if no restriction was there.

                I use JBoss 4.0.3SP1.

                /Jimi


                Hi, have you found the solution to it? I'm having the same problem...

                • 6. Re: Can't get method permissions to work on a session bean
                  Bill Burke Master

                  We have not documented yet how to use SSL with EJB3. There is a unit test case for it within CVS if you need it now.

                  You are looking at the EJB 2.1 container way to configure SSL. This will not work AT ALL and don't even attempt it.