3 Replies Latest reply on Jan 16, 2008 3:03 PM by sappenin

    @Service + @Managment + @SecurityDomain throws Authorization

    sappenin Novice

      I have a secured EJB3 @Service bean as follows:

      @Service
      @Management(MyClassInterfaceManagement.class)
      @Local(MyClassInterface.class)
      @SecurityDomain("myrealm")
      @RolesAllowed( {
       "admin", "system"
      })
      @RunAs("system")
      public class MyClass implements MyClassInterface, MyClassInterfaceManagement
      { ... }
      
      


      I have the proper things setup in my login-conf.xml file, but when I deploy this class, I get an exception stating:

      21:11:05,887 WARN [ServiceController] Problem creating service jboss.j2ee:ear=MyEar.ear,jar=MyJar.jar,name=MyClass,service=EJB3,type=ManagementInterface
      javax.ejb.EJBAccessException: Authorization failure
       at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:113)
      


      What's wierd is that I can comment out the "@SecurityDomain("mydomain")" annotation, and I don't receive the exception when I start the server, and everything works fine. This seems like a bug, although I'm not sure. Any Idea what is going on?

      My assumption is that by commenting out the @SecurityDomain annotation, the Management/Service is defaulting to the security domain specified in my jboss-app.xml file in my ear, which says:

      
      <jboss-app>
       <security-domain>myrealm</security-domain>
       .....
      </jboss-app>
      
      


      The applicable login-conf.xml snippets are below. Thoughts?


      
       <application-policy name = "myrealm">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
       <module-option name = "dsJndiName">java:/myDS</module-option>
       <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
       <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
       </module-option>
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       </login-module>
       <!-- Add this line to your login-config.xml to include the ClientLoginModule propogation -->
       <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
       </authentication>
      
      


      
      <application-policy name = "other">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
       <module-option name = "dsJndiName">java:/myDS</module-option>
       <module-option name = "principalsQuery">select PASSWORD from SYSTEM_USER where USER_ID=?</module-option>
       <module-option name = "rolesQuery">select SYSTEM_USER_ROLE.ROLE_NAME, 'Roles' from SYSTEM_USER_ROLE, SYSTEM_USER_SYSTEM_USER_ROLE, SYSTEM_USER where ((SYSTEM_USER_SYSTEM_USER_ROLE.ROLES_ID = SYSTEM_USER_ROLE.ID) and (SYSTEM_USER_SYSTEM_USER_ROLE.USERS_ID = SYSTEM_USER.ID) AND (SYSTEM_USER.USER_ID = ?))
       </module-option>
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       </login-module>
       </authentication>
      
      



        • 1. Re: @Service + @Managment + @SecurityDomain throws Authoriza
          Wolfgang Knauf Master

          Hi !

          I would suggest you activate logging in the security layer. See http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ, question 4. Hope this gives you further information about what fails.

          Best regards

          Wolfgang

          • 2. Re: @Service + @Managment + @SecurityDomain throws Authoriza
            sappenin Novice

            Thanks for your suggestion. I should have added this into the initial thread. I'm getting an Authorization exception because the prinicipal and role are null, but only if I specify a @SecurityDomain.

            Here's the stack trace:

            
            2:48:11,650 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=null, req
            iredRoles=[system, admin], principalRoles=null
            2:48:11,651 DEBUG [RoleBasedAuthorizationInterceptor] Authorization failure
            ava.lang.SecurityException: Insufficient permissions, principal=null, requiredRoles=[system, admin]
             principalRoles=null
             at org.jboss.aspects.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizatio
            Interceptor.java:149)
             at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationIn
            erceptor.java:108)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
             at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
             at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:1
            6)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
             at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:309)
             at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:274)
             at org.jboss.ejb3.service.ServiceMBeanDelegate.invoke(ServiceMBeanDelegate.java:215)
             at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
             at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
             at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:995)
             at $Proxy0.create(Unknown Source)
            
            
            


            • 3. Re: @Service + @Managment + @SecurityDomain throws Authoriza
              sappenin Novice

              With regard to the post above, this still seems like a bug(?). The principal role should, at the very least, be my unauthenticated identity, no? In reality, I would expect the role to be system or admin.

              If I omit the security domain, it appears that my role is in fact "system", which is what I would expect.

              Thoughts?