1 Reply Latest reply on Jan 1, 2008 9:25 PM by Shane Bryzak

    Seam EJB3 authorization

    desa nocra Newbie

      i have a application with java webstart frontend which uses security restriction with @RolesAlowed annotation. Now i want to add a seam frontend. My Problem is that i can login but cant call any restricted EJB methods.

      The Application stores the user passwords encrypted. This is the reason why the Java-Swing-Webstart Frontend store uses this piece of code to login:

       public LoginContext createLoginContext(final String inUsername, char[] inPassword, Subject inSubject) {
       try {
       mIsAdmin = false;
       mUsername=inUsername;
       mPassword= new char[inPassword.length];
       System.arraycopy(inPassword, 0, mPassword, 0, inPassword.length);
       mLoginContext = new LoginContext("myrealm", inSubject, new CallbackHandler(){
      
       public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
       for(int i = 0; i < callbacks.length; i++) {
       if (callbacks instanceof NameCallback) {
       NameCallback nameCallback = (NameCallback)callbacks;
       nameCallback.setName(inUsername);
       } else if (callbacks instanceof PasswordCallback) {
       PasswordCallback pwCallback = (PasswordCallback)callbacks;
       String aEncPwd = SecurityUtils.getCryptedPwd(mUsername, mPassword);
       for(int j=0; j < mPassword.length; j++) {
       mPassword[j] = ' ';
       }
       pwCallback.setPassword(aEncPwd.toCharArray());
       } else throw new UnsupportedCallbackException(callbacks);
       }
       }
       }
       );
       } catch (LoginException e) {
       getLogger().log(LogLevel.ERROR, CommonResources.getMsg("auth.LoginModule.login.context.creation.failed"), e);
       return null;
       }
       return mLoginContext;
       }
      
       public User getUser(final String inUsername) {
       try {
       String aAuthCtrlRemote = CommonResources.getBeanJndiNames().getString("controller.authentication");
       getLogger().log(LogLevel.DEBUG, "Using AuthenticationController Bean: {0}", aAuthCtrlRemote);
       AuthenticationController aBean = (AuthenticationController) CommonFactory.getInitialContext().lookup(aAuthCtrlRemote);
       if(inUsername != null) {
       try {
       User aUser = aBean.qryUser(inUsername);
       return aUser;
       }catch(javax.ejb.EJBAccessException e) {
       getLogger().log(LogLevel.ERROR, "Error: {0}", e);
       }
       }
       } catch (Exception e) {
       getLogger().log(LogLevel.ERROR, "Error: {0}", e);
       }
       return null;
       }
      
       public boolean login(final String inUsername, char[] inPassword) {
       if(mLoginContext != null) {
       logout();
       }
       LoginContext aLoginContext = createLoginContext(inUsername, inPassword, new Subject());
      
       // Durchführung des Logins
       try {
       if(aLoginContext != null) {
       aLoginContext.login();
       }
       } catch (LoginException e) {
       getLogger().log(LogLevel.DEBUG, CommonResources.getMsg("view.LoginView.auth.failed"), e);
       return false;
      
       }
      
       try {
       String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
       getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
       ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
       //TODO locale session
       bean.startLocaleSession("a");
      
       User aUser = getUser(mUsername);
       if(aUser != null) {
       mIsAdmin = aUser.getRole().isAdmin();
       } else {
       mIsAdmin = false;
       }
      
       } catch (RuntimeException e) {
       getLogger().log(LogLevel.ERROR, "{0}", e);
       return false;
       } catch (NamingException e) {
       getLogger().log(LogLevel.ERROR, "{0}", e);
       return false;
       }
      
       fireEvent(true);
       return true;
       }
      


      After execution the Java-Swing-Webstart client can call any restircted EJB method for the role of the logged-in user. For Example
       String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
       getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
       ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
       bean.startLocaleSession("a");
      
      


      I use the same mechanism for seam. I wrote an Authenticator.

      @Stateful
      @Name("authenticator")
      @Local( { SeamAuthenticator.class })
      public class SeamAuthenticatorImpl implements SeamAuthenticator {
      
       public SeamAuthenticatorImpl() {
      
       }
      
       @SuppressWarnings("unchecked")
       @PermitAll
       public boolean login() {
       Identity aIdentity = Identity.instance();
       String aUsername = aIdentity.getUsername();
       String aPassword = aIdentity.getPassword();
       Identity.setSecurityEnabled(true);
       if (aPassword == null) {
       aPassword = "admin";
       aIdentity.setPassword(aPassword);
       }
       mCtrl = ClientFactory.getClientLoginCtrl();
       LoginContext aLoginContext = mCtrl.createLoginContext(aUsername, aPassword.toCharArray(), aIdentity.getSubject());
       if(aLoginContext != null) {
       try {
       aIdentity.authenticate(aLoginContext);
       try{
       String aClientSessionCtrl = CommonResources.getBeanJndiNames().getString("controller.clientsession");
       getLogger().log(LogLevel.DEBUG, "Using ClientSessionController Bean: {0}", aClientSessionCtrl);
       ClientSessionController bean = (ClientSessionController) CommonFactory.getInitialContext().lookup(aClientSessionCtrl);
       bean.startLocaleSession("a");
       }
       }catch(NamingException e) {
       getLogger().log(LogLevel.ERROR, "{0}", e);
       e.printStackTrace();
       }
       return aIdentity.isLoggedIn();
       } catch (LoginException e) {
       getLogger().log(LogLevel.ERROR, "{0}", e);
       e.printStackTrace();
       return false;
       }
       }
       return false;
       }
      
       @Destroy @Remove
       public void destroy() {}
      
       /*
       * with the @Out annotation this bean can change the value of the <code>user</code>
       * context variable and make the new instance available to other session
       * beans and JSF pages
       */
       @SuppressWarnings("unused")
       @Out(required = false, scope = SESSION)
       private User user;
      
       private ClientLoginController mCtrl;
      
       static Logger getLogger() {
       return CommonFactory.getLogManager().getLogger(
       SeamAuthenticatorImpl.class.getName());
       }
      }


      The authentication works , Identity.isLoggedIn() == true, but the call bean.startLocaleSession("a"); fails. with
      23:42:40,468 ERROR [ClientLoginCtrlImpl] Error: javax.ejb.EJBAccessException: Authorization failure|utab
      javax.ejb.EJBAccessException: Authorization failure
       at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
       at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:240)
       at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:210)
       at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:84)
       at $Proxy343.qryUser(Unknown Source)
       at impl.x.x.common.client.ctrl.ClientLoginCtrlImpl.getUser(ClientLoginCtrlImpl.java:89)
       at impl.x.x.server.ctrl.SeamAuthenticatorImpl.login(SeamAuthenticatorImpl.java:67)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:112)
       at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:166)
       at org.jboss.seam.intercept.EJBInvocationContext.proceed(EJBInvocationContext.java:44)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
       at org.jboss.seam.core.BijectionInterceptor.aroundInvoke(BijectionInterceptor.java:46)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
       at org.jboss.seam.persistence.ManagedEntityIdentityInterceptor.aroundInvoke(ManagedEntityIdentityInterceptor.java:48)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
       at org.jboss.seam.transaction.RollbackInterceptor.aroundInvoke(RollbackInterceptor.java:31)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
       at org.jboss.seam.core.MethodContextInterceptor.aroundInvoke(MethodContextInterceptor.java:42)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
       at org.jboss.seam.persistence.EntityManagerProxyInterceptor.aroundInvoke(EntityManagerProxyInterceptor.java:26)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
       at org.jboss.seam.persistence.HibernateSessionProxyInterceptor.aroundInvoke(HibernateSessionProxyInterceptor.java:27)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
       at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
       at org.jboss.seam.intercept.SessionBeanInterceptor.aroundInvoke(SessionBeanInterceptor.java:50)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.ejb3.interceptor.InvocationContextImpl.proceed(InvocationContextImpl.java:118)
       at org.jboss.ejb3.interceptor.EJB3InterceptorsInterceptor.invoke(EJB3InterceptorsInterceptor.java:63)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.entity.ExtendedPersistenceContextPropagationInterceptor.invoke(ExtendedPersistenceContextPropagationInterceptor
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:54)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.aspects.tx.TxPolicy.invokeInCallerTx(TxPolicy.java:126)
       at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:195)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:95)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.stateful.StatefulInstanceInterceptor.invoke(StatefulInstanceInterceptor.java:83)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
       at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
       at org.jboss.ejb3.stateful.StatefulContainer.localInvoke(StatefulContainer.java:206)
       at org.jboss.ejb3.stateful.StatefulLocalProxy.invoke(StatefulLocalProxy.java:119)
       at $Proxy322.login(Unknown Source)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.seam.util.Reflections.invoke(Reflections.java:21)
       at org.jboss.seam.intercept.RootInvocationContext.proceed(RootInvocationContext.java:31)
       at org.jboss.seam.intercept.ClientSideInterceptor$1.proceed(ClientSideInterceptor.java:76)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:56)
       at org.jboss.seam.ejb.RemoveInterceptor.aroundInvoke(RemoveInterceptor.java:41)
       at org.jboss.seam.intercept.SeamInvocationContext.proceed(SeamInvocationContext.java:68)
       at org.jboss.seam.intercept.RootInterceptor.invoke(RootInterceptor.java:107)
       at org.jboss.seam.intercept.ClientSideInterceptor.invoke(ClientSideInterceptor.java:54)
       at org.javassist.tmp.java.lang.Object_$$_javassist_2.login(Object_$$_javassist_2.java)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
       at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
       at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
       at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
       at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
       at org.jboss.seam.core.Expressions$2.invoke(Expressions.java:174)
       at org.jboss.seam.security.jaas.SeamLoginModule.login(SeamLoginModule.java:108)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
       at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
       at javax.security.auth.login.LoginContext$5.run(LoginContext.java:706)
       at java.security.AccessController.doPrivileged(Native Method)
       at javax.security.auth.login.LoginContext.invokeCreatorPriv(LoginContext.java:703)
       at javax.security.auth.login.LoginContext.login(LoginContext.java:575)
       at org.jboss.seam.security.Identity.authenticate(Identity.java:259)
       at org.jboss.seam.security.Identity.authenticate(Identity.java:248)
       at org.jboss.seam.security.Identity.login(Identity.java:205)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:329)
       at org.jboss.el.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:342)
       at org.jboss.el.parser.AstPropertySuffix.invoke(AstPropertySuffix.java:58)
       at org.jboss.el.parser.AstValue.invoke(AstValue.java:96)
       at org.jboss.el.MethodExpressionImpl.invoke(MethodExpressionImpl.java:276)
       at com.sun.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:68)
       at javax.faces.component.MethodBindingMethodExpressionAdapter.invoke(MethodBindingMethodExpressionAdapter.java:77)
       at com.sun.faces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:91)
       at javax.faces.component.UICommand.broadcast(UICommand.java:383)
       at org.ajax4jsf.component.AjaxViewRoot.processEvents(AjaxViewRoot.java:184)
       at org.ajax4jsf.component.AjaxViewRoot.broadcastEvents(AjaxViewRoot.java:162)
       at org.ajax4jsf.component.AjaxViewRoot.processApplication(AjaxViewRoot.java:350)
       at com.sun.faces.lifecycle.InvokeApplicationPhase.execute(InvokeApplicationPhase.java:97)
       at com.sun.faces.lifecycle.LifecycleImpl.phase(LifecycleImpl.java:251)
       at com.sun.faces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:117)
       at javax.faces.webapp.FacesServlet.service(FacesServlet.java:244)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:83)
       at org.jboss.seam.debug.hot.HotDeployFilter.doFilter(HotDeployFilter.java:68)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.web.MultipartFilter.doFilter(MultipartFilter.java:85)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.web.ExceptionFilter.doFilter(ExceptionFilter.java:64)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.web.RedirectFilter.doFilter(RedirectFilter.java:45)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.ajax4jsf.webapp.BaseXMLFilter.doXmlFilter(BaseXMLFilter.java:141)
       at org.ajax4jsf.webapp.BaseFilter.doFilter(BaseFilter.java:281)
       at org.jboss.seam.web.Ajax4jsfFilter.doFilter(Ajax4jsfFilter.java:60)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.web.LoggingFilter.doFilter(LoggingFilter.java:58)
       at org.jboss.seam.servlet.SeamFilter$FilterChainImpl.doFilter(SeamFilter.java:69)
       at org.jboss.seam.servlet.SeamFilter.doFilter(SeamFilter.java:158)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
       at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
       at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
       at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
       at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
       at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
       at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
       at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
       at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
       at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
       at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
       at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
       at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
       at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
       at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
       at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
       at java.lang.Thread.run(Thread.java:595)
      


      Whats wrong ? Why i cant call a restricted EJB method ?