9 Replies Latest reply on Aug 12, 2010 3:32 PM by Stefan Guilhen

    PicketLink STS EJB Example fails: Principal anonymous?

    Brian Krisler Newbie

      Hi,


      I am trying to get the example working from the SAML EJB Integration with PicketLink STS article. The article was very clear and informative; however, when using the attached components, I cannot get a successful run.


      Running the Test code from the example, I get the following output:


      Invoking token service to get SAML assertion for UserA
      SAML assertion for UserA successfully obtained!
      Invoking secure EJB3 session bean with UserA SAML assertion
      User UserA is not authorized to call administrative method!
      User UserA is not authorized to call regular method!
      User anonymous successfully called unprotected method!
      User UserA is not authorized to call unavailable method!


      Invoking token service to get SAML assertion for UserB
      SAML assertion for UserB successfully obtained!
      Invoking secure EJB3 session bean with UserB SAML assertion
      User UserB is not authorized to call administrative method!
      User UserB is not authorized to call regular method!
      User anonymous successfully called unprotected method!
      User UserB is not authorized to call unavailable method!


      Invoking token service to get SAML assertion for UserC
      SAML assertion for UserC successfully obtained!
      Invoking secure EJB3 session bean with UserC SAML assertion
      User UserC is not authorized to call administrative method!
      User UserC is not authorized to call regular method!
      User anonymous successfully called unprotected method!
      User UserC is not authorized to call unavailable method!


      It is clear that I am obtaining SAML from the STS; however, the second validation fails because all users are seen as anonymous.


      Log excerpt:


      2010-07-29 17:11:17,648 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null
      2010-07-29 17:11:17,648 TRACE [org.jboss.security.SecurityRolesAssociation] (http-127.0.0.1-8080-1) Setting threadlocal:null
      2010-07-29 17:11:17,923 TRACE [org.jboss.security.SecurityRolesAssociation] (WorkerThread#1[127.0.0.1:37241]) Setting threadlocal:{}
      2010-07-29 17:11:17,924 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (WorkerThread#1[127.0.0.1:37241]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
      2010-07-29 17:11:17,924 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (WorkerThread#1[127.0.0.1:37241]) method=public java.security.Principal org.jboss.test.security.ejb3.SimpleStatelessSessionBean.invokeAdministrativeMethod(), interface=Remote, requiredRoles=Roles(Administrator,)
      2010-07-29 17:11:17,924 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] (WorkerThread#1[127.0.0.1:37241]) Exception:Insufficient method permissions, principal=null, ejbName=SimpleStatelessSessionBean, method=invokeAdministrativeMethod, interface=Remote, requiredRoles=Roles(Administrator,), principalRoles=Roles()
      2010-07-29 17:11:17,924 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] (WorkerThread#1[127.0.0.1:37241]) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
              Principal: anonymous
      :role=Roles()


      The incoming SOAP message has the correct user:

      ...

      <Subject>
             <NameID NameQualifier='urn:picketlink:identity-federation'>UserA</NameID>
             <SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>
      </Subject>

      ....


      Is there something that I am missing?


      Thanks for any help


      Brian
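The symptom in this post is worth separating into two cases when reading JBoss authorization traces: the EJB container never received a principal at all (principal=null, Principal: anonymous) versus a real user arriving without the required role. The following Python triage script is an added example, not code from the post, PicketLink or JBoss. It extracts the NameID from the quoted SAML Subject, parses the EJBPolicyModuleDelegate denial lines in the format shown above, and classifies each denial. The first two log lines are copied from the post; the third is constructed to show what a genuine role mismatch for UserA would look like, so the two cases can be told apart.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the Subject block quoted in the post (single-quoted attributes are valid XML).
SAML_SUBJECT = """<Subject>
       <NameID NameQualifier='urn:picketlink:identity-federation'>UserA</NameID>
       <SubjectConfirmation Method='urn:oasis:names:tc:SAML:2.0:cm:bearer'/>
</Subject>"""

# Constructed sample log: lines 1 and 2 are the EJBPolicyModuleDelegate TRACE lines from the post;
# line 3 is made up to show a denial where the principal DID arrive but lacks the role.
LOG_LINES = [
    "2010-07-29 17:11:17,924 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] "
    "(WorkerThread#1[127.0.0.1:37241]) method=public java.security.Principal "
    "org.jboss.test.security.ejb3.SimpleStatelessSessionBean.invokeAdministrativeMethod(), "
    "interface=Remote, requiredRoles=Roles(Administrator,)",
    "2010-07-29 17:11:17,924 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] "
    "(WorkerThread#1[127.0.0.1:37241]) Exception:Insufficient method permissions, principal=null, "
    "ejbName=SimpleStatelessSessionBean, method=invokeAdministrativeMethod, interface=Remote, "
    "requiredRoles=Roles(Administrator,), principalRoles=Roles()",
    "2010-07-29 17:11:18,001 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] "
    "(WorkerThread#1[127.0.0.1:37241]) Exception:Insufficient method permissions, principal=UserA, "
    "ejbName=SimpleStatelessSessionBean, method=invokeAdministrativeMethod, interface=Remote, "
    "requiredRoles=Roles(Administrator,), principalRoles=Roles(RegularUser,)",
]

# Matches the key=value tail of a JBoss "Insufficient method permissions" trace line.
DENIAL_RE = re.compile(
    r"Insufficient method permissions, principal=(?P<principal>[^,]*), "
    r"ejbName=(?P<ejb>[^,]*), method=(?P<method>[^,]*), interface=(?P<iface>[^,]*), "
    r"requiredRoles=Roles\((?P<required>[^)]*)\), principalRoles=Roles\((?P<held>[^)]*)\)"
)


def saml_subject_nameid(xml_text):
    """Return the NameID text of a SAML <Subject>, tolerating a namespace prefix on the tag."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "NameID":
            return (el.text or "").strip()
    return None


def _roles(text):
    # "Roles(Administrator,)" yields "Administrator," -> drop the trailing empty element
    return frozenset(r for r in text.split(",") if r)


def parse_denial(line):
    """Parse one denial trace line into a dict, or return None for lines that are not denials."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    principal = m.group("principal")
    return {
        "principal": None if principal == "null" else principal,
        "ejb": m.group("ejb"),
        "method": m.group("method"),
        "required": _roles(m.group("required")),
        "held": _roles(m.group("held")),
    }


def classify(denial, asserted_subject):
    """Tell 'no identity reached the container' apart from an ordinary role mismatch."""
    if denial["principal"] is None:
        return "IDENTITY_NOT_PROPAGATED"  # assertion named a user, container saw nobody
    if denial["principal"] != asserted_subject:
        return "PRINCIPAL_MISMATCH"  # container saw a different user than the assertion named
    return "ROLE_MISMATCH"  # right user, but the required roles were not granted


def triage(log_lines, subject_xml):
    """Correlate the SAML subject with every denial in the log and attach a verdict."""
    subject = saml_subject_nameid(subject_xml)
    results = []
    for line in log_lines:
        d = parse_denial(line)
        if d is None:
            continue
        d["asserted_subject"] = subject
        d["verdict"] = classify(d, subject)
        d["missing_roles"] = d["required"] - d["held"]
        results.append(d)
    return results


if __name__ == "__main__":
    for r in triage(LOG_LINES, SAML_SUBJECT):
        print(f"{r['ejb']}.{r['method']}: asserted={r['asserted_subject']} "
              f"seen={r['principal']} missing={sorted(r['missing_roles'])} -> {r['verdict']}")
```

Run against the post's lines, the denial for UserA is classified as IDENTITY_NOT_PROPAGATED, which points at the assertion-to-principal hand-off between the web service layer and the EJB security context rather than at role configuration; the constructed third line comes out as ROLE_MISMATCH with Administrator missing, which is the verdict one would expect if the identity had propagated correctly.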