0 Replies Latest reply on Jan 19, 2011 9:02 AM by sergiu_pienar

    Security problem after JIRA fix

    sergiu_pienar

      Hi,

       

      Before upgrading to jboss2.0.4SP4.jar and jboss-security-spi2.0.4SP4.jar to solve the bug here: https://issues.jboss.org/browse/SECURITY-483?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel, we were getting:

       

      DEBUG [DelegatingAuthorizationModule] Error with delegate:
      java.util.ConcurrentModificationException
             at java.util.AbstractList$Itr.checkForComodification(AbstractList.java:372)
             at java.util.AbstractList$Itr.next(AbstractList.java:343)
             at org.jboss.security.identity.plugins.SimpleRoleGroup.containsAtleastOneRole(SimpleRoleGroup.java:168)
             at org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate.process(EJBPolicyModuleDelegate.java:156)
             at org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate.authorize(EJBPolicyModuleDelegate.java:112)
             at org.jboss.security.authorization.modules.AbstractAuthorizationModule.invokeDelegate(AbstractAuthorizationModule.java:143)
             at org.jboss.security.authorization.modules.DelegatingAuthorizationModule.authorize(DelegatingAuthorizationModule.java:53)
             at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:220)
             at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
             at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
             at java.security.AccessController.doPrivileged(Native Method)
             at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
             at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
             at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
             at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
             at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
             at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
             at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
             at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
             at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
             at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
             at $Proxy608.queryByReceivedAndGreaterThanValidUntil(Unknown Source)
             at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)

       

      After using the jars that fix this bug (jbosssx2.0.4SP4.jar and jboss-security-job2.0.4SP4.jar), we are getting:

       

      [JobRunShell] Job DEFAULT.job_-1_6com.company.jobSchedule.FileReaderJob threw an unhandled Exception:
      javax.ejb.EJBException: java.lang.RuntimeException: javax.ejb.EJBAccessException: Caller unauthorized
              at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
              at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
      Caused by: javax.ejb.EJBAccessException: Caller unauthorized
              at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
              at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
              at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
              at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
              at $Proxy436.getClientPreferences(Unknown Source)

      org.quartz.SchedulerException: Job threw an unhandled exception. [See nested exception: javax.ejb.EJBException: java.lang.RuntimeException: javax.ejb.EJBAccessException: Caller unauthorized]
              at org.quartz.core.JobRunShell.run(JobRunShell.java:227)
              at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:549)
      Caused by: javax.ejb.EJBAccessException: Caller unauthorized
              at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:199)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
              at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:176)
              at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:216)
              at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:207)
              at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:164)
              at $Proxy436.getClientPreferences(Unknown Source)
              ... 3 more