9 Replies Latest reply on May 4, 2011 2:11 PM by Christian Reiter

    Startup Singleton with security

    thomas10 Newbie

      Hi,

       

      I have problems securing my EJBs.

       

      I implemented a singleton annoted with @Startup @Singleton @RunAs("SYSTEM") and performing some calls on other EJBs that I'd like to secure with @RolesAllowed({ "SYSTEM" }) @SecurityDomain("system-domain").

       

      In my login-config.xml I added a policy

       

          <application-policy name="system-domain">

              <login-module code="org.jboss.security.auth.spi.IdentityLoginModule" flag="required">

                  <module-option name="principal">SYSTEM</module-option>

                  <module-option name="roles">SYSTEM</module-option>

              </login-module>

          </application-policy>

       

      Apart from the annotations I have not written any xml deployment descriptors etc. The project is deployed as an EAR.

       

      From the documentation I understand that should be all that is needed. But when JBoss starts up, it fails with "javax.ejb.EJBAccessException: Invalid User".

       

      The IdentityLoginModule is performing authentication (I debugged it) but for some reason my call fails.

       

      Can anybody spot my error?

       

      If my description is not enough, I can post the full source of my little test-project (eclipse).

       

      I am using JBoss 6.0.0 final.

       

       

      Thanks for your help !

       

      -Thomas

        • 1. Startup Singleton with security
          Wolf-Dieter Fink Master

          Could you activate TRACE of org.jboss.security and attach the logfile?

          • 2. Re: Startup Singleton with security
            thomas10 Newbie

            Thank you for helping,

             

            Find attached the log files. Also, the test project.

            The log clearly states that my application policy is not picked up correctly. JBoss (or jaas?) is trying to load some property files with user/role definitions... I should have noticed before. But I still cannot see what is causing this behavior.

             

            23:24:33,526 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files: java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found

                at org.jboss.security.auth.spi.Util.loadProperties(Util.java:201) [:3.0.0.CR2]

                at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186) [:3.0.0.CR2]

                at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200) [:3.0.0.CR2]

                at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127) [:3.0.0.CR2]

                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]

                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]

             

              -Thomas

            • 3. Startup Singleton with security
              Christian Reiter Newbie

              Hello!

               

              I'm facing a similar problem here.

              The annotation @SecurityDomain("foobar") doesn't seem to work on @Singleton EJBs (regardless if they are marked with @Startup or not).

               

              Trying to access them from a client results in

              Exception in thread "main" java.lang.IllegalStateException: Security Context has not been set

                      at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:151)

                      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)

                      at org.jboss.ejb3.async.impl.interceptor.AsynchronousClientInterceptor.invoke(AsynchronousClientInterceptor.java:143)

                      ...

               

              The same configuration with the same annotations works perfectly on @Stateless EJBs.

               

              Is there any progress or new information on this issue?

               

              Thanks in advance,

               

              christian

              • 4. Startup Singleton with security
                jaikiran pai Master

                Which version of JBoss AS are you using? And what exactly is the package of @SecurityDomain that you are using? It should be @org.jboss.ejb3.annotation.SecurityDomain. Also please post a bit more details including the EJB code.

                • 5. Startup Singleton with security
                  thomas10 Newbie

                  I have come up with a workaround. Don't know if this is how it should work. The @PostConstruct method of my @Singleton is executed using some SecurityContext I don't remember (could check if needed). But ejbs called from there are using the correct identity (the one I specified in @RunAs). Also, I had to tweak my jaas authentication to handle the 'special' identity used in @RunAs. It seems that JBoss is just doing a ordinary authentication. Currently I have two different SecurityContexts: one for integrated logins and one for the actual users. But I think this is not an optimal solution.

                  • 6. Startup Singleton with security
                    Christian Reiter Newbie

                    jaikiran pai schrieb:

                     

                    Which version of JBoss AS are you using? And what exactly is the package of @SecurityDomain that you are using? It should be @org.jboss.ejb3.annotation.SecurityDomain. Also please post a bit more details including the EJB code.

                     

                    I'm using JBoss AS 6.0.0.Final and the annotation comes from the package you specified.

                     

                    If it helps, i can provide a example tomorrow.

                    • 7. Startup Singleton with security
                      Christian Reiter Newbie

                      As I am not really sure if both problems are completely the same, I've started a new thread with a short and simple example:

                       

                      @SecurityDomain doesn't work with @Singleton

                      http://community.jboss.org/message/598080

                       

                      Best Regards,

                       

                      christian

                      • 8. Startup Singleton with security
                        Timo Wiedenmann Newbie

                        Hello,

                         

                        maybe this threads also helps:

                         

                        http://community.jboss.org/message/602965#602965

                         

                        Best regards,

                        Timo

                        • 9. Re: Startup Singleton with security
                          Christian Reiter Newbie

                          Timo Wiedenmann schrieb:

                           

                          http://community.jboss.org/message/602965#602965

                           

                          Thanks Timo! That's a great idea!

                           

                          Best Regards,

                          chris