13 Replies Latest reply on May 11, 2011 6:19 PM by wolfgangknauf

    Can't get SessionContext.isCallerInRole(...) to work from remote call.

    kriwic

      Hi,

       

      I have a stateless bean that I access both from within JBoss via the web container and also from outside JBoss via a remote interface. When I access the bean from within JBoss, SessionContext.isCallerInRole(...) works fine, but when it is accessed from outside of JBoss, SessionContext.isCallerInRole(...) always returns false.

       

      This works fine in JBoss 4 but when I updated and ported my code to JBoss 6 it stopped working. I also tested in JBoss 5 without success.

       

      I have attached a small test case for both JBoss 4.2.3 and JBoss 6.0.0. When accessing the TestBean from index.jsp it always works, but when accessing it by executing TestClient from outside of JBoss it does not work for JBoss 6.

       

      What am I doing wrong or is this a bug?

        • 1. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
          kriwic

          Since I did not get any reply on this post I thought I would explain a little better. I would like to get some feedback before I report this as a bug, because I don't know if I have missed something.

           

          When I access a stateless bean from outside of JBoss via its remote interface from a Java client, SessionContext.isCallerInRole(...) always returns false. However, when I access the same bean from a JSP running in the same JBoss, SessionContext.isCallerInRole(...) works correctly. This behavior is in JBoss 5 & 6. In JBoss 4 it works OK for both cases.

           

          In my small test case I have a stateless bean interface named Test. It has only one method, checkRole(). This method should return true if the caller has the role administrator.

           

          import javax.ejb.Remote;

          // Remote business interface of the test bean
          @Remote
          public interface Test {
            public boolean checkRole();
          }

           

          The implementation of the role is as follows below. It uses the security domain zert and the only method returns the result of SessionContext.isCallerInRole("administrator").

           

          import javax.annotation.Resource;
          import javax.annotation.security.DeclareRoles;
          import javax.ejb.Remote;
          import javax.ejb.SessionContext;
          import javax.ejb.Stateless;
          // JBoss 5/6 location of the annotation (JBoss 4 used org.jboss.annotation.security.SecurityDomain)
          import org.jboss.ejb3.annotation.SecurityDomain;

          @Stateless
          @Remote({Test.class})
          @SecurityDomain("zert")
          @DeclareRoles({"administrator", "producer", "consumer"})
          public class TestBean implements Test {
            // Injected by the container; carries the caller identity for the current invocation
            @Resource
            private SessionContext context;

            @Override
            public boolean checkRole() {
              return context.isCallerInRole("administrator");
            }
          }

           

          The security domain zert has only one user called admin. The admin user is in the roles, administrator, producer and consumer. This can be seen in the listing below.

           

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
          
          <server>
            <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=DynamicLoginConfig">
              <attribute name="PolicyConfig" serialDataType="jbxb">
                <jaas:policy
                  xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                  xmlns:jaas="urn:jboss:security-config:4.1"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          
                  <jaas:application-policy name="zert">
                    <jaas:authentication>
                      <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
                        <jaas:module-option name="userInfo">
                          <ur:users
                            xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                            xmlns:ur="urn:jboss:user-roles:1.0">
                            <ur:user name="admin" password="test">
                              <ur:role name="administrator"></ur:role>
                              <ur:role name="producer"></ur:role>
                              <ur:role name="consumer"></ur:role>
                            </ur:user>
                          </ur:users>
                        </jaas:module-option>
                        <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
                      </jaas:login-module>
                    </jaas:authentication>
                  </jaas:application-policy>        
                </jaas:policy>         
              </attribute>
              <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends> 
              <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
            </mbean>
          </server>
          
          

           

          When the Test bean is accessed via the remote interface using the following test client, then SessionContext.isCallerInRole(...) always returns false. For me this looks like a bug!

           

          import java.util.Hashtable;
          import javax.naming.Context;
          import javax.naming.InitialContext;
          import javax.security.auth.login.LoginContext;

          public class TestClient {
            public static void main(String[] argv) {
              try {
                // JAAS configuration file holding the "zert" login entry (see auth.conf below)
                System.setProperty("java.security.auth.login.config", "auth.conf");

                // ConnectionHandler is the poster's CallbackHandler that supplies user name and password (source not shown)
                ConnectionHandler connectionHandler = new ConnectionHandler("admin", "test");
                LoginContext loginContext = new LoginContext("zert", connectionHandler);
                loginContext.login();

                System.out.println(runTest());

                loginContext.logout();
              } catch (Exception e) {
                e.printStackTrace();
              }
            }

            public static String runTest() throws Exception {
              Hashtable<String, String> env = new Hashtable<String, String>();
              env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.NamingContextFactory");
              env.put(Context.PROVIDER_URL, "localhost");

              InitialContext context = new InitialContext(env);

              // JNDI name of the remote interface: <ear name>/<bean name>/remote
              Test test = (Test)context.lookup("zert/TestBean/remote");

              return "Is administrator: " + test.checkRole();
            }

            ...
          }

           

          However, when I access the same bean from the following JSP, the method works correctly and returns true.

           

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
          
          <%@page contentType="text/html; charset=UTF-8" %>
          <%@page import="se.zert.test.*"%>
          
          <html xmlns="http://www.w3.org/1999/xhtml">
            <head>
              <title>Test</title>
            </head>
            <body>
              <%=TestClient.runTest()%>
            </body>
          </html>
          
          

           

          Does anyone have a good answer to why the bean reacts differently when accessed from outside of JBoss than from inside of JBoss?

           

          Thanks in advance!

          /Krister
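The client side of the exchange above depends on a CallbackHandler class (ConnectionHandler) whose source is not in the post. The following is an added example, not the poster's code, of a minimal JAAS CallbackHandler that does the same job; the class name SimpleCallbackHandler and the remote call placeholder are assumptions. The point worth noting is that org.jboss.security.ClientLoginModule does not validate the credentials on the client: a successful LoginContext.login() only records the principal and credential for propagation with the remote invocation, and the server-side zert domain (the XMLLoginModule in the DynamicLoginConfig above) is what actually authenticates the call.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Hypothetical replacement for the poster's ConnectionHandler: answers the name and
// password callbacks that a JAAS login module issues, and refuses anything else.
public class SimpleCallbackHandler implements CallbackHandler {
    private final String user;
    private final char[] password;

    public SimpleCallbackHandler(String user, String password) {
        this.user = user;
        this.password = password.toCharArray();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(user);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password);
            } else {
                // Fail loudly on callbacks we did not anticipate instead of silently skipping them
                throw new UnsupportedCallbackException(cb, "unsupported callback " + cb.getClass().getName());
            }
        }
    }

    // Wipe our copy of the password once the login module has consumed it
    public void clear() {
        Arrays.fill(password, '\0');
    }

    public static void main(String[] args) throws LoginException {
        // auth.conf must contain the "zert" entry listing org.jboss.security.ClientLoginModule
        System.setProperty("java.security.auth.login.config", "auth.conf");

        SimpleCallbackHandler handler = new SimpleCallbackHandler("admin", "test");
        LoginContext loginContext = new LoginContext("zert", handler);
        loginContext.login();      // with ClientLoginModule this cannot fail on a bad password
        handler.clear();
        try {
            // Remote EJB calls made here carry the admin principal/credential to the server,
            // which is where the password is checked (assumption: same lookup as TestClient.runTest()).
            System.out.println(TestClient.runTest());
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            loginContext.logout();  // drop the propagated identity from the client thread
        }
    }
}
```

Because the client-side login cannot fail, a wrong password only shows up as an authentication failure on the server, so the server's security TRACE log (not the client's output) is the place to look when a remote call behaves unexpectedly.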

          • 2. Can't get SessionContext.isCallerInRole(...) to work from remote call.
            jaikiran
            • 3. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
              kriwic

              The test client is setting the property java.security.auth.login.config to the file auth.conf that has the following content:

               

              zert {
                 org.jboss.security.ClientLoginModule required;
              };
              

               

              Shouldn't that be enough? I don't have any security domain called zert in my login-config.xml. Instead I have deployed the security config listed above in my EAR-file.

              • 4. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                kriwic

                I tested adding org.jboss.security.ClientLoginModule to my security domain, so now the file looks as listed below. This did not change anything. It still does not work.

                 

                 

                <?xml version="1.0" encoding="UTF-8"?>
                <!DOCTYPE server PUBLIC
                "-//JBoss//DTD MBean Service 4.0//EN"
                "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
                
                
                <server>
                  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=DynamicLoginConfig">
                    <attribute name="PolicyConfig" serialDataType="jbxb">
                      <jaas:policy
                        xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                        xmlns:jaas="urn:jboss:security-config:4.1"
                        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                
                        <jaas:application-policy name="zert">
                          <jaas:authentication>
                            <jaas:login-module code="org.jboss.security.ClientLoginModule" flag="required">
                            </jaas:login-module>
                
                            <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
                              <jaas:module-option name="userInfo">
                                <ur:users
                                  xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                                  xmlns:ur="urn:jboss:user-roles:1.0">
                                  <ur:user name="admin" password="test">
                                    <ur:role name="administrator"></ur:role>
                                    <ur:role name="producer"></ur:role>
                                    <ur:role name="consumer"></ur:role>
                                  </ur:user>
                                </ur:users>
                              </jaas:module-option>
                              <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
                            </jaas:login-module>
                          </jaas:authentication>
                        </jaas:application-policy>        
                      </jaas:policy>         
                    </attribute>
                    <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends> 
                    <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
                  </mbean>
                </server>
                
                
                • 5. Can't get SessionContext.isCallerInRole(...) to work from remote call.
                  wolfgangknauf

                  Hi Krister,

                   

                  Two things that come to my mind:

                   

                  a) does your EJB have any "secured" method?

                     @RolesAllowed(value={"administrator"} )
                     public void myMethod()
                     {
                     }

                   

                  Maybe you have to add such a security declaration to "checkRole". Otherwise JBoss might think that you are accessing unsecured content and is not performing login.

                   

                  b) did you activate logging of the security layer? See http://community.jboss.org/wiki/SecurityFAQ - question 4. If there is some config error, this might help.

                   

                  The rest of your config looks OK.

                   

                  Best regards

                   

                  Wolfgang
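To make suggestion (a) concrete, here is an added example (not code from the thread or from JBoss) of the test bean with a declarative @RolesAllowed check on checkRole() next to a @PermitAll diagnostic method. The interface name SecuredTest, the bean name SecuredTestBean and the describeCaller() method are assumptions introduced for the example; the roles, the zert security domain and the annotation package are the ones used in the thread.

```java
// --- SecuredTest.java ---
import javax.ejb.Remote;

// Hypothetical remote interface: the thread's Test interface has only checkRole()
@Remote
public interface SecuredTest {
    boolean checkRole();
    String describeCaller();
}

// --- SecuredTestBean.java ---
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@SecurityDomain("zert")
@DeclareRoles({"administrator", "producer", "consumer"})
public class SecuredTestBean implements SecuredTest {
    @Resource
    private SessionContext context;

    // Declarative check: the container rejects any caller that is not in "administrator"
    // with javax.ejb.EJBAccessException before this body runs. A caller that reaches the
    // return statement has therefore already passed the role check, and isCallerInRole()
    // is only a programmatic confirmation of the same decision.
    @RolesAllowed("administrator")
    @Override
    public boolean checkRole() {
        return context.isCallerInRole("administrator");
    }

    // Diagnostic method open to every caller, including the unauthenticatedIdentity "guest"
    // configured in the zert domain: reports which principal the container associated with
    // the invocation and how each declared role evaluates, i.e. the same facts the TRACE log
    // prints ("Principal: admin", "role=Roles()") but returned to the caller.
    @PermitAll
    @Override
    public String describeCaller() {
        StringBuilder sb = new StringBuilder("caller=");
        sb.append(context.getCallerPrincipal().getName());
        for (String role : new String[] {"administrator", "producer", "consumer"}) {
            sb.append(' ').append(role).append('=').append(context.isCallerInRole(role));
        }
        return sb.toString();
    }
}
```

The design point is that a method without any security annotation is reachable by anyone the security domain lets in, which with unauthenticatedIdentity set includes callers that presented no credentials at all; isCallerInRole() inside such a method then merely reports the roles of whatever identity arrived, so it should not be the only gate on a sensitive operation. Putting @RolesAllowed on the method makes the container fail closed, and the describeCaller() output tells you whether the identity and roles that reach the bean are the ones the client thinks it sent.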

                  • 6. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                    kriwic

                    Thanks for your help!

                     

                    I activated trace and got the following:

                     

                    13:19:11,436 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other
                    13:19:11,437 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Application Policy not obtained for domain=CLIENT_LOGIN_MODULE. Trying to obtain the App policy for the default domain of the layer:EJB
                    13:19:11,437 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
                    13:19:11,437 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] no match found for security role administrator in the deployment descriptor for ejb TestBean
                    

                     

                    So now I need to figure out why the wrong security domain is used. Do you have any clue?

                    • 7. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                      wolfgangknauf

                      Hi,

                       

                      could you try to configure your security domain / policy in the standard "login-config.xml", avoiding the DynamicXMLLoginConfig? Thus, we can reduce the complexity and the number of error situations...

                       

                      Best regards

                       

                      Wolfgang

                      • 8. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                        kriwic

                        Hi,

                         

                        I have already tested moving the configuration of the zert security domain to login-config.xml but that made no difference. I still get the trace information that the domain CLIENT_LOGIN_MODULE can't be found.

                         

                        I even tried to add a security domain called CLIENT_LOGIN_CONFIG to login-config.xml as described here https://issues.jboss.org/browse/JBAS-7037. After doing this I did not get the trace info about the missing domain, but the call to isCallerInRole(...) still fails. The strange thing is that the trace shows that the user is not in the role administrator, but the method is executed anyway, even after adding @RolesAllowed(value={"administrator"} ).

                         

                        The full trace of a call after moving the security domain to login-config.xml is:

                         

                        10:47:45,847 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.0.0.Final "Neo"] Started in 22s:961ms
                        10:48:03,266 INFO  [STDOUT] In checkRole()
                        10:48:03,281 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other
                        10:48:03,287 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Application Policy not obtained for domain=CLIENT_LOGIN_MODULE. Trying to obtain the App policy for the default domain of the layer:EJB
                        10:48:03,287 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
                        10:48:03,299 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] no match found for security role administrator in the deployment descriptor for ejb TestBean
                        10:48:03,300 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
                                Principal: admin
                        :role=Roles()
                        10:48:03,300 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Error in authorize:: org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:271) [:3.0.0.CR2]
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:70) [:3.0.0.CR2]
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:154) [:3.0.0.CR2]
                                at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:150) [:3.0.0.CR2]
                                at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474) [:6.0.0.Final]
                                at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:125) [:6.0.0.Final]
                                at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:256) [:3.0.0.CR2]
                                at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:146) [:3.0.0.CR2]
                                at org.jboss.ejb3.security.helpers.EJBContextHelper.isCallerInRole(EJBContextHelper.java:176) [:1.0.2]
                                at org.jboss.ejb3.EJBContextImpl.isCallerInRole(EJBContextImpl.java:164) [:1.7.17]
                                at se.zert.test.TestBean.checkRole(TestBean.java:21) [:]
                                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                                at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptors.container.ContainerMethodInvocationWrapper.invokeNext(ContainerMethodInvocationWrapper.java:72) [:1.1.3]
                                at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76) [:1.1.3]
                                at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62) [:1.1.3]
                                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                                at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                                at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:74) [:1.1.3]
                                at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_13158105.invoke(InvocationContextInterceptor_z_fillMethod_13158105.java) [:]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:90) [:1.1.3]
                                at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_13158105.invoke(InvocationContextInterceptor_z_setup_13158105.java) [:]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.async.impl.interceptor.AsynchronousServerInterceptor.invoke(AsynchronousServerInterceptor.java:128) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.core.context.SessionInvocationContextAdapter.proceed(SessionInvocationContextAdapter.java:95) [:1.7.17]
                                at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:247) [:0.0.1]
                                at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:349) [:0.0.1]
                                at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:209) [:0.0.1]
                                at org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:52) [:0.0.1]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76) [:1.0.0.GA]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:182) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:392) [:1.7.17]
                                at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53) [:1.7.17]
                                at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82) [:1.0.1.GA]
                                at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:898) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:791) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:744) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:548) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:234) [:6.0.0.Final]
                        
                        
                        10:48:03,333 TRACE [org.jboss.security.plugins.javaee.EJBAuthorizationHelper] administrator::isCallerInRole check failed:Authorization Failed: : org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:271) [:3.0.0.CR2]
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:70) [:3.0.0.CR2]
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:154) [:3.0.0.CR2]
                                at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]
                                at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:150) [:3.0.0.CR2]
                                at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474) [:6.0.0.Final]
                                at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:125) [:6.0.0.Final]
                                at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:256) [:3.0.0.CR2]
                                at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:146) [:3.0.0.CR2]
                                at org.jboss.ejb3.security.helpers.EJBContextHelper.isCallerInRole(EJBContextHelper.java:176) [:1.0.2]
                                at org.jboss.ejb3.EJBContextImpl.isCallerInRole(EJBContextImpl.java:164) [:1.7.17]
                                at se.zert.test.TestBean.checkRole(TestBean.java:21) [:]
                                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                                at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptors.container.ContainerMethodInvocationWrapper.invokeNext(ContainerMethodInvocationWrapper.java:72) [:1.1.3]
                                at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76) [:1.1.3]
                                at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62) [:1.1.3]
                                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                                at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                                at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:74) [:1.1.3]
                                at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_13158105.invoke(InvocationContextInterceptor_z_fillMethod_13158105.java) [:]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:90) [:1.1.3]
                                at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_13158105.invoke(InvocationContextInterceptor_z_setup_13158105.java) [:]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.async.impl.interceptor.AsynchronousServerInterceptor.invoke(AsynchronousServerInterceptor.java:128) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.core.context.SessionInvocationContextAdapter.proceed(SessionInvocationContextAdapter.java:95) [:1.7.17]
                                at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:247) [:0.0.1]
                                at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:349) [:0.0.1]
                                at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:209) [:0.0.1]
                                at org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:52) [:0.0.1]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76) [:1.0.0.GA]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:182) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.17]
                                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:392) [:1.7.17]
                                at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53) [:1.7.17]
                                at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91) [jboss-aop.jar:2.2.1.GA]
                                at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82) [:1.0.1.GA]
                                at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:898) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:791) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:744) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:548) [:6.0.0.Final]
                                at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:234) [:6.0.0.Final]
                        

                         

                        /Krister

                        • 9. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                          wolfgangknauf

                          Hi,

                           

                          that's strange: it seems the server is not finding your application policy:

                          "Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other"

                           

                          Did you restart the JBoss server after changing "login-config.xml"? This file is not dynamically refreshed in a running server.

                           

                           

                          Could you post the current config snippets, which were changed since your initial post (e.g. "login-config.xml" file or the security declarations of your bean)?

                           

                          Best regards

                           

                          Wolfgang

                          • 10. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                            kriwic

                            Hi,

                             

                            I have added the following to login-config.xml:

                             

                            ...
                            <policy 
                              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                              xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                              xmlns:ur="urn:jboss:user-roles:1.0">
                            
                              <application-policy name="zert">
                                <authentication>
                                  <login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
                                    <module-option name="userInfo">
                                      <ur:users>
                                        <ur:user name="admin" password="test">
                                          <ur:role name="administrator"></ur:role>
                                          <ur:role name="producer"></ur:role>
                                          <ur:role name="consumer"></ur:role>
                                        </ur:user>
                                      </ur:users>
                                    </module-option>
                                    <module-option name="unauthenticatedIdentity">guest</module-option>
                                  </login-module>
                                </authentication>
                              </application-policy> 
                            ...
                            

                             

                            And my bean looks like this:

                             

                             

                            @Stateless
                            @Remote({Test.class})
                            @SecurityDomain("zert")
                            @DeclareRoles({"administrator", "producer", "consumer"})
                            public class TestBean implements Test {
                              @Resource 
                              private SessionContext context;
                            
                              @Override
                              @RolesAllowed(value={"administrator"})  
                              public boolean checkRole() {
                                System.out.println("In checkRole()");
                                return context.isCallerInRole("administrator");    
                              }
                            }
                            

                             

                            /Krister

                            • 11. Can't get SessionContext.isCallerInRole(...) to work from remote call.
                              wolfgangknauf

                              Hi,

                               

                              this seems to be fine and should work....

                               

                              One idea: which "import" statement do you use for the annotation "@SecurityDomain"? As far as I know, JBoss contains a class named "SecurityDomain" in two different packages, but only one will work. It should be "org.jboss.ejb3.annotation.SecurityDomain".

                               

                              In my own (really simple) security sample, there is one difference: I did not place the "@Remote (Test.class)" annotation on the EJB itself, but on the interface, and without the class name as value:

                               

                              @Stateless
                              @SecurityDomain("zert")
                              @DeclareRoles({"administrator", "producer", "consumer"})
                              public class TestBean implements Test {
                               
                              @Remote
                              public interface Test {

                               

                               

                              Best regards

                               

                              Wolfgang
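
                              The bean from reply 10 written out with every import, as an added example that is not Krister's or Wolfgang's code. It follows reply 11: `@SecurityDomain` comes from `org.jboss.ejb3.annotation`, and `@Remote` stays on the interface (the `Test` interface from the opening post, which is not repeated here) rather than on the bean. The name of the older annotation package in the comment is the editor's assumption, not something stated in the thread.

```java
// Added example, not code from this thread. TestBean as in reply 10, with the
// imports spelled out so the package of @SecurityDomain is visible.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// This is the annotation JBoss 5/6 read the security domain from (reply 11).
import org.jboss.ejb3.annotation.SecurityDomain;
// Assumption by the editor: the JBoss 4-era annotation with the same simple
// name lives in org.jboss.annotation.security. On JBoss 5/6 that one is not
// consulted, so the bean silently falls back to the default domain "other"
// (the "Application Policy not found" line in the log quoted above) and
// isCallerInRole(...) answers false for the remote caller, which is the
// symptom this thread is about. A wrong import compiles cleanly, so the log
// line is the only place the misconfiguration shows up.

@Stateless
@SecurityDomain("zert")
@DeclareRoles({"administrator", "producer", "consumer"})
public class TestBean implements Test {

  @Resource
  private SessionContext context;

  @Override
  @RolesAllowed("administrator")
  public boolean checkRole() {
    // Declarative check first: a caller without "administrator" is rejected
    // by the container before this line runs. The programmatic check is kept
    // for decisions inside the method and to make the result observable.
    boolean isAdmin = context.isCallerInRole("administrator");
    System.out.println("checkRole() called by "
        + context.getCallerPrincipal().getName()
        + ", administrator=" + isAdmin);
    return isAdmin;
  }
}
```

When checking a deployment, grep the server log for "Application Policy not found for domain" together with the domain name the bean declares; if the domain named there is not the one in `@SecurityDomain`, or the fallback to `other` appears, the annotation is not being read and the import is the first thing to verify.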

                              • 12. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                                kriwic

                                Hi Wolfgang,

                                 

                                Thanks a lot for your help! I was using @SecurityDomain from the wrong package. Strangely this works fine in JBoss 4.

                                 

                                Best regards

                                 

                                Krister

                                • 13. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                                  wolfgangknauf

                                  Darn, I should have thought about this earlier ;-).

                                   

                                  The annotation package was changed some time ago - a really, really bad decision...

                                   

                                  Best regards

                                   

                                  Wolfgang