13 Replies Latest reply on May 11, 2011 6:19 PM by Wolfgang Knauf

    Can't get SessionContext.isCallerInRole(...) to work from remote call.

    Krister Wicksell Newbie

      Hi,

       

      I have a stateless bean that I access both from within JBoss via the web container and also from outside JBoss via a remote interface. When I access the bean from within JBoss SessionContext.isCallerInRole(...) works fine but when accessed from the outside of JBoss SessionContext.isCallerInRole(...) always return false.

       

      This works fine in JBoss 4 but when I updated and ported my code to JBoss 6 it stopped working. I also tested in JBoss 5 without success.

       

      I have attached a a small test case for both JBoss 4.2.3 and JBoss 6.0.0. When accessing the TestBean from index.jsp it always work but when accessing it by executing TestClient from outside of JBoss it do not work for JBoss 6.

       

      What am I doing wrong or is this a bug?

        • 1. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
          Krister Wicksell Newbie

          Since I did not get any reply on this post I thought I explain a little better. I would like to get some feedback before I report this as a bug because I don't know if I have missed something.

           

          When I access a stateless bean from outside of JBoss via its remote interface from a Java client SessionContext.isCallerInRole(...) always return false. How ever when I access the same bean from a JSP running in the same JBoss SessionContext.isCallerInRole(...) works correctly. This behavior is in JBoss 5 & 6. In JBoss 4 it works OK for both cases.

           

          In my small test case I have a stateless bean interface named Test. It have only one method checkRole(). This method should return true if the caller have the role administrator.

           

          @Remote
          public interface Test {
            public boolean checkRole();
          }
          

           

          The implementation of the role is as follows below. It uses the security domain zert and the only method return the result of SessionContext.isCallerInRole("administrator").

           

          @Stateless
          @Remote({Test.class})
          @SecurityDomain("zert")
          @DeclareRoles({"administrator", "producer", "consumer"})
          public class TestBean implements Test {
            @Resource 
            private SessionContext context;
          
            @Override
            public boolean checkRole() {
              return context.isCallerInRole("administrator");    
            }
          }
          

           

          The security domain zert has only one user called admin. The admin user is in the roles, administrator, producer and consumer. This can be seen in the listing below.

           

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
          
          <server>
            <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=DynamicLoginConfig">
              <attribute name="PolicyConfig" serialDataType="jbxb">
                <jaas:policy
                  xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                  xmlns:jaas="urn:jboss:security-config:4.1"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
          
                  <jaas:application-policy name="zert">
                    <jaas:authentication>
                      <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
                        <jaas:module-option name="userInfo">
                          <ur:users
                            xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                            xmlns:ur="urn:jboss:user-roles:1.0">
                            <ur:user name="admin" password="test">
                              <ur:role name="administrator"></ur:role>
                              <ur:role name="producer"></ur:role>
                              <ur:role name="consumer"></ur:role>
                            </ur:user>
                          </ur:users>
                        </jaas:module-option>
                        <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
                      </jaas:login-module>
                    </jaas:authentication>
                  </jaas:application-policy>        
                </jaas:policy>         
              </attribute>
              <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends> 
              <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
            </mbean>
          </server>
          
          

           

          When the Test bean is accessed via the remote interface using the following test client, then SessionContext.isCallerInRole(...) always return false. For me this looks like a bug!

           

          public class TestClient {
            public static void main(String[] argv) {
              try {
                System.setProperty("java.security.auth.login.config", "auth.conf");
          
                ConnectionHandler connectionHandler = new ConnectionHandler("admin", "test");
                LoginContext loginContext = new LoginContext("zert", connectionHandler);
                loginContext.login();
          
                System.out.println(runTest());
          
                loginContext.logout();
              } catch (Exception e) {
                e.printStackTrace();
              }
            }
          
          
            public static String runTest() throws Exception {
              Hashtable<String, String> env = new Hashtable<String, String>();
              env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.NamingContextFactory");
              env.put(Context.PROVIDER_URL, "localhost");
          
          
              InitialContext context = new InitialContext(env);
          
          
              Test test = (Test)context.lookup("zert/TestBean/remote");
          
          
              return "Is administrator: " + test.checkRole();
            }
          
            ...
          }
          

           

          How ever when I access the same bean the following JSP the method workd correctly and returns true.

           

          <?xml version="1.0" encoding="UTF-8"?>
          <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
          
          <%@page contentType="text/html; charset=UTF-8" %>
          <%@page import="se.zert.test.*"%>
          
          <html xmlns="http://www.w3.org/1999/xhtml">
            <head>
              <title>Test</title>
            </head>
            <body>
              <%=TestClient.runTest()%>
            </body>
          </html>
          
          

           

          Does anyone have a good answer to why the bean reacts different when accessed from outside of JBoss than inside of JBoss?

           

          Thanks in advance!

          /Krister

          • 3. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
            Krister Wicksell Newbie

            The test client is setting the property java.security.auth.login.config to the file auth.conf that have the following content:

             

            zert {
               org.jboss.security.ClientLoginModule required;
            };
            

             

            Shouldn't that be enough? I don't have any security domain called zert in my login-confix.xml. Instead I have deployed the security config listed above in my EAR-file.

            • 4. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
              Krister Wicksell Newbie

              I tested adding org.jboss.security.ClientLoginModule to my security domain so now the file looks as listed below. This did not change anything. Is still do not work.

               

               

              <?xml version="1.0" encoding="UTF-8"?>
              <!DOCTYPE server PUBLIC
              "-//JBoss//DTD MBean Service 4.0//EN"
              "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">
              
              
              <server>
                <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=DynamicLoginConfig">
                  <attribute name="PolicyConfig" serialDataType="jbxb">
                    <jaas:policy
                      xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
                      xmlns:jaas="urn:jboss:security-config:4.1"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
              
                      <jaas:application-policy name="zert">
                        <jaas:authentication>
                          <jaas:login-module code="org.jboss.security.ClientLoginModule" flag="required">
                          </jaas:login-module>
              
                          <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
                            <jaas:module-option name="userInfo">
                              <ur:users
                                xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                                xmlns:ur="urn:jboss:user-roles:1.0">
                                <ur:user name="admin" password="test">
                                  <ur:role name="administrator"></ur:role>
                                  <ur:role name="producer"></ur:role>
                                  <ur:role name="consumer"></ur:role>
                                </ur:user>
                              </ur:users>
                            </jaas:module-option>
                            <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
                          </jaas:login-module>
                        </jaas:authentication>
                      </jaas:application-policy>        
                    </jaas:policy>         
                  </attribute>
                  <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends> 
                  <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
                </mbean>
              </server>
              
              
              • 5. Can't get SessionContext.isCallerInRole(...) to work from remote call.
                Wolfgang Knauf Master

                Hi Krister,

                 

                two things that come into my mind:

                 

                a) does your EJB have any "secured" method?

                   @RolesAllowed(value={"administrator"} )

                   public void myMethod()

                   {

                   }

                 

                Maybe you have to add such a security declaration to "checkRole". Otherwise JBoss might think that you are accessing unsecured content and is not performing login.

                 

                b) did you activate logging of the security layer? See http://community.jboss.org/wiki/SecurityFAQ - question 4. If there is some config error, this might help.

                 

                The rest of your config looks OK.

                 

                Best regards

                 

                Wolfgang

                • 6. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                  Krister Wicksell Newbie

                  Thanks for your help!

                   

                  I activated trace and got the following:

                   

                  13:19:11,436 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other
                  13:19:11,437 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Application Policy not obtained for domain=CLIENT_LOGIN_MODULE. Trying to obtain the App policy for the default domain of the layer:EJB
                  13:19:11,437 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
                  13:19:11,437 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] no match found for security role administrator in the deployment descriptor for ejb TestBean
                  

                   

                  So now I need to figure out why the wrong security domain is used. Do you have any clue?

                  • 7. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                    Wolfgang Knauf Master

                    Hi,

                     

                    could you try to config your security domain / policy in the standard "login-config.xml", avoiding the DynamicXMLLoginConfig? Thus, we can reduce the complexity and the number of error situations...

                     

                    Best regards

                     

                    Wolfgang

                    • 8. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                      Krister Wicksell Newbie

                      Hi,

                       

                      I have already tested moving the configuration of the zert security domain to login-config.xml but that made no difference. I still get the trace information that the domain CLIENT_LOGIN_MODULE can't be found.

                       

                      I even tried to add a security domain called CLIENT_LOGIN_CONFIG to login-confix.xml as described here https://issues.jboss.org/browse/JBAS-7037. After doing this I did not get the trace info about the missing domain but the call to isCallerInRole(...) still failes. The strange thing is that the trace shows that the user is not in the role administrator but the method is ecexuted anyway even after adding @RolesAllowed(value={"administrator"} ).

                       

                      The full trace of a call after moving the security domain to login-config.xml is:

                       

                      10:47:45,847 INFO  [org.jboss.bootstrap.impl.base.server.AbstractServer] JBossAS [6.0.0.Final "Neo"] Started in 22s:961ms
                      10:48:03,266 INFO  [STDOUT] In checkRole()
                      10:48:03,281 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other
                      10:48:03,287 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Application Policy not obtained for domain=CLIENT_LOGIN_MODULE. Trying to obtain the App policy for the default domain of the layer:EJB
                      10:48:03,287 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
                      10:48:03,299 TRACE [org.jboss.security.authorization.modules.ejb.EJBPolicyModuleDelegate] no match found for security role administrator in the deployment descriptor for ejb TestBean
                      10:48:03,300 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
                              Principal: admin
                      :role=Roles()
                      10:48:03,300 TRACE [org.jboss.security.plugins.authorization.JBossAuthorizationContext] Error in authorize:: org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:271) [:3.0.0.CR2]
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:70) [:3.0.0.CR2]
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:154) [:3.0.0.CR2]
                              at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:150) [:3.0.0.CR2]
                              at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474) [:6.0.0.Final]
                              at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:125) [:6.0.0.Final]
                              at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:256) [:3.0.0.CR2]
                              at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:146) [:3.0.0.CR2]
                              at org.jboss.ejb3.security.helpers.EJBContextHelper.isCallerInRole(EJBContextHelper.java:176) [:1.0.2]
                              at org.jboss.ejb3.EJBContextImpl.isCallerInRole(EJBContextImpl.java:164) [:1.7.17]
                              at se.zert.test.TestBean.checkRole(TestBean.java:21) [:]
                              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                              at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptors.container.ContainerMethodInvocationWrapper.invokeNext(ContainerMethodInvocationWrapper.java:72) [:1.1.3]
                              at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76) [:1.1.3]
                              at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62) [:1.1.3]
                              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                              at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                              at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:74) [:1.1.3]
                              at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_13158105.invoke(InvocationContextInterceptor_z_fillMethod_13158105.java) [:]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:90) [:1.1.3]
                              at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_13158105.invoke(InvocationContextInterceptor_z_setup_13158105.java) [:]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.async.impl.interceptor.AsynchronousServerInterceptor.invoke(AsynchronousServerInterceptor.java:128) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.core.context.SessionInvocationContextAdapter.proceed(SessionInvocationContextAdapter.java:95) [:1.7.17]
                              at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:247) [:0.0.1]
                              at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:349) [:0.0.1]
                              at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:209) [:0.0.1]
                              at org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:52) [:0.0.1]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76) [:1.0.0.GA]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:182) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:392) [:1.7.17]
                              at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53) [:1.7.17]
                              at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82) [:1.0.1.GA]
                              at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:898) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:791) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:744) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:548) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:234) [:6.0.0.Final]
                      
                      
                      10:48:03,333 TRACE [org.jboss.security.plugins.javaee.EJBAuthorizationHelper] administrator::isCallerInRole check failed:Authorization Failed: : org.jboss.security.authorization.AuthorizationException: Authorization Failed: 
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:271) [:3.0.0.CR2]
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:70) [:3.0.0.CR2]
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:154) [:3.0.0.CR2]
                              at java.security.AccessController.doPrivileged(Native Method) [:1.6.0_24]
                              at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:150) [:3.0.0.CR2]
                              at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474) [:6.0.0.Final]
                              at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:125) [:6.0.0.Final]
                              at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:256) [:3.0.0.CR2]
                              at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.isCallerInRole(EJBAuthorizationHelper.java:146) [:3.0.0.CR2]
                              at org.jboss.ejb3.security.helpers.EJBContextHelper.isCallerInRole(EJBContextHelper.java:176) [:1.0.2]
                              at org.jboss.ejb3.EJBContextImpl.isCallerInRole(EJBContextImpl.java:164) [:1.7.17]
                              at se.zert.test.TestBean.checkRole(TestBean.java:21) [:]
                              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                              at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptors.container.ContainerMethodInvocationWrapper.invokeNext(ContainerMethodInvocationWrapper.java:72) [:1.1.3]
                              at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76) [:1.1.3]
                              at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62) [:1.1.3]
                              at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_24]
                              at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_24]
                              at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_24]
                              at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_24]
                              at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:74) [:1.1.3]
                              at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_13158105.invoke(InvocationContextInterceptor_z_fillMethod_13158105.java) [:]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:90) [:1.1.3]
                              at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_13158105.invoke(InvocationContextInterceptor_z_setup_13158105.java) [:]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.async.impl.interceptor.AsynchronousServerInterceptor.invoke(AsynchronousServerInterceptor.java:128) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.core.context.SessionInvocationContextAdapter.proceed(SessionInvocationContextAdapter.java:95) [:1.7.17]
                              at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:247) [:0.0.1]
                              at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.required(CMTTxInterceptor.java:349) [:0.0.1]
                              at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invoke(CMTTxInterceptor.java:209) [:0.0.1]
                              at org.jboss.ejb3.tx2.aop.CMTTxInterceptorWrapper.invoke(CMTTxInterceptorWrapper.java:52) [:0.0.1]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76) [:1.0.0.GA]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.3]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:182) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.17]
                              at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:392) [:1.7.17]
                              at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53) [:1.7.17]
                              at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91) [jboss-aop.jar:2.2.1.GA]
                              at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82) [:1.0.1.GA]
                              at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:898) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:791) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:744) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:548) [:6.0.0.Final]
                              at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:234) [:6.0.0.Final]
                      

                       

                      /Krister

                      • 9. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                        Wolfgang Knauf Master

                        Hi,

                         

                        that's strange: it seems the server is not finding your application policy:

                        "Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other"

                         

                        Did you restart the JBoss server after changing "login-config.xml"? This file is not dynamically refreshed in a running server.

                         

                         

                        Could you post the current config snippets, which were changed since your initial post (e.g. "login-config.xml" file or the security declarations of your bean)?

                         

                        Best regards

                         

                        Wolfgang

                        • 10. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                          Krister Wicksell Newbie

                          Hi,

                           

                          I have added the following to login-config.xml:

                           

                          ...
                          <policy 
                            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" 
                            xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                            xmlns:ur="urn:jboss:user-roles:1.0">
                          
                            <application-policy name="zert">
                              <authentication>
                                <login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
                                  <module-option name="userInfo">
                                    <ur:users>
                                      <ur:user name="admin" password="test">
                                        <ur:role name="administrator"></ur:role>
                                        <ur:role name="producer"></ur:role>
                                        <ur:role name="consumer"></ur:role>
                                      </ur:user>
                                    </ur:users>
                                  </module-option>
                                  <module-option name="unauthenticatedIdentity">guest</module-option>
                                </login-module>
                              </authentication>
                            </application-policy> 
                          ...
                          

                           

                          And my bean look like this:

                           

                           

                          @Stateless
                          @Remote({Test.class})
                          @SecurityDomain("zert")
                          @DeclareRoles({"administrator", "producer", "consumer"})
                          public class TestBean implements Test {
                            @Resource 
                            private SessionContext context;
                          
                            @Override
                            @RolesAllowed(value={"administrator"})  
                            public boolean checkRole() {
                              System.out.println("In checkRole()");
                              return context.isCallerInRole("administrator");    
                            }
                          }
                          

                           

                          /Krister

                          • 11. Can't get SessionContext.isCallerInRole(...) to work from remote call.
                            Wolfgang Knauf Master

                            Hi,

                             

                            this seems to be fine and should work....

                             

                            One idea: which "imports" statement do you use for the annotation "@SecurityDomain"? As far as I know, JBoss contains a class named "SecurityDomain" in two different packages, but only one will work. It should be "org.jboss.ejb3.annotation.SecurityDomain".

                             

                            In my own (really simple) security sample, there is one difference: I did not place the "@Remote (Test.class)" annotation on the EJB itself, but on the interface, and without the class name as value:

                             

                            @Stateless

                            @SecurityDomain("zert")

                            @DeclareRoles({"administrator", "producer", "consumer"})

                            public class TestBean implements Test {

                             

                            @Remote

                            public interface Test {

                             

                             

                            Best regards

                             

                            Wolfgang

                            • 12. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                              Krister Wicksell Newbie

                              Hi Wolfgang,

                               

                              Thanks a lot for your help! I was using @SecurityDomain from the wrong package. Strangely this works fine in JBoss 4.

                               

                              Best regards

                               

                              Krister

                              • 13. Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.
                                Wolfgang Knauf Master

                                Darn, I should have thought about this earlier ;-).

                                 

                                The annotation package was changed some time ago - a really, really bad decision...

                                 

                                Best regards

                                 

                                Wolfgang