5 Replies Latest reply on Nov 20, 2011 4:54 PM by henk de boer

    @RolesAllowed ignored by JBoss AS 6.10/7.02?

    henk de boer Master

      It seems @RolesAllowed is ignored by JBoss AS 6.10 and 7.02.

       

      Given the following simple bean:

       

       

      import javax.annotation.security.DeclareRoles;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.Stateless;
      
      @Stateless
      @DeclareRoles({"FOO"})
      public class FooBean {
      
          @RolesAllowed({"FOO"})
          public void test() {
              System.out.println("In test method");
          }    
      }
      

       

      Calling this in a basic hello world application from e.g. a JSF managed bean, without any authentication having being done, succeeds in JBoss AS 6.10 and JBoss AS 7.02, but throws the expected exception that a client is not allowed to access the method in Glassfish 3.1.1.

       

      Am I misunderstanding how @RolesAllowed works, or is this a major bug in JBoss AS?

        • 1. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
          jaikiran pai Master

          Without any @org.jboss.ejb3.annotation.SecurityDomain, the security is disabled on the bean.

          • 2. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
            henk de boer Master

            jaikiran pai wrote:

             

            Without any @org.jboss.ejb3.annotation.SecurityDomain, the security is disabled on the bean.

             

            I see. Thanks!

             

            I wonder, is this spec compliant? I mean, obviously the @org.jboss.ejb3.annotation.SecurityDomain annotation is JBoss specific, but does the spec allow this behavior, or is there some unclarity here? I've yet to check the actual spec, but neither the books Enterprise JavaBeans (O'Reailly) or EJB3 in action (manning)  mention that there is anything container specific needed to make @RolesAllowed work.

            • 3. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
              henk de boer Master

              jaikiran pai wrote:

               

              Without any @org.jboss.ejb3.annotation.SecurityDomain, the security is disabled on the bean.

              p.s.

               

              This one doesn't seem to be put on the buildpath in Eclipse by JBoss Tools. There's only org.jboss.security.annotation.SecurityDomain there. The JBoss AS 6.x runtime does expose org.jboss.ejb3.annotation.SecurityDomain.

              • 4. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
                henk de boer Master

                To followup, with the annotation mentioned by jaikiran it does work.

                 

                For those also stuck with this and having found this via search, what I did was the following:

                 

                Create a dynamic web project in Eclipse called 'rolesAllowedTest', target JBoss AS 6.x runtime, create a 'com.example' package and add the following two files:

                 

                 

                RolesTestEJB.java

                 

                package com.example;
                
                import javax.annotation.security.DeclareRoles;
                import javax.annotation.security.RolesAllowed;
                import javax.ejb.Stateless;
                
                import org.jboss.ejb3.annotation.SecurityDomain;
                
                @Stateless
                @DeclareRoles({"FOO"})
                @SecurityDomain("something")
                public class RolesTestEJB {
                
                    @RolesAllowed({"FOO"})
                    public void securedMethod() {
                        System.out.println("In secured method");
                    }
                        
                }
                
                

                 

                 

                 

                RolesTestServlet.java

                 

                package com.example;
                
                import java.io.IOException;
                
                import javax.ejb.EJB;
                import javax.servlet.ServletException;
                import javax.servlet.ServletRequest;
                import javax.servlet.ServletResponse;
                import javax.servlet.annotation.WebServlet;
                import javax.servlet.http.HttpServlet;
                
                @WebServlet(urlPatterns="/test")
                public class RolesTestServlet extends HttpServlet {
                    
                    private static final long serialVersionUID = 1L;
                    
                    @EJB
                    private RolesTestEJB rolesTestEJB;
                    
                    @Override
                    public void service(ServletRequest request, ServletResponse response) throws ServletException, IOException {
                        rolesTestEJB.securedMethod();
                    }
                    
                }
                
                

                 

                 

                Nothing else was done, no web.xml or other xml file was added. Deploy this to the server, and browse to http://localhost:8080/rolesAllowedTest/test

                 

                JBoss AS 6.10 will respond with:

                javax.ejb.EJBAccessException: Invalid User
                

                 

                JBoss AS 7.02 will respond with:

                javax.ejb.EJBAccessException: Invocation on method: public void com.example.RolesTestEJB.securedMethod() of bean: RolesTestEJB is not allowed
                

                 

                Glassfish 3.1.1 will respond with:

                javax.ejb.EJBAccessException 
                Caused by: javax.ejb.AccessLocalException: Client not authorized for this invocation.
                

                 

                 

                The earlier question does still stand, is it spec compliant to require this extra annotation?

                • 5. Re: @RolesAllowed ignored by JBoss AS 6.10/7.02?
                  henk de boer Master

                  I discovered one other oddity. On JBoss AS 6.10, in an EAR with only an EJB module, I can add a META-INF/jboss.xml that defines the security domain as follows:

                   

                  META-INF/jboss.xml

                  <?xml version="1.0" ?>
                  <jboss xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss_5_0.xsd" version="5.0">
                       <security-domain>something</security-domain> 
                  </jboss>
                  

                   

                  If the secured EJB is injected into an MDB, it can call the secured methods without having the @SecurityDomain annotation.

                   

                  However, if the application consists of only a web module (like the example being given in the previous post), then this trick does not seem to work. Neither does adding a WEB-INF/jboss-web.xml help, like:

                   

                  WEB-INF/jboss-web.xml

                  <?xml version="1.0" encoding="UTF-8"?>
                  <!DOCTYPE jboss-web PUBLIC "-//JBoss//DTD Web Application 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-web_5_0.dtd">
                  <jboss-web>
                      <security-domain>something</security-domain>
                  </jboss-web>
                  

                   

                  In case of the web module, I also created a web.xml with a security-constraint and security-role in it (this is often needed to 'activate' security, even if the constraint or roles aren't used).

                   

                  Any idea why the .xml file works in the EJB module, but not in the web module for JBoss AS 6.10?

                   

                   

                  In AS 7 the trick doesn't work at all for the web module, since JBoss suddenly complains there's no realm:

                   

                   [org.jboss.as.server.controller] (DeploymentScanner-threads - 2) Deployment of "rolesAllowedTest.war" was rolled back with failure message {"Services with missing/unavailable dependencies" => ["jboss.web.deployment.default-host./rolesAllowedTest.realm missing [ jboss.security.security-domain.something ]"]}
                  
                  

                   

                  So if the annotation is used, JBoss AS 7 doesn't need a realm to be defined somewhere else, but if an xml file is used it needs an extra definition somewhere?