5 Replies Latest reply on Dec 19, 2013 2:18 AM by jaikiran pai

    @RunAs does not work with @Startup @Singleton

    henk de boer Master

      On both JBoss AS 6.10 and 7.02, @RunAs does not work with a singleton session bean.

       

      A web application consisting out of only 2 files can reproduce this:

       

      RolesTestEJB.java

      package com.example;
      
      import javax.annotation.Resource;
      import javax.annotation.security.DeclareRoles;
      import javax.annotation.security.RolesAllowed;
      import javax.ejb.SessionContext;
      import javax.ejb.Stateless;
      
      import org.jboss.ejb3.annotation.SecurityDomain;
      
      @Stateless
      @DeclareRoles({ "FOO" })
      @SecurityDomain("something")
      public class RolesTestEJB {
      
          @Resource
          private SessionContext sessionContext;
      
          @RolesAllowed({ "FOO" })
          public void securedMethod() {
              System.out.println("In secured RolesTestEJB.securedMethod");
              System.out.println("RolesTestEJB.isCallerInRole( \"FOO\" ): " + sessionContext.isCallerInRole("FOO") + " (expect 'true')");
          } 
      }
      

       

       

      RolesTestStartupSingleton.java

      package com.example;
      
      import javax.annotation.PostConstruct;
      import javax.annotation.security.RunAs;
      import javax.ejb.EJB;
      import javax.ejb.Singleton;
      import javax.ejb.Startup;
      
      @RunAs("FOO")
      @Startup
      @Singleton
      public class RolesTestStartupSingleton {
      
          @EJB
          private RolesTestEJB rolesTestEJB;    
          
          @PostConstruct
          public void init() {
              rolesTestEJB.securedMethod();
              
          }    
      }
      

       

       

      On JBoss AS 6.10, this generates the following exception:

       

      Caused by: java.lang.IllegalStateException: Local Call: Security Context is null
                at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:109) [:1.7.21]
                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41) [:1.7.21]
                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67) [:1.7.21]
                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.core.context.CurrentInvocationContextInterceptor.invoke(CurrentInvocationContextInterceptor.java:47) [:1.7.21]
                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67) [:1.0.1]
                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86) [:1.7.21]
                at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:333) [:1.7.21]
                at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:158) [:1.7.21]
                at org.jboss.ejb3.nointerface.impl.invocationhandler.NoInterfaceViewInvocationHandler.invokeEndpoint(NoInterfaceViewInvocationHandler.java:143) [:6.1.0.Final]
                at org.jboss.ejb3.nointerface.impl.invocationhandler.NoInterfaceViewInvocationHandler.access$000(NoInterfaceViewInvocationHandler.java:54) [:6.1.0.Final]
                at org.jboss.ejb3.nointerface.impl.invocationhandler.NoInterfaceViewInvocationHandler$1.invoke(NoInterfaceViewInvocationHandler.java:103) [:6.1.0.Final]
                at org.jboss.ejb3.sis.reflect.InterceptorInvocationHandler$1.proceed(InterceptorInvocationHandler.java:84) [:1.0.0-alpha-1]
                at org.jboss.ejb3.sis.InterceptorAssembly$1.proceed(InterceptorAssembly.java:82) [:1.0.0-alpha-1]
                at org.jboss.ejb3.nointerface.impl.async.AsyncClientInterceptor.invoke(AsyncClientInterceptor.java:119) [:6.1.0.Final]
                at org.jboss.ejb3.sis.InterceptorAssembly$1.proceed(InterceptorAssembly.java:74) [:1.0.0-alpha-1]
                at org.jboss.ejb3.nointerface.impl.invocationhandler.ObjectMethodsInterceptor.invoke(ObjectMethodsInterceptor.java:78) [:6.1.0.Final]
                at org.jboss.ejb3.sis.InterceptorAssembly$1.proceed(InterceptorAssembly.java:74) [:1.0.0-alpha-1]
                at org.jboss.ejb3.sis.InterceptorAssembly.invoke(InterceptorAssembly.java:90) [:1.0.0-alpha-1]
                at org.jboss.ejb3.sis.reflect.InterceptorInvocationHandler.invoke(InterceptorInvocationHandler.java:110) [:1.0.0-alpha-1]
                at org.jboss.ejb3.nointerface.impl.invocationhandler.NoInterfaceViewInvocationHandler.invoke(NoInterfaceViewInvocationHandler.java:115) [:6.1.0.Final]
                at org.jboss.ejb3.proxy.javassist.JavassistInvocationHandlerAdapter.invoke(JavassistInvocationHandlerAdapter.java:71) [:1.0.0]
                at com.example.RolesTestEJB_$$_javassist_3.securedMethod(RolesTestEJB_$$_javassist_3.java)
                at com.example.RolesTestStartupSingleton.init(RolesTestStartupSingleton.java:19)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_20]
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_20]
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_20]
                at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_20]
                at org.jboss.ejb3.interceptors.aop.LifecycleCallbackBeanMethodInterceptor.invoke(LifecycleCallbackBeanMethodInterceptor.java:69) [:1.1.3]
                at org.jboss.aop.joinpoint.ConstructionInvocation.invokeNext(ConstructionInvocation.java:80) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56) [:1.7.21]
                at org.jboss.aop.joinpoint.ConstructionInvocation.invokeNext(ConstructionInvocation.java:80) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42) [:1.0.4]
                at org.jboss.aop.joinpoint.ConstructionInvocation.invokeNext(ConstructionInvocation.java:80) [jboss-aop.jar:2.2.2.GA]
                at org.jboss.ejb3.singleton.aop.impl.ConstructionInvocationContextAdapter.proceed(ConstructionInvocationContextAdapter.java:106) [:1.0.2]
                at org.jboss.ejb3.tx2.impl.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:247) [:0.0.2]
                ... 119 more
      
      

       

       

      On JBoss AS 7.02 this generates the following exception:

       

      Caused by: javax.ejb.EJBAccessException: Invocation on method: public void com.example.RolesTestEJB.securedMethod() of bean: RolesTestEJB is not allowed
           at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:109)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:68)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:146)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:76)
           at com.example.RolesTestEJB$$$view2.securedMethod(Unknown Source)
           at com.example.RolesTestStartupSingleton.init(RolesTestStartupSingleton.java:19)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [:1.6.0_20]
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) [:1.6.0_20]
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) [:1.6.0_20]
           at java.lang.reflect.Method.invoke(Method.java:597) [:1.6.0_20]
           at org.jboss.as.ee.component.ManagedReferenceLifecycleMethodInterceptor.processInvocation(ManagedReferenceLifecycleMethodInterceptor.java:70)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ee.component.ManagedReferenceFieldInjectionInterceptor.processInvocation(ManagedReferenceFieldInjectionInterceptor.java:65)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ee.component.ManagedReferenceInterceptor.processInvocation(ManagedReferenceInterceptor.java:53)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:44)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ejb3.component.session.SessionInvocationContextInterceptor$CustomSessionInvocationContext.proceed(SessionInvocationContextInterceptor.java:126)
           at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:211)
           at org.jboss.as.ejb3.tx.CMTTxInterceptor.requiresNew(CMTTxInterceptor.java:313)
           at org.jboss.as.ejb3.tx.SingletonLifecycleCMTTxInterceptor.processInvocation(SingletonLifecycleCMTTxInterceptor.java:56)
           at org.jboss.as.ejb3.tx.SingletonLifecycleCMTTxInterceptor.processInvocation(SingletonLifecycleCMTTxInterceptor.java:42)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ejb3.component.session.SessionInvocationContextInterceptor.processInvocation(SessionInvocationContextInterceptor.java:71)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
           at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:287) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.0.Final.jar:1.1.0.Final]
           at org.jboss.as.ee.component.BasicComponent.constructComponentInstance(BasicComponent.java:152)
           ... 9 more
      
      

       

       

      On Glassfish 3.1.1 there is no exception and the following is printed:

       

      INFO: In secured RolesTestEJB.securedMethod
      INFO: RolesTestEJB.isCallerInRole( "FOO" ): true (expect 'true')
      
      
        • 1. Re: @RunAs does not work with @Startup @Singleton
          henk de boer Master

          To test that the secured EJB bean can be called at all on JBoss AS, I removed the @Startup annotation and added the following servlet:

           

          RolesTestServlet.java

          package com.example;
          
          import java.io.IOException;
          
          import javax.annotation.security.RunAs;
          import javax.ejb.EJB;
          import javax.servlet.ServletException;
          import javax.servlet.ServletRequest;
          import javax.servlet.ServletResponse;
          import javax.servlet.annotation.WebServlet;
          import javax.servlet.http.HttpServlet;
          import javax.servlet.http.HttpServletRequest;
          
          @RunAs("FOO")
          @WebServlet(urlPatterns="/test")
          public class RolesTestServlet extends HttpServlet {
              
              private static final long serialVersionUID = 1L;
              
              @EJB
              private RolesTestEJB rolesTestEJB;
              
              @Override
              public void service(ServletRequest request, ServletResponse response) throws ServletException, IOException {
                  System.out.println("RolesTestServlet.isUserInRole( \"FOO\" ): " + ((HttpServletRequest) request).isUserInRole("FOO") + " (expect 'false')");
                  rolesTestEJB.securedMethod();
              }    
          }
          

           

           

          This works correctly (as expected, since it's the same as http://community.jboss.org/message/637368#637368) on both JBoss AS 6.10 and 7.02 and prints the following:

           

          23:32:39,191 INFO  [STDOUT] RolesTestServlet.isUserInRole( "FOO" ): false (expect 'false')
          23:32:39,337 INFO  [STDOUT] In secured RolesTestEJB.securedMethod
          23:32:39,353 INFO  [STDOUT] RolesTestEJB.isCallerInRole( "Foo" ): true (expect 'true')
          

           

          So it seems the problem is really with the @Startup @Singleton session bean.

          • 2. Re: @RunAs does not work with @Startup @Singleton
            henk de boer Master

            As it appears, the problem is a little more general. @Startup @Singleton beans cannot call any secured bean, regardless of whether a @RunAs or @RolesAllowed annotation is used.

             

            If the exact same example as given in the openings post is modified to remove @RunAs and @RolesAllowed, the same exceptions happen.

            • 3. Re: @RunAs does not work with @Startup @Singleton
              Alexander Hartner Expert

              Thanks for this post. I am having the same problem with JBEAP 6.1 (JBoss 7.2). Did you find any other work-around for this ?

              • 4. Re: @RunAs does not work with @Startup @Singleton
                Thomas Newman Newbie

                I am using Wildfly beta 1.

                 

                I can get a singleton startup bean to call a secured bean by creating a timer on @PostContruct. The @Timeout method then successfully calls the secured bean.

                 

                @SecurityDomain("somedomain")

                @RunAs("somerole")

                @Singleton

                @Startup

                public class StartUpBean {

                  

                    private static final Logger LOGGER = Logger.getLogger(StartUpBean.class);

                  

                    @Inject

                    private SecuredBean securedBean; //Requires "somerole"

                  

                    @Resource

                    private TimerService timerService;

                 

                    public StartUpBean() {

                    }

                  

                    @PostConstruct

                    public void startControlBeans()

                    {

                        LOGGER.debug("");      

                        timerService.createTimer(5 * 1000, "");      

                    }

                  

                    @Timeout

                    public void startStuff() {

                 

                        try {

                            securedBean.start();

                        } catch (Throwable e){

                            LOGGER.error("Could not start", e);

                        }

                      

                    }

                 

                }

                • 5. Re: @RunAs does not work with @Startup @Singleton
                  jaikiran pai Master

                  Thomas, this was a bug which will be available as a fix in the next version to be released [WFLY-981] @RunAs/@RunAsPrincipal are ignored for @Startup/@Singleton bean - JBoss Issue Tracker. In the meantime, you can give the WildFly nightly build a try WildFly nightly builds available since it contains the fix.