8 Replies Latest reply on Mar 2, 2012 10:35 AM by jaikiran pai

    is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?

    Joseph Wu Newbie

      Hi all,

       

       

      I have the following simple code which is not working

       

      @Stateless(name = "wutong_test_hello")

      @Clustered

      @Remote(HellowWorldRemote.class)

      @Local(HellowWorldLocal.class)

      @SecurityDomain(value = "my-security-domain")

      public class HellowWorldImpl implements HellowWorldRemote, HellowWorldLocal {

       

      @RolesAllowed(value = { "testuserrole" })

      public String hello(String name) {

        String ret = "hello: " + name ;

        log.info(ret + ",hashcode:" + hashCode());

        return ret;

      }

       

       

      every time I invoke hello method from remote standalone app, server  print the following stacks

       

       

      10:14:33,204 INFO  [org.jboss.ejb.client.ClusterContext] Added a new EJB receiver in cluster context ejb for node joe-pc. Total nodes in cluster context = 1

      10:14:33,480 INFO  [org.jboss.ejb.client.remoting.ChannelAssociation] Discarding result for invocation id 0 since no waiting context found

      javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String) of bean: wutong_test_hello is not allowed

      at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:101)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)

      at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)

      at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:300)

      at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$200(MethodInvocationMessageHandler.java:64)

      at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:194)

      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)

      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)

      at java.util.concurrent.FutureTask.run(FutureTask.java:138)

      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

      at java.lang.Thread.run(Thread.java:662)

      at org.jboss.threads.JBossThread.run(JBossThread.java:122)

       

       

      I then place the @SecurityDomain on both HellowWorldLocal and HellowWorldRemote like

       

      @SecurityDomain(value = "my-security-domain")

      public interface HellowWorldRemote {

      String hello(String name);

      }

       

      and remove the annotation from HellowWorldImpl, the server never print any exception and method returned successfully but AuthorizationInterceptor is not in the stack

       

      API doc  of  org.jboss.ejb3.annotation.SecurityDomain does not indicate that it should be placed on interfaces and some demos on internet also put  @SecurityDomain on concrete class but not interface.Did I make any mistake on api ? or misunderstand some concepts?

       

      EJBs are running on JBAS 7.1 final with standalone-ha-full conf

       

       

      Thank you very much

        • 1. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
          jaikiran pai Master

          Joseph Wu wrote:

           

          I then place the @SecurityDomain on both HellowWorldLocal and HellowWorldRemote like

           

          @SecurityDomain(value = "my-security-domain")

          public interface HellowWorldRemote {

          String hello(String name);

          }

           

          and remove the annotation from HellowWorldImpl, the server never print any exception and method returned successfully but AuthorizationInterceptor is not in the stack

           

          I believe the security interceptors are just skipped in this case. Which means that all calls go through. As for the original issue, what does your security domain configuration look like?

          • 2. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
            Joseph Wu Newbie

                        <security-realm name="ApplicationRealm">
                            <authentication>
                                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                            </authentication>
                        </security-realm>

            ...

                    <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                        <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
                    </subsystem>

            ...

                            <security-domain name="my-security-domain" cache-type="default">
                                <authentication>
                                    <login-module code="Remoting" flag="optional">
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                    </login-module>
                                    <login-module code="RealmUsersRoles" flag="required">
                                        <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                        <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                        <module-option name="realm" value="ApplicationRealm"/>
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                    </login-module>
                                </authentication>
                            </security-domain>

            • 3. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
              jaikiran pai Master

              What user are you using to invoke and what role does he belong to? Can you post the contents of the application-users.properties and application-roles.properties. Also try enabling TRACE level logging of org.jboss.as.security, org.jboss.as.ejb3 and org.jboss.security packages and attach those logs when you see this exception.

              • 4. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
                Joseph Wu Newbie

                =====================server side stuff below ===================

                 

                modification to "standalone-full-ha.xml"

                 

                            <security-realm name="ApplicationRealm">
                                <authentication>
                                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                                </authentication>
                            </security-realm>

                ....

                 

                        <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                            <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm">
                                <sasl>
                                    <policy>
                                        <no-anonymous value="true"/>
                                        <no-plain-text value="false"/>
                                        <pass-credentials value="true"/>
                                    </policy>
                                </sasl>
                            </connector>
                        </subsystem>

                 

                ....

                 

                                <security-domain name="my-security-domain" cache-type="default">
                                    <authentication>
                                        <login-module code="Remoting" flag="optional">
                                            <module-option name="password-stacking" value="useFirstPass"/>
                                        </login-module>
                                        <login-module code="RealmUsersRoles" flag="required">
                                            <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                            <module-option name="realm" value="ApplicationRealm"/>
                                            <module-option name="password-stacking" value="useFirstPass"/>
                                        </login-module>
                                    </authentication>
                                </security-domain>

                 

                -------------------------------------------------------------------------------------------------------------

                application-roles.properties:


                test123=aabdd69afca03e09fc05b7539c62818d

                -------------------------------------------------------------------------------------------------------------

                application-users.properties:

                 

                test123=testrole

                ------------------------------------------------------------------------------------------------------------


                @Stateless(name = "wutong_test_hello")
                @Clustered
                @Remote(HellowWorldRemote.class)
                @Local(HellowWorldLocal.class)
                @SecurityDomain(value = "my-security-domain")
                public class HellowWorldImpl implements HellowWorldRemote, HellowWorldLocal {

                 

                @RolesAllowed(value = { "testrole" })
                public String hello(String name) {
                  String ret = "hello: " + name +" , "+ctx.getCallerPrincipal().getName();
                log.info(ret + ",hashcode:" + hashCode());
                  return ret;
                }

                }

                 

                 

                ----------------------------------------------------------------------------------------------------------------------------

                public interface HellowWorldRemote {
                String hello(String name);
                }

                 

                ----------------------------------------------------------------------------------------------------------------------------

                public interface HellowWorldLocal {
                String hello(String name);
                }

                 

                 

                 

                =========================client side stuff below=================================

                jboss-ejb-client.properties:

                 

                endpoint.name=my_end_point
                remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

                remote.connections=default
                remote.connection.default.host=127.0.0.1
                remote.connection.default.port=4447
                remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true

                remote.connection.default.username=test123
                remote.connection.default.password=test


                remote.clusters=ejb

                remote.cluster.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
                remote.cluster.ejb.username=test123
                remote.cluster.ejb.password=test

                 

                ------------------------------------------------------------------------------------------------

                 

                  Properties props = new Properties();
                  props.put(Context.URL_PKG_PREFIXES,"org.jboss.ejb.client.naming");
                  context = new InitialContext(props);

                 

                  
                   HellowWorldRemote remo=(HellowWorldRemote)context.lookup("ejb:/testEJB//wutong_test_hello!com.biz.ejb.face.HellowWorldRemote", HellowWorldRemote.class);
                   log.info(remo.hello(Long.toString(System.currentTimeMillis())));

                 

                 

                ------------------------------------------------------------------------------------------------

                 

                I always get the following exception stacks bath on server side and client side :

                 

                 

                16:58:53,157 ERROR [org.jboss.ejb3.invocation] (EJB default - 2) JBAS014134: EJB Invocation failed on component wutong_test_hello for method public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String) of bean: wutong_test_hello is not allowed
                at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:101) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final.jar:1.1.1.Final]
                at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:300) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$200(MethodInvocationMessageHandler.java:64) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
                at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:194) [jboss-as-ejb3-7.1.0.Final.jar:7.1.0.Final]
                at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441) [rt.jar:1.6.0_25]
                at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303) [rt.jar:1.6.0_25]
                at java.util.concurrent.FutureTask.run(FutureTask.java:138) [rt.jar:1.6.0_25]
                at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886) [rt.jar:1.6.0_25]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908) [rt.jar:1.6.0_25]
                at java.lang.Thread.run(Thread.java:662) [rt.jar:1.6.0_25]
                at org.jboss.threads.JBossThread.run(JBossThread.java:122)


                the principal name from org.jboss.as.security.service.SimpleSecurityManager.getCallerPrincipal() is "$local" ,so that I doubt I did not pass username "test123" to remote server successfully.

                it drives me mad >_<

                • 5. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
                  jaikiran pai Master

                  Add the following properties to your jboss-ejb-client.properties


                  remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
                  remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

                   

                  remote.cluster.ejb.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

                  remote.cluster.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

                   

                  That'll disable the $local scheme used for authentication

                  • 6. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
                    Joseph Wu Newbie

                    Hi jaikiran,you are an awsome reply machine indeed and it worked ! Could you please tell me where can I find reference docs  for  JBAS 7.1 final ? such as how to use "SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER" and "SASL_POLICY_NOPLAINTEXT=false"? I think there are so much background knowledge for me to catch up .

                     

                    Thank you very much

                    • 7. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
                      Darran Lofthouse Master

                      That documentation is currently in the process of being written - if anyone that we have helped with these settings has some time to quickly put together an article within this space showing the settings needed on the client side to connect to the default secured server that would be much appreciated.

                      • 8. Re: is this a defect for processing org.jboss.ejb3.annotation.SecurityDomain ?
                        jaikiran pai Master

                        Good to know you got it working!

                         

                         

                        Joseph Wu wrote:

                         

                        Could you please tell me where can I find reference docs  for  JBAS 7.1 final ? such as how to use "SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER" and "SASL_POLICY_NOPLAINTEXT=false"?

                         

                        Unfortunately, at this point there isn't a comprehensive documentation for this. There are some forum discussions but yeah we need to put up the documentation for this covering all these cases. My plan was to work solely on documentation after the 7.1.0.Final tasks were done, but I'm caught up in some other important tasks right now and haven't yet been able to spend time on documentation. I've stopped promising it will be out there "soon" But yeah, it will be up as soon as I find some time to work on it.

                        1 of 1 people found this helpful