30 Replies Latest reply on Aug 1, 2013 4:02 AM by Alexander Hartner

    Accessing EJB from web application packaged within same EAR

    Alexander Hartner Expert

      Our application consists of a JAR file which contains the EJBs and multiple WAR files. In previous releases of JBoss this worked great; however, since migrating to JBoss 7 we are getting errors when invoking the EJBs from the web applications.

       

      12:34:01,141 INFO  [org.hornetq.ra] (default-threads - 1) HQ151001: Attempting to reconnect org.hornetq.ra.inflow.HornetQActivationSpec(ra=org.hornetq.ra.HornetQResourceAdapter@28665087 destination=java:/queue/DLQ destinationType=javax.jms.Queue ack=Auto-acknowledge durable=false clientID=null user=null maxSession=1)

      12:40:48,707 ERROR [org.jboss.as.ejb3.invocation] (http-/127.0.0.1:8080-2) JBAS014134: EJB Invocation failed on component AdministratorBean for method public abstract java.util.List com.abc.backend.services.AdministratorService.getBatchStatusSummary(com.abc.backend.pojo.PageViewConfig): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.util.List com.abc.backend.services.AdministratorService.getSummary(com.abc.backend.pojo.PageViewConfig) of bean: AdministratorBean is not allowed

              at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:114) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

              at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:222) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

              at com.sun.proxy.$Proxy21.getSummary(Unknown Source)

      We are declaring the security domain in both jboss-web.xml

       

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

      ...

      <security-domain flushOnSessionInvalidation="true">ABCAdministration</security-domain>

      </jboss-web>

      as well as jboss-ejb3.xml

      <?xml version="1.1" encoding="UTF-8"?>

      <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"

                     xmlns="http://java.sun.com/xml/ns/javaee"

                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"

                     xmlns:c="urn:clustering:1.0"

                     xmlns:s="urn:security"

                     xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"

                     version="3.1"

                     impl-version="2.0">

        <assembly-descriptor>

          <s:security>

            <ejb-name>*</ejb-name>

            <s:security-domain>ABCAdministration</s:security-domain>

          </s:security>

        </assembly-descriptor> 

        <enterprise-beans>

      ...

        </enterprise-beans>

      </jboss:ejb-jar>

      Any suggestions on how to resolve this issue?

        • 1. Re: Accessing EJB from web application packaged within same EAR
          xiang yingbing Master

          javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.util.List com.abc.backend.services.AdministratorService.getSummary(com.abc.backend.pojo.PageViewConfig) of bean: AdministratorBean is not allowed

          ~~~~~~~~This is the root cause.

           

          Please NOTE that:

           

           

          (1) Before JBoss AS 7.1.1, any EJB method is allowed to be called by default.


          <subsystem xmlns="urn:jboss:domain:ejb3:1.4">

          ...

          <iiop enable-by-default="false" use-qualified-name="false"/>

          </subsystem>

           

           

          (2) Since JBoss AS 7.2 , any EJB method is NOT allowed to be called by default.


          <subsystem xmlns="urn:jboss:domain:ejb3:1.3">

          ...

          <iiop enable-by-default="false" use-qualified-name="false"/>

          <default-security-domain value="other"/>

          <default-missing-method-permissions-deny-access value="true"/>

          </subsystem>

           

           

           

           

          Two kinds of solutions:

          (a) Fast but NOT good:

          in standalone.xml, change

          <default-missing-method-permissions-deny-access value="true"/>

          to

          <default-missing-method-permissions-deny-access value="false"/>

           

          This is the fast way to make your app work. But this will cause a security issue: by default, any of your EJB methods can be called by any caller.

           

           

          (b) Add annotations to your "not allowed method":

          @PermitAll()

          or

          @RolesAllowed({"some.role(s).allowed.to.call.this.method"})

          • 2. Re: Accessing EJB from web application packaged within same EAR
            Alexander Hartner Expert

            Is there no other option which would allow the web application to run as a "trusted" client to the EJB, with the trust being based on both applications originating from the same ear? Ideally what I am after is to configure the EJB to require authentication and the web application to provide the authentication without specifying username and password within the web application.

            • 3. Re: Accessing EJB from web application packaged within same EAR
              xiang yingbing Master

              Is there no other option which would allow the web application to run as a "trusted" client to the EJB with the trust being based on both applications originating from the same ear?

              ~~~~~ Ignoring security is bad. I had given you a bad solution and a good solution.

               

              Ideally what I am after is to configure the EJB to require authentication and the web application to provide the authentication without specifying username and password within the web application.

              ~~~~~~~~~~ Are you kidding? In my mind, an unsecured app (here, your web app) should never access a secured app (here, your ejb app).

                                      Can/Should you (unsecured) take away money from bank(secured) without any restriction?

              • 4. Re: Accessing EJB from web application packaged within same EAR
                Alexander Hartner Expert

                Thanks for your help with this. Would it not be possible to configure role-based access on the EJB using either @PermitAll for un-secured methods and @RolesAllowed for secured ones,

                @PermitAll()

                or

                @RolesAllowed({"some.role(s).allowed.to.call.this.method"})

                and then to define the run-as role / principal in the web.xml or jboss-web.xml files? Could this resolve my problem? I found this link (http://docs.jboss.org/jbossas/docs/Server_Configuration_Guide/4/html/J2EE_Declarative_Security_Overview-Security_Identity.html) which goes back quite a while. Hopefully there is still something equivalent in the newer JEE specification. Any suggestions?

                • 5. Re: Accessing EJB from web application packaged within same EAR
                  jaikiran pai Master

                  javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.util.List com.abc.backend.services.AdministratorService.getSummary(com.abc.backend.pojo.PageViewConfig) of bean: AdministratorBean is not allowed

                  What does that method look like? Please include any annotations you have used on that method.

                   

                  If you want that method to be accessible to all clients you can just mark it as @PermitAll. Isn't that working?

                   

                  Having said that, I don't understand one of your posts here which says that the access should be granted because it's part of the same .ear. We never had that "feature". Access is always granted based on the incoming roles and the roles associated with the method being invoked.

                  • 6. Re: Accessing EJB from web application packaged within same EAR
                    jaikiran pai Master

                    By the way, which exact version of JBoss AS7 or WildFly is this?

                    • 7. Re: Accessing EJB from web application packaged within same EAR
                      xiang yingbing Master

                      and then to define the run-as role / principal in the web.xml or jboss-web.xml files?

                      ~~~~~~~~Of course you can replace any EJB annotation with an xml element in jboss-ejb3.xml.

                      • 8. Re: Accessing EJB from web application packaged within same EAR
                        xiang yingbing Master

                        I will write an article about the security setting before 2013-08-10 and post it to jboss forum.

                        I think too many people need it.

                        • 9. Re: Accessing EJB from web application packaged within same EAR
                          Alexander Hartner Expert

                          Thanks looking forward to the article.

                           

                          I now have a couple of options:

                           

                          Startup bean using @RunAs and @RolesAllowed

                          import java.util.Properties;
                          import javax.annotation.security.RolesAllowed;
                          import javax.ejb.Stateless;

                          @Stateless(name = "AdministratorBean")
                          @RolesAllowed("AdministrationRole")   // class-level default for every business method
                          public class AdministratorBean extends AbstractManagedBean implements AdministratorRemote, AdministratorLocal
                          {
                            public Properties getConfigurationProperties() {
                              Properties properties = new Properties();
                              ...
                              return properties;
                            }
                          }

                          and

                          import java.util.Properties;
                          import javax.annotation.PostConstruct;
                          import javax.annotation.security.RunAs;
                          import javax.ejb.EJB;
                          import javax.ejb.Singleton;
                          import javax.ejb.Startup;

                          @Startup
                          @RunAs("AdministrationRole")   // outbound EJB calls from this bean should carry this role
                          @Singleton
                          public class StartupBean
                          {
                            @EJB
                            private AdministratorLocal m_administatorService;

                            @PostConstruct
                            public void init()
                            {
                              Properties properties = m_administatorService.getConfigurationProperties();
                            }
                          }

                          However this still resulted in the original error. Only once I added @PermitAll to the getConfigurationProperties method did things start to work.

                           

                          Using a startup servlet instead of the StartupBean and specifying the RunAs role fails with a different exception:

                          import javax.annotation.security.RunAs;
                          import javax.servlet.http.HttpServlet;

                          @RunAs("AdministrationRole")
                          public class StartupServlet extends HttpServlet {
                            ...
                          }

                          Exception using StartupServlet:

                          13:24:29,750 ERROR [org.jboss.as.ejb3.invocation] (ServerService Thread Pool -- 79) JBAS014134: EJB Invocation failed on component AdministratorBean for method public abstract java.util.Properties com.abc.backend.services.AdministratorService.getConfigurationProperties(): java.lang.RuntimeException: java.lang.IllegalStateException: PBOX000075: The property AuthorizationManager is null

                                  at org.jboss.as.security.service.SimpleSecurityManager.authorize(SimpleSecurityManager.java:258) [jboss-as-security-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:112) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61) [jboss-invocation-1.1.1.Final-redhat-2.jar:1.1.1.Final-redhat-2]

                                  at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165) [jboss-as-ee-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.as.ejb3.remote.LocalEjbReceiver.processInvocation(LocalEjbReceiver.java:222) [jboss-as-ejb3-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBObjectInterceptor.handleInvocation(EJBObjectInterceptor.java:58) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBHomeInterceptor.handleInvocation(EJBHomeInterceptor.java:83) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:42) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:125) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144) [jboss-ejb-client-1.0.21.Final-redhat-1.jar:1.0.21.Final-redhat-1]

                                  at com.sun.proxy.$Proxy26.getConfigurationProperties(Unknown Source)

                          It looks like the only option for getting this working is to add @PermitAll either to the method(s) or the class. Maybe I am doing something wrong and don't properly understand @RunAs. Any pointers on getting this resolved are greatly appreciated.

                           

                          I am on JBEAP 6.1.0 (7.2.0).
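                          Added example (not code from this thread or from JBoss): how the deny-by-default method permissions discussed in reply 1 resolve on a bean that mixes class-level @RolesAllowed with @PermitAll and @DenyAll, and how a @RunAs singleton (the approach tried in reply 9) is meant to reach the restricted method. Package, class and method names are hypothetical; it assumes a security domain that maps the logged-in user to the role "AdministrationRole".

```java
// --- AdministratorBean.java (hypothetical; no-interface view, so no separate interface) ---
package com.example.admin;

import java.util.Properties;
import javax.annotation.Resource;
import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// With default-missing-method-permissions-deny-access=true (AS 7.2 / EAP 6.1) a
// business method that carries no permission at all is rejected. The class-level
// @RolesAllowed supplies the default for every method; a method-level annotation wins.
@Stateless
@RolesAllowed("AdministrationRole")
public class AdministratorBean {

    @Resource
    private SessionContext ctx;

    // Open to every caller, authenticated or not (the workaround used in the thread).
    @PermitAll
    public Properties getConfigurationProperties() {
        Properties p = new Properties();
        p.setProperty("caller", ctx.getCallerPrincipal().getName());
        return p;
    }

    // No method-level annotation: inherits "AdministrationRole" from the class.
    // A caller without that role gets JBAS014502 before this body ever runs.
    public String whoAmI() {
        return ctx.getCallerPrincipal().getName()
                + " inRole=" + ctx.isCallerInRole("AdministrationRole");
    }

    // Unreachable through the container no matter which roles the caller holds.
    @DenyAll
    public void dropEverything() { }
}

// --- StartupBean.java (hypothetical) ---
package com.example.admin;

import javax.annotation.PostConstruct;
import javax.annotation.security.RunAs;
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;
import javax.ejb.Singleton;
import javax.ejb.Startup;

// @RunAs makes this bean's outbound EJB calls carry the named role instead of the
// roles of whoever triggered it: the spec's way for an internal component to reach
// a role-restricted method without embedding a username/password. Reply 9 reports
// this still failing at @PostConstruct time on EAP 6.1.0 unless the target is
// @PermitAll, so verify the behaviour on your own version before relying on it.
@Singleton
@Startup
@RunAs("AdministrationRole")
public class StartupBean {

    @EJB
    private AdministratorBean admin;

    @PostConstruct
    public void init() {
        System.out.println("startup sees: " + admin.whoAmI());   // role supplied by @RunAs
        try {
            admin.dropEverything();
        } catch (EJBAccessException e) {
            System.out.println("denied as expected: " + e.getMessage());   // @DenyAll
        }
    }
}
```

                          The same permissions can be expressed without annotations as assembly-descriptor entries in ejb-jar.xml or jboss-ejb3.xml, which is what reply 7 refers to.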

                          • 10. Re: Accessing EJB from web application packaged within same EAR
                            xiang yingbing Master

                            I think @RunAs("AdministrationRole") can NOT be used on JSF MBean or Servlet.

                            @RunAs, @RolesAllowed can ONLY be used on EJB.

                             

                            When you log in to your web application (form or basic style) with username and password, your role(s) are ALREADY decided automatically by JAAS through your username.

                            How could you assign a role to a JSF MBean dynamically?

                             

                            You are abusing them!

                             

                            • 12. Re: Accessing EJB from web application packaged within same EAR
                              xiang yingbing Master

                              However this still resulted in the original error.

                              ~~~~~~~~~~Have you logged in your web application with username(associated with some roles) and password?

                               

                              Only once I added @PermitAll to the getConfigurationProperties method did things start to work.

                              ~~~~~~~~~~I think you did wrong things in the login step and do NOT master enough JAAS info.

                               

                              If you can wait, please add @PermitAll to your method temporarily to make your application work temporarily.

                              You need a good understanding of JAAS. I will post the JBoss 7 JAAS configuration article in 5 days; you can learn from it.

                              Indeed, there are few articles about the full JAAS configuration in JBoss 7.

                              • 14. Re: Accessing EJB from web application packaged within same EAR
                                xiang yingbing Master

                                Maybe I am wrong about the @RunAs description.

                                 

                                I replaced all RunAs with @PermitAll or @RolesAllowed in my code long long ago, I just could NOT understand/use it well.

                                But I still can make my web/ejb/ear applications work well through JAAS without .

                                 

                                JAAS is really good!

                                 
