2 Replies Latest reply on Jan 29, 2017 5:36 PM by karlnicholas

    EJB Security Fails when app deployed in EAR format (but ok in WAR format)

    karlnicholas

      I cannot get EJB security to work when deploying as an EAR. It works on the same server when deployed as a WEB.

Code when deployed as a WAR. Using a Database authentication configuration. At this point in the logs the code is calling the "merge" function in a @Stateless bean.

      2017-01-29 09:14:49,708 DEBUG [org.jboss.security] (default task-11) PBOX00291: Method: merge, interface: Local, required roles: Roles(USER,)

      2017-01-29 09:14:49,708 TRACE [org.jboss.security.audit] (default task-11) [Success]Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public model.User service.UserSessionBean.merge(model.User):ejbMethodInterface=Local:ejbName=UserSessionBean:ejbPrincipal=org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@bdaf3b8d:MethodRoles=Roles(USER,):securityRoleReferences=null:callerSubject=Subject:

        Principal: XXXXXXXX@outlook.com

        Principal: Roles(members:USER)

        Principal: CallerPrincipal(members:XXXXXXX@outlook.com)

      :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];Action=authorization;Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;policyRegistration=null;

      2017-01-29 09:14:49,721 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null

      2017-01-29 09:14:49,732 TRACE [org.jboss.security] (default task-11) PBOX00354: Setting security roles ThreadLocal: null

      2017-01-29 09:14:53,489 TRACE [org.jboss.security] (default task-12) PBOX00200: Begin isValid, principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@bdaf3b8d, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@57ee7d60

This code is deployed as an EAR. If I call something annotated with @PermitAll then it's allowed, but when annotated with @RolesAllowed("USER") then I get this failure.

      2017-01-29 08:50:11,797 DEBUG [org.jboss.security] (default task-12) PBOX00291: Method: merge, interface: Local, required roles: Roles(USER,)

      2017-01-29 08:50:11,797 DEBUG [org.jboss.security] (default task-12) PBOX00292: Insufficient method permissions [principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@7d289613, EJB name: UserService, method: merge, interface: Local, required roles: Roles(USER,), principal roles: Roles(**,), run-as roles: null]

      2017-01-29 08:50:11,798 DEBUG [org.jboss.security] (default task-12) PBOX00299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed

      2017-01-29 08:50:11,798 DEBUG [org.jboss.security] (default task-12) PBOX00325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX00017: Acces denied: authorization failed

        at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:274)

        • 1. Re: EJB Security Fails when app deployed in EAR format (but ok in WAR format)
          karlnicholas

To add some follow-up and more information: it seems to be related to authorization in the security-domain portion of standalone.xml. I can add an authorization tag and set the policy-module to code PermitAll and then it starts working, but that is circumventing the ejb-security and just allowing everything to go through. It's not a remoting issue because, as the logs show, the interface is "Local".

I've tried most everything I can find for suggestions, but it's just not working. I don't know how to set up authorization as a Database login module, but I should think I don't need to do that. There are no obvious examples in the quickstarts.

This is on WildFly 10. Another output from the logs, hopefully with more detail.

          2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00291: Method: merge, interface: Local, required roles: Roles(USER,)

          2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00292: Insufficient method permissions [principal: org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@7d289613, EJB name: UserService, method: merge, interface: Local, required roles: Roles(USER,), principal roles: Roles(**,), run-as roles: null]

          2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed

          2017-01-29 13:59:27,630 DEBUG [org.jboss.security] (default task-12) PBOX00325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX00017: Acces denied: authorization failed

            at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:274)

            at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71)

            at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147)

            at java.security.AccessController.doPrivileged(Native Method)

then ..

          2017-01-29 13:59:27,631 TRACE [org.jboss.security.audit] (default task-12) [Failure]Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public opca.model.User opca.service.UserService.merge(opca.model.User):ejbMethodInterface=Local:ejbName=UserService:ejbPrincipal=org.wildfly.extension.undertow.security.AccountImpl$AccountPrincipal@7d289613:MethodRoles=Roles(USER,):securityRoleReferences=null:callerSubject=Subject:

            Principal: test@test.com

            Principal: roles(members:USER)

            Principal: CallerPrincipal(members:test@test.com)

          :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];Action=authorization;Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;policyRegistration=null;Exception:=PBOX00017: Acces denied: authorization failed ;

          2017-01-29 13:59:27,631 TRACE [org.jboss.security] (default task-12) PBOX00354: Setting security roles ThreadLocal: null

          2017-01-29 13:59:27,632 ERROR [org.jboss.as.ejb3.invocation] (default task-12) WFLYEJB0034: EJB Invocation failed on component UserService for method public opca.model.User opca.service.UserService.merge(opca.model.User): javax.ejb.EJBAccessException: WFLYEJB0364: Invocation on method: public opca.model.User opca.service.UserService.merge(opca.model.User) of bean: UserService is not allowed

            at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:134)

            at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

            at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)

            at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

            at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)

            at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

          • 2. Re: EJB Security Fails when app deployed in EAR format (but ok in WAR format)
            karlnicholas

The answer was to change

<module-option name="rolesQuery" value="select r.role, 'roles' from user_role ur inner join role r on r.id = ur.roles_id inner join user u on u.id = ur.user_id where u.email = ?"/>

to

<module-option name="rolesQuery" value="select r.role, 'Roles' from user_role ur inner join role r on r.id = ur.roles_id inner join user u on u.id = ur.user_id where u.email = ?"/>
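As an added illustration (not code from the thread or from WildFly), a small Python check that reads the callerSubject block of the security audit TRACE the way PicketBox resolves roles: only a Subject group named exactly "Roles" counts, so a rolesQuery whose second column yields 'roles' produces a group with the right members but no effect. The sample blocks are constructed from the output above; the principal names are made up.

```python
import re

# Constructed sample audit blocks, modelled on the TRACE output pasted in this thread
# (not copied verbatim; the principal names are made up).
WAR_OK = """[Success]Resource:=[...:MethodRoles=Roles(USER,):securityRoleReferences=null:callerSubject=Subject:
  Principal: user@example.com
  Principal: Roles(members:USER)
  Principal: CallerPrincipal(members:user@example.com)
:callerRunAs=null:ejbRestrictionEnforcement=false]"""

EAR_FAIL = """[Failure]Resource:=[...:MethodRoles=Roles(USER,):securityRoleReferences=null:callerSubject=Subject:
  Principal: user@example.com
  Principal: roles(members:USER)
  Principal: CallerPrincipal(members:user@example.com)
:callerRunAs=null:ejbRestrictionEnforcement=false]"""

# PicketBox takes the caller's roles only from the Subject group named exactly "Roles";
# the DatabaseServerLoginModule uses the second column of rolesQuery as that group name.
ROLES_GROUP = "Roles"
GROUP_RE = re.compile(r"Principal:\s+(\w+)\(members:([^)]*)\)")
REQUIRED_RE = re.compile(r"MethodRoles=Roles\(([^)]*)\)")


def parse_audit(block):
    """Return (required roles, {group name: member set}) from one audit block."""
    required = {r for r in REQUIRED_RE.search(block).group(1).split(",") if r}
    groups = {name: {m for m in members.split(",") if m}
              for name, members in GROUP_RE.findall(block)}
    return required, groups


def effective_roles(groups):
    """Roles the EJB authorization check will actually see (case-sensitive lookup)."""
    return groups.get(ROLES_GROUP, set())


def diagnose(block):
    """'ok' if the call is authorized, otherwise the most likely misconfiguration."""
    required, groups = parse_audit(block)
    if required & effective_roles(groups):
        return "ok"
    lookalikes = [g for g in groups if g != ROLES_GROUP and g.lower() == ROLES_GROUP.lower()]
    if lookalikes:
        return (f"role group named {lookalikes[0]!r} instead of {ROLES_GROUP!r}: "
                "check the second column of rolesQuery")
    return "no group named 'Roles' grants a required role"


if __name__ == "__main__":
    for label, block in (("WAR", WAR_OK), ("EAR", EAR_FAIL)):
        print(label, "->", diagnose(block))
```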