8 Replies Latest reply on Sep 16, 2001 9:53 AM by callum

    principal=null or requiredRoles=null causing a SecurityExcep

    callum
    callum Aug 16, 2001 10:54 AM

      Hi all,

      I have seen many posts regarding this issue but no solutions, as yet.

      I am using JBoss 2.2.2 and Tomcat 3.2.2.

      I receive this error when calling Session beans from java classes accessed via JSPs. Authentication and authorisation work fine with most actions, however sometimes JBoss appears to drop either the principal or required roles which are clearly listed in the roles.properties and users.properties files.

      Is there a solution to this? it appears unlikely that the application is incorrect as the security is declarative and also works in SilverStream

      >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

      [MatrixEntity] Insufficient method permissions, principal=callumw, method=findByCollection, requiredRoles
      =null
      [TheSearchService] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCol
      lection, requiredRoles=null; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCol
      lection, requiredRoles=null
      [TheSearchService] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      [TheSearchService] java.lang.SecurityException: Insufficient method permissions, principal=callumw,
      method=findByCollection, requiredRoles=null
      [TheSearchService] java.lang.SecurityException: Insufficient method permissions, principal=callumw, metho
      d=findByCollection, requiredRoles=null
      [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInt
      erceptor.java:232)
      [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:
      144)
      [TheSearchService] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
      [TheSearchService] at org.jboss.ejb.EntityContainer.invokeHome(EntityContainer.java:316)
      [TheSearchService] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContaine
      rInvoker.java:436)
      [TheSearchService] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:212)
      [TheSearchService] at $Proxy72.findByCollection(Unknown Source)
      [TheSearchService] at uk.co.mfl.app.common.search.ejb.service.SearchServiceEJB.search(SearchServiceE
      JB.java:109)
      [TheSearchService] at java.lang.reflect.Method.invoke(Native Method)
      [TheSearchService] at org.jboss.ejb.StatefulSessionContainer$ContainerInterceptor.invoke(StatefulSes
      sionContainer.java:570)
      [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:190)

      [TheSearchService] at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessio

      • 16787 Views
      • Tags:
        • 1. Re: principal=null or requiredRoles=null causing a SecurityE
          dhinojosa
          dhinojosa Aug 19, 2001 7:32 PM (in response to callum)

          YAHOO! I solved my situation. In the ejb-jar file the <assembly-descriptor> should be the direct child of the <ejb-jar> tag. I had the <assembly-descriptor> inside the <enterprise-beans> tag which is why mine didn't work. In answer to your original problem, give us a gander of your ejb-jar.xml. Another thing that I learned is that when you do:

          <ejb-name>MyBean</ejb-name>
          <method-name>*</method-name>

          That applies security on all methods on the home and remote interface. Otherwise you will have to place some special tags into your ejb-jar xml to specify which method you are referring to.

          Danno

            • Actions
          • 2. Re: principal=null or requiredRoles=null causing a SecurityE
            ko5tik
            ko5tik Aug 20, 2001 5:53 AM (in response to callum)

            And if you would use XDoclet, all the desriptors would be generated for you...
            ( http://www.sourceforge.net/projects/xdoclet )
            Strange thiung is that jboss verifier did not complained on dtd violation...

              • Actions
            • 3. Re: principal=null or requiredRoles=null causing a SecurityE
              callum
              callum Aug 21, 2001 8:51 AM (in response to callum)

              After further exploration it appears that the security context is dropped when using EJB handles on consecutive requests.

              A portion of our code obtains a handle to a stateful EJB and stores it in memory for later use. Subsequent uses of this handle cause the error listed. When the handle is replaced with the EJB object and later used, the error does not occur.

              Thus our tentative solution is to replace the use of handles with EJB objects. This certainly does appear, at this stage, to be a bug in the JBoss code base but I'm not sure if this is fixed in the following releases.

              Callum

                • Actions
              • 4. Re: principal=null or requiredRoles=null causing a SecurityE
                dhinojosa
                dhinojosa Aug 21, 2001 10:48 AM (in response to callum)

                Mine is working fine, My transaction spans through a servlet, session, then to a CMP entity. I have to make sure that the security is set up with the same role through out the transaction. In other words if a servlet is used by a role called "Admin", then the session bean methods need to be "locked" by "Admin" and the entity bean methods need to be locked by "Admin". Can you give us a sample of the security portion of your web.xml and ejb-jar.xml?

                  • Actions
                • 5. Re: principal=null or requiredRoles=null causing a SecurityE
                  callum
                  callum Aug 25, 2001 9:25 AM (in response to callum)

                  dhinojosa,

                  you say "mine is working fine, my transaction spans through a servlet, session, then to a CMP entity". This doesn't show that you are using EJB handles.

                  To clarify, it appears that the use of a javax.ejb.Handle object will cause the principal to be dropped after the first use. This does not occur when using javax.ejb.EJBObject. We have changed the offending bean to use the EJBObject rather than the handle with no changes in the deployment descriptor and the problem goes away.

                  As an addtional note the "requiredRoles=null" is a separate problem, due usually to missing method permissions in the deployment descriptor. The user logs in, obtains their credentials in the web tier, attempts to access a resource in the EJB tier and due to the missing descriptor for the resource (EJB method) the authenticated user cannot be authorised as the required roles are not defined for the method.

                  Cheers

                  Callum

                    • Actions
                  • 6. Re: principal=null or requiredRoles=null causing a SecurityE
                    lrem
                    lrem Sep 4, 2001 4:59 AM (in response to callum)

                    Callum,

                    For what it's worth, I totally agree. javax.ejb.Handle does indeed lose the Security Principal as you explained.

                    JBoss guys, is this a bug that is going to be fixed?

                    thanks,

                    lachlan

                      • Actions
                    • 7. Re: principal=null or requiredRoles=null causing a SecurityE
                      callum
                      callum Sep 16, 2001 9:53 AM (in response to callum)

                      Just a follow up, but check out the post dated "Sep 5, 2001 2:14 AM Security Bug" in this forum for more replies

                        • Actions
                      • 8. principal=null or requiredRoles=null causing a SecurityExcep
                        dhinojosa
                        dhinojosa Nov 10, 2002 12:00 AM (in response to callum)

                        Hi all,

                        I have seen many posts regarding this issue but no solutions, as yet.

                        I am using JBoss 2.2.2 and Tomcat 3.2.2.

                        I receive this error when calling Session beans from java classes accessed via JSPs. Authentication and authorisation work fine with most actions, however sometimes JBoss appears to drop either the principal or required roles which are clearly listed in the roles.properties and users.properties files.

                        Is there a solution to this? it appears unlikely that the application is incorrect as the security is declarative and also works in SilverStream

                        >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

                        [MatrixEntity] Insufficient method permissions, principal=callumw, method=findByCollection, requiredRoles
                        =null
                        [TheSearchService] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is:
                        java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCol
                        lection, requiredRoles=null; nested exception is:
                        java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                        java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCol
                        lection, requiredRoles=null
                        [TheSearchService] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                        [TheSearchService] java.lang.SecurityException: Insufficient method permissions, principal=callumw,
                        method=findByCollection, requiredRoles=null
                        [TheSearchService] java.lang.SecurityException: Insufficient method permissions, principal=callumw, metho
                        d=findByCollection, requiredRoles=null
                        [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInt
                        erceptor.java:232)
                        [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:
                        144)
                        [TheSearchService] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
                        [TheSearchService] at org.jboss.ejb.EntityContainer.invokeHome(EntityContainer.java:316)
                        [TheSearchService] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContaine
                        rInvoker.java:436)
                        [TheSearchService] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:212)
                        [TheSearchService] at $Proxy72.findByCollection(Unknown Source)
                        [TheSearchService] at uk.co.mfl.app.common.search.ejb.service.SearchServiceEJB.search(SearchServiceE
                        JB.java:109)
                        [TheSearchService] at java.lang.reflect.Method.invoke(Native Method)
                        [TheSearchService] at org.jboss.ejb.StatefulSessionContainer$ContainerInterceptor.invoke(StatefulSes
                        sionContainer.java:570)
                        [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:190)

                        [TheSearchService] at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessio

                          • Actions