8 Replies Latest reply on Sep 16, 2001 9:53 AM by callumw

    principal=null or requiredRoles=null causing a SecurityExcep

    callumw Newbie

      Hi all,

      I have seen many posts regarding this issue but no solutions, as yet.

      I am using JBoss 2.2.2 and Tomcat 3.2.2.

      I receive this error when calling Session beans from Java classes accessed via JSPs. Authentication and authorisation work fine with most actions; however, sometimes JBoss appears to drop either the principal or the required roles, which are clearly listed in the roles.properties and users.properties files.

      Is there a solution to this? It appears unlikely that the application is incorrect, as the security is declarative and also works in SilverStream.

      >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

      [MatrixEntity] Insufficient method permissions, principal=callumw, method=findByCollection, requiredRoles=null
      [TheSearchService] TRANSACTION ROLLBACK EXCEPTION:checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCollection, requiredRoles=null; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCollection, requiredRoles=null
      [TheSearchService] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      [TheSearchService] java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCollection, requiredRoles=null
      [TheSearchService] java.lang.SecurityException: Insufficient method permissions, principal=callumw, method=findByCollection, requiredRoles=null
      [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:232)
      [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:144)
      [TheSearchService] at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:106)
      [TheSearchService] at org.jboss.ejb.EntityContainer.invokeHome(EntityContainer.java:316)
      [TheSearchService] at org.jboss.ejb.plugins.jrmp.server.JRMPContainerInvoker.invokeHome(JRMPContainerInvoker.java:436)
      [TheSearchService] at org.jboss.ejb.plugins.jrmp.interfaces.HomeProxy.invoke(HomeProxy.java:212)
      [TheSearchService] at $Proxy72.findByCollection(Unknown Source)
      [TheSearchService] at uk.co.mfl.app.common.search.ejb.service.SearchServiceEJB.search(SearchServiceEJB.java:109)
      [TheSearchService] at java.lang.reflect.Method.invoke(Native Method)
      [TheSearchService] at org.jboss.ejb.StatefulSessionContainer$ContainerInterceptor.invoke(StatefulSessionContainer.java:570)
      [TheSearchService] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:190)
      [TheSearchService] at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invoke(StatefulSessio

        • 1. Re: principal=null or requiredRoles=null causing a SecurityE
          Daniel Hinojosa Master

          YAHOO! I solved my situation. In the ejb-jar file the <assembly-descriptor> should be the direct child of the <ejb-jar> tag. I had the <assembly-descriptor> inside the <enterprise-beans> tag which is why mine didn't work. In answer to your original problem, give us a gander of your ejb-jar.xml. Another thing that I learned is that when you do:

          <ejb-name>MyBean</ejb-name>
          <method-name>*</method-name>

          That applies security on all methods on the home and remote interface. Otherwise you will have to place some special tags into your ejb-jar xml to specify which method you are referring to.

          Danno

          • 2. Re: principal=null or requiredRoles=null causing a SecurityE
            Konstantin Newbie

            And if you would use XDoclet, all the descriptors would be generated for you...
            ( http://www.sourceforge.net/projects/xdoclet )
            Strange thing is that the JBoss verifier did not complain about the DTD violation...

            • 3. Re: principal=null or requiredRoles=null causing a SecurityE
              callumw Newbie

              After further exploration it appears that the security context is dropped when using EJB handles on consecutive requests.

              A portion of our code obtains a handle to a stateful EJB and stores it in memory for later use. Subsequent uses of this handle cause the error listed. When the handle is replaced with the EJB object and later used, the error does not occur.

              Thus our tentative solution is to replace the use of handles with EJB objects. This certainly does appear, at this stage, to be a bug in the JBoss code base but I'm not sure if this is fixed in the following releases.

              Callum

              • 4. Re: principal=null or requiredRoles=null causing a SecurityE
                Daniel Hinojosa Master

                Mine is working fine. My transaction spans through a servlet, session, then to a CMP entity. I have to make sure that the security is set up with the same role throughout the transaction. In other words, if a servlet is used by a role called "Admin", then the session bean methods need to be "locked" by "Admin" and the entity bean methods need to be locked by "Admin". Can you give us a sample of the security portion of your web.xml and ejb-jar.xml?

                • 5. Re: principal=null or requiredRoles=null causing a SecurityE
                  callumw Newbie

                  dhinojosa,

                   You say "mine is working fine, my transaction spans through a servlet, session, then to a CMP entity". This doesn't show that you are using EJB handles.

                  To clarify, it appears that the use of a javax.ejb.Handle object will cause the principal to be dropped after the first use. This does not occur when using javax.ejb.EJBObject. We have changed the offending bean to use the EJBObject rather than the handle with no changes in the deployment descriptor and the problem goes away.

                   As an additional note, the "requiredRoles=null" is a separate problem, usually due to missing method permissions in the deployment descriptor. The user logs in, obtains their credentials in the web tier, attempts to access a resource in the EJB tier and, due to the missing descriptor for the resource (EJB method), the authenticated user cannot be authorised as the required roles are not defined for the method.

                  Cheers

                  Callum
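The descriptor shape that replies 1, 4 and 5 describe, as an added illustration that is not from any poster's own deployment: an EJB 1.1 ejb-jar.xml with the <assembly-descriptor> as a direct child of <ejb-jar>, a method-permission that covers every home and remote method with "*", and the same "Admin" role name that the web.xml <auth-constraint> must also use. The bean name, package and role are hypothetical; a method that appears in no <method-permission> is exactly the case reported as "requiredRoles=null".

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN"
                         "http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd">
<ejb-jar>
  <enterprise-beans>
    <!-- Hypothetical bean; the thread's own beans are not shown. -->
    <session>
      <ejb-name>SearchService</ejb-name>
      <home>example.search.SearchServiceHome</home>
      <remote>example.search.SearchService</remote>
      <ejb-class>example.search.SearchServiceEJB</ejb-class>
      <session-type>Stateful</session-type>
      <transaction-type>Container</transaction-type>
    </session>
    <!-- WRONG place: an <assembly-descriptor> nested here, inside
         <enterprise-beans>, violates the DTD and never takes effect,
         so calls fail with requiredRoles=null even though the roles
         exist in roles.properties and users.properties. -->
  </enterprise-beans>

  <!-- RIGHT place: direct child of <ejb-jar>, after <enterprise-beans>. -->
  <assembly-descriptor>
    <security-role>
      <!-- Must match the <role-name> used in web.xml's <auth-constraint>
           and <security-role>, or the web-tier principal will not carry
           a role the EJB tier accepts. -->
      <role-name>Admin</role-name>
    </security-role>
    <method-permission>
      <role-name>Admin</role-name>
      <!-- method-name "*" applies to every method on both the home and
           the remote interface. To restrict a single method instead,
           replace "*" with its name and, for overloads, add
           <method-params>. Any method not listed in some
           <method-permission> has no required roles at all. -->
      <method>
        <ejb-name>SearchService</ejb-name>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```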

                  • 6. Re: principal=null or requiredRoles=null causing a SecurityE
                    Lachlan Macpherson Newbie

                    Callum,

                    For what it's worth, I totally agree. javax.ejb.Handle does indeed lose the Security Principal as you explained.

                    JBoss guys, is this a bug that is going to be fixed?

                    thanks,

                    lachlan

                    • 7. Re: principal=null or requiredRoles=null causing a SecurityE
                      callumw Newbie

                      Just a follow-up, but check out the post dated "Sep 5, 2001 2:14 AM Security Bug" in this forum for more replies.
