2 Replies Latest reply on Nov 12, 2001 8:21 AM by Jim Rand

    Scott Stark How-To Example - Private Session Bean

    Jim Rand Newbie

      When running example 1, I get the following results:

      ++ Running SessionClient with username=java, password=echoman, example=example1
      Created LoginContext
      Found PublicSession home
      Created PublicSession
      Bean.echo('Hello') -> Hello
      Found PrivateSession home
      java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
      javax.transaction.TransactionRolledbackException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=java, method=create, requiredRoles=[InternalUser], principalRoles=[Echo]; nested exception is:
      java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=java, method=create, requiredRoles=[InternalUser], principalRoles=[Echo]
      Failed to create PrivateSession as expected
      -------------------------------------------------

      When running as Echo, the public session bean is unable to run-as Internal user.

      ejb-jar.xml contains:


      A trival stateless session echo bean
      <ejb-name>PublicSession</ejb-name>
      org.jboss.docs.jaas.howto.SessionHome
      org.jboss.docs.jaas.howto.Session
      <ejb-class>org.jboss.docs.jaas.howto.PublicSessionBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <ejb-ref>
      <ejb-ref-name>ejb/PrivateSession</ejb-ref-name>
      <ejb-ref-type>Session</ejb-ref-type>
      org.jboss.docs.jaas.howto.SessionHome
      org.jboss.docs.jaas.howto.Session
      <ejb-link>PrivateSession</ejb-link>
      </ejb-ref>
      <security-role-ref>
      <role-name>EchoUser</role-name>
      <role-link>Echo</role-link>
      </security-role-ref>
      <security-identity>
      <run-as>
      <role-name>InternalUser</role-name>
      </run-as>
      </security-identity>


        • 1. Re: Scott Stark How-To Example - Private Session Bean
          Allen Fogleson Newbie

          can you give a bit more information?

          your auth.conf would be helpful, along with your jboss-web and jboss.xml and deployment descriptors.

          I honestly never tried the example, i just went and did security in my application. I myself am using the database login modules, and not the properties files one, but it works with properties files too.

          if you can provide the info i mentioned it will be easier to track this.

          Al

          • 2. Re: Scott Stark How-To Example - Private Session Bean
            Jim Rand Newbie

            Thanks in advance for looking into this for me.

            All the configuration files were straight from the sample code with no modifications. Both the properties file approach and the database login approach produced identical results.

            Note: the Ant 1.4 substitution works - ie, @example@ becomes example1 for:








            auth.conf
            =========

            // The JBoss server side JAAS login config file for the examples

            example1 {
            // A properties file LoginModule that supports CallerPrincipal mapping
            org.jboss.security.auth.spi.UsersRolesLoginModule required
            unauthenticatedIdentity=nobody
            ;
            };

            example2 {
            /* A JDBC based LoginModule
            LoginModule options:
            dsJndiName: The name of the DataSource of the database containing the Principals, Roles tables
            principalsQuery: The prepared statement query equivalent to:
            "select Password from Principals where PrincipalID=?"
            rolesQuery: The prepared statement query equivalent to:
            "select Role, RoleGroup from Roles where PrincipalID=?"
            */
            org.jboss.security.auth.spi.DatabaseServerLoginModule required
            dsJndiName="java:/DefaultDS"
            principalsQuery="select Password from Principals where PrincipalID=?"
            rolesQuery="select Role, RoleGroup from Roles where PrincipalID=?"
            unauthenticatedIdentity=nobody
            ;
            };


            ejb-jar.xml
            ===========

            <?xml version = "1.0" encoding = "UTF-8"?>
            <!DOCTYPE ejb-jar
            PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN"
            "http://java.sun.com/dtd/ejb-jar_2_0.dtd">

            <ejb-jar>
            <display-name>SecurityTests</display-name>
            <enterprise-beans>

            A trival stateless session echo bean
            <ejb-name>PublicSession</ejb-name>
            org.jboss.docs.jaas.howto.SessionHome
            org.jboss.docs.jaas.howto.Session
            <ejb-class>org.jboss.docs.jaas.howto.PublicSessionBean</ejb-class>
            <session-type>Stateless</session-type>
            <transaction-type>Container</transaction-type>
            <ejb-ref>
            <ejb-ref-name>ejb/PrivateSession</ejb-ref-name>
            <ejb-ref-type>Session</ejb-ref-type>
            org.jboss.docs.jaas.howto.SessionHome
            org.jboss.docs.jaas.howto.Session
            <ejb-link>PrivateSession</ejb-link>
            </ejb-ref>
            <security-role-ref>
            <role-name>EchoUser</role-name>
            <role-link>Echo</role-link>
            </security-role-ref>
            <security-identity>
            <run-as>
            <role-name>InternalUser</role-name>
            </run-as>
            </security-identity>



            A trival stateful session echo bean
            <ejb-name>PrivateSession</ejb-name>
            org.jboss.docs.jaas.howto.SessionHome
            org.jboss.docs.jaas.howto.Session
            <ejb-class>org.jboss.docs.jaas.howto.PrivateSessionBean</ejb-class>
            <session-type>Stateful</session-type>
            <transaction-type>Container</transaction-type>
            <security-role-ref>
            <role-name>InternalUser</role-name>
            <role-link>InternalUser</role-link>
            </security-role-ref>

            </enterprise-beans>

            <assembly-descriptor>
            <security-role>
            <role-name>Coder</role-name>
            </security-role>
            <security-role>
            <role-name>Echo</role-name>
            </security-role>
            <security-role>
            <role-name>InternalUser</role-name>
            </security-role>

            <method-permission>
            <role-name>Echo</role-name>

            <ejb-name>PublicSession</ejb-name>
            <method-name>*</method-name>

            </method-permission>
            <method-permission>
            <role-name>InternalUser</role-name>

            <ejb-name>PrivateSession</ejb-name>
            <method-name>*</method-name>

            </method-permission>
            <method-permission>
            <role-name>Coder</role-name>

            <ejb-name>PublicSession</ejb-name>
            <method-name>create</method-name>


            <ejb-name>PublicSession</ejb-name>
            <method-name>remove</method-name>

            </method-permission>
            <method-permission>


            <ejb-name>PublicSession</ejb-name>
            <method-name>noop</method-name>

            </method-permission>

            <exclude-list>
            Methods that cannot be used in this
            deployment

            <ejb-name>PublicSession</ejb-name>
            <method-name>restricted</method-name>

            </exclude-list>
            </assembly-descriptor>
            </ejb-jar>

            jboss.xml
            =========
            <?xml version="1.0" encoding="UTF-8"?>


            <!-- All bean containers use this security manager by default -->
            <security-domain>java:/jaas/@security-domain@</security-domain>

            <enterprise-beans>

            <ejb-name>PublicSession</ejb-name>
            <jndi-name>@example@/PublicSession</jndi-name>



            <ejb-name>PrivateSession</ejb-name>
            <jndi-name>@example@/PrivateSession</jndi-name>

            </enterprise-beans>



            jboss-web.xml
            =============
            <?xml version="1.0" encoding="UTF-8"?>

            <jboss-web>
            <security-domain>java:/jaas/@security-domain@</security-domain>

            <ejb-ref>
            <ejb-ref-name>ejb/SecuredEJB</ejb-ref-name>
            <jndi-name>@example@/PublicSession</jndi-name>
            </ejb-ref>
            <ejb-ref>
            <ejb-ref-name>ejb/PrivateEJB</ejb-ref-name>
            <jndi-name>@example@/PrivateSession</jndi-name>
            </ejb-ref>
            </jboss-web>