6 Replies Latest reply on Jul 31, 2003 5:48 PM by Prabhakar Krishnaswami

    Invoking "unchecked" method from servlet init()

    Shai Almog Newbie

      Hi,
      I am trying to invoke a method on the startup of the application server in order to setup a default user within the database so the administrator can log in and start modifying users. I use the servlet init() method to get started and I invoke a stateless session beans initialize() method which is marked as "unchecked".
      The problem is I get a Security Exception:
      java.lang.SecurityException: Authentication exception, principal=null

      I read about this in other postings around here and the general solution was, go through the login module. The problem is:
      1. I'm already in the server.
      2. I don't have any users yet that can login.

      So sure I can write a special case login module that if the db
      is empty lets the user login with a hardcoded username/password and this will probably work. However this is cumbersom and if thats the length I have to go to I'd rather insert into the database directly and avoid the whole JBoss specific login (yes I know JAAS is a standard, but its incomplete and you need to use org.jboss classes).

      Anyway I tried to work around this by calling SecurityAssociation.setPrincipal() via reflection (to avoid JBoss dependancy) and this changed the null principal to be the one I set, but produced the same exception.

        • 1. Re: Invoking "unchecked" method from servlet init()
          Juha Lindfors Master

          Try setting unathenticatedIdentity for your login module.

          -- Juha

          • 2. Re: Invoking "unchecked" method from servlet init()
            Shai Almog Newbie

            Thanks for the quick reply. Where do I set unathenticatedIdentity?

            I searched the forums, google and the source code and found nothing on the subject. I'll try setting it as a parameter to the login module.

            • 3. Re: Invoking "unchecked" method from servlet init()
              Shai Almog Newbie

              Just a second after posting this turns out I already have this code in my login-config.xml:
              <login-module code="org.jboss.security.auth.spi.AnonLoginModule" flag="required">
              <module-option name="unauthenticatedIdentity">guest</module-option>
              </login-module>


              You must have miss spelled the string. Anyway this obviously doesn't help since I don't go through the login module during the servlet init() method.

              • 4. Re: Invoking "unchecked" method from servlet init()
                Shai Almog Newbie

                Okay, I wrote a workaround. Its crap and I didn't want to do this but apparently its the only way that works that doesn't ivolve getting deep into the guts of JBoss.

                I created a servlet that starts a thread in the init() method and calls itself over by requesting its own URL. Then the servlet service method that is running as a guest user can perform the initialization.

                This sucks! While it works its:

                1. Insecure, since initialization can be a lengthly process people over on the internet can use it as a DoS attack by simply requesting the servlet (they couldn't do the same with a session bean, even a remote session bean won't be accessible VIA the firewall).

                2. I have to wait 1 second within the init() in order to do the callback. So JBoss may claim that it finished initialization when in fact it hasn't.

                I think the whole JBoss security module is really problematic, someone tried to make it elegant and instead made it too complex and almost useless.

                • 5. Re: Invoking "unchecked" method from servlet init()
                  Shai Almog Newbie

                  Even this doensn't work and I'm getting tired of this whole thing.
                  By using unauthenticatedIdentity the servlet gets the guest role but whenever my webclient tries to enter the page (with Basic authentication) it gets back the wrong http reply (as if the permission is denied rather than authentication is required).

                  • 6. Re: Invoking "unchecked" method from servlet init()
                    Prabhakar Krishnaswami Newbie

                    I have similar problem where I am using some login modules. The method permission is set to unchecked for a create, but get an exception 17:42:06,787 ERROR [LogInterceptor] EJBException, causedBy:
                    java.lang.SecurityException: Insufficient method permissions, principal=Eric, me
                    thod=create, interface=HOME, requiredRoles=[], principalRoles=null

                    Any help will be appreciated.