1 Reply Latest reply on Jul 7, 2004 4:32 PM by Scott Stark

    Problem on ClientLoginModule to Secure EJB Layer

    leo Newbie

      Hi,

      I have been put my EJB under JAAS protection and remote call by a disturbed standalone client. My ejb-jar.xml is as following
      <ejb-jar>
      <enterprise-beans>

      <ejb-name>MyBeanSLSB</ejb-name>
      MyBeanHome
      MyBeanRemote
      <ejb-class>MyBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <assembly-descriptor>
      <security-role>
      <role-name>ADMINISTRATOR</role-name>
      </security-role>
      <method-permission>
      <role-name>ADMINISTRATOR</role-name>

      <ejb-name>MyBeanSLSB</ejb-name>
      <method-name>*</method-name>

      </method-permission>
      <method-permission>
      <role-name>ADMINISTRATOR</role-name>

      <ejb-name>MyBeanSLSB</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>create</method-name>

      </method-permission>
      </assembly-descriptor>
      </enterprise-beans>
      </ejb-jar>

      I have use the ClientLoginModule and LoginInitialContextFactory to run on the standalone client and is sucessfully authenicate by the server. However, when I success lookup the Home interface and call create to get the Remote Object. I get the following exception

      11:43:54,170 ERROR [SecurityInterceptor] No method permissions assigned to metho
      d=create, interface=HOME
      11:43:54,170 ERROR [LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: No method permissions assigned to method=create, in
      terface=HOME
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(Se
      curityInterceptor.java:185)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityIntercep
      tor.java:83)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:1
      20)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyF
      actoryFinderInterceptor.java:93)
      at org.jboss.ejb.StatelessSessionContainer.internalInvokeHome(StatelessS
      essionContainer.java:319)
      at org.jboss.ejb.Container.invoke(Container.java:743)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.
      java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAcces
      sorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.
      java:60)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:61)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:53)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.
      java:185)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
      at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:
      360)

      I been work on both jboss-3.2.2 and jboss-3.2.5 and produce the same error. Meanwhile, I have put security-role/security-role-ref in the session bean descriptor but produce same result. Also I have try to put <method-intf>bahbahbah</method-intf> instead of <method-intf>Home</method-intf> but the server remain deploy success without warning or error. The server seem ignore the method-permission tag setting.



      Thanks in advance on what wrong on my setting.