5 Replies Latest reply on Sep 16, 2004 4:45 PM by Dan Thompson

    Q: SecurityException for getEJBObject method

    Ed Hillmann Newbie

      I'm using JBoss 3.2.5, and I have a Stateful Session EJB which is acting as a Facade for client API into my server. The Bean returns a javax.ejb.Handle instance which is used by the client to hold as a reference to its server connection. The server code is as follows:

      public Handle createDataClient() throws CreateException, RemoteException {
       DataRemoteHome dataHome = null;
       try {
       dataHome = lookup.getDataRemoteHome();
       } catch (NamingException ex) {
       throw new EJBException("Unable to get DataRemoteHome reference", ex);
       }
       DataRemote data = dataHome.create(userSettings);
       return data.getHandle();
       }
      

      The above it a method in the Session EJB for the Client, and it returns a Handle for another Stateful Session Bean for the Client. The Client code calling this is...

      public DataClient createDataClient() throws ServerAccessException {
       validateState();
       try {
       Handle dataHandle = userRemote.createDataClient();
       EJBObject ejbObject = dataHandle.getEJBObject();
       return new DataClientImplementation((DataRemote) ejbObject);
       } catch (CreateException ce) {
       throw new ServerAccessException(ce);
       } catch (RemoteException re) {
       throw new ServerAccessException(re);
       }
       }
      


      So, the client is getting the Handle, calling the getEJBObject() method which should return the EJBObject. Then use the EJBObject. I get a SecurityException when I call the getEJBObject method of the returned Handle object....

      java.rmi.ServerException: Could not get EJBObject; nested exception is:
       java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
       java.rmi.ServerException: EJBException:; nested exception is:
       javax.ejb.EJBException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: No method permissions assigned to method=getEJBObject, interface=HOME" type="com.bh.bplan.client.ServerAccessException">com.bh.bplan.client.ServerAccessException: java.rmi.ServerException: Could not get EJBObject; nested exception is:
       java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
       java.rmi.ServerException: EJBException:; nested exception is:
       javax.ejb.EJBException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: No method permissions assigned to method=getEJBObject, interface=HOME
       at com.bh.bplan.client.UserContextImplementation.createDataClient(UserContextImplementation.java:107)
       at com.bh.bplan.client.UserContextTest.testCreateClients(UserContextTest.java:42)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      Caused by: java.rmi.ServerException: Could not get EJBObject; nested exception is:
       java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
       java.rmi.ServerException: EJBException:; nested exception is:
       javax.ejb.EJBException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: No method permissions assigned to method=getEJBObject, interface=HOME
       at org.jboss.proxy.ejb.handle.StatefulHandleImpl.getEJBObject(StatefulHandleImpl.java:158)
       at com.bh.bplan.client.UserContextImplementation.createDataClient(UserContextImplementation.java:102)
       ... 16 more
      Caused by: java.rmi.ServerException: RemoteException occurred in server thread; nested exception is:
       java.rmi.ServerException: EJBException:; nested exception is:
       javax.ejb.EJBException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: No method permissions assigned to method=getEJBObject, interface=HOME
       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:292)
       at sun.rmi.transport.Transport$1.run(Transport.java:148)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
       at java.lang.Thread.run(Thread.java:534)
       at sun.rmi.transport.StreamRemoteCall.exceptionReceivedFromServer(StreamRemoteCall.java:247)
       at sun.rmi.transport.StreamRemoteCall.executeCall(StreamRemoteCall.java:223)
       at sun.rmi.server.UnicastRef.invoke(UnicastRef.java:133)
       at org.jboss.invocation.jrmp.server.JRMPInvoker_Stub.invoke(Unknown Source)
       at org.jboss.invocation.jrmp.interfaces.JRMPInvokerProxy.invoke(JRMPInvokerProxy.java:135)
       at org.jboss.proxy.ejb.handle.StatefulHandleImpl.getEJBObject(StatefulHandleImpl.java:154)
       ... 17 more
      Caused by: java.rmi.ServerException: EJBException:; nested exception is:
       javax.ejb.EJBException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: No method permissions assigned to method=getEJBObject, interface=HOME
       at org.jboss.ejb.plugins.LogInterceptor.handleException(LogInterceptor.java:347)
       at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:124)
       at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
       at org.jboss.ejb.StatefulSessionContainer.internalInvokeHome(StatefulSessionContainer.java:404)
       at org.jboss.ejb.Container.invoke(Container.java:743)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at org.jboss.mx.server.ReflectedDispatcher.dispatch(ReflectedDispatcher.java:60)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:61)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:53)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:86)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:185)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:473)
       at org.jboss.invocation.jrmp.server.JRMPInvoker.invoke(JRMPInvoker.java:360)
       at sun.reflect.GeneratedMethodAccessor76.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:261)
       at sun.rmi.transport.Transport$1.run(Transport.java:148)
       at java.security.AccessController.doPrivileged(Native Method)
       at sun.rmi.transport.Transport.serviceCall(Transport.java:144)
       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:460)
       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:701)
       at java.lang.Thread.run(Thread.java:534)
      Caused by: javax.ejb.EJBException: checkSecurityAssociation; nested exception is: java.lang.SecurityException: No method permissions assigned to method=getEJBObject, interface=HOME
       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:186)
       at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:83)
       at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invokeHome(CachedConnectionInterceptor.java:205)
       at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invokeHome(StatefulSessionInstanceInterceptor.java:102)
       at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:88)
       at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:341)
       at org.jboss.ejb.plugins.TxInterceptorCMT.invokeHome(TxInterceptorCMT.java:128)
       at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
       ... 24 more
      


      So, the server security interceptor is complaining because it can't find any security for that method. I've been able to go through and (in my deployment descriptor) set up method security for all my Bean methods. But I can't see where I do this for getEJBObject(), which is the method the javax.ejb.Handle interface which is created by JBoss, and not me.

      My beans are using the org.jboss.security.auth.spi.UsersRolesLoginModule Authentication module. Is there some way I can configure it to ignore certain methods? Or am I barkingup the wrong tree and should be approaching this some other way? I'm stumped, as I can't see how to set this up...

      Any help would be appreciated.

      Thanks,
      Ed