My application has a rather complicated set of permissions, involving a large number of roles. Typically there is at least one role required for each EJB in my app. I'm trying to get MDBs to be able to call these methods. I'm pretty sure that I could simply create a special role, allow that role to call all of the necessary methods, and assign the role to the MDB via the <run-as> tag in ejb-jar.xml. However, WebLogic seems to allow me to tell an MDB to run as a particular principal, and the security system will load in all of the roles associated with that principal through the security provider. I have been experimenting with trying to accomplish this in JBoss.
Through endless trial and error, I've been able to tell an MDB to run as a particular principal. When the MDB runs, the principal and all of the role associations are picked up by the server. Along with having the roles defined in the security provider, sometimes I need to also assign them via <security-role> definitions in jboss.xml, like this:

    <security-role>
        <role-name>ManageMDBRole</role-name>
        <principal-name>JMSReceiver</principal-name>
    </security-role>
I'm not sure why this is necessary, but it seems that I only need to do this for methods in EJBs that are in the same jar file. If the EJB is in a different jar file (all within the same ear, of course), I don't need to specify it.
Here are some of the log entries that show that the security system is doing something interesting when the onMessage method runs:
2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(rms-test), size=11
2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(rms-test), authInfo=AppConfigurationEntry:
LoginModule Class: org.jboss.security.auth.spi.IdentityLoginModule
ControlFlag: LoginModuleControlFlag: required
2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] initialize
2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] login
2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] commit, loginOk=true
2004-10-13 16:54:49,944 TRACE [org.jboss.security.plugins.JaasSecurityManager.rms-test] updateCache, subject=Subject:
Every time a method is called, the log contains an entry showing the principal and all of the roles. Everything seems to work fine.
I subsequently wrote a test application. The test app uses the same security domain and server config as the main application. However, whenever the MDB runs, the security system does not appear to be engaging. Here are some log entries:
2004-10-13 17:19:03,379 INFO [STDOUT] Received message!
2004-10-13 17:19:03,379 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, runAsPrincipal=JMSReceiver, method=runQuery, interface=LOCAL, requiredRoles=[ManageGatewayManagementRole], runAsRoles=[ManageMDBRole]
2004-10-13 17:19:03,379 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException in method: public abstract void com.corenetworks.jbosstest.ejb.DataSourceTestLocal.runQuery(), causedBy:
java.lang.SecurityException: Insufficient method permissions, runAsPrincipal=JMSReceiver, method=runQuery, interface=LOCAL, requiredRoles=[ManageGatewayManagementRole], runAsRoles=[ManageMDBRole]
And that's it. There's nothing in there that shows the MDB attempting some sort of login like the main application.
I've been staring at this stuff for weeks now, which may be why I'm unable to see the problem. Why would an MDB perform a login in one instance, but not in another? In both cases, I've defined the following for the MDB in ejb-jar.xml:

    <security-identity>
        <run-as>
            <role-name>ManageMDBRole</role-name>
        </run-as>
    </security-identity>

and have the following in jboss.xml:

    <security-identity>
        <run-as-principal>JMSReceiver</run-as-principal>
    </security-identity>
Does anyone have any idea why I'm seeing what I'm seeing here?
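The SecurityInterceptor error quoted in the post is a plain set comparison: the method's required roles (from method-permission in ejb-jar.xml) are intersected with the run-as roles the container attached to the MDB's identity, and the call is refused when the intersection is empty. The script below is an added illustration, not JBoss code and not from the original post; it parses constructed ejb-jar.xml and jboss.xml fragments modelled on the post, derives the run-as identity, and reproduces the check. It assumes (as the poster observed) that a jboss.xml security-role whose principal-name matches the run-as-principal contributes its role-name to the run-as role set, that a missing run-as-principal defaults to "anonymous", and that a method with no declared permission is refused; the bean name ReceiverMDB is invented.

```python
"""Model of the EJB run-as method-permission check (added example, not JBoss's own code)."""
import xml.etree.ElementTree as ET

# Constructed ejb-jar.xml: the MDB runs as ManageMDBRole, and runQuery on
# DataSourceTest requires ManageGatewayManagementRole, as in the posted log.
EJB_JAR_XML = """<ejb-jar>
  <enterprise-beans>
    <message-driven>
      <ejb-name>ReceiverMDB</ejb-name>
      <security-identity><run-as><role-name>ManageMDBRole</role-name></run-as></security-identity>
    </message-driven>
    <session><ejb-name>DataSourceTest</ejb-name></session>
  </enterprise-beans>
  <assembly-descriptor>
    <method-permission>
      <role-name>ManageGatewayManagementRole</role-name>
      <method><ejb-name>DataSourceTest</ejb-name><method-name>runQuery</method-name></method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>"""

# Constructed jboss.xml; the {roles} slot is empty or holds a security-role mapping.
JBOSS_XML_TEMPLATE = """<jboss>
  <enterprise-beans>
    <message-driven>
      <ejb-name>ReceiverMDB</ejb-name>
      <security-identity><run-as-principal>JMSReceiver</run-as-principal></security-identity>
    </message-driven>
  </enterprise-beans>
  <assembly-descriptor>{roles}</assembly-descriptor>
</jboss>"""
JBOSS_XML_PLAIN = JBOSS_XML_TEMPLATE.format(roles="")
JBOSS_XML_MAPPED = JBOSS_XML_TEMPLATE.format(roles="""
    <security-role>
      <role-name>ManageGatewayManagementRole</role-name>
      <principal-name>JMSReceiver</principal-name>
    </security-role>""")


def _find_bean(root, ejb_name):
    """Locate a session/entity/message-driven element by its ejb-name."""
    for bean in root.iter():
        if bean.tag in ("session", "entity", "message-driven") and bean.findtext("ejb-name") == ejb_name:
            return bean
    return None


def run_as_identity(ejb_jar_xml, jboss_xml, ejb_name):
    """Return (principal, frozenset of run-as roles), or None if the bean has no run-as."""
    ejb_jar, jboss = ET.fromstring(ejb_jar_xml), ET.fromstring(jboss_xml)
    bean = _find_bean(ejb_jar, ejb_name)
    role = bean.findtext("security-identity/run-as/role-name") if bean is not None else None
    if role is None:
        return None
    jbean = _find_bean(jboss, ejb_name)
    # Assumption: no run-as-principal in jboss.xml means the "anonymous" principal.
    principal = (jbean.findtext("security-identity/run-as-principal") if jbean is not None else None) or "anonymous"
    roles = {role}
    # Assumption modelled on the post: security-role entries naming the run-as
    # principal add their role-name to the run-as identity.
    for sr in jboss.iter("security-role"):
        if principal in [p.text for p in sr.findall("principal-name")]:
            roles.add(sr.findtext("role-name"))
    return principal, frozenset(roles)


def required_roles(ejb_jar_xml, ejb_name, method_name):
    """Collect the roles that method-permission entries require for one method."""
    roles = set()
    for mp in ET.fromstring(ejb_jar_xml).iter("method-permission"):
        for m in mp.findall("method"):
            if m.findtext("ejb-name") == ejb_name and m.findtext("method-name") in ("*", method_name):
                roles.update(r.text for r in mp.findall("role-name"))
    return frozenset(roles)


def check_method_call(identity, required, method_name, interface="LOCAL"):
    """Apply the interceptor's rule: allow iff required and run-as roles overlap."""
    principal, run_as_roles = identity
    if required & run_as_roles:
        return True, "allowed: %s has %s" % (principal, sorted(required & run_as_roles))
    # Same shape as the SecurityInterceptor message in the post.
    return False, ("Insufficient method permissions, runAsPrincipal=%s, method=%s, interface=%s, "
                   "requiredRoles=[%s], runAsRoles=[%s]" % (principal, method_name, interface,
                   ", ".join(sorted(required)), ", ".join(sorted(run_as_roles))))


if __name__ == "__main__":
    need = required_roles(EJB_JAR_XML, "DataSourceTest", "runQuery")
    for label, jboss in (("no mapping", JBOSS_XML_PLAIN), ("with mapping", JBOSS_XML_MAPPED)):
        ident = run_as_identity(EJB_JAR_XML, jboss, "ReceiverMDB")
        print(label, "->", check_method_call(ident, need, "runQuery")[1])
```

Run with the plain jboss.xml the script prints the exact refusal from the log (runAsRoles=[ManageMDBRole] against requiredRoles=[ManageGatewayManagementRole]); with the security-role mapping added, the run-as identity also carries ManageGatewayManagementRole and the call passes. Note that this models only the descriptor-driven role set; it does not model the IdentityLoginModule path that the first application's TRACE lines show, which is where the two deployments in the post diverge.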