2 Replies Latest reply on Feb 3, 2005 4:47 PM by John Vandale

    Security system works sometimes, but not others?

    Mike Digdon Newbie

      My application has a rather complicated set of permissions, involving a large number of roles. Typically there is at least one role required for each EJB in my app. I'm trying to get MDBs to be able to call these methods. I'm pretty sure that I could simply create a special role, allow that role to call all of the necessary methods, and assign the role to the MDB via the <run-as> tag in ejb-jar.xml. However, WebLogic seems to allow me to tell a MDB to run as a particular principle and the security system will load in all of the roles associated with that principal through the security provider. I have been experimenting with trying to accomplish this in JBoss.

      Through endless trial and error, I've been able to tell a MDB to run as a particular principal. When the MDB runs, the principal and all of the role associations are picked up by the server. Along with having the roles defined in the security provider, sometimes I need to also assign then via <security-role> definitions in jboss.xml, like this:


      <security-role>
       <role-name>ManageMDBRole</role-name>
       <principal-name>JMSReceiver</principal-name>
       </security-role>
      


      I'm not sure why this is necessary, but it seems that I only need to do with for methods in EJBs that are in the same jar file. If the EJB is in a different jar file (all within the same ear, of course), I don't need to specify it.

      Here are some of the log entries that show that the security system is doing something interesting when the onMessage method runs:


      2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(rms-test), size=11
      2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(rms-test), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.security.auth.spi.IdentityLoginModule
      ControlFlag: LoginModuleControlFlag: required
      Options:name=principal, value=JMSReceiver
      name=roles, value=ManageMDBRole,ManageGatewayManagementRole,ManageDeviceRegistrationManagerRole,ViewIPNetworkManagerRole
      2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] initialize
      2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] login
      2004-10-13 16:54:49,944 TRACE [org.jboss.security.auth.spi.IdentityLoginModule] commit, loginOk=true
      2004-10-13 16:54:49,944 TRACE [org.jboss.security.plugins.JaasSecurityManager.rms-test] updateCache, subject=Subject:
      Principal: JMSReceiver
      Principal: Roles(members:ManageGatewayManagementRole,ManageMDBRole,ManageDeviceRegistrationManagerRole,ViewIPNetworkManagerRole)



      Every time a method is called, the log contains an entry showing the principal and all of the roles. Everything seems to work fine.

      I subsequently wrote a test application. The test app uses the same security domain and server config as the main application. However, whenever the MDB runs, the security system does not appear to be engaging. Here are some log entries:


      2004-10-13 17:19:03,379 INFO [STDOUT] Received message!
      2004-10-13 17:19:03,379 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, runAsPrincipal=JMSReceiver, method=runQuery, interface=LOCAL, requiredRoles=[ManageGatewayManagementRole], runAsRoles=[ManageMDBRole]
      2004-10-13 17:19:03,379 ERROR [org.jboss.ejb.plugins.LogInterceptor] EJBException in method: public abstract void com.corenetworks.jbosstest.ejb.DataSourceTestLocal.runQuery(), causedBy:
      java.lang.SecurityException: Insufficient method permissions, runAsPrincipal=JMSReceiver, method=runQuery, interface=LOCAL, requiredRoles=[ManageGatewayManagementRole], runAsRoles=[ManageMDBRole]


      And that's it. There's nothing in there that shows the MDB attempting some sort of login like the main application.

      I've been staring at this stuff for weeks now, which may be why I'm unable to see the problem. Why would a MDB perform a login in one instance, but not in another? In both cases, I've defined the following for the MDB in ejb-jar.xml:

       <security-identity>
       <run-as>
       <role-name>ManageMDBRole</role-name>
       </run-as>
       </security-identity>
      


      and have the following in jboss.xml:

       <security-identity>
       <run-as-principal>JMSReceiver</run-as-principal>
       </security-identity>
      


      Does anyone have any idea why I'm seeing what I'm seeing here?

      Thanks.


        • 1. Re: Security system works sometimes, but not others?
          Scott Stark Master

          Its the security-domain and login module configuration of the target ejb that would initiate a login. MDBs have no notion of a login since they have no defined security context. Have you read the JAAS Howto in this forum?

          You would need to assign the ManageGatewayManagementRole to the MDB using the jboss.xml security-role mapping as shown here where the RunAsWithRolesMDBPrincipal run-as principal is assigned the roles ProjectAdmin, CreateFolder and DeleteFolder:

          <jboss>
          ...
           <message-driven>
           <ejb-name>RunAsWithRolesMDB</ejb-name>
           <destination-jndi-name>queue/C</destination-jndi-name>
           <security-identity>
           <run-as-principal>RunAsWithRolesMDBPrincipal</run-as-principal>
           </security-identity>
           <resource-ref>
           <res-ref-name>jms/QueFactory</res-ref-name>
           <jndi-name>ConnectionFactory</jndi-name>
           </resource-ref>
           </message-driven>
          
           </enterprise-beans>
          
           <assembly-descriptor>
           <security-role>
           <role-name>ProjectAdmin</role-name>
           <principal-name>RunAsWithRolesMDBPrincipal</principal-name>
           </security-role>
           <security-role>
           <role-name>CreateFolder</role-name>
           <principal-name>RunAsWithRolesMDBPrincipal</principal-name>
           </security-role>
           <security-role>
           <role-name>DeleteFolder</role-name>
           <principal-name>RunAsWithRolesMDBPrincipal</principal-name>
           </security-role>
           </assembly-descriptor>
          



          • 2. Re: Security system works sometimes, but not others?
            John Vandale Newbie

            Mapping a role to a principal for an MDB as described here is not mentioned in the JAAS HowTo for this forum at all. I just downloaded it again to make sure my copy is up to date. Search for run-as-principal and you get no hits. Search for security-identity and you only see it described in the context of ejb-jar.xml to to run-as/role-name. Nothing about it for jboss.xml for the purposes you describe here.

            Furthermore when I try this I get this exception upon deployment:

            16:32:37,998 ERROR [XmlFileLoader] failed to load jboss.xml. There could be a syntax error.

            There is no syntax error. My XMLSPY verifies it as ok. In fact if I just comment out the security-identity for the message bean it deploys fine. I copied it exactly as you have it in this post and just changed the principal name. Here it is, just comment it out and I can deploy. Uncomment it and I get the above error. Is it possible there is a bug in 4.0.1RC1 where it chokes on a security-identity specification?

            <security-identity>
            <run-as-principal>myPrincipal</run-as-principal>
            </security-identity>