8 Replies Latest reply on Nov 6, 2004 11:20 AM by Scott Stark

    Problem with roles: principalRoles=null

    Robert Butera Newbie

      Have been attempting to solve this problem for two days with absolutely no success, would greatly appreciate some advice

      Am trying to access a session bean using BASIC auth and the UsersRoles login module under jboss 4.0.0. Everything appears to work fine except intermittently the following Exception is thrown:


      java.lang.SecurityException: Insufficient method permissions, principal=cam, method=create, interface=HOME, requiredRoles=[Administrator, User], principalRoles=null
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:219)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:96)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:613)
      at org.jboss.ejb.Container.invoke(Container.java:876)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:242)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:642)
      at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:155)
      at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:104)
      at org.jboss.invocation.MarshallingInvokerInterceptor.invoke(MarshallingInvokerInterceptor.java:55)
      at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:46)
      at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:55)
      at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:169)
      at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:86)
      at $Proxy93.create(Unknown Source)
      at au.edu.vut.esubmit.webcontainer.web.subject.SubjectListingAction.execute(SubjectListingAction.java:36)
      at org.apache.struts.action.RequestProcessor.processActionPerform(RequestProcessor.java:484)
      at org.apache.struts.action.RequestProcessor.process(RequestProcessor.java:274)
      at org.apache.struts.action.ActionServlet.process(ActionServlet.java:1482)
      at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:507)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:75)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:186)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.jboss.web.tomcat.security.CustomPrincipalValve.invoke(CustomPrincipalValve.java:66)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:540)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:169)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:118)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
      at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
      at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
      at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
      at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
      at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
      at java.lang.Thread.run(Thread.java:536)


      The exception is thrown just after authorisation and then everything is generally fine for the rest of the session. I attempted the same under jboss 4.0.1RC1 which only succeeded in turning the intermittent problem into a permanent one, the exception is thrown on every request.

      I have included some excerpts from the relevant files below. Any advice would be greatly appreciated. I have looked through the forum, however a more common problem appears to be the "principal=null" one, I am not sure if this is related.

      ejb-jar.xml
      --------------

      <![CDATA[Facade for Subject entity]]>
      <display-name>SubjectFacade</display-name>
      <ejb-name>SubjectFacade</ejb-name>
      au.edu.vut.esubmit.common.interfaces.domain.SubjectFacadeHome
      au.edu.vut.esubmit.common.interfaces.domain.SubjectFacade
      <ejb-class>au.edu.vut.esubmit.ejbcontainer.services.domain.ejb.SubjectFacadeSession</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>

      <ejb-local-ref >
      <ejb-ref-name>ejb/SubjectLocal</ejb-ref-name>
      <ejb-ref-type>Entity</ejb-ref-type>
      <local-home>au.edu.vut.esubmit.ejbcontainer.domain.interfaces.SubjectLocalHome</local-home>
      au.edu.vut.esubmit.ejbcontainer.domain.interfaces.SubjectLocal
      <ejb-link>Subject</ejb-link>
      </ejb-local-ref>
      <ejb-local-ref >
      <ejb-ref-name>ejb/UserLocal</ejb-ref-name>
      <ejb-ref-type>Entity</ejb-ref-type>
      <local-home>au.edu.vut.esubmit.ejbcontainer.domain.interfaces.UserLocalHome</local-home>
      au.edu.vut.esubmit.ejbcontainer.domain.interfaces.UserLocal
      <ejb-link>User</ejb-link>
      </ejb-local-ref>

      <security-role-ref>
      <role-name>Administrator</role-name>
      <role-link>Administrator</role-link>
      </security-role-ref>
      <security-role-ref>
      <role-name>User</role-name>
      <role-link>User</role-link>
      </security-role-ref>



        • 1. Re: authentication from transport layer (TLS, SSL)?
          Scott Stark Master

          Only tomcat has a proper notion of authentication based on the ssl certificate since is required by the servlet spec. You can do something similar for the ejb invokers, but you have to use a custom socket factory to get access to the ssl cert info. The authentication happens at the ssl level, and jboss is not involved with this, but if you want to use the client cert as credentials for authentication at the ejb container level then this has to be extracted from the transport layer and propagated to the to the container with the call invocation payload.

          • 2. Re: Problem with roles: principalRoles=null
            Robert Butera Newbie

            Appologies, here is the rest of the post:

            ejb-jar (cont)
            ----------------
            <assembly-descriptor >
            <!--
            To add additional assembly descriptor info here, add a file to your
            XDoclet merge directory called assembly-descriptor.xml that contains
            the <assembly-descriptor></assembly-descriptor> markup.
            -->
            <security-role>
            <![CDATA[description not supported yet by ejbdoclet]]>
            <role-name>User</role-name>
            </security-role>
            <security-role>
            <![CDATA[description not supported yet by ejbdoclet]]>
            <role-name>Administrator</role-name>
            </security-role>

            <method-permission >
            <![CDATA[description not supported yet by ejbdoclet]]>
            <role-name>Administrator</role-name>
            <role-name>User</role-name>

            <![CDATA[description not supported yet by ejbdoclet]]>
            <ejb-name>SubjectFacade</ejb-name>
            <method-name>*</method-name>

            </method-permission>

            ...


            web.xml
            ----------
            <security-constraint>
            <web-resource-collection>
            <web-resource-name>action</web-resource-name>
            Restricted area
            <url-pattern>/pages/*</url-pattern>
            <http-method>HEAD</http-method>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
            <http-method>PUT</http-method>
            <http-method>DELETE</http-method>
            </web-resource-collection>

            <auth-constraint>
            <role-name>Administrator</role-name>
            <role-name>User</role-name>
            </auth-constraint>

            <user-data-constraint>
            no description
            <transport-guarantee>NONE</transport-guarantee>
            </user-data-constraint>

            </security-constraint>

            <login-config>
            <auth-method>BASIC</auth-method>
            <realm-name>esubmit</realm-name>
            <!--form-login-config>
            <form-login-page>/login.do</form-login-page>
            <form-error-page>/logoff.do</form-error-page>
            </form-login-config-->
            </login-config>

            <security-role>
            Admin user
            <role-name>Administrator</role-name>
            </security-role>

            <security-role>
            Regular user
            <role-name>User</role-name>
            </security-role>

            jboss.xml
            -----------


            <security-domain>java:/jaas/esubmit</security-domain>

            <enterprise-beans>


            <ejb-name>SubjectFacade</ejb-name>
            <jndi-name>ejb/SubjectFacade</jndi-name>

            <method-attributes>
            </method-attributes>

            ...

            login-config.xml
            -------------------
            <application-policy name = "esubmit">

            <login-module code="org.jboss.security.ClientLoginModule" flag="required">
            </login-module>
            <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
            <module-option name="unauthenticatedIdentity">nobody</module-option>
            </login-module>


            • 3. Re: Problem with roles: principalRoles=null
              Scott Stark Master

              principal=cam has no roles assigned. The roles.properties file must not contain any mappings for this principal. To be sure of what properties file is being picked up you should define properties files unique to the login configuration as show here:

               <application-policy name = "esubmit">
               <authentication>
               <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
               flag = "required">
               <module-option name="usersProperties">esubmit-users.properties</module-option>
               <module-option name="rolesProperties">esubmit-roles.properties</module-option>
               </login-module>
               </authentication>
               </application-policy>
              



              • 4. Problem solved
                Robert Butera Newbie

                Thanks for your reply Scott.

                Had tried to explicity specify the user and roles file in the application policy. however it didn't make a difference.

                The problem ended up being the ClientLoginModule that was included in my application policy. i.e.

                Before:

                <application-policy name = "esubmit">

                <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                </login-module>
                <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
                <module-option name="unauthenticatedIdentity">nobody</module-option>
                <module-option name="usersProperties">users.properties</module-option>
                <module-option name="rolesProperties">roles.properties</module-option>
                </login-module>

                </application-policy>

                After:

                <application-policy name = "esubmit">

                <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
                <module-option name="unauthenticatedIdentity">nobody</module-option>
                <module-option name="usersProperties">users.properties</module-option>
                <module-option name="rolesProperties">roles.properties</module-option>
                </login-module>

                </application-policy>

                This rectified the problem in both jboss 4.0 and jboss 4.0.1RC1.

                • 5. Re: Problem with roles: principalRoles=null
                  James Richardson Newbie

                  Hmm.. this seems very similar to the problem I'm seeing.

                  Does it work sometimes and not others?

                  If you add:

                  <category name="org.jboss.security">
                   <priority value="TRACE" />
                   </category>
                  
                   <category name="org.jboss.security">
                   <priority value="TRACE" class="org.jboss.logging.XLevel"/>
                   </category>


                  to your log4j.xml , can you see that initially there IS in fact a bunch of roles?



                  • 6. Re: Problem with roles: principalRoles=null
                    Robert Butera Newbie

                    On JBoss 4.0.0 it was occuring sporadically, however in JBoss 4.0.1R1 it was occuring on every request.

                    Yes, if I revert my configuration and change the logging settings, I can see the roles just before the exception is thrown:

                    2004-11-12 00:12:57,510 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'cam' authenticated, loginOk=true
                    2004-11-12 00:12:57,510 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
                    2004-11-12 00:12:57,510 TRACE [org.jboss.security.plugins.JaasSecurityManager.esubmit] updateCache, subject=Subject:
                     Principal: cam
                     Principal: Roles(members:Administrator)
                    
                    2004-11-12 00:12:57,520 TRACE [org.jboss.security.auth.spi.UsersRolesLoginModule] logout
                    2004-11-12 00:12:57,520 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=cam, method=create, interface=HOME, requiredRoles=[Administrator, User], principalRoles=null
                    


                    Am still not sure however, why this occurs when the ClientLoginModule is included in the application policy and why it disappears when it is removed.

                    • 7. Re: Problem with roles: principalRoles=null
                      Fred Nowak Newbie

                      Hello scott, hello robuttera,

                      I experience the same problem.
                      I try to use a protected method in an ejb but it
                      seems the roles are not set properly.

                      Here is the stack trace ...

                      
                      14:01:36,254 INFO [STDOUT] fnowak
                      14:01:36,254 INFO [STDOUT] ROLES(members:moderator,administrator,user)
                      
                      14:01:36,264 ERROR [SecurityInterceptor] Insufficient method permissions, principal=fnowak, method=deleteNews, interface=LOCAL, requiredRoles=[administrator, root, server, moderator], principalRoles=null
                      14:01:36,264 ERROR [LogInterceptor] EJBException in method: public abstract void com.holomind.ejb.communication.CommunicationAgentLocal.deleteNews(com.holomind.ejb.communication.CommunicationNewsData) throws com.holomind.ejb.communication.CommunicationException, causedBy:
                      java.lang.SecurityException: Insufficient method permissions, principal=fnowak, method=deleteNews, interface=LOCAL, requiredRoles=[administrator, root, server, moderator], principalRoles=null
                       at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:219)
                       at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:118)
                       at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
                       at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
                       at org.jboss.ejb.SessionContainer.internalInvoke(SessionContainer.java:624)
                       at org.jboss.ejb.Container.invoke(Container.java:854)
                       at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invoke(BaseLocalProxyFactory.java:413)
                       at org.jboss.ejb.plugins.local.StatelessSessionProxy.invoke(StatelessSessionProxy.java:82)
                       at $Proxy134.deleteNews(Unknown Source)
                       at com.holomind.cocoon.communication.acting.DeleteNewsAction.act(DeleteNewsAction.java:62)
                       ...
                      
                      


                      I use the Jaas API to log JBoss 4.0.0.
                      I set up the servlet filter shown in tutorial on Jaas.
                      So I keep the login context in a session attribute and print its content just before using the protected method. (see before)

                      Here is the login configuration i use (i do not use an unauthenticatedIdentity) :

                       <application-policy name="other">
                       <authentication>
                       <login-module
                       code = "org.jboss.security.ClientLoginModule" flag = "required">
                       </login-module>
                       <login-module
                       code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                       <module-option name="managedConnectionFactoryName">jboss.jca.service=LocalTxCM,name=MySqlDS</module-option>
                       <module-option name="dsJndiName">java:/MySqlDS</module-option>
                       <module-option name="principalsQuery">
                       // skipped for brievty
                       </module-option>
                       <module-option name="rolesQuery">
                       // skipped for brievty
                       </module-option>
                       </login-module>
                       </authentication>
                       </application-policy>
                      


                      An


                      • 8. Re: Problem with roles: principalRoles=null
                        Alessandro Yoshi Polliotti Newbie

                        Try to put the ClientLoginModule as the last module in your config file.