3 Replies Latest reply on Jan 15, 2005 6:01 PM by Thomas Cherel

    confusion about when requiredRoles=[] (i.e. no required role

    Dave Haas Newbie

      Hi all.

      I'm trying to set up the situation where client authentication is NOT required (client does not need to supply username/password) but EJB operations are still done over SSL.

      I have the following config:

      in server.policy:

      grant {
       // Allow everything for now
       permission java.security.AllPermission;
      };
      


      in jboss-service.xml I have configured a security domain

       <mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=JaasSecurityDomain,domain=simpleSecureSB">
       <constructor>
       <arg type="java.lang.String" value="simpleSecureSB"/>
       </constructor>
       <attribute name="KeyStoreURL">test.keystore</attribute>
       <attribute name="KeyStorePass">test</attribute>
       </mbean>
      


      in login-config.xml I have set up the security domain to NOT require a username and password (at least I think I have):

       <application-policy name="simpleSecureSB">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="optional">
       <module-option name="unauthenticatedIdentity">anonymous</module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      and yet when I run the client I get the following error:

      Insufficient method permissions, principal=null, method=create, interface=HOME, requiredRoles=[], principalRoles=[]
      


      which doesn't make any sense at all. If there are no required roles, what's the problem?

      Cheers,

      Dave

        • 1. Re: confusion about when requiredRoles=[] (i.e. no required
          Thomas Cherel Novice

          I believe that you will have to explicitly say in the ejb-jar.xml that no roles cheking is required:

          <method-permission>


          <ejb-name>[your bean name]</ejb-name>
          <method-name>*</method-name>

          </method-permission>

          Thomas

          • 2. Re: confusion about when requiredRoles=[] (i.e. no required
            Dave Haas Newbie

            Hi Thomas.

            I tried your suggestion but I'm still having some problems. I got it to work using the following setup, but I'm not completely sure it's the proper solution.

            1) It seems that you HAVE to have a security domain set up in the jboss-service.xml file to use the jrmp invoker using SSL. If I try to run the jrmp invoker without having defined a security domain it blows up. So, I have this in jboss-service.xml:

            <!-- Secure RMI/JRMP invoker -->
            <mbean code="org.jboss.invocation.jrmp.server.JRMPInvoker" name="jboss:service=invoker,type=jrmp,socketType=SSL">
             <attribute name="RMIObjectPort">14445</attribute>
             <attribute name="RMIClientSocketFactory">org.jboss.security.ssl.RMISSLClientSocketFactory</attribute>
             <attribute name="RMIServerSocketFactory">org.jboss.security.ssl.RMISSLServerSocketFactory</attribute>
             <attribute name="SecurityDomain">java:/jaas/simpleSecureSB</attribute>
             <depends>jboss:service=TransactionManager</depends>
             <depends>jboss.security:service=JaasSecurityDomain,domain=simpleSecureSB</depends>
            </mbean>
            


            2) Given that you have to have a security domain defined in jboss-service.xml, you also have to then configure how the authentication works in login-config.xml (otherwise the 'other' domain kicks in). So, I have a simple security domain with the unauthenticatedIdentity attribute set to 'everyone'. Now at least when the client doesn't send any credentials at all, the 'everyone' user is assigned instead. So, I have this in login-config.xml:

            <application-policy name="simpleSecureSB">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
             <module-option name="unauthenticatedIdentity">everyone</module-option>
             </login-module>
             </authentication>
            </application-policy>
            


            3) In the ejb-jar.xml descriptor I have:

            <assembly-descriptor>
             <method-permission>
             <unchecked/>
             <method>
             <ejb-name>simpleSecureSB</ejb-name>
             <method-name>*</method-name>
             </method>
             </method-permission>
            </assembly-descriptor>
            


            4) In the jboss.xml file I have assigned the session bean to the appropriate security domain and told it to use the jrmp invoker over SSL:

            <security-domain>java:/jaas/simpleSecureSB</security-domain>
            <enterprise-beans>
             <session>
             <ejb-name>simpleSecureSB</ejb-name>
             <jndi-name>ejb/simpleSecureSB</jndi-name>
             <configuration-name>Standard Stateless SessionBean</configuration-name>
             <invoker-bindings>
             <invoker>
             <invoker-proxy-binding-name>stateless-ssl-invoker</invoker-proxy-binding-name>
             </invoker>
             </invoker-bindings>
             </session>
            </enterprise-beans>
            


            Does the setup seem reasonable? It works, but I'm not sure if it can be streamlined any more ...

            Cheers,

            Dave

            • 3. Re: confusion about when requiredRoles=[] (i.e. no required
              Thomas Cherel Novice

              I am not JRMP/SSL expert, but if it requires a security domain, then the rest of the setup is the correct one.

              Thomas