8 Replies Latest reply on Feb 21, 2005 12:09 PM by twalsh2

    MDB run-as and SessionContext.isCallerInRole inconsistency

    twalsh2 Newbie

      I am having a problem with JBoss 3.2.6.

      I have MDB's which must call secure stateless session beans to perform a task. The MDB's use a <run-as> declaration which allows them to run at the proper security level to make a call to a session bean method.

      As an example, the MDB's are tagged with the following XDoclet:

      * @ejb.security-identity run-as = "Administrator"

      And the method in question is tagged with:

      * @ejb.permission role-name = "Administrator"

      The MDB is able to make it past the security interceptor and make it into the session bean's method.

      However within the method I need to do some slighlty more complex security checking and I am attempting to use SessionContext.isCallerInRole to determine the security level of the caller. Unfortunatley, a call like the following:

      sessionContext.isCallerInRole("Administrator");

      returns false.

      Using <run-as>Administrator</run-as> would seem to imply that the caller would be in the Administrator role.

      Is it correct that isCallerInRole return false?

      Is there any other way to get a security role associated with an MDB's invocation of a bean method?

      I searched the forum and saw others report this same issue, but I could not find any resolution.

        • 1. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
          twalsh2 Newbie

          Anyone have any ideas on this?

          Anyone from JBoss available to comment on it?

          • 2. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
            Scott Stark Master

            run-as has no affect on the roles seen by the onMessage invocation. It only affects calls made to other resources from within the onMessage method. There is no spec defined mechanism to setting the identity of an mdb message. You would have to use a custom interceptor and establish the identity based on some message property.

            • 3. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
              twalsh2 Newbie

              In this case, I am calling a Secure Stateless Session Bean from within the onMessage method of an MDB.

              The SLSB is in turn calling another secure SLSB. The second SLSB is calling SessionContext.isCallerInRole("Administrator");

              So we have

              JMS message
               --> MDB.onMessage
               -->SLSB1.method()
               --> SLSB2.method()
               --> SessionContext.isCallerInRole("Administrator");


              So the call to isCallerInRole is being done by within a call made to other resources from within the onMessage method. isCallerInRole is returning false, which is a suprise as the MDB is set to run-as Administrator.

              All of the calls to the SLSB are done via local interfaces. I was suprised that isCallerInRole returned false, as the caller definitley is in the Administrator role. For example, if I have the MDB call a SLSB method with only a

              * @ejb.permission role-name = "Administrator"


              the security framework will allow the MDB to make the call. Its only isCallerInRole that does not seem able to determine the role of the calling MDB.

              • 4. principal=null
                Bart Vanhaute Newbie

                I'm seeing exactly the same problem, though I am still using jboss-3.2.3.
                Have you made any progress on this?

                I had TRACE logging enabled for 'org.jboss.ejb.plugins' and saw the following pass by:

                2005-02-17 15:05:51,540 TRACE [SecurityInterceptor] Authenticated principal=null
                

                In the source code of org.jboss.ejb.EnterpriseContext.EJBContextImpl (3.2.3), I found:
                // TODO - how to handle this best?
                public boolean isCallerInRole(String id)
                {
                 if (principal == null)
                 return false;
                 ....
                

                Probably related, no?


                • 5. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
                  twalsh2 Newbie

                  I was acutally able to work around the "principal=null" condition by setting the following property on my Login Module:

                  <application-policy name = "nms">
                   <authentication>
                   <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                   flag = "required">
                   <module-option name="dsJndiName">java:/NMS-DS</module-option>
                   <module-option name = "hashAlgorithm">MD5</module-option>
                   <module-option name = "hashEncoding">base64</module-option>
                   <module-option name="unauthenticatedIdentity">nobody</module-option>
                   </login-module>
                   </authentication>
                   </application-policy>


                  This causes the principal for unauthenticated entities (such as MDBs or MBeans) to be "nobody". Pair this with a <run-as> and you can kind of get MDB's to interact properly with secure session beans.

                  Unfortunatley, having a principal on the call does not fix my problem where isCallerInRole is returning an unexpected result.

                  • 6. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
                    twalsh2 Newbie

                    Well, I have a workaround for anyone who encounters this problem. Its not the prettiest solution.

                    Basically on another SLSB, I create a local method called checkCallerAdmin. Then in my code where I want to do a

                    SessionContext.isCallerInRole("Administrator");


                    I call

                    otherSLSB.checkCallerAdmin()


                    The checkCallerAdmin method is set up to only allow callers with the role of "Administrator". Basically, it has a

                    * @ejb.permission role-name = "Administrator"


                    XDoclet tag. If my caller is not an Admin, I get a LocalAccessException which I can catch and use that fact to identify that the caller in the Administrator role.

                    It works, but the biggest drawback is that you are calling another EJB method, so you need to go through the entire interceptor chain (in order to get the the Security Interceptor) in order to get the check to occur. This probably will perform poorer than a direct call to:

                    sessionContext.isCallerInRole("Administrator");


                    I'd still be interested in hearing from someone from JBoss as to wether this behavior is by design or is a bug.

                    • 7. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
                      Scott Stark Master

                      Its a limitation/bug of the 3.2.x anonymous caller/run-as interaction. There is an equivalent testcase that works fine in 4.0.1+. There is a jira issue for the 3.2.x behavior.
                      http://jira.jboss.com/jira/browse/JBAS-1493

                      • 8. Re: MDB run-as and SessionContext.isCallerInRole inconsisten
                        twalsh2 Newbie

                        Thank you. I will continue using my work around for the time being.