3 Replies Latest reply on Aug 3, 2005 6:49 AM by Ashwin Kumar Karkala

    EJB SecurityException even though roles are present

    Ashwin Kumar Karkala Newbie

      HI,
      I am doing the usual custom login module to login to the servlet and then using the servlet to access a session ejb. Both the servlet and session bean are secured by the role named "Secure".

      The security domain I am using is jwdomain and is set in the login-config.xml to


      <application-policy name = "jwdomain">
      <authentication>
      <login-module code="com.hp.bpo.framework.security.login.MyLDAPLoginModule" flag="required" >
      <module-option name="java.naming.factory.initial">com.netscape.jndi.ldap.LdapContextFactory</module-option>
      <module-option name="debug">true</module-option>
      </login-module>
      <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
      <module-option name="password-stacking">useFirstPass</module-option>
      </login-module>
      </authentication>
      </application-policy>



      Note: I am using Client Login Module as part of the security domain definition above.

      In the servlet I am using BASIC authentication to get the username and password. This is working fine. However when the servlet tries to access the ejb the following exception is got.


      java.rmi.AccessException: SecurityException; nested exception is:
      java.lang.SecurityException: Insufficient method permissions, principal=akarkala, ejbName=Fibo, method=factorial, interface=REMOTE, requiredRoles=[Secure], principalRoles=[Secure]


      Note that its looking for the role "Secure" and its present in the principalRoles. Why am I still getting the exception?

      Any pointers?

        • 1. Re: EJB SecurityException even though roles are present
          Ashwin Kumar Karkala Newbie

          Wanted to add some more details.
          Since the same security domain seems to work for the web application and not for the EJB, I suspect it could be some EJB config. I am positn the jboss.xml and the ejb-jar.xml here for reference.

          jboss.xml

          <jboss>
          
           <security-domain>java:/jaas/jwdomain</security-domain>
          
           <enterprise-beans>
          
           <!--
           To add beans that you have deployment descriptor info for, add
           a file to your XDoclet merge directory called jboss-beans.xml that contains
           the <session></session>, <entity></entity> and <message-driven></message-driven>
           markup for those beans.
           -->
          
           <session>
           <ejb-name>Fibo</ejb-name>
           <jndi-name>ejb/tutorial/Fibo</jndi-name>
           </session>
           </enterprise-beans>
          
           <resource-managers>
           </resource-managers>
          
          </jboss>
          


          And the ejb-jar.xml

          <ejb-jar >
           <display-name>Generated by XDoclet</display-name>
          
           <enterprise-beans>
          
           <session >
           <description>EJB that computes Fibonacci suite</description>
           <display-name>Fibo EJB</display-name>
           <ejb-name>Fibo</ejb-name>
           <home>tutorial.interfaces.FiboHome</home>
           <remote>tutorial.interfaces.Fibo</remote>
           <ejb-class>tutorial.ejb.FiboBean</ejb-class>
           <session-type>Stateless</session-type>
           <transaction-type>Container</transaction-type>
           </session>
          
           </enterprise-beans>
          
           <assembly-descriptor >
          
          <security-role>
           <role-name>Secure</role-name>
          </security-role>
          
          <method-permission>
           <unchecked/>
           <method>
           <ejb-name>Fibo</ejb-name>
           <method-name>create</method-name>
           </method>
          </method-permission>
          
          <method-permission>
           <role-name>Secure</role-name>
           <method>
           <ejb-name>Fibo</ejb-name>
           <method-name>factorial</method-name>
           </method>
          </method-permission>
          
          



          Again am I missing something ? Any help is appreciated.

          thanks

          • 2. Re: EJB SecurityException even though roles are present
            Ashwin Kumar Karkala Newbie

            I did a little source code searching and found that the exception is thrown by the org.jboss.ejb.plugins.SecurityInterceptor.

            The exact piece of code that fails is

             // Check if the caller is allowed to access the method
             if (methodRoles.contains(AnybodyPrincipal.ANYBODY_PRINCIPAL) == false)
             {
             // The caller is using a the caller identity
             if (callerRunAsIdentity == null)
             {
             // Now actually check if the current caller has one of the required method roles
             if (realmMapping.doesUserHaveRole(principal, methodRoles) == false)
             {
             Set userRoles = realmMapping.getUserRoles(principal);
             String method = mi.getMethod().getName();
             BeanMetaData beanMetaData = container.getBeanMetaData();
             String msg = "Insufficient method permissions, principal=" + principal
             + ", ejbName=" + beanMetaData.getEjbName()
             + ", method=" + method + ", interface=" + iface
             + ", requiredRoles=" + methodRoles + ", principalRoles=" + userRoles;
             SecurityException e = new SecurityException(msg);
             throw e;
             }
             }
            


            I was unable to debug any further as RealmMapping is an interface and am not sure which Impl class is actually working durign runtime.

            Also what baffles me most is that the exception indicates that I am not in role but the message in the exception clearly shows that I am indeed in the role.

            Any pointers?

            • 3. Re: EJB SecurityException even though roles are present
              Ashwin Kumar Karkala Newbie

              Finally managed to fix the problem. The issue was with my implementation of java.security.acl.Group interface. In the isMember() I was checking directly the principal rather than checking principal.getName(). The RealmMapping impl used by the EJB Container checks for available roles using the isMember() method.
              Surprisingly the same on the web container gets all the roles as strings and then checks against the strings. Wonder why this is so.

              In any case I am glad I was able to fix the issue and hopefully this helps others.