14 Replies Latest reply on Nov 22, 2005 10:35 AM by oglueck

    isCallerInRole() called with no security context.

    Harold Soppe Newbie

      Could someone help me with this exception?

      I can use the isUserInRole() in the session context with no problems but when i want to use the isCallerInRole() method on the session context i get an exception.

      i get this message when i use the isCallerInRole() method in a Session bean:

      javax.ejb.EJBException: null; CausedByException is:
      isCallerInRole() called with no security context. Check that a security-domain has been set for the application.


      I use:
      jboss-4.0.3
      EJB3.0

      I set the session context by using the @Resource annotation:
      @Resource
      private SessionContext ctx;


        • 1. Re: isCallerInRole() called with no security context.
          Harold Soppe Newbie

          Sorry I typed:

          I can use the isUserInRole() in the session context with no problems but when i want to use the isCallerInRole() method on the session context i get an exception.

          But I ment:
          I can use the isUserInRole() on the HttpServletRequest with no problems but when i want to use the isCallerInRole() method on the session context in a session bean i get an exception.

          • 2. Re: isCallerInRole() called with no security context.
            Novice

            Isn't that very clear: "Check that a security-domain has been set for the
            application."?

            @SecurityDomain("yourdomain")
            @Statless
            public class MyBean {

            }

            • 3. Re: isCallerInRole() called with no security context.
              Harold Soppe Newbie

              It looks very clear but the @SecurityDomain is set.

              If this was the problem it was already been solved.

              • 4. Re: isCallerInRole() called with no security context.
                Novice

                Try and use the JBoss client login module on the HTTP servlet side. For this define a new login config called "http" for instance:
                http {
                org.jboss.security.ClientLoginModule required multi-threaded=true;
                };

                and use this in your webapp to authenticate against.

                For your EJB application then specify your actual login modules.

                • 5. Re: isCallerInRole() called with no security context.
                  Harold Soppe Newbie

                  ok, in my login config there are now two application policy configurations:

                  <application-policy name="haqcsd">
                   <authentication>
                   <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                   <module-option name="dsJndiName">java:/MySqlDS</module-option>
                   <module-option name="principalsQuery">SELECT wachtwoord FROM gebruiker WHERE gebruikersnaam=?</module-option>
                   <module-option name="rolesQuery">SELECT gebruiker_type,'Roles' FROM gebruiker WHERE gebruikersnaam=?</module-option>
                   <module-option name="hashAlgorithm">MD5</module-option>
                   <module-option name="hashEncoding">BASE64</module-option>
                   </login-module>
                   </authentication>
                   </application-policy>
                   <application-policy name="http">
                   <authentication>
                   <login-module code = "org.jboss.security.ClientLoginModule"
                   flag = "required">
                   </login-module>
                   </authentication>
                   </application-policy>
                  


                  in my jboss-web i select the http security domain

                  <jboss-web>
                   <security-domain>java:/jaas/http</security-domain>
                  </jboss-web>
                  


                  in the Session bean i select the haqcsd domain:

                  @SecurityDomain("haqcsd")

                  is this what you ment?

                  i get "Access to the requested resource has been denied"

                  • 6. Re: isCallerInRole() called with no security context.
                    Novice

                    Yes, exactly. For the http domain also set the multi-threaded=true option. Otherwise this is not thread safe (very hazardous is a web environment...)!

                    I guess the error comes from the security interceptor of the session bean. Does it say, WHY access was denied?

                    • 7. Re: isCallerInRole() called with no security context.
                      Harold Soppe Newbie

                      Does it make any difference if i set the domain in the auth.conf by:

                      http {
                      org.jboss.security.ClientLoginModule required multi-threaded=true;
                      };
                      

                      or in the login config by:
                      <application-policy name="http">
                       <authentication>
                       <login-module code = "org.jboss.security.ClientLoginModule"
                       flag = "required" multi-threaded="true">
                       </login-module>
                       </authentication>
                       </application-policy>
                      


                      I guess i have to comment out the security contraint in my web.xml?

                      <security-constraint>
                       <web-resource-collection>
                       <web-resource-name>Secure Content</web-resource-name>
                       <url-pattern>/app/*</url-pattern>
                       </web-resource-collection>
                       <auth-constraint>
                       <role-name>D</role-name>
                       <role-name>Z</role-name>
                       <role-name>B</role-name>
                       </auth-constraint>
                       <user-data-constraint>
                       <transport-guarantee>NONE</transport-guarantee>
                       </user-data-constraint>
                       </security-constraint>
                       <login-config>
                       <auth-method>BASIC</auth-method>
                       <realm-name>secure</realm-name>
                       </login-config>
                       <security-role>
                       <description>D.</description>
                       <role-name>D</role-name>
                       </security-role>
                       <security-role>
                       <description>Z.</description>
                       <role-name>Z</role-name>
                       </security-role>
                       <security-role>
                       <description>B.</description>
                       <role-name>B</role-name>
                       </security-role>
                      


                      • 8. Re: isCallerInRole() called with no security context.
                        Novice

                        auth.conf is not a standard file. If you use it, some component must read it and make a JAAS configuration object out of it. JBoss' DynamicLoginConfig can do that for example. So for the moment do it in login-config.xml.

                        Oh and the correct use of the multi-threaded option is:

                        <application-policy name="http">
                         <authentication>
                         <login-module code = "org.jboss.security.ClientLoginModule"
                         flag = "required">
                         <module-option name="multi-threaded">true</module-option>
                         </login-module>
                         </authentication>
                        </application-policy>
                        


                        Instead of disabling it, you can also include both login modules as required in the http policy:

                        <application-policy name="http">
                         <authentication>
                         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                         <module-option name="dsJndiName">java:/MySqlDS</module-option>
                         <module-option name="principalsQuery">SELECT wachtwoord FROM gebruiker WHERE gebruikersnaam=?</module-option>
                         <module-option name="rolesQuery">SELECT gebruiker_type,'Roles' FROM gebruiker WHERE gebruikersnaam=?</module-option>
                         <module-option name="hashAlgorithm">MD5</module-option>
                         <module-option name="hashEncoding">BASE64</module-option>
                         </login-module>
                         <login-module code = "org.jboss.security.ClientLoginModule"
                         flag = "required">
                         <module-option name="multi-threaded">true</module-option>
                         </login-module>
                         </authentication>
                        </application-policy>
                        


                        • 9. Re: isCallerInRole() called with no security context.
                          Harold Soppe Newbie

                          Ok, this is the full output when i call a method getDeelnemers on a session bean from a servlet.

                          javax.ejb.EJBException: null; CausedByException is:
                           isCallerInRole() called with no security context. Check that a security-domain has been set for the application.
                           org.jboss.ejb3.tx.Ejb3TxPolicy.handleExceptionInOurTx(Ejb3TxPolicy.java:46)
                           org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:70)
                           org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:134)
                           org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                           org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:61)
                           org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                           org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:39)
                           org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                           org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:63)
                           org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                           org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:32)
                           org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                           org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:91)
                           org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
                           org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:148)
                           org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:60)
                           $Proxy122.getDeelnemers(Unknown Source)
                           web.application.DeelnemersController.handleRequest(DeelnemersController.java:54)
                           org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:44)
                           org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:717)
                           org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:658)
                           org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:392)
                           org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:347)
                           javax.servlet.http.HttpServlet.service(HttpServlet.java:697)
                           javax.servlet.http.HttpServlet.service(HttpServlet.java:810)
                           org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:81)
                          
                          


                          • 10. Re: isCallerInRole() called with no security context.
                            Novice

                            So you are still getting this exception? The servlet must of course use the http policy! Have you configured that correctly?

                            • 11. Re: isCallerInRole() called with no security context.
                              Harold Soppe Newbie

                              in my login-config.xml i have:

                              <application-policy name="http">
                               <authentication>
                               <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                               <module-option name="dsJndiName">java:/MySqlDS</module-option>
                               <module-option name="principalsQuery">SELECT wachtwoord FROM gebruiker WHERE gebruikersnaam=?</module-option>
                               <module-option name="rolesQuery">SELECT gebruiker_type,'Roles' FROM gebruiker WHERE gebruikersnaam=?</module-option>
                               <module-option name="hashAlgorithm">MD5</module-option>
                               <module-option name="hashEncoding">BASE64</module-option>
                               </login-module>
                               <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
                               <module-option name="multi-threaded">true</module-option>
                               </login-module>
                               </authentication>
                               </application-policy>
                              


                              In my jboss-web.xml i have:
                              <jboss-web>
                               <security-domain>java:/jaas/http</security-domain>
                              </jboss-web>
                              


                              This is for the jsp and servlets right?

                              in my session beans i have:
                              @SecurityDomain("http")
                              


                              • 12. Re: isCallerInRole() called with no security context.
                                Novice

                                I think you want "haqcsd" for your beans as they are not clients.

                                The "with no security context" suggests that the container does not perform a JAAS login for your servlet request. Make 100% sure that it does perform authentication (try an invalid user and you should get an error). Then it will work.

                                • 13. Re: isCallerInRole() called with no security context.
                                  Harold Soppe Newbie

                                  After i try to login three times with a invalid user/password i get a HTTP 401 error. "This request requires HTTP authentication ()."

                                  I get the exception when i call the isCallerInRole(String role) methode on the SessionContext ctx.
                                  But i can call the getCallerPrincipal() and methods on the SessionContext ctx with a result and no exceptions.

                                  • 14. Re: isCallerInRole() called with no security context.
                                    Novice

                                    When you use isCallerInRole(String) you have to specify all the roles you are referring to in a @RolesReferenced({"role1", "role2"}) at class level. Otherwise they are not available.