1 Reply Latest reply on Jan 6, 2006 12:00 PM by Andreas Wieczorek

    403sp1, problem with AuthorizationInterceptor for InvokerAda

    Andreas Wieczorek Newbie

      Hello,

      I am trying to secure the Invoker Service in jmx-invoker-service.xml.

      The AuthenticationInterceptor works fine, but I like to have authorization as well - the hard coded role "JBossAdmin" is OK for now.

      I tried (that´s what I found)

      <interceptors>
      <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
       securityDomain="java:/jaas/jmx-console"/>
      <interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
       authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>
       securityDomain="java:/jaas/jmx-console"
      </interceptors>


      ..but it says

      17:54:11,102 WARN [BasicMBeanRegistry] MBeanException: preRegister() failed: [ObjectName='jboss.jmx:name=Invoker,type=adaptor', Class=org.jboss.jmx.connector.invoker.InvokerAdaptorService (org.jboss.jmx.connector.invoker.InvokerAdaptorService@6f7ca220)] Cause: java.beans.IntrospectionException: No PropertyDescriptor for attribute:securityDomain
      17:54:11,122 INFO [InvokerAdaptorService] Registration is not done -> stop
      17:54:11,142 ERROR [MainDeployer] Could not create deployment: file:/C:/JBoss/server/default/deploy/jmx-invoker-service.xml
      org.jboss.deployment.DeploymentException: - nested throwable: (java.lang.reflect.InvocationTargetException)
       at org.jboss.system.ServiceConfigurator.install(ServiceConfigurator.java:178)
       at org.jboss.system.ServiceController.install(ServiceController.java:215)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


      When I remove the securityDomain attribute, the deployment works - but not the interceptor
      twiddle --server=localhost:1199 --user=user --password=pw serverinfo -c

      brings
      17:32:49,919 ERROR [Twiddle] Exec failed
      java.lang.ArrayIndexOutOfBoundsException: 0
       at org.jboss.jmx.connector.invoker.AuthorizationInterceptor.invoke(AuthorizationInterceptor.java:91) at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:87)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:164)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


      which happens here

      76 */
      77 public Object invoke(Invocation invocation) throws Throwable
      78 {
      79 String type = invocation.getType();
      80 if (type == Invocation.OP_INVOKE)
      81 {
      82 String opName = invocation.getName();
      83 if (opName.equals("invoke"))
      84 {
      85 Object[] args = invocation.getArgs();
      86 org.jboss.invocation.Invocation inv = (org.jboss.invocation.Invocation) args[0];
      87 // Authenticate the caller based on the security association
      88 Principal caller = inv.getPrincipal();
      89 //Get the Method Name
      90 Object[] obj = inv.getArguments();
      91 ObjectName objname = (ObjectName) obj[0];
      92 String opname = (String) obj[1];


      I searched all over Wiki and Forum but did not find a solution.
      What am I doing wrong / what´s missing in the invocation / how can I achieve authorization?

      Thanks in advance and best regards,
      Andreas


        • 1. Re: 403sp1, problem with AuthorizationInterceptor for Invoke
          Andreas Wieczorek Newbie

          I have not found out the reason of the problem, but I can add a little piece of information. The log says when booting:

          2006-01-06 17:42:24,455 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Loaded authenticator: org.jboss.jmx.connector.invoker.RolesAuthorization@1244c940
          2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Found authorize(Principal, Subject, String, String)
          2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Loaded authenticator: org.jboss.jmx.connector.invoker.RolesAuthorization@3baa0940
          2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Found authorize(Principal, Subject, String, String)
          2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Creating jboss.jmx:name=Invoker,type=adaptor
          2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Created jboss.jmx:name=Invoker,type=adaptor
          2006-01-06 17:42:24,485 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Starting jboss.jmx:name=Invoker,type=adaptor
          2006-01-06 17:42:24,485 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Started jboss.jmx:name=Invoker,type=adaptor


          Well, that looks like a fine initialization, but why does it occur twice?
          Am I not seeing something totally obvious?
          Is the AuthorizationInterceptor really supported within 403SP1?

          My workaround would be to have another LoginModule only authenticating when a user has a certain role, but I don´t like that too much...

          Thanks in advance,
          Andreas