1 Reply Latest reply on Jan 6, 2006 12:00 PM by andiwauss

    403sp1, problem with AuthorizationInterceptor for InvokerAda

    andiwauss Jan 5, 2006 12:12 PM

      Hello,

      I am trying to secure the Invoker Service in jmx-invoker-service.xml.

      The AuthenticationInterceptor works fine, but I like to have authorization as well - the hard coded role "JBossAdmin" is OK for now.

      I tried (that´s what I found)

      <interceptors>
<interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor"
 securityDomain="java:/jaas/jmx-console"/>
<interceptor code="org.jboss.jmx.connector.invoker.AuthorizationInterceptor"
 authorizingClass="org.jboss.jmx.connector.invoker.RolesAuthorization"/>
 securityDomain="java:/jaas/jmx-console"
</interceptors>


      ..but it says 

      17:54:11,102 WARN [BasicMBeanRegistry] MBeanException: preRegister() failed: [ObjectName='jboss.jmx:name=Invoker,type=adaptor', Class=org.jboss.jmx.connector.invoker.InvokerAdaptorService (org.jboss.jmx.connector.invoker.InvokerAdaptorService@6f7ca220)] Cause: java.beans.IntrospectionException: No PropertyDescriptor for attribute:securityDomain
17:54:11,122 INFO [InvokerAdaptorService] Registration is not done -> stop
17:54:11,142 ERROR [MainDeployer] Could not create deployment: file:/C:/JBoss/server/default/deploy/jmx-invoker-service.xml
org.jboss.deployment.DeploymentException: - nested throwable: (java.lang.reflect.InvocationTargetException)
 at org.jboss.system.ServiceConfigurator.install(ServiceConfigurator.java:178)
 at org.jboss.system.ServiceController.install(ServiceController.java:215)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


      When I remove the securityDomain attribute, the deployment works - but not the interceptor
      twiddle --server=localhost:1199 --user=user --password=pw serverinfo -c

      brings 
      17:32:49,919 ERROR [Twiddle] Exec failed
java.lang.ArrayIndexOutOfBoundsException: 0
 at org.jboss.jmx.connector.invoker.AuthorizationInterceptor.invoke(AuthorizationInterceptor.java:91) at org.jboss.jmx.connector.invoker.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:87)
 at org.jboss.mx.server.Invocation.invoke(Invocation.java:74)
 at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:245)
 at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
 at org.jboss.invocation.jrmp.server.JRMPProxyFactory.invoke(JRMPProxyFactory.java:164)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)


      which happens here 

      76 */
77 public Object invoke(Invocation invocation) throws Throwable
78 {
79 String type = invocation.getType();
80 if (type == Invocation.OP_INVOKE)
81 {
82 String opName = invocation.getName();
83 if (opName.equals("invoke"))
84 {
85 Object[] args = invocation.getArgs();
86 org.jboss.invocation.Invocation inv = (org.jboss.invocation.Invocation) args[0];
87 // Authenticate the caller based on the security association
88 Principal caller = inv.getPrincipal();
89 //Get the Method Name
90 Object[] obj = inv.getArguments();
91 ObjectName objname = (ObjectName) obj[0];
92 String opname = (String) obj[1];


      I searched all over Wiki and Forum but did not find a solution.
      What am I doing wrong / what´s missing in the invocation / how can I achieve authorization?

      Thanks in advance and best regards,
      Andreas


      • 2577 Views
      • Tags:
        • 1. Re: 403sp1, problem with AuthorizationInterceptor for Invoke
          andiwauss Jan 6, 2006 12:00 PM (in response to andiwauss)

          I have not found out the reason of the problem, but I can add a little piece of information. The log says when booting:

          2006-01-06 17:42:24,455 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Loaded authenticator: org.jboss.jmx.connector.invoker.RolesAuthorization@1244c940
2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Found authorize(Principal, Subject, String, String)
2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Loaded authenticator: org.jboss.jmx.connector.invoker.RolesAuthorization@3baa0940
2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.AuthorizationInterceptor] Found authorize(Principal, Subject, String, String)
2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Creating jboss.jmx:name=Invoker,type=adaptor
2006-01-06 17:42:24,465 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Created jboss.jmx:name=Invoker,type=adaptor
2006-01-06 17:42:24,485 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Starting jboss.jmx:name=Invoker,type=adaptor
2006-01-06 17:42:24,485 DEBUG [org.jboss.jmx.connector.invoker.InvokerAdaptorService] Started jboss.jmx:name=Invoker,type=adaptor


          Well, that looks like a fine initialization, but why does it occur twice?
          Am I not seeing something totally obvious?
          Is the AuthorizationInterceptor really supported within 403SP1?

          My workaround would be to have another LoginModule only authenticating when a user has a certain role, but I don´t like that too much...

          Thanks in advance,
          Andreas


            • Actions