4 Replies Latest reply on Mar 7, 2006 2:36 PM by Eric Barendt

    Insufficient method permissions

    Bruce Link Newbie

      I have a jboss ear that I am developing with myeclipse/XDoclet. I am trying to use JBossSX security, and have read chap 8 of the JBoss 4 Application Server Guide (Release 4 for JBoss AS 4.0.3 which I am using). I have set up the security domain using a mysql database, which works fine authenticating the web app. I have tried to follow the security FAQ (url=http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ) Q1,
      Q2, Q3.

      However, I get insufficient method permissions when turning on the EJB security domain (in jboss.xml) when attempting to create a session bean:

      15:08:46,945 INFO [STDOUT] java.rmi.AccessException: SecurityException; nested exception is:
       java.lang.SecurityException: Insufficient method permissions, principal=null, ejbName=ManageStudents, method=create, interface=HOME, requiredRoles=[], principalRoles=[]
      

      I have set the unauthenticatedIdentity to guest, in both the application-policy in the login-conf.xml as well as in the jboss.xml file (<unauthenticated-principal>guest</unauthenticated-principal>). Both seem to be ignored.

      I have tried a @ejb.protection unchecked="true" on the ejbCreate method, no change (XDoclet does not put anything into the ejb-jar.xml). If I login as a user, I still get an error:
      14:44:21,829 INFO [STDOUT] java.rmi.AccessException: SecurityException; nested exception is:
       java.lang.SecurityException: Insufficient method permissions, principal=bdl, ejbName=ManageStudents, method=create, interface=HOME, requiredRoles=[], principalRoles=[instructor, student]
      
      From the error message, this is puzzling, as there seem to be sufficient permissions here.

      My application policy in login-conf.xml is
      <application-policy name="infosys">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/InfosysDS</module-option>
       <module-option name = "principalsQuery">SELECT passwd FROM user_auth WHERE userName=?</module-option>
       <module-option name = "rolesQuery">SELECT userRoles, 'Roles' FROM user_roles WHERE userName=?</module-option>
       <module-option name = "hashAlgorithm">MD5</module-option>
       <module-option name = "hashEncoding">hex</module-option>
       </login-module>
       <!-- for propogation of login to back end -->
       <login-module code = "org.jboss.security.ClientLoginModule" flag = "required" />
       </authentication>
       </application-policy>
      

      The jboss-web.xml file has the following:
      <jboss-web>
       <security-domain>java:/jaas/infosys</security-domain>
      </jboss-web>
      
      and has no problems logging in for the protected pages.

      My jboss.xml has the following elements:
      <security-domain>java:/jaas/infosys</security-domain>
      <unauthenticated-principal>guest</unauthenticated-principal>
      

      If I remove these. everything works, but without, presumably any security on the back end. I have not tried to make the entire session bean unchecked, since there are methods that have to be secure.

      I have also googled this error, and seen several posts but no relevent solutions. Any suggestions would be appreciated!

        • 2. Re: Insufficient method permissions
          Bruce Link Newbie

          Thanks, I will try that.

          I was trying to get the create method to have unchecked permission, that should work as well, should it not?

          I still have the question of why the unauthenticatedIdentity is not working, when I get principal=null instead of guest in my original post (where the web user is not authenticated and I set the unauthenticatedIdentity to guest).

          I am also not clear on the difference between

          1. the unauthenticatedIdentity option in the authentication policy (login-conf.xml) and
          2. the unauthenticated-principal element in the jboss.xml file

          Neither one of these seem to be doing anything.

          • 3. Re: Insufficient method permissions
            Scott Stark Master

            unauthenticatedIdentity is the principal assigned when a null principal/credential are seen.

            unauthenticated-principal has little usage as its just the value returned from getCallerPrincipal in the ejb container if there is no caller.

            You need to enable trace level logging and look into the security layer behavior to determin what is going on. The configuration and behavior don't match.

            • 4. Re: Insufficient method permissions
              Eric Barendt Newbie

              I'm having a similar problem. I've got a session bean with some authenticated methods and some unchecked methods. They're correct (as far as I can tell) in ejb-jar.xml:

               <method-permission id="MethodPermission_7">
               <description><![CDATA[description not supported yet by ejbdoclet]]></description>
               <unchecked/>
               <method id="MethodElement_7">
               <description><![CDATA[]]></description>
               <ejb-name>ScrumWorksEJB</ejb-name>
               <method-intf>ServiceEndpoint</method-intf>
               <method-name>getTest</method-name>
               <method-params>
               </method-params>
               </method>
               </method-permission>
               <method-permission id="MethodPermission_8">
               <description><![CDATA[description not supported yet by ejbdoclet]]></description>
               <role-name>Team Member</role-name>
               <method id="MethodElement_8">
               <description><![CDATA[]]></description>
               <ejb-name>ScrumWorksEJB</ejb-name>
               <method-intf>ServiceEndpoint</method-intf>
               <method-name>getAuthenticatedTest</method-name>
               <method-params>
               </method-params>
               </method>
               </method-permission>
              


              This is in the jboss.xml:
               <security-domain>java:/jaas/ScrumWorks</security-domain>
               <unauthenticated-principal>guest</unauthenticated-principal>
              


              and my login-config.xml seems correct:
               <application-policy name="ScrumWorks">
               <authentication>
               <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
               <module-option name="dsJndiName">java:/jdbc/ScrumWorksDS</module-option>
               <module-option name="principalsQuery">
               SELECT password FROM userejb WHERE userName=?
               </module-option>
               <module-option name="rolesQuery">
               SELECT r.roleName as name, 'Roles'
               FROM userejb u, roleejb r, userejb_roles_roleejb_users ur
               WHERE u.userId=ur.userejb AND r.roleId=ur.roleejb AND u.userName=?
               </module-option>
               <module-option name="unauthenticatedIdentity">guest</module-option>
               </login-module>
               </authentication>
               </application-policy>
              


              But when I try to call a method that is marked as "unchecked", I get a 401 error authorization failure. This seemed like a Tomcat error, so I tried chaning the default security domain:
              <attribute name="DefaultSecurityDomain">java:/jaas/ScrumWorks</attribute>
              


              which didn't help either.

              The server.log file contains:
              2006-03-07 10:32:24,027 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Authenticating as unauthenticatedIdentity=guest
              2006-03-07 10:32:24,028 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] User 'guest' authenticated, loginOk=true
              2006-03-07 10:32:24,028 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] commit, loginOk=true
              2006-03-07 10:32:24,028 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] getRoleSets using rolesQuery: SELECT r.roleName as name, 'Roles'
               FROM userejb u, roleejb r, userejb_roles_roleejb_users ur
               WHERE u.userId=ur.userejb AND r.roleId=ur.roleejb AND u.userName=?, username: guest
              2006-03-07 10:32:24,041 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] suspendAnyTransaction
              2006-03-07 10:32:24,041 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] Excuting query: SELECT r.roleName as name, 'Roles'
               FROM userejb u, roleejb r, userejb_roles_roleejb_users ur
               WHERE u.userId=ur.userejb AND r.roleId=ur.roleejb AND u.userName=?, with username: guest
              2006-03-07 10:32:24,085 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] No roles found
              2006-03-07 10:32:24,086 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] resumeAnyTransaction
              2006-03-07 10:32:24,088 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] defaultLogin, lc=javax.security.auth.login.LoginContext@3bc19e, subject=Subject(19164996).principals=org.jboss.securi
              ty.SimplePrincipal@31720052(guest)org.jboss.security.SimpleGroup@21726381(Roles(members))
              2006-03-07 10:32:24,088 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] updateCache, inputSubject=Subject(19164996).principals=org.jboss.security.SimplePrincipal@31720052(guest)org.jboss.se
              curity.SimpleGroup@21726381(Roles(members)), cacheSubject=Subject(17103032).principals=org.jboss.security.SimplePrincipal@31720052(guest)org.jboss.security.SimpleGroup@21726381(Roles(members))
              2006-03-07 10:32:24,089 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@16509fe[Subject(17103032).principals=o
              rg.jboss.security.SimplePrincipal@31720052(guest)org.jboss.security.SimpleGroup@21726381(Roles(members)),credential.class=null,expirationTime=1141758128525]
              2006-03-07 10:32:24,089 TRACE [org.jboss.security.plugins.JaasSecurityManager.ScrumWorks] End isValid, true
              2006-03-07 10:32:24,097 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
               Principal: guest
               Principal: Roles(members)
              , sc=org.jboss.security.SecurityAssociation$SubjectContext@fd2e1f{principal=null,subject=31392528}
              2006-03-07 10:32:24,100 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
              2006-03-07 10:32:24,122 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
              2006-03-07 10:32:24,122 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@fd2e1f{principal=null,subject=31392528}
              2006-03-07 10:32:24,142 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=null
              


              and

              2006-03-07 11:00:27,241 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Security checking request POST /scrumworks-api/scrumworks
              2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[ScrumWorksEndpoint]' against POST /scrumworks --> true
              2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] Checking constraint 'SecurityConstraint[ScrumWorksEndpoint]' against POST /scrumworks --> true
              2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling hasUserDataPermission()
              2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.realm.RealmBase] User data constraint has no restrictions
              2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Calling authenticate()
              2006-03-07 11:00:27,242 DEBUG [org.apache.catalina.authenticator.AuthenticatorBase] Failed authenticate() test
              2006-03-07 11:00:27,242 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
              


              It seems to be ok with the unauthenticatedIdentity, but then rejects access anyway.

              Any help someone could provide would be great. I've read the FAQs and searched forums and google and can't seem to let me call non-authenticated methods without authenticating.

              Thanks,
              Eric