13 Replies Latest reply on Aug 18, 2006 3:06 AM by Prashanth Talapala

    JACC on the fly method permission changes not reflecting at

    Prashanth Talapala Newbie

      Hi all,
      I am using JbossAS for my JEE application which involves ejb3. I have given role based permission to an ejb session bean method using annotations. This works fine along expected lines for allowing / denying users belonging to certain roles to access the method. However, when I try to change the role based ejb3 method permission on the fly, the policy configuration shows the role and permisiion have changed in the active policy map after commit() is called, but the container (JbossAS) shows the same behavior as before based on the old permissions given in the annotations during system startup. How can I change the ejb3 method permission on the fly and make the container aware of it? Please help me regarding this problem.

      Thank you,
      -P.

        • 2. Re: JACC on the fly method permission changes not reflecting
          jaikiran pai Master

           

          However, when I try to change the role based ejb3 method permission on the fly


          Apologies. Hadnt read your question correctly. The link that i mentioned in my previous reply might not be a solution.



          • 3. Re: JACC on the fly method permission changes not reflecting
            Prashanth Talapala Newbie

            Disabling the cache of login credentials affects the credentials of the subject / principals.. However I am changing the method permission of an ejb session bean. The credentials are used to act on the ejb method... I am changing the ejb side permissions not the subject side credentials,... hence in this case i dont think flushing the login credentials cache makes a difference...

            • 4. Re: JACC on the fly method permission changes not reflecting
              chris griffith Expert

              P,

              Can you show us how you are attempting...


              I try to change the role based ejb3 method permission on the fly


              thanks cgriffith

              • 5. Re: JACC on the fly method permission changes not reflecting
                Prashanth Talapala Newbie

                I have a method in a session bean called JobServiceBean. The method is as follows:

                @RolesAllowed("Recruiter")
                public void outputJunk() {
                System.out.println("#######");
                }

                Now after authentication using JAAS, I am writing code to change the @RolesAllowed from "Recruiter" to "Hiring Manager" as follows:

                EJBMethodPermission ejbmp = new EJBMethodPermission("JobServiceBean","");

                PolicyConfigurationFactory pcf = PolicyConfigurationFactory.getPolicyConfigurationFactory();

                PolicyConfiguration pc = pcf.getPolicyConfiguration("kr.jar", false);
                pc.removeRole("Recruiter");
                pc.addToRole("Hiring Manager", ejbmp);
                pc.commit();

                IMHO once commit is called, the @RolesAllowed is now changed from "Recruiter" to "Hiring Manager" so when a user with the role "Hiring Manager" tries to run outputJunk() method in JobServiceBean he should be able to do it. But I am getting an Exception as follows:

                19:10:52,711 ERROR [RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=admin, requiredRoles=[Recruiter], principalRoles=[Hiring Manager]
                19:10:59,305 ERROR [STDERR] javax.ejb.EJBAccessException: Authorization failure
                19:10:59,305 ERROR [STDERR] at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:104)
                19:10:59,305 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                19:10:59,305 ERROR [STDERR] at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:78)
                19:10:59,305 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                19:10:59,321 ERROR [STDERR] at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
                19:10:59,321 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                19:10:59,321 ERROR [STDERR] at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
                19:10:59,321 ERROR [STDERR] at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
                19:10:59,321 ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessContainer.localInvoke(StatelessContainer.java:181)
                19:10:59,321 ERROR [STDERR] at org.jboss.ejb3.stateless.StatelessLocalProxy.invoke(StatelessLocalProxy.java:79)
                19:10:59,321 ERROR [STDERR] at $Proxy90.outputJunk(Unknown Source)
                19:10:59,321 ERROR [STDERR] at com.kenexa.kr.web.LoginControllerBean.login(LoginControllerBean.java:118)
                19:10:59,321 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                19:10:59,321 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                19:10:59,321 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                19:10:59,321 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Source)
                19:10:59,336 ERROR [STDERR] at org.apache.myfaces.el.MethodBindingImpl.invoke(MethodBindingImpl.java:129)
                19:10:59,336 ERROR [STDERR] at org.apache.myfaces.application.ActionListenerImpl.processAction(ActionListenerImpl.java:63)
                19:10:59,336 ERROR [STDERR] at oracle.adf.view.faces.component.UIXCommand.broadcast(UIXCommand.java:211)
                19:10:59,336 ERROR [STDERR] at javax.faces.component.UIViewRoot._broadcastForPhase(UIViewRoot.java:90)
                19:10:59,336 ERROR [STDERR] at javax.faces.component.UIViewRoot.processApplication(UIViewRoot.java:164)
                19:10:59,336 ERROR [STDERR] at org.apache.myfaces.lifecycle.LifecycleImpl.invokeApplication(LifecycleImpl.java:316)
                19:10:59,336 ERROR [STDERR] at org.apache.myfaces.lifecycle.LifecycleImpl.execute(LifecycleImpl.java:86)
                19:10:59,336 ERROR [STDERR] at javax.faces.webapp.FacesServlet.service(FacesServlet.java:106)
                19:10:59,336 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:252)
                19:10:59,336 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                19:10:59,336 ERROR [STDERR] at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._invokeDoFilter(AdfFacesFilterImpl.java:356)
                19:10:59,352 ERROR [STDERR] at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl._doFilterImpl(AdfFacesFilterImpl.java:325)
                19:10:59,352 ERROR [STDERR] at oracle.adfinternal.view.faces.webapp.AdfFacesFilterImpl.doFilter(AdfFacesFilterImpl.java:190)
                19:10:59,352 ERROR [STDERR] at oracle.adf.view.faces.webapp.AdfFacesFilter.doFilter(AdfFacesFilter.java:87)
                19:10:59,352 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                19:10:59,352 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                19:10:59,352 ERROR [STDERR] at org.apache.myfaces.webapp.Filter.doFilter(Filter.java:202)
                19:10:59,352 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                19:10:59,352 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                19:10:59,352 ERROR [STDERR] at org.apache.myfaces.component.html.util.ExtensionsFilter.doFilter(ExtensionsFilter.java:122)
                19:10:59,352 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                19:10:59,368 ERROR [STDERR] at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:202)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:173)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:213)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:178)
                19:10:59,368 ERROR [STDERR] at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:175)
                19:10:59,368 ERROR [STDERR] at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:74)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:126)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
                19:10:59,368 ERROR [STDERR] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
                19:10:59,383 ERROR [STDERR] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
                19:10:59,383 ERROR [STDERR] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
                19:10:59,383 ERROR [STDERR] at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
                19:10:59,383 ERROR [STDERR] at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
                19:10:59,383 ERROR [STDERR] at org.apache.tomcat.util.net.MasterSlaveWorkerThread.run(MasterSlaveWorkerThread.java:112)
                19:10:59,383 ERROR [STDERR] at java.lang.Thread.run(Unknown Source)
                19:10:59,399 ERROR [STDERR] Caused by: java.lang.SecurityException: Insufficient permissions, principal=admin, requiredRoles=[Recruiter], principalRoles=[Hiring Manager]
                19:10:59,399 ERROR [STDERR] at org.jboss.aspects.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:150)
                19:10:59,399 ERROR [STDERR] at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:100)
                19:10:59,399 ERROR [STDERR] ... 53 more

                Am i doing anything wrong?? or am I missing something??

                -P

                • 6. Re: JACC on the fly method permission changes not reflecting
                  chris griffith Expert

                  P,

                  What does JBoss use as contextID? I am wondering if you need to use "ear-name/bean-jar-name".

                  cgriffith

                  • 7. Re: JACC on the fly method permission changes not reflecting
                    Prashanth Talapala Newbie

                    My application has an ear called kr.ear. This ear has a kr.jar, which contains all the ejbs and a kr.war which contains the jsps etc.

                    The contextID i am using in this case is "kr.jar", since my ejbs are in the kr.jar archive.

                    -P

                    • 8. Re: JACC on the fly method permission changes not reflecting
                      Prashanth Talapala Newbie

                      According to the JACC spec When I call commit() on a PolicyConfiguration object , the PolicyConfiguration for that contextId is set inService (i.e; made active). I am able to debug and inspect the object state before commit() is called and after it is called. The PolicyConfiguration is reflecting the changes made by me on the fly. However, the behaviour of the container is as per the previous rules given as system startup. I tried to go through the JBossAS source code to figure out what the container was doing on commit(). JBossAS has a class called JBossPolicyConfiguration which is the implementation of PolicyConfiguration interface as defined by the JACC spec. The commit() method in JBossPolicyConfiguration in turn calls the commit() method of a DelegatingPolicy object which in turn calls the commit() method of a ContextPolicy object. The commit() method of a contextPolicy object is an empty method, it has no refresh or anything... in this case how does the container become aware of on the fly ejb method permission changes? The code of what I was trying to explain above is as follows:

                      JBossPolicyConfiguration code:

                      public void commit()
                      throws PolicyContextException
                      {
                      if( trace )
                      log.trace("commit");
                      validateState("commit");
                      policy.commit(contextID); // policy is a DelegatingPolicy object
                      }

                      DelegatingPolicy code:

                      public void commit(String contextID)
                      throws PolicyContextException
                      {
                      ContextPolicy policy = getContextPolicy(contextID);
                      openPolicies.remove(contextID);
                      activePolicies.put(contextID, policy);
                      policy.commit();
                      }

                      ContextPolicy code:

                      void commit()
                      throws PolicyContextException
                      {
                      }

                      I guess I am missing something here can anyone please help me.

                      Thank you,
                      -P

                      • 9. Re: JACC on the fly method permission changes not reflecting
                        chris griffith Expert

                        I had started to digest the JACC spec and how JBoss implements it a few months back, but have not looked at it recently. So this is pure speculation on what I think I know.

                        The point I was trying to make is that you have been modifying the PolicyContext specified by contextID "kr.jar". That does not mean that it is the same contextID set by container for your component. To be more specific, JBoss creates and configures the Policy at deployment time under a specific contextID. I am not sure what that is. Then your code comes along and tries to modify that context, but are you actually configuring the same context.

                        cgriffith

                        • 10. Re: JACC on the fly method permission changes not reflecting
                          Prashanth Talapala Newbie

                          I think the problem is that JACC is not being used by Jboss by default. When I try to debug and see the code flow it goes to RoleBasedAuthorizationInterceptor and not JaccAuthorizationInterceptor. The Insufficient permission exception is thrown by the RoleBasedAuthorizationInterceptor. How do I register the JaccAuthorizationInterceptor to handle my authorization needs?

                          -P.

                          • 11. Re: JACC on the fly method permission changes not reflecting
                            Anil Saldanha Master

                            What is the container configuration being applied for your EJB from standardjboss.xml?

                            • 12. Re: JACC on the fly method permission changes not reflecting
                              Anil Saldanha Master

                              Replace SecurityInterceptor with a combo of "JaasAuthenticationInterceptor" and "JaccAuthorizationInterceptor" with the same package as before.

                              • 13. Re: JACC on the fly method permission changes not reflecting
                                Prashanth Talapala Newbie

                                Thank you Anil,
                                I got it to work... but I have to give @AspectDomain("JACC Stateless Bean") in the ejb for every such ejb if i want its security to be JACC managed. Can i set aspect domain throught the system like I do for security-domain in jboss.xml. I tried it but it doesnt seem to be supported. Is there any other way to set Aspect Domain through jboss.xml??

                                -P