0 Replies Latest reply on Jun 13, 2007 6:14 PM by Bas Ven

    SecurityDomain annotation required when called from JMX cons

    Bas Ven Newbie

      Playing around with roles and my ejb and added the @RolesAllowed("SYSTEM") annotation. I created my own realms as follows:



       <application-policy name="MyModule">
       <authentication>
      
       <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
       <module-option name="dsJndiName">java:/MyDS</module-option>
       <module-option name="principalsQuery">SELECT account.password FROM ACCOUNTS account, PRINCIPALS principal WHERE principal.name=? and account.id = principal.id</module-option>
      
       <module-option name="rolesQuery">SELECT entry.role, 'Roles' FROM ROLE_ENTRY entry, PRINCIPALS account WHERE entry.principal = account.id and account.name=?</module-option>
       </login-module>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="sufficient">
       <module-option name="usersProperties">props/my-users.properties</module-option>
       <module-option name="rolesProperties">props/my-roles.properties</module-option>
       </login-module>
      
       <!-- Client Login module so that the security context can be set for invoking EJBs -->
       <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
       <module-option name="restore-login-identity">true</module-option>
       </login-module>
      
       </authentication>
       </application-policy>
      
      


      The ejb is called from the JMX Service using by doing a local jndi lookup and calling the method. For JMX I only get this to work when I also add the @SecurityDomain("MyDomain") annotation to the bean.

      When I do not do that, it used the jmx-console realm, but even when I copy/past the above into that realm, the jmx-console is allowed to call the method. When I look at the security trace, I see that the SYSTEM role is not part of the credentials (as I was expecting) but the call gets executed anyways. Do I have to muck around in the tomcat configuration somewhere ?

      Output:

      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] Checking roles GenericPrincipal[system(ADMIN,JBossAdmin,)]
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.JBossSecurityMgrRealm] No role found: JBossAdmin
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, callerGenericPrincipal[system(ADMIN,JBossAdmin,)]
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal info from cache
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
       Principal: system
       Principal: Roles(members:ADMIN,JBossAdmin)
      , sc=org.jboss.security.SecurityAssociation$SubjectContext@186e848{principal=system,subject=30019131}
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
      2007-06-13 16:03:39,352 TRACE [org.jboss.web.tomcat.security.RunAsListener] HtmlAdaptor, runAs: null
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1fc0932{principal=system,subject=null}
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1bfdaa4{principal=system,subject=null}
      2007-06-13 16:03:39,352 TRACE [org.jboss.security.SecurityAssociation] getPrincipal, principal=system