2 Replies Latest reply on Oct 30, 2007 1:41 PM by kasimier

    Problem securing NamingService, InvokerAdaptorService on 4.2

    kasimier Newbie

      I really tried everything and earned just kidding. Please, can anyone help?

      I tried to secure NamingService with AuthenticationInterceptor and UsersRolesLoginModule as described in docs and wiki (including JRMPProxyFactory config for NamingService). It has no effect at all.
      Then I tried to secure InvokerAdaptorService with AuthenticationInterceptor and UsersRolesLoginModule. The same problem occurred.

      I still can retrieve the Naming Proxy, the JRMPInvokerProxy and of course can call invoke() without authentication. There are no log messages or Exceptions about the problem (org.jboss is on DEBUG level).

      Sending login information via LoginInitialContextFactory has no effect either. I also have configured SecureConfig, XMLLoginConfig, and JaasSecurityManager in their own SAR, and server.log says that they are started successfully. MBean attributes of those services look fine.

      Maybe I have not configured depending MBeans?
      My server is configured with the following services:

      AttributePersistenceService
      ThreadPool
      Log4jService
      NamingBeanImpl
      NamingService
      JRMPInvoker
      JRMPProxyFactory for InvokerAdaptorService
      JRMPProxyFactory for NamingService
      MBeanProxyRemote
      NamingAlias
      InvokerAdaptorService
      URLDeploymentScanner
      TransactionManagerService
      WorkManagerThreadPool
      WorkManager
      RARDeployer
      XSLSubDeployer
      CachedConnectionManager

      WebServer

      SecurityConfig
      XMLLoginConfig
      JaasSecurityManager

      one MailService
      jboss-local-jdbc.rar
      one DataSource


      Any idea?

        • 1. Re: Problem securing NamingService, InvokerAdaptorService on
          Anil Saldanha Master

          http://anil-identity.blogspot.com/2007/04/tip-1-if-security-does-not-work-in.html

          The idea is to read the JBoss security FAQ and to enable trace level logging to see what the issue is.

          • 2. Re: Problem securing NamingService, InvokerAdaptorService on
            kasimier Newbie

            Thanks for the info about the log level. I got a fine-grained trace of what's going on now, but the issue isn't clear to me:

            The security-relevant services (configured in their own SAR) are created correctly and my PolicyConfig named "lcfg" is loaded correctly too. Don't know if this matters, but JaasSecurityManagerService says nothing about a configured securityMgrCtxPath named "java:/jaas/lcfg".

            I have configured my NamingService XMBean with the following interceptors:

             <descriptors>
               <interceptors>
                 <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg" />
                 <interceptor code="org.jboss.mx.interceptor.PersistenceInterceptor2" />
                 <interceptor code="org.jboss.mx.interceptor.ModelMBeanInterceptor" />
                 <interceptor code="org.jboss.mx.interceptor.ObjectReferenceInterceptor" />
               </interceptors>
             </descriptors>


            and of course the JRMPProxyFactory for the Naming service.

            Further, I have a JRMPProxyFactory for the InvokerAdaptorService. InvokerAdaptorService is configured with the following interceptors on its invoke() method:

               <operation>
                 <name>invoke</name>
                 <parameter>
                   <name>invocation</name>
                   <type>org.jboss.invocation.Invocation</type>
                 </parameter>
                 <return-type>java.lang.Object</return-type>
                 <descriptors>
                   <interceptors>
                     <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg"/>
                     <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor" policyClass="StripModelMBeanInfoPolicy"/>
                   </interceptors>
                 </descriptors>
               </operation>
             </xmbean>


            When I connect to the MBeanServer via standard org.jnp.interfaces.NamingContextFactory, I can read all registered objects, without auth or error, of course jmx/rmi/RMIAdaptor too.
            I also can call invoke() on jmx/rmi/RMIAdaptor without auth or error.

            The security log trace when I stop a web module via invoke() does not say much, or I cannot interpret it correctly:

            ....
            2007-10-29 18:13:09,796 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@912f10{principal=null,subject=null}
            ....
            2007-10-29 18:13:11,093 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1e2e8cc{principal=null,subject=null}
            2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
            2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
            2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
            2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
            ....
            ....
            2007-10-29 18:13:13,531 DEBUG [org.apache.catalina.core.ContainerBase] unregistering jboss.web:j2eeType=WebModule,name=//localhost/iwa,J2EEApplication=none,J2EEServer=none
            2007-10-29 18:13:13,531 TRACE [org.jboss.web.tomcat.security.config.JBossContextConfig] destroy called with DELEGATE_TO_PARENT=false
            2007-10-29 18:13:13,531 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] delete
            2007-10-29 18:13:13,531 DEBUG [org.jboss.web.WebModule] Stopped jboss.web.deployment:war=iwa.war,id=-1069725553
            ....
            ....


            Really have no idea what kind of problem pains me.
            Maybe I have to force creation of the policy config before Interceptors using a JAAS domain are created?
            Maybe I must not configure InvokerAdaptorService, JRMPInvoker and so on directly in myServer/conf/jboss-service.xml?


            btw: securing a web application with the same JAAS domain works fine and forces my browser to pop up the login dialog.
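
One way to read a trace like the one quoted above, as an added example that is not part of the original thread: it replays the SecurityAssociation push/pop lines in log order and reports every ServiceController "stopping service" entry that ran while the innermost subject context had principal=null. Correlating by log order (this log format carries no thread name), the function name, and the second half of the sample log (principal=admin, other.war) are assumptions constructed for illustration.

```python
import re

# Constructed sample: the first two entries follow the trace quoted in the post,
# the authenticated push and other.war are invented to show the non-flagged case.
SAMPLE_LOG = """\
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
....
2007-10-29 18:13:13,531 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:14:02,100 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=constructed, sc=org.jboss.security.SecurityAssociation$SubjectContext@0000001{principal=admin,subject=constructed}
2007-10-29 18:14:02,105 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=other.war,id=1
2007-10-29 18:14:02,300 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@0000001{principal=admin,subject=constructed}
"""

# "<date> <time> <LEVEL> [<category>] <message>"
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] (.*)$")
PRINCIPAL = re.compile(r"\{principal=([^,}]*)")
SEC_ASSOC = "org.jboss.security.SecurityAssociation"
CONTROLLER = "org.jboss.system.ServiceController"


def unauthenticated_changes(log_text, action_prefix="stopping service:"):
    """Return (timestamp, service) for each lifecycle action logged while the
    innermost pushed subject context carried no principal."""
    stack, findings = [], []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # "...." elisions and continuation lines
        ts, _level, category, msg = m.groups()
        if category == SEC_ASSOC:
            if msg.startswith("pushSubjectContext"):
                p = PRINCIPAL.search(msg)
                stack.append(p.group(1) if p else "null")
            elif msg.startswith("popSubjectContext") and stack:
                stack.pop()
        elif category == CONTROLLER and msg.startswith(action_prefix):
            # An empty stack means no identity was observed, so it is reported too.
            current = stack[-1] if stack else "null"
            if current == "null":
                findings.append((ts, msg[len(action_prefix):].strip()))
    return findings


if __name__ == "__main__":
    for ts, service in unauthenticated_changes(SAMPLE_LOG):
        print(f"{ts}  no principal on thread while stopping {service}")
```

On a busy server, add the thread name to the log4j pattern first, since interleaved threads make order-based correlation unreliable.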