6 Replies Latest reply on Apr 6, 2009 9:44 AM by Pawel Kasprzak

    SecurityAssociationCallback returns NULL-Principal in 5.0.0

    Thomas Wiesner Newbie

      Hello,

      I'm migrating a J2EE application from JBoss 4.0.3SP1 to 5.0.0 GA. This application will be accessed from a remote client (RMI over HTTP with HTTPInvokerServlet). Now the custom JAAS login that works in 4.0.3 fails in 5.0.0 GA because the principal requested from the SecurityAssociationCallback in my server-side custom login module is NULL.

      Any suggestions on how to deal with SecurityAssociationCallback in 5.0.0 GA?

      My custom login in more detail:
      1) Client

      auth.conf:

      client-login {
          de.myapplication.secure.CustomClientLoginModule required;
          org.jboss.security.ClientLoginModule required
              password-stacking="useFirstPass";
      };
      

      The client uses a CustomPasswordHandler implementing CallbackHandler for additional login information, which results in a CustomPrincipal class. This CustomPrincipal class is needed at the server-side login module.

      2) Server

      The jboss-service.xml and the login-config.xml are located in the META-INF of the SAR bundled in the EAR of the application. The following code snippet from the CustomServerLoginModule shows the place where the principal comes back as NULL:

      SecurityAssociationCallback callback = new SecurityAssociationCallback();
      Callback[] callbacks = { callback };

      // ask the container's callback handler for the caller's principal and credential
      callbackHandler.handle(callbacks);

      // in 5.0.0 GA this principal comes back as null
      Principal principal = callback.getPrincipal();
      LOG.debug("'getUsernameAndPassword()' found Principal " + principal);


      jboss-service.xml (snippet)

      <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="de.myapplication.secure:service=LoginConfig-Custom">
          <attribute name="AuthConfig">META-INF/login-config.xml</attribute>

          <!-- The service which supports dynamic processing of login-config.xml
               configurations.
          -->
          <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends>

          <!-- Optionally specify the security mgr service to use when
               this service is stopped to flush the auth caches of the domains
               registered by this service.
          -->
          <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
      </mbean>


      login-config.xml

      <policy>
          <application-policy name="lisa">
              <authentication>
                  <login-module flag="required" code="de.myapplication.secure.jboss.CustomServerLoginModule">
                      <module-option name="unauthenticatedIdentity">unauthenticatedUser</module-option>
                      <module-option name="DATA_SOURCE">java:/custom.DataSource</module-option>
                      <module-option name="PRINCIPAL_QUERY">...</module-option>
                      <module-option name="ROLES_QUERY">...</module-option>
                      <module-option name="LOCATION_QUERY">...</module-option>
                  </login-module>
              </authentication>
          </application-policy>
      </policy>


        • 1. Re: SecurityAssociationCallback returns NULL-Principal in 5.
          Thomas Wiesner Newbie

          OK, I've tried it with the new JBoss 5.0.1.GA with the same result as above.

          Please look at the TRACE log. Normally the unauthenticated principal should not be there, but the principal who tries to log in is not in the SecurityAssociation.
          On the client side all looks OK; I've debugged from my custom login module to the JBoss client login module, and it has a valid principal.

          By the way, I can't find any resource which describes how to 'use the security context approach'.
          Anil's blog http://anil-identity.blogspot.com/2008/12/as5-pluggable-access-control-ejbweb.html says that I have nothing to change to run the normal authorization stack.

          Anybody who can help me out?

          00:37:36,310 WARN [SecurityAssociation] You are using deprecated api to getPrincipal. Use security context based approach
          00:37:36,311 WARN [SecurityAssociation] You are using deprecated api to getCredential. Use security context based approach
          00:37:36,391 TRACE [SecurityRolesAssociation] Setting threadlocal:null
          00:37:36,396 TRACE [SecurityRolesAssociation] Setting threadlocal:null
          00:37:44,413 TRACE [SecurityRolesAssociation] Setting threadlocal:{}
          00:37:44,430 TRACE [lisa] Begin isValid, principal:null, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@b6023d[Subject(32542938).principals=org.jboss.security.SimplePrincipal@10428909(LisaUnauthenticated)org.jboss.security.SimpleGroup@18997348(LisaUser(members)),credential.class=null,expirationTime=1236470796304]
          00:37:44,431 TRACE [lisa] Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo@b6023d[Subject(32542938).principals=org.jboss.security.SimplePrincipal@10428909(LisaUnauthenticated)org.jboss.security.SimpleGroup@18997348(LisaUser(members)),credential.class=null,expirationTime=1236470796304];credential.class=null
          00:37:44,431 TRACE [lisa] End validateCache, isValid=true
          00:37:44,431 TRACE [lisa] End isValid, true
          00:37:44,432 TRACE [LogAuditProvider] [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=null;method=create;
          00:37:44,432 TRACE [SecurityRolesAssociation] Setting threadlocal:{}
          00:37:44,433 TRACE [JBossAuthorizationContext] Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
          00:37:44,434 TRACE [EJBPolicyModuleDelegate] method=public abstract de.ebcot.bsctool.ejb.ManagerRemote de.ebcot.bsctool.ejb.ManagerRemoteHome.create(java.lang.String,int,java.lang.Integer) throws javax.ejb.CreateException,javax.security.auth.login.LoginException,java.rmi.RemoteException,de.ebcot.tools.util.LoginTwiceException, interface=Home, requiredRoles=Roles(LisaUser,)
          00:37:44,434 TRACE [EJBPolicyModuleDelegate] Exception:Insufficient method permissions, principal=admin, ejbName=Manager, method=create, interface=Home, requiredRoles=Roles(LisaUser,), principalRoles=Roles()
          00:37:44,435 TRACE [JBossAuthorizationContext] REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Betreff:
           Principal: LisaUnauthenticated
           Principal: LisaUser(members)
          :role=Roles()
          00:37:44,436 TRACE [JBossAuthorizationContext] Error in authorize:
          org.jboss.security.authorization.AuthorizationException: Authorization Failed:
           at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
           at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
           at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
           at java.security.AccessController.doPrivileged(Native Method)
           at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
           at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
           at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
           at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
           at org.jboss.ejb.plugins.SecurityActions$14.run(SecurityActions.java:557)
           at org.jboss.ejb.plugins.SecurityActions$14.run(SecurityActions.java:555)
           at java.security.AccessController.doPrivileged(Native Method)
           at org.jboss.ejb.plugins.SecurityActions.authorize(SecurityActions.java:553)
           at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:361)
           at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
           at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
           at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invokeHome(CachedConnectionInterceptor.java:187)
           at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invokeHome(StatefulSessionInstanceInterceptor.java:148)
           at org.jboss.ejb.plugins.CallValidationInterceptor.invokeHome(CallValidationInterceptor.java:56)
           at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:125)
           at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
           at org.jboss.ejb.plugins.TxInterceptorCMT.invokeHome(TxInterceptorCMT.java:161)
           at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
           at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
           at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
           at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
           at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
           at org.jboss.ejb.Container.invoke(Container.java:1046)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
           at org.jboss.invocation.http.server.HttpInvoker.invoke(HttpInvoker.java:154)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
           at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:162)
           at org.jboss.invocation.http.servlet.InvokerServlet.doPost(InvokerServlet.java:224)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
           at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           at java.lang.Thread.run(Thread.java:619)
          00:37:44,441 TRACE [EJBAuthorizationHelper] Error in authorization:
          org.jboss.security.authorization.AuthorizationException: Authorization Failed:
          00:37:44,448 TRACE [LogAuditProvider] [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1dc3dfb}:method=public abstract de.ebcot.bsctool.ejb.ManagerRemote de.ebcot.bsctool.ejb.ManagerRemoteHome.create(java.lang.String,int,java.lang.Integer) throws javax.ejb.CreateException,javax.security.auth.login.LoginException,java.rmi.RemoteException,de.ebcot.tools.util.LoginTwiceException:ejbMethodInterface=Home:ejbName=Manager:ejbPrincipal=admin:MethodRoles=Roles(LisaUser,):securityRoleReferences=null:callerSubject=Betreff:
           Principal: LisaUnauthenticated
           Principal: LisaUser(members)
          :callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration@1dc3dfb;
          00:37:44,449 ERROR [SecurityInterceptor] Error in Security Interceptor
          java.lang.SecurityException: Denied: caller with subject=Betreff:
           Principal: LisaUnauthenticated
           Principal: LisaUser(members)
           and security context post-mapping roles=null: ejbMethod=public abstract de.ebcot.bsctool.ejb.ManagerRemote de.ebcot.bsctool.ejb.ManagerRemoteHome.create(java.lang.String,int,java.lang.Integer) throws javax.ejb.CreateException,javax.security.auth.login.LoginException,java.rmi.RemoteException,de.ebcot.tools.util.LoginTwiceException
           at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:368)
           at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
           at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
           at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invokeHome(CachedConnectionInterceptor.java:187)
           at org.jboss.ejb.plugins.StatefulSessionInstanceInterceptor.invokeHome(StatefulSessionInstanceInterceptor.java:148)
           at org.jboss.ejb.plugins.CallValidationInterceptor.invokeHome(CallValidationInterceptor.java:56)
           at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:125)
           at org.jboss.ejb.plugins.TxInterceptorCMT.runWithTransactions(TxInterceptorCMT.java:350)
           at org.jboss.ejb.plugins.TxInterceptorCMT.invokeHome(TxInterceptorCMT.java:161)
           at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
           at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
           at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
           at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
           at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
           at org.jboss.ejb.Container.invoke(Container.java:1046)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
           at org.jboss.invocation.http.server.HttpInvoker.invoke(HttpInvoker.java:154)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
           at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
           at java.lang.reflect.Method.invoke(Method.java:597)
           at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
           at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
           at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
           at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
           at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
           at org.jboss.invocation.http.servlet.InvokerServlet.processRequest(InvokerServlet.java:162)
           at org.jboss.invocation.http.servlet.InvokerServlet.doPost(InvokerServlet.java:224)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
           at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
           at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
           at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
           at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
           at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
           at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
           at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
           at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
           at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
           at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
           at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
           at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
           at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
           at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
           at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
           at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:601)
           at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
           at java.lang.Thread.run(Thread.java:619)


          • 2. Re: SecurityAssociationCallback returns NULL-Principal in 5.
            Anil Saldanha Master

            00:37:44,434 TRACE [EJBPolicyModuleDelegate] Exception:Insufficient method permissions, principal=admin, ejbName=Manager, method=create, interface=Home, requiredRoles=Roles(LisaUser,), principalRoles=Roles()


            Your EJB needs the caller to have the role "LisaUser", but the caller, even though it has the username "admin", did not get the role assigned. It is empty.

            • 3. Re: SecurityAssociationCallback returns NULL-Principal in 5.
              Thomas Wiesner Newbie

              Hello Anil,

              thanks for your answer.

              So, I understood that my CustomLoginModule is responsible for assigning the principal to the 'LisaUser' role in the commit phase. But in the login phase, I can't get the principal from the SecurityAssociationCallback, which works in 4.0.3SP1.

              In detail, I call a getUsernameAndPassword() method:

              /**
               * Gather the username (principal) and password, which should be authenticated, from the callback handler.
               *
               * @return see main description
               * @throws LoginException
               */
              @Override
              protected Object[] getUsernameAndPassword() throws LoginException
              {
                  Object[] info = { null, null };
                  // prompt for a username and password
                  if (callbackHandler == null)
                  {
                      throw new LoginException("Error: no CallbackHandler available " + "to collect authentication information");
                  }
                  LOG.debug("Current callbackHandler " + callbackHandler.toString());

                  SecurityAssociationCallback callback = new SecurityAssociationCallback();
                  Callback[] callbacks = { callback };
                  String username = null;
                  try
                  {
                      callbackHandler.handle(callbacks);

                      // in 5.0.x GA this principal comes back as null
                      Principal principal = callback.getPrincipal();
                      LOG.debug("'getUsernameAndPassword()' found Principal " + principal);
                      if (principal != null)
                      {
                          m_identity = principal;
                          username = m_identity.getName();
                      }

                      // copy the credential and clear the callback's own copy
                      char[] tmpPassword = (char[]) callback.getCredential();
                      if (tmpPassword != null)
                      {
                          m_credential = new char[tmpPassword.length];
                          System.arraycopy(tmpPassword, 0, m_credential, 0, tmpPassword.length);
                          callback.clearCredential();
                      }
                  }
                  catch (IOException e)
                  {
                      LoginException le = new LoginException("Failed to get username/password");
                      le.initCause(e);
                      throw le;
                  }
                  catch (UnsupportedCallbackException e)
                  {
                      LoginException le = new LoginException("CallbackHandler does not support: " + e.getCallback());
                      le.initCause(e);
                      throw le;
                  }
                  info[0] = username;
                  info[1] = m_credential;
                  LOG.debug("Found username: " + username);
                  return info;
              }


              The SecurityAssociationCallbackHandler returns my CustomPrincipal, which I need for additional login information. But in 5.0.x.GA it returns null.

              After that, in the commit phase, getRoleSet() will be called, where the principal would be assigned to the role if it's not null.

              • 4. Re: SecurityAssociationCallback returns NULL-Principal in 5.
                Anil Saldanha Master

                http://anil-identity.blogspot.com/2007/10/tip-6-want-custom-principal.html

                The approach mentioned here should be supported. Everything else (this callback, that callback, direct hacking), forget it.

                • 5. Re: SecurityAssociationCallback returns NULL-Principal in 5.
                  Thomas Wiesner Newbie

                  Hello Anil,

                  thanks for your advice. Maybe I've implemented the wrong solution for my requirement. The requirement is to authenticate a user with its name, password and a mandator. This will be handled by my custom callback handler and a custom principal which holds the mandator as a member.
                  I had seen an approach like

                  SecurityAssociationCallback callback = new SecurityAssociationCallback();
                  Callback[] callbacks = { callback };
                  String username = null;
                  try
                  {
                      callbackHandler.handle(callbacks);

                      Principal principal = callback.getPrincipal();

                  in org.jboss.security.srp.jaas.SRPCacheLoginModule and reused it. Later the mandator will be read from my custom principal.

                  What would you suggest to fulfill my requirement?
                  Should I configure my custom callback handler in the JaasSecurityManagerService?
                  Unfortunately I've found nothing about how to configure it only for my application vs. server-wide.
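Following Anil's pointer, here is an added example (not the poster's code and not JBoss's) of the server side of the requirement stated above, written against plain JAAS so it runs on a bare JDK: the login module stops asking for the deprecated SecurityAssociationCallback, collects the standard NameCallback/PasswordCallback that a container's callback handler still answers, builds the custom principal carrying the mandator on the server, and assigns the LisaUser role in commit(). The class names, the "mandator\user" login convention and the in-memory credential table are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;

public class MandatorLoginDemo {
    /** Custom principal: user name plus the mandator it belongs to (assumed class, not the poster's). */
    public static final class MandatorPrincipal implements Principal {
        private final String name, mandator;
        public MandatorPrincipal(String name, String mandator) { this.name = name; this.mandator = mandator; }
        @Override public String getName() { return name; }
        public String getMandator() { return mandator; }
    }

    /** Plain-JAAS stand-in for the role group JBoss would build; the EJB layer checks for "LisaUser". */
    public static final class RolePrincipal implements Principal {
        private final String role;
        public RolePrincipal(String role) { this.role = role; }
        @Override public String getName() { return role; }
    }

    /** Server-side login module that relies only on the standard NameCallback/PasswordCallback. */
    public static final class MandatorLoginModule implements LoginModule {
        // Constructed credential table keyed "mandator\user"; a real module would query its data source.
        private static final Map<String, String> USERS = new HashMap<>();
        static { USERS.put("acme\\admin", "s3cret"); }
        private Subject subject;
        private CallbackHandler handler;
        private MandatorPrincipal identity; // built in login(), published to the Subject in commit()

        @Override public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }

        @Override public boolean login() throws LoginException {
            if (handler == null) throw new LoginException("no CallbackHandler available");
            NameCallback nc = new NameCallback("username");
            PasswordCallback pc = new PasswordCallback("password", false);
            try { handler.handle(new Callback[] { nc, pc }); }
            catch (IOException | UnsupportedCallbackException e) {
                throw (LoginException) new LoginException("failed to collect credentials").initCause(e);
            }
            String login = nc.getName();
            char[] pw = pc.getPassword();
            pc.clearPassword();
            // Assumed convention: the client passes "mandator\user" as the ordinary JAAS user name, so no custom Principal travels.
            int sep = login == null ? -1 : login.indexOf('\\');
            if (sep <= 0 || sep == login.length() - 1 || pw == null) {
                throw new FailedLoginException("malformed login or missing password");
            }
            byte[] given = new String(pw).getBytes(StandardCharsets.UTF_8);
            Arrays.fill(pw, '\0');
            String expected = USERS.get(login);
            // Constant-time comparison so a wrong password is not distinguishable by timing
            if (expected == null || !MessageDigest.isEqual(given, expected.getBytes(StandardCharsets.UTF_8))) {
                throw new FailedLoginException("unknown mandator/user or bad password");
            }
            identity = new MandatorPrincipal(login.substring(sep + 1), login.substring(0, sep));
            return true;
        }

        @Override public boolean commit() {
            if (identity == null) return false;
            subject.getPrincipals().add(identity);                      // the custom principal
            subject.getPrincipals().add(new RolePrincipal("LisaUser")); // the role the EJB layer requires
            return true;
        }

        @Override public boolean abort() { identity = null; return true; }
        @Override public boolean logout() { subject.getPrincipals().clear(); return true; }
    }

    /** Runs one login through LoginContext with an in-memory JAAS configuration for domain "lisa". */
    public static Subject authenticate(final String login, final String password) throws LoginException {
        Configuration.setConfiguration(new Configuration() {
            @Override public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                return new AppConfigurationEntry[] { new AppConfigurationEntry(MandatorLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, Collections.<String, Object>emptyMap()) };
            }
        });
        CallbackHandler client = callbacks -> { // stands in for the container's callback handler
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(login);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password.toCharArray());
                else throw new UnsupportedCallbackException(c);
            }
        };
        LoginContext lc = new LoginContext("lisa", new Subject(), client);
        lc.login();
        return lc.getSubject();
    }

    public static void main(String[] args) throws LoginException {
        for (Principal p : authenticate("acme\\admin", "s3cret").getPrincipals()) {
            System.out.println(p.getClass().getSimpleName() + " -> " + p.getName());
        }
    }
}
```

Inside JBoss the same module would extend the server's UsernamePasswordLoginModule instead, but the point carries over: the mandator is derived on the server from what the standard callbacks deliver, not from a principal object the client has to send.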

                  • 6. Re: SecurityAssociationCallback returns NULL-Principal in 5.
                    Pawel Kasprzak Newbie

                    Hello Anil,

                    I have a similar problem: in a filter class I set the current language in a multilingual application using the SecurityAssociation.setPrincipal() method, but after the upgrade from 4.04 to 4.23 it isn't working. Is there another solution to send such information in a custom principal?