5 Replies Latest reply on Nov 11, 2009 6:38 AM by sangeetha.gold

    java.lang.SecurityException: Denied: caller with subject=Sub

      Hi,

      I have written a custom JAAS login module which extends AbstractServerLoginModule for authN and authZ. I am getting the following error when I try to access a protected EJB with the required role. The web container is working as expected: I am able to access the secured resources based on the user's role. But the EJB container is not working. Please find the error below.

      My environment:
      JBoss 5.1.0 GA, Win XP

      As the <security-domain> element in jboss.xml is ignored by JBoss 5.1.0 GA (please correct me if I am wrong; I think it is a bug in JBoss 5.1.0 GA), I have modified security-policies-jboss-beans.xml for the jboss-ejb-policy element as follows:

      <?xml version="1.0" encoding="UTF-8"?>
      <deployment xmlns="urn:jboss:bean-deployer:2.0">

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-web-policy" extends="other">
      <authorization>
      <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
      </authorization>
      </application-policy>

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-ejb-policy" extends="UIdPSso">
      <authorization>
      <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
      </authorization>
      </application-policy>

      <application-policy xmlns="urn:jboss:security-beans:1.0" name="jboss-WebUIdP-policy" extends="UIdPSso">
      <authorization>
      <policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
      </authorization>
      </application-policy>

      </deployment>



      ejb-jar.xml is in the EJB jar's META-INF:

      <?xml version="1.0"?>
      <!DOCTYPE ejb-jar PUBLIC '-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 1.1//EN' 'http://java.sun.com/j2ee/dtds/ejb-jar_1_1.dtd'>
      <ejb-jar>
      <enterprise-beans>
      <session>
      <ejb-name>DsBean</ejb-name>
      <home>com.sample.as2.weblogic.test.DsBeanHome</home>
      <remote>com.sample.as2.weblogic.test.DsBean</remote>
      <ejb-class>com.sample.as2.weblogic.test.DsBeanEJB</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      </session>
      </enterprise-beans>
      <assembly-descriptor>
      <security-role>
      <description>DSmart Bean Level Access</description>
      <role-name>DSBeanRole</role-name>
      </security-role>
      <method-permission>
      <role-name>DSBeanRole</role-name>
      <method>
      <ejb-name>DsBean</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>*</method-name>
      </method>
      </method-permission>
      <container-transaction>
      <method>
      <ejb-name>DsBean</ejb-name>
      <method-name>*</method-name>
      </method>
      <trans-attribute>Required</trans-attribute>
      </container-transaction>
      </assembly-descriptor>
      </ejb-jar>


      ERROR org.jboss.ejb.plugins.SecurityInterceptor - Error in Security Interceptor
      java.lang.SecurityException: Denied: caller with subject=Subject:
      Principal: jaasuser
      Principal: Roles(members:DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole)
      Principal: CallerPrincipal(members:jaasuser)
      and security context post-mapping roles=Roles(DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole,): ejbMethod=public abstract com.sample.as2.weblogic.test.DsBean com.sample.as2.weblogic.test.DsBeanHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:368)
      at org.jboss.ejb.plugins.SecurityInterceptor.process(SecurityInterceptor.java:243)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:205)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.process(PreSecurityInterceptor.java:136)
      at org.jboss.ejb.plugins.security.PreSecurityInterceptor.invokeHome(PreSecurityInterceptor.java:88)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
      at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:639)
      at org.jboss.ejb.Container.invoke(Container.java:1046)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:585)
      at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
      at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
      at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
      at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
      at org.jboss.invocation.local.LocalInvoker$MBeanServerAction.invoke(LocalInvoker.java:169)
      at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:118)
      at org.jboss.invocation.InvokerInterceptor.invokeLocal(InvokerInterceptor.java:209)
      at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:195)
      at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:61)
      at org.jboss.proxy.ejb.SecurityContextInterceptor.invoke(SecurityContextInterceptor.java:64)
      at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:68)
      at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:184)
      at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:101)
      at $Proxy248.create(Unknown Source)
      at com.sample.as2.servlets.unprotectedServlet.doPost(Unknown Source)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
      at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
      at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
      at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
      at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
      at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
      at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
      at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
      at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
      at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
      at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
      at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
      at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
      at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:402)
      at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
      at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
      at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
      at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
      at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
      at java.lang.Thread.run(Thread.java:595)
      1462903 [http-127.0.0.1-8080-1] ERROR com.sample.as2.servlets.unprotectedServlet - Exception caught initializing beans:java.rmi.AccessException: SecurityException; nested exception is:
      java.lang.SecurityException: Denied: caller with subject=Subject:
      Principal: jaasuser
      Principal: Roles(members:DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole)
      Principal: CallerPrincipal(members:jaasuser)
      and security context post-mapping roles=Roles(DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole,): ejbMethod=public abstract com.sample.as2.weblogic.test.DsBean com.sample.as2.weblogic.test.DsBeanHome.create() throws javax.ejb.CreateException,java.rmi.RemoteException


      Thanks,
      Sangeetha

        • 1. Re: java.lang.SecurityException: Denied: caller with subject
          wolfgangknauf

          Hi,

          "security-domain" in jboss.xml works, if used properly ;-).

          Please post your "jboss.xml". Is it placed in "ejb.jar"\META-INF\ ?

          Do you really (really?) build an EJB 1.1 app ;-)?

          You don't need to modify security policies for "standard" JAAS security.

          Best regards

          Wolfgang

          • 2. Re: java.lang.SecurityException: Denied: caller with subject

            Hi,

            Thanks for the reply! As you suggested, I have rolled back the changes made in security-policies-jboss-beans.xml. Now this file is as it is shipped in the JBoss installation. I am not building a new application; this is an old application developed in EJB 1.1. [Is it required to upgrade to EJB 3.0? I didn't think it was required.] Now the jboss.xml in "ejb-jar"/META-INF looks as follows:

            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 5.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_5_0.dtd">
            <jboss>
            <security-domain>java:/jaas/UIdPSso</security-domain>
            <enterprise-beans>
            <session>
            <ejb-name>DsBean</ejb-name>
            <jndi-name>DsBean</jndi-name>
            </session>
            </enterprise-beans>
            </jboss>


            I can see from the log that it is making a call to the CustomLoginModule and getting the Subject. But it throws java.lang.SecurityException. However, I am able to access unprotected EJBs and the protected servlet.

            Just for your reference from the log file:
            java.lang.SecurityException: Denied: caller with subject=Subject:
            Principal: jaasuser
            Principal: Roles(members:DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole)
            Principal: CallerPrincipal(members:jaasuser)
            and security context post-mapping roles=Roles(DSBeanRole,ProtectedServletGroup,ValidUser,jaasrole,).

            Do I need to pass the caller Subject to the EJBContext in my servlet, or do I need to define some policy file to grant the permission? If yes, could you please let me know how to set it up.

            Thanks & Regards,
            Sangeetha

            • 3. Re: java.lang.SecurityException: Denied: caller with subject

              Hi,

              Can anyone help with this issue? It is very urgent for me; I need to fix it as soon as possible.

              Thanks in advance.

              Regards,
              Sangeetha

              • 4. Re: java.lang.SecurityException: Denied: caller with subject
                wolfgangknauf

                Hi,

                I don't know whether JBoss 5 still supports EJB 1.1, but I hope so ;-). An upgrade to EJB 3.0 will be quite a bunch of work if you use Entity Beans.

                Did you check the logs of the security layer (see sticky post "FAQ" in this forum, question 4)? Maybe there is some config error.

                Also, please post the snippet of "login-config.xml" (or any other config file which you use to plug in your login module), and the relevant code snippets of the login module.

                Do you have security constraints declared in your web.xml?

                Best regards

                Wolfgang

                • 5. Re: java.lang.SecurityException: Denied: caller with subject

                  Wolfgang,

                  Thanks a lot. I have resolved the issue. As suggested by you, I have created the beans using EJB 2.1 and it is working now; the ejb-jar.xml file was also incorrect.

                  To resolve the above issue the ejb-jar.xml file should be as follows:
                  <?xml version="1.0" encoding="UTF-8"?>

                  <ejb-jar id="ejb-jar_1" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/ejb-jar_2_1.xsd" version="2.1">

                  <description><![CDATA[DSBean generated by eclipse wtp xdoclet extension.]]></description>
                  <display-name>DSBean</display-name>

                  <enterprise-beans>

                  <!-- Session Beans -->
                  <session>
                  <description><![CDATA[An EJB named WlConnectors]]></description>
                  <display-name>WlConnectors</display-name>

                  <ejb-name>WlConnectors</ejb-name>

                  <home>com.test.jboss.WlConnectorsHome</home>
                  <remote>com.test.jboss.WlConnectors</remote>
                  <local-home>com.test.jboss.WlConnectorsLocalHome</local-home>
                  <local>com.test.jboss.WlConnectorsLocal</local>
                  <ejb-class>com.test.jboss.WlConnectorsSession</ejb-class>
                  <session-type>Stateless</session-type>
                  <transaction-type>Container</transaction-type>
                  </session>

                  <session>
                  <description><![CDATA[An EJB named MethodConnectors]]></description>
                  <display-name>MethodConnectors</display-name>

                  <ejb-name>MethodConnectors</ejb-name>

                  <home>com.test.jboss.MethodConnectorsHome</home>
                  <remote>com.test.jboss.MethodConnectors</remote>
                  <local-home>com.test.jboss.MethodConnectorsLocalHome</local-home>
                  <local>com.test.jboss.MethodConnectorsLocal</local>
                  <ejb-class>com.test.jboss.MethodConnectorsSession</ejb-class>
                  <session-type>Stateless</session-type>
                  <transaction-type>Container</transaction-type>
                  </session>

                  <session>
                  <description><![CDATA[An EJB named DSConnectors]]></description>
                  <display-name>DSConnectors</display-name>

                  <ejb-name>DSConnectors</ejb-name>

                  <home>com.test.jboss.DSConnectorsHome</home>
                  <remote>com.test.jboss.DSConnectors</remote>
                  <local-home>com.test.jboss.DSConnectorsLocalHome</local-home>
                  <local>com.test.jboss.DSConnectorsLocal</local>
                  <ejb-class>com.test.jboss.DSConnectorsSession</ejb-class>
                  <session-type>Stateless</session-type>
                  <transaction-type>Container</transaction-type>
                  </session>

                  <!--
                  To add session beans that you have deployment descriptor info for, add
                  a file to your XDoclet merge directory called session-beans.xml that contains
                  the <session></session> markup for those beans.
                  -->

                  <!-- Entity Beans -->
                  <!--
                  To add entity beans that you have deployment descriptor info for, add
                  a file to your XDoclet merge directory called entity-beans.xml that contains
                  the <entity></entity> markup for those beans.
                  -->

                  <!-- Message Driven Beans -->
                  <!--
                  To add message driven beans that you have deployment descriptor info for, add
                  a file to your XDoclet merge directory called message-driven-beans.xml that contains
                  the <message-driven></message-driven> markup for those beans.
                  -->

                  </enterprise-beans>

                  <!-- Relationships -->

                  <!-- Assembly Descriptor -->
                  <!--
                  To specify your own assembly descriptor info here, add a file to your
                  XDoclet merge directory called assembly-descriptor.xml that contains
                  the <assembly-descriptor></assembly-descriptor> markup.
                  -->

                  <assembly-descriptor id="AssemblyDescriptor_1">
                  <!--
                  To specify additional security-role elements, add a file in the merge
                  directory called ejb-security-roles.xml that contains them.
                  -->

                  <!-- method permissions -->
                  <!--
                  To specify additional method-permission elements, add a file in the merge
                  directory called ejb-method-permissions.ent that contains them.
                  -->

                  <!-- transactions -->
                  <!--
                  To specify additional container-transaction elements, add a file in the merge
                  directory called ejb-container-transactions.ent that contains them.
                  -->

                  <!-- finder transactions -->

                  <!-- message destinations -->
                  <!--
                  To specify additional message-destination elements, add a file in the merge
                  directory called ejb-message-destinations.ent that contains them.
                  -->

                  <!-- exclude list -->
                  <!--
                  To specify an exclude-list element, add a file in the merge directory
                  called ejb-exclude-list.xml that contains it.
                  -->
                  <security-role>
                  <role-name>DSBeanRole</role-name>
                  </security-role>
                  <security-role>
                  <role-name>ProtectedMethodGroup</role-name>
                  </security-role>
                  <method-permission>
                  <role-name>DSBeanRole</role-name>
                  <method>
                  <ejb-name>DSConnectors</ejb-name>
                  <method-name>*</method-name>
                  </method>
                  </method-permission>
                  <method-permission>
                  <role-name>ProtectedMethodGroup</role-name>
                  <method>
                  <ejb-name>MethodConnectors</ejb-name>
                  <method-name>getUserId</method-name>
                  </method>
                  </method-permission>
                  <method-permission>
                  <unchecked/>
                  <method>
                  <ejb-name>MethodConnectors</ejb-name>
                  <method-name>create</method-name>
                  </method>
                  </method-permission>
                  <method-permission>
                  <unchecked/>
                  <method>
                  <ejb-name>WlConnectors</ejb-name>
                  <method-name>*</method-name>
                  </method>
                  </method-permission>
                  <container-transaction>
                  <method>
                  <ejb-name>MethodConnectors</ejb-name>
                  <method-name>*</method-name>
                  </method>
                  <trans-attribute>Required</trans-attribute>
                  </container-transaction>
                  </assembly-descriptor>

                  </ejb-jar>

                  Thanks & Regards,
                  Sangeetha
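
Editor's note on the descriptors above (an added illustration, not a post from the thread). The trace in the opening post denies DsBeanHome.create(), which is a Home-interface method, while the only method-permission in that first ejb-jar.xml is scoped to <method-intf>Remote</method-intf>. The Home methods therefore had no method-permission at all, and JBoss 4/5 treats methods with no permission as excluded unless jboss.xml sets missing-method-permissions-excluded-mode to false; the working descriptor in the last post drops method-intf, so `*` covers every interface. The fragment below grants the two interfaces separately so the least-privilege intent is explicit; it reuses the thread's bean name, role and security domain, and the split into Home and Remote permissions is the editor's own example rather than the poster's file:

```xml
<!-- ejb-jar.xml (EJB 2.1 assembly-descriptor): grant the Home and Remote
     interfaces separately. Bean name, role and method names come from the
     thread; splitting the permissions is the editor's illustration. -->
<assembly-descriptor>
  <security-role>
    <role-name>DSBeanRole</role-name>
  </security-role>

  <!-- Home interface: the create() call that the trace shows being denied.
       A permission limited to <method-intf>Remote</method-intf> never
       covers it, so it falls under the excluded-mode default below. -->
  <method-permission>
    <role-name>DSBeanRole</role-name>
    <method>
      <ejb-name>DsBean</ejb-name>
      <method-intf>Home</method-intf>
      <method-name>create</method-name>
    </method>
  </method-permission>

  <!-- Remote interface: the business methods. -->
  <method-permission>
    <role-name>DSBeanRole</role-name>
    <method>
      <ejb-name>DsBean</ejb-name>
      <method-intf>Remote</method-intf>
      <method-name>*</method-name>
    </method>
  </method-permission>
</assembly-descriptor>

<!-- jboss.xml, in the EJB jar's META-INF: bind the jar to the JAAS domain
     and keep the default deny for methods that have no method-permission. -->
<jboss>
  <security-domain>java:/jaas/UIdPSso</security-domain>
  <!-- true is the default; stated explicitly so a reviewer sees the posture.
       false would make every unlisted method callable by any caller. -->
  <missing-method-permissions-excluded-mode>true</missing-method-permissions-excluded-mode>
  <enterprise-beans>
    <session>
      <ejb-name>DsBean</ejb-name>
      <jndi-name>DsBean</jndi-name>
    </session>
  </enterprise-beans>
</jboss>
```

When a denial like the one above appears even though the Roles group in the Subject already contains the required role, compare the ejbMethod printed in the exception against the method-intf of each method-permission first: a role mismatch and a missing permission produce the same SecurityException.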