1 2 Previous Next 16 Replies Latest reply on Sep 24, 2002 5:51 AM by Nuno Maia

    How to enable security

    Thomas Phan Newbie

      Hi,

      I'm using JBoss 3 + JBoss.NET server, and .NET client

      I set up login-config.xml, and put



        • 1. Re: How to enable security
          Thomas Phan Newbie

          Sorry, I pressed the "post message" button by mistake, continue here:

          I've

          <security-domain>java:/jaas/esb</security-domain>

          in both jboss.xml and jboss-web.xml

          and use .NET's NetworkCredential to send my userId, password

          public static bool Login(string userId, string password)
          {
          credential = new NetworkCredential(userId, password);
          if (userDAOService == null) userDAOService = new UserReference.UserDAOService();
          userDAOService.Credentials = credential;
          if ((userData = userDAOService.loadUser(userId)) == null)
          {
          credential = null;
          return false;
          }
          return true;
          }

          where userDAOService is the web service interface. But I get:

          Caused by: java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
          java.lang.SecurityException: Insufficient method permissions, principal=null, method=create, requiredRoles=[admin], principalRoles=[]
          at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:219)
          at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:93)
          at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:109)
          at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
          at org.jboss.ejb.Container.invoke(Container.java:726)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:491)
          at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
          at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
          at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:73)
          at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:76)
          at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:185)
          at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
          at $Proxy39.create(Unknown Source)

          I guess JBoss.NET doesn't pass the credential to the EJB container. What else should I set to get this work, thanks

          • 2. Re: How to enable security
            James Moring Newbie

            Open the Axis-config.xml file in conf and find the following entry





            change java:/jaas/other to java:/jaas/esb

            This should work

            • 3. Re: How to enable security
              Thomas Phan Newbie

              Hi James,

              Thanks. I have axis-config.xml changed, but still doesn't work. When I enabled <security-domain>java:/jaas/esb</security-domain> in jboss.xml, I still got the same error as before. When I remove the security domain in the EJB container, I got no security check, or no HTTP password prompt, and still have my application running. I've the whole thing worked when I use the web/ejb containers together, i.e. changing both jboss.xml and jboss-web.xml. Only the JBoss.NET one (/axis) doesn't pass the credential. Do we need something like:

              <security-constraint>
              <web-resource-collection>
              <web-resource-name>esb</web-resource-name>
              <url-pattern>*.esb</url-pattern>
              <!--url-pattern>/servlet/*</url-pattern-->
              <http-method>GET</http-method>
              <http-method>POST</http-method>
              </web-resource-collection>
              <auth-constraint>
              <role-name>admin</role-name>
              <role-name>guess</role-name>
              </auth-constraint>
              <user-data-constraint>
              <transport-guarantee>NONE</transport-guarantee>
              </user-data-constraint>
              </security-constraint>
              <login-config>
              <auth-method>BASIC</auth-method>
              <realm-name>esb</realm-name>
              </login-config>

              • 4. Re: How to enable security
                James Moring Newbie

                Are you setting the username and password on the Call object in the client?

                Service oService = new Service();
                Call oCall = oService.createCall();

                oCall.setTargetEndpointAddress( "http://www.myco.com/axis/services/MyService" );

                // Login and password that are valid in esb domain
                oCall.setUsername( "joe" );
                oCall.setPassword( "green" );

                oCall.invoke( "ping", new Object[0] );

                I have this style setup working with my security domain.

                • 5. Re: How to enable security
                  Thomas Phan Newbie

                  Hi James,

                  I'm using a M$ C# .NET client. I set the username, and password via the NetworkCredential object, and binded it with the interface/stub. It should send the credential along with the HTTP request.

                  Do your browser ask you for password if you access http://<your host>:<your port>/axis/services/<your sevice>?wsdl

                  Maybe the above is a GET request, my browser (IE 6) doesn't ask me for credential

                  • 6. Re: How to enable security
                    James Moring Newbie

                    No my browser does not prompt. I don't think it should. The security domain controls the access to the web service itself. It does not cover access to the wsdl. I think that makes sense??? When you access the service via MS .Net client is the call authenticated? I apologize for not catching the fact that you were using MS .Net.

                    • 7. 3852263
                      Thomas Phan Newbie

                      Thanks James :)

                      Should each HTTP request needs to be authenticated? I put the credential info for each of my call.

                      I just find something:

                      [root@es conf]# pwd
                      /var/jboss/server/esb/conf
                      [root@es conf]# grep -r 'esb' axis-config.xml


                      [root@es conf]# cd ../../../bin/
                      [root@es bin]# ./run.sh -c esb
                      ...
                      14:46:59,599 INFO [MainDeployer] Starting deployment of package: file:/var/jboss-3.0.0/server/esb/deploy/jboss-net.sar
                      14:46:59,789 INFO [AxisService] Seting RootContext to axis.
                      14:46:59,791 INFO [AxisService] Setting Security Domain to java:/jaas/other.
                      14:46:59,833 INFO [MainDeployer] Successfully completed deployment of package: file:/var/jboss-3.0.0/server/esb/deploy/jboss-net.sar
                      14:46:59,834 INFO [MainDeployer] Starting deployment of package: file:/var/jboss-3.0.0/server/esb/deploy/jetty-plugin.sar
                      14:47:06,461 INFO [Jetty] Registered jboss.web:Jetty=0
                      14:47:07,065 INFO [Jetty] Registered jboss.web:Jetty=Debug
                      14:47:07,428 INFO [Jetty] Registered jboss.web:Jetty=Log
                      14:47:08,116 INFO [Jetty] Registered jboss.web:Jetty=Log,sink=0

                      ^^
                      even I changed axis-config.xml, I still get the "other" security domain. Pls note that I've 4 instances of JBoss, may this be a problem?

                      [root@es bin]# ls ../server/
                      all default esb minimal
                      [root@es bin]#

                      • 8. Re: How to enable security
                        James Moring Newbie

                        Let me just confirm the following:

                        - You have set a custom login module up in login-config.xml in conf under java:jaas/esb
                        - You can access the ejb your trying to expose as a webservice via standard ejb client access in the esb security domain
                        - You have tested it with Axis client

                        Have you had success with all the above?

                        Jim

                        • 9. Re: How to enable security
                          Thomas Phan Newbie

                          Hi Jim,

                          Thanks a lot for the checking points

                          > You have set a custom login module up in login-config.xml in conf under java:jaas/esb

                          Yes. To show this, please look at the below, where I access my EJB via Jetty (and web browser). There's a successful login, and an unsuccessful one.

                          > You can access the ejb your trying to expose as a webservice via standard ejb client access in the esb security domain

                          Consider Jetty is the EJB client, yes.

                          > You have tested it with Axis client

                          No, I don't know how to write an Axis client, but I think this is a server configuration problem. The AXIS server doesn't ask for the user principal (or it only know the "other" security domain, and ignore the "esb" one), so it has nothing to pass to the EJB (principal=null)

                          2002-07-14 02:10:19,801 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] JBossUserPrincipal: twhphan
                          2002-07-14 02:10:19,805 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] authenticating: Name:twhphan Password:****
                          2002-07-14 02:10:19,806 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] authenticated: twhphan
                          2002-07-14 02:10:19,806 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] setting JAAS subjectAttributeName(j_subject) : Subject:
                          Principal: twhphan
                          Principal: Roles

                          2002-07-14 02:10:19,806 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] JBossUserPrincipal: twhphan is in Role: guess
                          2002-07-14 02:10:19,807 INFO [org.jboss.jetty.Jetty] action: Processing a GET for /user
                          2002-07-14 02:10:19,809 INFO [org.jboss.jetty.Jetty] action: Setting locale 'en_US'
                          2002-07-14 02:10:19,810 INFO [org.jboss.jetty.Jetty] action: Looking for Action instance for class esb.web.UserAction

                          <i see my requested web page returned, then I closed my browser and open a new one to enter other user's login. This 2nd user doesn't have the role to access the EJB; although it has the role to access the WEB tier>

                          2002-07-14 02:11:12,855 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] JBossUserPrincipal: monster
                          2002-07-14 02:11:12,856 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] created JBossUserRealm::JBossUserPrincipal: monster
                          2002-07-14 02:11:12,856 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] authenticating: Name:monster Password:****
                          2002-07-14 02:11:12,863 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] authenticated: monster
                          2002-07-14 02:11:12,864 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] setting JAAS subjectAttributeName(j_subject) : Subject:
                          Principal: monster
                          Principal: Roles

                          2002-07-14 02:11:12,864 DEBUG [org.jboss.jetty.security.JBossUserRealm#esb] JBossUserPrincipal: monster is in Role: guess
                          2002-07-14 02:11:12,865 INFO [org.jboss.jetty.Jetty] action: Processing a GET for /user
                          2002-07-14 02:11:12,867 INFO [org.jboss.jetty.Jetty] action: Setting locale 'en_US'
                          2002-07-14 02:11:12,868 INFO [org.jboss.jetty.Jetty] action: Looking for Action instance for class esb.web.UserAction
                          2002-07-14 02:11:12,885 ERROR [org.jboss.ejb.plugins.SecurityInterceptor] Insufficient method permissions, principal=monster, method=loadUser, requiredRoles=[admin], principalRoles=[guess]
                          2002-07-14 02:11:12,886 ERROR [STDERR] java.rmi.RemoteException: checkSecurityAssociation; nested exception is:
                          java.lang.SecurityException: Insufficient method permissions, principal=monster, method=loadUser, requiredRoles=[admin], principalRoles=[guess]
                          2002-07-14 02:11:12,887 ERROR [STDERR] java.lang.SecurityException: Insufficient method permissions, principal=monster, method=loadUser, requiredRoles=[admin], principalRoles=[guess]
                          2002-07-14 02:11:12,887 ERROR [STDERR] at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:218)
                          2002-07-14 02:11:12,887 ERROR [STDERR] at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:118)
                          2002-07-14 02:11:12,888 ERROR [STDERR] at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:166)
                          2002-07-14 02:11:12,888 ERROR [STDERR] at org.jboss.ejb.StatelessSessionContainer.invoke(StatelessSessionContainer.java:313)
                          2002-07-14 02:11:12,888 ERROR [STDERR] at org.jboss.ejb.Container.invoke(Container.java:705)
                          2002-07-14 02:11:12,888 ERROR [STDERR] at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:491)
                          2002-07-14 02:11:12,888 ERROR [STDERR] at org.jboss.invocation.local.LocalInvoker.invoke(LocalInvoker.java:98)
                          2002-07-14 02:11:12,889 ERROR [STDERR] at org.jboss.invocation.InvokerInterceptor.invoke(InvokerInterceptor.java:102)
                          2002-07-14 02:11:12,889 ERROR [STDERR] at org.jboss.proxy.TransactionInterceptor.invoke(TransactionInterceptor.java:73)
                          2002-07-14 02:11:12,889 ERROR [STDERR] at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:76)
                          2002-07-14 02:11:12,889 ERROR [STDERR] at org.jboss.proxy.ejb.StatelessSessionInterceptor.invoke(StatelessSessionInterceptor.java:111)
                          2002-07-14 02:11:12,890 ERROR [STDERR] at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76)
                          2002-07-14 02:11:12,890 ERROR [STDERR] at $Proxy40.loadUser(Unknown Source)
                          2002-07-14 02:11:12,890 ERROR [STDERR] at esb.web.UserAction.perform(Unknown Source)
                          2002-07-14 02:11:12,890 ERROR [STDERR] at org.apache.struts.action.ActionServlet.processActionPerform(ActionServlet.java:1787)
                          2002-07-14 02:11:12,890 ERROR [STDERR] at com.oroad.stxx.action.ActionServlet.process(ActionServlet.java:441)
                          2002-07-14 02:11:12,891 ERROR [STDERR] at org.apache.struts.action.ActionServlet.doGet(ActionServlet.java:492)
                          2002-07-14 02:11:12,891 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
                          2002-07-14 02:11:12,891 ERROR [STDERR] at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
                          2002-07-14 02:11:12,891 ERROR [STDERR] at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:371)
                          2002-07-14 02:11:12,892 ERROR [STDERR] at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:607)
                          2002-07-14 02:11:12,892 ERROR [STDERR] at org.mortbay.http.HttpContext.handle(HttpContext.java:1387)
                          2002-07-14 02:11:12,892 ERROR [STDERR] at org.mortbay.http.HttpContext.handle(HttpContext.java:1326)
                          2002-07-14 02:11:12,892 ERROR [STDERR] at org.mortbay.http.HttpServer.service(HttpServer.java:757)
                          2002-07-14 02:11:12,892 ERROR [STDERR] at org.jboss.jetty.Jetty.service(Jetty.java:527)
                          2002-07-14 02:11:12,893 ERROR [STDERR] at org.mortbay.http.HttpConnection.service(HttpConnection.java:742)
                          2002-07-14 02:11:12,893 ERROR [STDERR] at org.mortbay.http.HttpConnection.handleNext(HttpConnection.java:915)
                          2002-07-14 02:11:12,893 ERROR [STDERR] at org.mortbay.http.HttpConnection.handle(HttpConnection.java:757)
                          2002-07-14 02:11:12,893 ERROR [STDERR] at org.mortbay.http.SocketListener.handleConnection(SocketListener.java:151)
                          2002-07-14 02:11:12,893 ERROR [STDERR] at org.mortbay.util.ThreadedServer.handle(ThreadedServer.java:287)
                          2002-07-14 02:11:12,894 ERROR [STDERR] at org.mortbay.util.ThreadPool$JobRunner.run(ThreadPool.java:715)
                          2002-07-14 02:11:12,894 ERROR [STDERR] at java.lang.Thread.run(Thread.java:484)

                          Using the same JBoss process, and accesses the same bean via JBoss.NET, I got

                          02:15:49,860 INFO [Jetty] JBossAxisServlet: init
                          02:15:51,084 ERROR [SecurityInterceptor] Insufficient method permissions, principal=null, method=create, requiredRoles=[admin], principalRoles=[]

                          note: different method name -- but create() must be called before loadUser(), my web application doesn't call create in the 2nd invoke becoz it cached the session bean's handler during my 1st call (the successful one)

                          • 10. Re: How to enable security
                            James Moring Newbie

                            I just noticed that the jboss-service.xml in the jboss-net.sar also references the java:jaas/other security domain. This appears to control the access to the axis servlet. This might be what you are looking for. The checking points were to make sure I understood your problem. Not to imply you had not already tried those things.

                            Good luck

                            • 11. Re: How to enable security
                              Thomas Phan Newbie

                              Hi Jim,

                              Great, it works. Thanks for giving me the direction. But I also changed install-axis.xml to request authentication for all roles

                              • 12. Re: How to enable security
                                James Moring Newbie

                                Great!!! To many configuration points!!!

                                1 in conf
                                2 in sar

                                This needs to be consolidated somehow.

                                Jim

                                • 13. Re: How to enable security
                                  Dr. Christoph Georg Jung Newbie

                                  That is right ... there is a security association in the AxisService mbean that will allow the AxisServlet to be shielded by the web-server security. Unfortunately this is an all-or-nothing approach, i.e., we cannot have unauthenticated calls once enabling this in the install-axis.xml (right done by the way, I had to disable it to allow unauthenticated calls)

                                  And there are security associations for the JBossAuthenticationHandler that will enable security on a per-web-service basis (and you need to specify these handlers in the web-service.xml - see axis wsdd documentation). Note that JBossAuthenticationHandler and JBossAuthorizationHandler (a primitive access filter that operates on the result of the authentication) must be used with simple principal security domains and are based on http basic auth.

                                  Both ways of adding security are independently configurable.

                                  CGJ

                                  • 14. Re: How to enable security
                                    no_ejb Newbie

                                    Just out of curiosity,

                                    How do you use M$ class from regular JVM? Since you mentioned using web services, doe M$ export NetworkCredential class as wsdl interface?

                                    Thanks.

                                    1 2 Previous Next