1 2 3 4 Previous Next 50 Replies Latest reply on May 14, 2008 8:49 AM by Anil Saldanha

    Security Injection in AS5

    Anil Saldanha Master

      this design thread is to discuss Adrian's subtask for me to tidy up some of the security injection in AS5.

      Adrian: There's no real way to depend upon a specific login module, you have to depend on the XMLLoginConfig

      The dependency cannot be on a single login module. XMLLoginConfig just establishes the configuration needed for the modules.

      I will take a look at the injection.

        • 1. Re: Security Injection in AS5
          Adrian Brock Master


          "anil.saldhana@jboss.com" wrote:
          this design thread is to discuss Adrian's subtask for me to tidy up some of the security injection in AS5.

          Adrian: There's no real way to depend upon a specific login module, you have to depend on the XMLLoginConfig

          The dependency cannot be on a single login module. XMLLoginConfig just establishes the configuration needed for the modules.

          I'm saying there should be.

          The first pass would be to make the SecurityDomain injectable
          by "hiding" all the wiring inside your own mc dependency.

          This would translate to the dependency is only satisfied
          when the login module repository has a "jbossmq" login module
          and the value returned is the security domain once it is satisifed

          Internally, this could use the current mechanism of looking up java:/jaas/name
          or it could be more optimised (more optimised is preferred since the
          jndi lookup doesn't provide a way to be notified of undeployment).

          <bean name="Whatever" ...>
           <property name="securityDomain"><security-domain-ref xmlns="urn:jboss-security-beans:1.0" name="jbossmq"/></property>

          The second pass would be to make security domains deployable inside the MC
          by writing a BeanMetaDataFactory

          This would be similar to above, except now you can deploy the login modules
          inside MC configuration

          bean name="Whatever" ...>
           <property name="securityDomain><inject name="jbossmq" property="securityDomain"/></property>
          <login-module xmlns="urn:jboss-security-beans:1.0" name="jbossmq">
           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
           flag = "required">
           <module-option name = "unauthenticatedIdentity">guest</module-option>
           <module-option name = "dsJndiName">java:/DefaultDS</module-option>
           <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
           <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>

          The real solution (longer term) is to get the secuity aspect to "automagically"
          inject it from the "metadata repository" (such a mechansim
          doesn't really exist in AOP yet so this is asperational :-).

          e.g. something like (the annotations are not real, just for discussion purposes)
          @AspectFactory("SecurityAspect" scope=Scope.PER_INSTANCE)
          public class SecurityAspect
           public SecurityAspect(
           SecurityDomain securityDomain
           ) { ... }

          The later (which doesn't exist) would mean that when AOP injects the
          parameter into the constructor method, it uses
          MetaData.getMetaData(SecurityDomain.class) as the parameter
          which could come from any of the scopes
          e.g. instance - the ejb,
          or deployment - the ear config
          server - a server wide default piece of metadata

          • 2. Re: Security Injection in AS5
            Adrian Brock Master


            "adrian@jboss.org" wrote:

            <bean name="Whatever" ...>
             <property name="securityDomain"><security-domain-ref xmlns="urn:jboss-security-beans:1.0" name="jbossmq"/></property>

            In practice a jboss developer would be more likely to use it programmatically

            String securityDomainName = ...
            beanMetaDataBuilder = ...
            beanMetaDataBuilder.addProperty("securityDomain", new SecurityDomainDependency(securityDomainName);

            • 3. Re: Security Injection in AS5
              Anil Saldanha Master

              Ok, now I follow you. "jbossmq" is the security domain name or application policy. The DatabaseServerLoginModule is the login module name. I was saying that it should not depend on DSLM. Just terminology difference.

              I also followed that the security domain name should be more like "jbossmq" and not "java:jaas/jbossmq" which is more like an internal implementation.

              • 4. Re: Security Injection in AS5
                Anil Saldanha Master


                DynamicLoginConfig provides dynamic installation of application policies (such as jbossmq).

                • 5. Re: Security Injection in AS5
                  Anil Saldanha Master

                  Stefan, since we can make DynamicLoginConfig as a bean, we should be able to convert "messaging-service.xml" services into beans and then inject a dynamicloginconfig bean defining "messaging" application policy into the

                   <mbean code="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore"

                  • 6. Re: Security Injection in AS5
                    Stefan Guilhen Apprentice

                    I've configured the DynamicLoginConfig as a bean, and it was working fine until I updated the AS and started getting a JBossXB error. This is the log that I get when using TRACE level for org.jboss.xb:

                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding@19a639b, 3: sequence choice ]
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding@1019275, 1: {urn:jboss:bean-deployer:2.0}annotation ]
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding@f6fd54, 10: {urn:jboss:bean-deployer:2.0}array {urn:jboss:bean-deployer:2.0}collection {urn:jboss:bean-deployer:2.0}inject {urn:jboss:bean-deployer:2.0}list {urn:jboss:bean-deployer:2.0}map {urn:jboss:bean-deployer:2.0}set {urn:jboss:bean-deployer:2.0}null {urn:jboss:bean-deployer:2.0}this {urn:jboss:bean-deployer:2.0}value {urn:jboss:bean-deployer:2.0}value-factory ]
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding] (main) leaving org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding@f6fd54 i=9, pos=-1
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) Mapped schemaLocation to filename: security-config_5_0.xsd
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) getInputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd
                    WARN [org.jboss.util.xml.JBossEntityResolver] (main) Cannot load publicId from resource: security-config_5_0.xsd
                    WARN [org.jboss.util.xml.JBossEntityResolver] (main) Trying to resolve systemId as a non-file URL: resource:security-config_5_0.xsd
                    DEBUG [org.jboss.util.xml.JBossEntityResolver] (main) Cannot resolve [publicID=urn:jboss:security-config:5.0,systemID=resource:security-config_5_0.xsd]
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) Resolved schema using namespace as publicId and schemaLocation as systemId
                    WARN [org.jboss.util.xml.JBossEntityResolver] (main) Cannot load systemId from resource: security-config_5_0.xsd
                    DEBUG [org.jboss.util.xml.JBossEntityResolver] (main) Cannot resolve [publicID=null,systemID=urn:jboss:security-config:5.0]
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) getInputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd, is=null
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) found schema InputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd
                    TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) resolved schema: null
                    TRACE [org.jboss.xb.binding.parser.sax.SaxJBossXBParser] (main) Exit startElement urn:jboss:security-config:5.0:policy
                    DEBUG [org.jboss.deployers.vfs.deployer.kernel.BeanDeployer] (main) Error during deploy: vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml
                    org.jboss.deployers.spi.DeploymentException: Error creating managed object for vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml
                     at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
                     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:253)
                     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:223)
                     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.deploy(AbstractParsingDeployerWithOutput.java:186)
                     at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:174)
                     at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:946)
                     at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:887)
                     at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:327)
                     at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1324)
                     at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:734)
                     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:862)
                     at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:784)
                     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:622)
                     at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:411)
                     at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:579)
                     at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:541)
                     at org.jboss.system.server.profileservice.ProfileServiceBootstrap.loadProfile(ProfileServiceBootstrap.java:259)
                     at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:137)
                     at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:409)
                     at org.jboss.Main.boot(Main.java:209)
                     at org.jboss.Main$1.run(Main.java:544)
                     at java.lang.Thread.run(Thread.java:595)
                    Caused by: org.jboss.xb.binding.JBossXBException: Failed to parse source: {urn:jboss:security-config:5.0}policy not found as a child of {urn:jboss:bean-deployer:2.0}property
                     at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:193)
                     at org.jboss.xb.binding.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:153)
                     at org.jboss.deployers.vfs.spi.deployer.SchemaResolverDeployer.parse(SchemaResolverDeployer.java:120)
                     at org.jboss.deployers.vfs.spi.deployer.AbstractVFSParsingDeployer.parse(AbstractVFSParsingDeployer.java:143)
                     at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:249)
                     ... 20 more
                    Caused by: org.jboss.xb.binding.JBossXBRuntimeException: {urn:jboss:security-config:5.0}policy not found as a child of {urn:jboss:bean-deployer:2.0}property
                     at org.jboss.xb.binding.sunday.unmarshalling.SundayContentHandler.startElement(SundayContentHandler.java:396)
                     at org.jboss.xb.binding.parser.sax.SaxJBossXBParser$DelegatingContentHandler.startElement(SaxJBossXBParser.java:407)
                     at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
                     at org.apache.xerces.xinclude.XIncludeHandler.startElement(Unknown Source)
                     at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
                     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
                     at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
                     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
                     at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
                     at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
                     at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
                     at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
                     at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:189)
                     ... 24 more
                    2008-03-24 12:51:50,650 ERROR [org.jboss.kernel.plugins.dependency.AbstractKernelController] (main) Error installing to Parse: name=vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml state=Not Installed mode=Manual requiredState=Parse

                    • 7. Re: Security Injection in AS5
                      Stefan Guilhen Apprentice

                      Here is some background information

                      As part of http://jira.jboss.org/jira/browse/JBAS-5312, I've created a new file, security-policies-beans.xml and configured the DynamicLoginConfig as a bean:

                      <?xml version="1.0" encoding="UTF-8"?>
                      <deployment xmlns="urn:jboss:bean-deployer:2.0">
                       <bean name="StandardLoginConfig" class="org.jboss.security.auth.login.DynamicLoginConfig">
                       <property name="policyConfig">
                       xsi:schemaLocation="urn:jboss:security-config:5.0 resource:security-config_5_0.xsd"
                       <jbsx:application-policy name="jboss-web-policy" extends="other">
                       <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
                       <jbsx:application-policy name="jboss-ejb-policy" extends="other">
                       <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
                       <property name="mbeanServer"><inject bean="JMXKernel" property="mbeanServer"/></property>
                       <property name="loginConfigService">jboss.security:service=XMLLoginConfig</property>
                       <property name="securityManagerService">jboss.security:service=JaasSecurityManager</property>
                       <!-- dependency to allow for a smooth shutdown -->

                      This file replaced the old security-policies-service.xml, that was used to configure the DynamicLoginConfig as an MBean. I have tested this new configuration in many ways to make sure it was being properly parsed and the bean was being properly created.

                      Before committing the changes, I've decided to update the AS workspace to make sure everything was still working. I then started getting the parse error saying that (policy) was not found as child of (property).

                      • 8. Re: Security Injection in AS5
                        Stefan Guilhen Apprentice

                        Forgot to disable HTML, so my last sentence was not correctly displayed. It should read "started getting a parse error saying the {urn:jboss:security-config:5.0} policy was not found as a child of {urn:jboss:bean-deployer:2.0} property".

                        • 9. Re: Security Injection in AS5
                          Stefan Guilhen Apprentice

                          I've reverted my AS workspace to older revisions to find out when this error started showing. The last revision I was able to deploy the DynamicLoginConfig bean is 70928. Starting from revision 70929 the error shows up. I'll now take a look at the changes to see if I find out what exactly is causing the problem.

                          • 10. Re: Security Injection in AS5
                            Adrian Brock Master

                            Since this works in conf/bootstrap-beans.xml

                             <bean name="ClassLoadingDefaultDeployer" class="org.jboss.deployers.plugins.classloading.ClassLoadingDefaultDeployer">
                             <property name="defaultMetaData">
                            <!-- HERE -->
                             <classloading xmlns="urn:jboss:classloading:1.0" export-all="NON_EMPTY" import-all="true"/>

                            you need to explain what you are doing (or more likely not doing).

                            This works in bootstrap-beans.xml because JBossXB knows not just where
                            the schema is, but what to do with it.

                            Where/how do you tell JBossXB what to do with that a schema called

                            e.g. look at deployers/metadata-beans.xml for where we tell it how
                            to do javaee metadata parsing.

                            NOTE: The error message is misleading
                            urn:jboss:bean-deployer:2.0:property will take any element as a child
                            what it is really telling you is that it doesn't know what to do with

                            We know it found the schema (assuming that file exists in the classpath
                            and is reachable from the bean parsing deployer's classloader):
                            TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) found schema InputSou
                            rce, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.

                            OFF TOPIC

                            Also, by tradition schemas are put in schema subfolders.
                            i.e. it should be resource:schema/security-config_5_0.xsd

                            The JBossEntityResolver will even look for this resource if you specify
                            a proper schema location, e.g. http://www.jboss.org/schemas/security-config_5_0.xsd
                            It strips the file name and tries to do getResource("schema/filename.xsd");

                            • 11. Re: Security Injection in AS5
                              Alexey Loubyansky Master

                              I have just updated my working copy of the AS trunk and replaced the content of the security-policies-service.xml with the xml above. I don't see any error in the log. Am I missing something?

                              • 12. Re: Security Injection in AS5
                                Anil Saldanha Master

                                Thanks Alex for checking it. I think Stefan is trying to install the beans in security-policies-beans.xml (and remove the -service.xml all together).

                                Stefan will provide the details in a little bit.

                                • 13. Re: Security Injection in AS5
                                  Alexey Loubyansky Master

                                  Yes, obviously I missed that -beans.xml bit. Follow up to Adrian's post.

                                  • 14. Re: Security Injection in AS5
                                    Stefan Guilhen Apprentice

                                    Alex, I've replaced the security-policies-service.xml by the security-policies-beans.xml. This file contains the definition of the DynamicLoginConfig as bean (shown earlier in this thread) and needs to be named -beans.xml.

                                    What I am trying to do: I'm trying to get a PolicyConfig object from the contents of the policyConfig property of the DynamicLoginConfig bean. That is, I would like to have the jbsx:policy parsed and a PolicyConfig object built from the parsed information.

                                    What I don't know: Adrian said that JBossXB doesn't know what to do with the schema it finds. I don't yet know how to tell it that it should build the PolicyConfig object.

                                    What I have done: when I've first written this config file, I've tried deploying it using revision 70750 of the AS (that was my workspace back then) and it worked - the PolicyConfig object was created. After revision 70929 I've started getting the mentioned error.

                                    1 2 3 4 Previous Next