-
1. Re: Security Injection in AS5
adrian.brock Mar 12, 2008 4:12 PM (in response to anil.saldhana)
"anil.saldhana@jboss.com" wrote:
this design thread is to discuss Adrian's subtask for me to tidy up some of the security injection in AS5.
http://jira.jboss.com/jira/browse/JBAS-5309
Adrian: There's no real way to depend upon a specific login module, you have to depend on the XMLLoginConfig
The dependency cannot be on a single login module. XMLLoginConfig just establishes the configuration needed for the modules.
I'm saying there should be.
The first pass would be to make the SecurityDomain injectable
by "hiding" all the wiring inside your own mc dependency.
This would translate to the dependency is only satisfied
when the login module repository has a "jbossmq" login module
and the value returned is the security domain once it is satisfied
Internally, this could use the current mechanism of looking up java:/jaas/name
or it could be more optimised (more optimised is preferred since the
jndi lookup doesn't provide a way to be notified of undeployment).

<bean name="Whatever" ...>
   <property name="securityDomain"><security-domain-ref xmlns="urn:jboss-security-beans:1.0" name="jbossmq"/></property>
   ...

The second pass would be to make security domains deployable inside the MC
by writing a BeanMetaDataFactory
This would be similar to above, except now you can deploy the login modules
inside MC configuration

<bean name="Whatever" ...>
   <property name="securityDomain"><inject name="jbossmq" property="securityDomain"/></property>
</bean>

<login-module xmlns="urn:jboss-security-beans:1.0" name="jbossmq">
   <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
         <module-option name = "unauthenticatedIdentity">guest</module-option>
         <module-option name = "dsJndiName">java:/DefaultDS</module-option>
         <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
         <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
      </login-module>
   </authentication>
</login-module>

The real solution (longer term) is to get the security aspect to "automagically"
inject it from the "metadata repository" (such a mechanism
doesn't really exist in AOP yet so this is aspirational :-).
e.g. something like (the annotations are not real, just for discussion purposes)

@AspectFactory("SecurityAspect" scope=Scope.PER_INSTANCE)
public class SecurityAspect
{
   public SecurityAspect( @Inject(fromMetaData=true) SecurityDomain securityDomain )
   {
      ...
   }
}

The latter (which doesn't exist) would mean that when AOP injects the
parameter into the constructor method, it uses
MetaData.getMetaData(SecurityDomain.class) as the parameter
which could come from any of the scopes
e.g. instance - the ejb,
or deployment - the ear config
server - a server wide default piece of metadata
-
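As an added illustration (not code from this thread or from JBoss), the sketch below uses only the JDK's JAAS `Configuration` API to show the idea in the post above: a dependency keyed on the security domain name "jbossmq" rather than on a login module, with a callback on removal, which a plain JNDI lookup does not give. `DomainRegistry` and `dependOn` are hypothetical names, and Java 9 or later is assumed.

```java
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.function.Consumer;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

// Hypothetical stand-in (not JBoss code): policies are keyed by security
// domain name, and dependants hear about both install and removal.
public class DomainRegistry extends Configuration {
    private final Map<String, AppConfigurationEntry[]> policies = new ConcurrentHashMap<>();
    private final Map<String, List<Consumer<Boolean>>> watchers = new ConcurrentHashMap<>();

    // Callback receives true when the domain is installed, false when it is removed.
    public void dependOn(String domain, Consumer<Boolean> callback) {
        watchers.computeIfAbsent(domain, d -> new CopyOnWriteArrayList<>()).add(callback);
        if (policies.containsKey(domain)) callback.accept(true); // already satisfied
    }

    public void install(String domain, AppConfigurationEntry... entries) {
        policies.put(domain, entries.clone());
        notifyWatchers(domain, true);
    }

    public void remove(String domain) {
        if (policies.remove(domain) != null) notifyWatchers(domain, false);
    }

    private void notifyWatchers(String domain, boolean available) {
        List<Consumer<Boolean>> list = watchers.get(domain);
        if (list != null) list.forEach(cb -> cb.accept(available));
    }

    @Override // JAAS looks policies up by domain name; null means "no such policy"
    public AppConfigurationEntry[] getAppConfigurationEntry(String domain) {
        return policies.get(domain);
    }

    public static void main(String[] args) {
        DomainRegistry registry = new DomainRegistry();
        registry.dependOn("jbossmq", up -> System.out.println("jbossmq available: " + up));
        // Module options copied from the login-module XML in the post above.
        Map<String, String> options = Map.of(
            "unauthenticatedIdentity", "guest",
            "dsJndiName", "java:/DefaultDS",
            "principalsQuery", "SELECT PASSWD FROM JMS_USERS WHERE USERID=?",
            "rolesQuery", "SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?");
        registry.install("jbossmq", new AppConfigurationEntry(
            "org.jboss.security.auth.spi.DatabaseServerLoginModule",
            LoginModuleControlFlag.REQUIRED, options));
        registry.remove("jbossmq"); // dependants are told the domain is gone
    }
}
```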
2. Re: Security Injection in AS5
adrian.brock Mar 12, 2008 4:18 PM (in response to anil.saldhana)
"adrian@jboss.org" wrote:

<bean name="Whatever" ...>
   <property name="securityDomain"><security-domain-ref xmlns="urn:jboss-security-beans:1.0" name="jbossmq"/></property>
   ...

In practice a jboss developer would be more likely to use it programmatically

String securityDomainName = ...
beanMetaDataBuilder = ...
beanMetaDataBuilder.addProperty("securityDomain", new SecurityDomainDependency(securityDomainName));
-
3. Re: Security Injection in AS5
anil.saldhana Mar 12, 2008 5:15 PM (in response to anil.saldhana)
Ok, now I follow you. "jbossmq" is the security domain name or application policy. The DatabaseServerLoginModule is the login module name. I was saying that it should not depend on DSLM. Just terminology difference.
I also followed that the security domain name should be more like "jbossmq" and not "java:jaas/jbossmq" which is more like an internal implementation.
-
4. Re: Security Injection in AS5
anil.saldhana Mar 13, 2008 10:44 AM (in response to anil.saldhana)
http://jira.jboss.org/jira/browse/JBAS-5312
DynamicLoginConfig provides dynamic installation of application policies (such as jbossmq).
-
5. Re: Security Injection in AS5
anil.saldhana Mar 17, 2008 10:01 AM (in response to anil.saldhana)
Stefan, since we can make DynamicLoginConfig as a bean, we should be able to convert "messaging-service.xml" services into beans and then inject a dynamicloginconfig bean defining "messaging" application policy into the
<mbean code="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore" name="jboss.messaging:service=SecurityStore">
-
6. Re: Security Injection in AS5
sguilhen Mar 24, 2008 1:20 PM (in response to anil.saldhana)
I've configured the DynamicLoginConfig as a bean, and it was working fine until I updated the AS and started getting a JBossXB error. This is the log that I get when using TRACE level for org.jboss.xb:

TRACE [org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding@19a639b, 3: sequence choice ]
TRACE [org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.SequenceBinding@1019275, 1: {urn:jboss:bean-deployer:2.0}annotation ]
TRACE [org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding] (main) startElement {urn:jboss:security-config:5.0}policy in org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding@f6fd54, 10: {urn:jboss:bean-deployer:2.0}array {urn:jboss:bean-deployer:2.0}collection {urn:jboss:bean-deployer:2.0}inject {urn:jboss:bean-deployer:2.0}list {urn:jboss:bean-deployer:2.0}map {urn:jboss:bean-deployer:2.0}set {urn:jboss:bean-deployer:2.0}null {urn:jboss:bean-deployer:2.0}this {urn:jboss:bean-deployer:2.0}value {urn:jboss:bean-deployer:2.0}value-factory ]
TRACE [org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding] (main) leaving org.jboss.xb.binding.sunday.unmarshalling.ChoiceBinding@f6fd54 i=9, pos=-1
TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) Mapped schemaLocation to filename: security-config_5_0.xsd
TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) getInputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd
WARN [org.jboss.util.xml.JBossEntityResolver] (main) Cannot load publicId from resource: security-config_5_0.xsd
WARN [org.jboss.util.xml.JBossEntityResolver] (main) Trying to resolve systemId as a non-file URL: resource:security-config_5_0.xsd
DEBUG [org.jboss.util.xml.JBossEntityResolver] (main) Cannot resolve [publicID=urn:jboss:security-config:5.0,systemID=resource:security-config_5_0.xsd]
TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) Resolved schema using namespace as publicId and schemaLocation as systemId
WARN [org.jboss.util.xml.JBossEntityResolver] (main) Cannot load systemId from resource: security-config_5_0.xsd
DEBUG [org.jboss.util.xml.JBossEntityResolver] (main) Cannot resolve [publicID=null,systemID=urn:jboss:security-config:5.0]
TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) getInputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd, is=null
TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) found schema InputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd
TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) resolved schema: null
TRACE [org.jboss.xb.binding.parser.sax.SaxJBossXBParser] (main) Exit startElement urn:jboss:security-config:5.0:policy
DEBUG [org.jboss.deployers.vfs.deployer.kernel.BeanDeployer] (main) Error during deploy: vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml
org.jboss.deployers.spi.DeploymentException: Error creating managed object for vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml
    at org.jboss.deployers.spi.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:49)
    at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:253)
    at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:223)
    at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.deploy(AbstractParsingDeployerWithOutput.java:186)
    at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:174)
    at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:946)
    at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:887)
    at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:327)
    at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1324)
    at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:734)
    at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:862)
    at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:784)
    at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:622)
    at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:411)
    at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:579)
    at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:541)
    at org.jboss.system.server.profileservice.ProfileServiceBootstrap.loadProfile(ProfileServiceBootstrap.java:259)
    at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:137)
    at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:409)
    at org.jboss.Main.boot(Main.java:209)
    at org.jboss.Main$1.run(Main.java:544)
    at java.lang.Thread.run(Thread.java:595)
Caused by: org.jboss.xb.binding.JBossXBException: Failed to parse source: {urn:jboss:security-config:5.0}policy not found as a child of {urn:jboss:bean-deployer:2.0}property
    at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:193)
    at org.jboss.xb.binding.UnmarshallerImpl.unmarshal(UnmarshallerImpl.java:153)
    at org.jboss.deployers.vfs.spi.deployer.SchemaResolverDeployer.parse(SchemaResolverDeployer.java:120)
    at org.jboss.deployers.vfs.spi.deployer.AbstractVFSParsingDeployer.parse(AbstractVFSParsingDeployer.java:143)
    at org.jboss.deployers.spi.deployer.helpers.AbstractParsingDeployerWithOutput.createMetaData(AbstractParsingDeployerWithOutput.java:249)
    ... 20 more
Caused by: org.jboss.xb.binding.JBossXBRuntimeException: {urn:jboss:security-config:5.0}policy not found as a child of {urn:jboss:bean-deployer:2.0}property
    at org.jboss.xb.binding.sunday.unmarshalling.SundayContentHandler.startElement(SundayContentHandler.java:396)
    at org.jboss.xb.binding.parser.sax.SaxJBossXBParser$DelegatingContentHandler.startElement(SaxJBossXBParser.java:407)
    at org.apache.xerces.parsers.AbstractSAXParser.startElement(Unknown Source)
    at org.apache.xerces.xinclude.XIncludeHandler.startElement(Unknown Source)
    at org.apache.xerces.impl.XMLNSDocumentScannerImpl.scanStartElement(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
    at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
    at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
    at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
    at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
    at org.jboss.xb.binding.parser.sax.SaxJBossXBParser.parse(SaxJBossXBParser.java:189)
    ... 24 more
2008-03-24 12:51:50,650 ERROR [org.jboss.kernel.plugins.dependency.AbstractKernelController] (main) Error installing to Parse: name=vfsfile:/opt/workspace/JBAS-Trunk/build/output/jboss-5.0.0.CR1/server/default/deploy/security-policies-beans.xml state=Not Installed mode=Manual requiredState=Parse

-
7. Re: Security Injection in AS5
sguilhen Mar 25, 2008 12:12 PM (in response to anil.saldhana)
Here is some background information
As part of http://jira.jboss.org/jira/browse/JBAS-5312, I've created a new file, security-policies-beans.xml and configured the DynamicLoginConfig as a bean:

<?xml version="1.0" encoding="UTF-8"?>
<deployment xmlns="urn:jboss:bean-deployer:2.0">
   <bean name="StandardLoginConfig" class="org.jboss.security.auth.login.DynamicLoginConfig">
      <property name="policyConfig">
         <jbsx:policy xsi:schemaLocation="urn:jboss:security-config:5.0 resource:security-config_5_0.xsd"
                      xmlns:jbsx="urn:jboss:security-config:5.0"
                      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <jbsx:application-policy name="jboss-web-policy" extends="other">
               <jbsx:authentication> </jbsx:authentication>
               <jbsx:authorization>
                  <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
               </jbsx:authorization>
            </jbsx:application-policy>
            <jbsx:application-policy name="jboss-ejb-policy" extends="other">
               <jbsx:authentication> </jbsx:authentication>
               <jbsx:authorization>
                  <jbsx:policy-module code="org.jboss.security.authorization.modules.DelegatingAuthorizationModule" flag="required"/>
               </jbsx:authorization>
            </jbsx:application-policy>
         </jbsx:policy>
      </property>
      <property name="mbeanServer"><inject bean="JMXKernel" property="mbeanServer"/></property>
      <property name="loginConfigService">jboss.security:service=XMLLoginConfig</property>
      <property name="securityManagerService">jboss.security:service=JaasSecurityManager</property>
      <!-- dependency to allow for a smooth shutdown -->
      <depends>jboss.security:service=XMLLoginConfig</depends>
   </bean>
</deployment>

This file replaced the old security-policies-service.xml, that was used to configure the DynamicLoginConfig as an MBean. I have tested this new configuration in many ways to make sure it was being properly parsed and the bean was being properly created.
Before committing the changes, I've decided to update the AS workspace to make sure everything was still working. I then started getting the parse error saying that (policy) was not found as child of (property).
-
8. Re: Security Injection in AS5
sguilhen Mar 25, 2008 12:28 PM (in response to anil.saldhana)
Forgot to disable HTML, so my last sentence was not correctly displayed. It should read "started getting a parse error saying the {urn:jboss:security-config:5.0} policy was not found as a child of {urn:jboss:bean-deployer:2.0} property".
-
9. Re: Security Injection in AS5
sguilhen Mar 25, 2008 6:47 PM (in response to anil.saldhana)
I've reverted my AS workspace to older revisions to find out when this error started showing. The last revision I was able to deploy the DynamicLoginConfig bean is 70928. Starting from revision 70929 the error shows up. I'll now take a look at the changes to see if I find out what exactly is causing the problem.
-
10. Re: Security Injection in AS5
adrian.brock Mar 26, 2008 4:57 AM (in response to anil.saldhana)
Since this works in conf/bootstrap-beans.xml

<bean name="ClassLoadingDefaultDeployer" class="org.jboss.deployers.plugins.classloading.ClassLoadingDefaultDeployer">
   <property name="defaultMetaData">
      <!-- HERE -->
      <classloading xmlns="urn:jboss:classloading:1.0" export-all="NON_EMPTY" import-all="true"/>
   </property>
</bean>

you need to explain what you are doing (or more likely not doing).
This works in bootstrap-beans.xml because JBossXB knows not just where
the schema is, but what to do with it.
Where/how do you tell JBossXB what to do with a schema called
urn:jboss:security-config:5.0
e.g. look at deployers/metadata-beans.xml for where we tell it how
to do javaee metadata parsing.
NOTE: The error message is misleading
urn:jboss:bean-deployer:2.0:property will take any element as a child
what it is really telling you is that it doesn't know what to do with
We know it found the schema (assuming that file exists in the classpath
and is reachable from the bean parsing deployer's classloader):

TRACE [org.jboss.xb.binding.sunday.unmarshalling.DefaultSchemaResolver] (main) found schema InputSource, nsURI=urn:jboss:security-config:5.0, baseURI=null, schemaLocation=resource:security-config_5_0.xsd

OFF TOPIC
Also, by tradition schemas are put in schema subfolders.
i.e. it should be resource:schema/security-config_5_0.xsd
The JBossEntityResolver will even look for this resource if you specify
a proper schema location, e.g. http://www.jboss.org/schemas/security-config_5_0.xsd
It strips the file name and tries to do getResource("schema/filename.xsd");
-
11. Re: Security Injection in AS5
aloubyansky Mar 26, 2008 7:46 AM (in response to anil.saldhana)
I have just updated my working copy of the AS trunk and replaced the content of the security-policies-service.xml with the xml above. I don't see any error in the log. Am I missing something?
-
12. Re: Security Injection in AS5
anil.saldhana Mar 26, 2008 7:52 AM (in response to anil.saldhana)
Thanks Alex for checking it. I think Stefan is trying to install the beans in security-policies-beans.xml (and remove the -service.xml altogether).
Stefan will provide the details in a little bit.
-
13. Re: Security Injection in AS5
aloubyansky Mar 26, 2008 9:47 AM (in response to anil.saldhana)
Yes, obviously I missed that -beans.xml bit. Follow up to Adrian's post.
-
14. Re: Security Injection in AS5
sguilhen Mar 26, 2008 10:56 AM (in response to anil.saldhana)
Alex, I've replaced the security-policies-service.xml by the security-policies-beans.xml. This file contains the definition of the DynamicLoginConfig as bean (shown earlier in this thread) and needs to be named -beans.xml.
What I am trying to do: I'm trying to get a PolicyConfig object from the contents of the policyConfig property of the DynamicLoginConfig bean. That is, I would like to have the jbsx:policy parsed and a PolicyConfig object built from the parsed information.
What I don't know: Adrian said that JBossXB doesn't know what to do with the schema it finds. I don't yet know how to tell it that it should build the PolicyConfig object.
What I have done: when I've first written this config file, I've tried deploying it using revision 70750 of the AS (that was my workspace back then) and it worked - the PolicyConfig object was created. After revision 70929 I've started getting the mentioned error.