[jboss-user] [Security & JAAS/JBoss] - java.lang.SecurityException: Insufficient method permissions

craig1980 do-not-reply at jboss.com
Fri Mar 9 11:29:30 EST 2007


Hi all.

I have a problem in invoking a statefull session bean in JBoss AS.
When i call this Ejb i have this error:
anonymous wrote : java.lang.SecurityException: Insufficient method permissions, principal=tiziana1, ejbName=WorkflowEngine, method=create, interface=HOME, requiredRoles=[WfMOpenAdmin], principalRoles=[WfMOpenAdmin, WfMOpenAdmin]

As you can see the expected role is WfMOpenAdmin and the principal used for invokign this EJB has these roles: WfMOpenAdmin, WfMOpenAdmin

For loggin into JBoss i have written this login module: 

  | package it.eng.smclient.accessmanager.authentication.jaas.module.jboss;
  | 
  | import it.eng.smclient.accessmanager.authentication.jaas.principals.Login;
  | import it.eng.smclient.accessmanager.authentication.jaas.principals.WfmOpen;
  | import it.eng.smclient.accessmanager.configuration.Configuration;
  | import it.eng.smclient.accessmanager.configuration.securityaccessfilter.EjbRole;
  | import it.eng.smclient.accessmanager.configuration.utils.SingletonConfiguration;
  | import it.eng.smclient.accessmanager.iface.SecManagerAuthorizationIface;
  | import it.eng.smclient.accessmanager.util.resource.Message;
  | import it.eng.smclient.accessmanager.util.resource.constants.Rbaccessmanager;
  | 
  | import java.security.Principal;
  | import java.security.acl.Group;
  | import java.util.ArrayList;
  | import java.util.Enumeration;
  | import java.util.Iterator;
  | import java.util.List;
  | import java.util.Map;
  | import java.util.Set;
  | 
  | import javax.security.auth.Subject;
  | import javax.security.auth.callback.CallbackHandler;
  | import javax.security.auth.login.FailedLoginException;
  | import javax.security.auth.login.LoginException;
  | //import javax.security.auth.spi.LoginModule;
  | 
  | import org.apache.commons.logging.Log;
  | import org.apache.commons.logging.LogFactory;
  | import org.jboss.security.NestableGroup;
  | import org.jboss.security.SecurityAssociation;
  | import org.jboss.security.SimpleGroup;
  | //import org.jboss.security.SimplePrincipal;
  | import org.jboss.security.auth.spi.AbstractServerLoginModule;
  | 
  | public class SecurityManagerLoginModule extends AbstractServerLoginModule{
  | 
  | 
  | 	static public final Log logger = 
  | 		LogFactory.getLog(SecurityManagerLoginModule.class);
  | 
  | 	private Rbaccessmanager rb = new Rbaccessmanager();
  | 	private Message message = new Message(rb);
  | 	String username = null;
  | 	protected Subject subject;
  | 	protected CallbackHandler callbackHandler;
  | 	protected Map sharedState;
  | 	protected Map options;
  | 	protected boolean loginOk;
  | 	protected Principal unauthenticatedIdentity;
  | 	protected Configuration conf = null;
  | 	protected String ejbRole = null;
  | 	public void initialize(Subject subject, 
  | 						  CallbackHandler callbackHandler,
  | 						  Map sharedState, 
  | 						  Map options) {
  | 		logger.debug("[Method - initialize] [INIT]");
  | 		if (logger.isTraceEnabled())
  | 			logger.debug("[Method - initialize] [instance=@] "
  | 					+ System.identityHashCode(this));
  | 		this.subject = subject;
  | 		this.callbackHandler = callbackHandler;
  | 		this.sharedState = sharedState;
  | 		this.options = options;
  | 		logger.debug("[Method - initialize] [Security domain:] "
  | 				+ (String) options.get("jboss.security.security_domain"));
  | 		String name = (String) options.get("unauthenticatedIdentity");
  | 		ejbRole = (String) options.get("ejbRole");
  | 		if (name != null) {
  | 			try {
  | 				unauthenticatedIdentity = createIdentity(name);
  | 				logger.info("Aggiungo il principal: " + unauthenticatedIdentity+ " al subject: "+ subject);
  | 				subject.getPrincipals().add(unauthenticatedIdentity);
  | 				subject.getPrincipals().add(getIdentity());
  | 				Set principals = subject.getPrincipals();
  | 				Group roleSets[] = getRoleSets();
  | 				for (int g = 0; g < roleSets.length; g++) {
  | 					Group group = roleSets[g];
  | 					String aName = group.getName();
  | 					Group subjectGroup = createGroup(aName, principals);
  | 					if (subjectGroup instanceof NestableGroup) {
  | 						SimpleGroup tmp = new SimpleGroup("Roles");
  | 						subjectGroup.addMember(tmp);
  | 						subjectGroup = tmp;
  | 					} // if (subjectGroup instanceof NestableGroup)
  | 					Principal role;
  | 					for (Enumeration members = group.members(); members
  | 							.hasMoreElements(); subjectGroup.addMember(role))
  | 						role = (Principal) members.nextElement();
  | 				}
  | 				SecurityAssociation.setPrincipal(unauthenticatedIdentity);
  | 				//SecurityAssociation.setCredential(credential);
  | 				SecurityAssociation.setSubject(subject);				
  | 				logger.info("Aggiunto il principal a subject che ora è: " + subject);				
  | 				logger.debug("[Method - initialize] [navigazione anonima] " + name);
  | 			} catch (Exception e) {
  | 				logger.error("[Method - initialize] " +
  | 						"[Inizializzazione modulo di login non riuscita - " +
  | 						" Verificare la configurazione dei moduli]");
  | 				logger.error("[Method - initialize] [Exception]",e);
  | 				logger.error("[Method - initialize] [message]" + e.getMessage());
  | 			}
  | 		} // if (name != null)
  | 		logger.debug("[Method - initialize] [END]");
  | 	} // public void initialize(Subject subject, CallbackHandler
  | 			// callbackHandler, Map sharedState, Map options)
  | 	public boolean login() throws LoginException {
  | 		logger.debug("[Method - login] [LoginModule]");
  | 		/*
  | 		JAASConfigFile jaas = new JAASConfigFile();
  | 		jaas.displayProperties();
  | 		*/
  | 		boolean result = false;
  | 		loginOk = false;
  | 		try {
  | 			if (subject != null) {
  | 				Iterator iter = subject.getPrivateCredentials().iterator();
  | 				while (iter.hasNext()) {
  | 					Object obj = iter.next();
  | 					if (obj instanceof Login) {
  | 						username = ((Login) obj).getName();
  | 						logger.debug("[Method - login]" +
  | 								"[Username not null] " + username);
  | 						System.setProperty("javax.security.auth.login.name",username);
  | 					} // if (obj instanceof Login)
  | 				} // while ( iter.hasNext())
  | 			} // if (subject != null)
  | 			
  | 			// Se username = [null] vuol dire che ho effettuato autenticazione
  | 			// e sto richiamando il modulo all'interno dell'applicazione 
  | 			if (username == null) {
  | 				logger.debug("[Method - login] " +
  | 						"[Username = null] [Leggo le propietà di Sistema]");
  | 				username = System.getProperty("javax.security.auth.login.name");
  | 				logger.debug("[Method - login] " +
  | 						"[javax.security.auth.login.name] " + username);
  | 			} else {
  | 				sharedState.put("javax.security.auth.login.name",username);
  | 				Object credential = System.getProperty("javax.security.auth.login.name");
  | 				List rolesPM = ((SecManagerAuthorizationIface) Configuration
  | 						.getAccessManagerImplementation()).getRoles();
  | 				logger.debug("[Method - login] [Lista Ruoli PM] " + rolesPM);
  | 				WfmOpen wfmPrincipal = new WfmOpen(username);
  | 				
  | 				SingletonConfiguration singletonConfig = 
  | 					SingletonConfiguration.getInstance(null,null);
  | 				
  | 				Configuration conf = 
  | 					singletonConfig.getConfiguration();
  | 				
  | 				wfmPrincipal.setApplication(conf.getApplication()
  | 						.getApplicationCode());
  | 				
  | 				ArrayList roles = new ArrayList();
  | 				String role = ((EjbRole) conf.getEjbSecurityIdentity()
  | 						.getEjbRoles().iterator().next()).getRole();				
  | 				roles.add(role);
  | 				
  | 				ArrayList groups = new ArrayList();
  | 				groups.add("Some Group");
  | 				groups.add("Order Processing");
  | 				
  | 				wfmPrincipal.setRoles(roles);
  | 				wfmPrincipal.setGroups(groups);
  | 				
  | 				SecurityAssociation.setPrincipal(wfmPrincipal);
  | 				SecurityAssociation.setCredential(credential);
  | 				SecurityAssociation.setSubject(subject);
  | 				
  | 			} // if (username != null)
  | 			
  | 			loginOk = true;
  | 			result = true;
  | 			logger.debug("[Method - login] [END]");
  | 		} catch (Exception e) {
  | 			logger.error("[Method - login] ", e);
  | 			throw new FailedLoginException(message
  | 					.getMessage(rb.MODULE_LOGIN_ERROR));
  | 			// throw new LoginException( e.getMessage() );
  | 		}
  | 		return result;
  | 	} // public boolean login() throws LoginException
  | 
  | 	protected Principal createIdentity(String name) throws Exception {
  | 		logger.trace("[Method - login] [INIT]");
  | 		Principal principal = null;
  | 		logger.trace("[Method - login] [name] " + name);
  | 		principal = new WfmOpen(name);
  | 		return principal;
  | 	} //  protected Principal createIdentity(String name) throws Exception
  | 	public boolean commit() throws LoginException {
  | 		logger.trace("[Method - commit] [INIT]");
  | 		logger.trace("[Method - commit] [subject] "  + subject);
  | 		if (!loginOk) return false;
  | 		Set principals = subject.getPrincipals();
  | 		Principal identity = getIdentity();
  | 		logger.trace("[Method - commit] [identity] " + identity.getName());
  | 		
  | 		principals.add(identity);
  | 		Group roleSets[] = getRoleSets();
  | 
  | 		for (int g = 0; g < roleSets.length; g++) {
  | 			Group group = roleSets[g];
  | 			String name = group.getName();
  | 			Group subjectGroup = createGroup(name, principals);
  | 			if (subjectGroup instanceof NestableGroup) {
  | 				SimpleGroup tmp = new SimpleGroup("Roles");
  | 				subjectGroup.addMember(tmp);
  | 				subjectGroup = tmp;
  | 			} // if (subjectGroup instanceof NestableGroup)
  | 			Principal role;
  | 			for (Enumeration members = group.members(); members
  | 					.hasMoreElements(); subjectGroup.addMember(role))
  | 				role = (Principal) members.nextElement();
  | 		} // for(int g = 0; g < roleSets.length; g++)
  | 		return true;
  | 	} // public boolean commit() throws LoginException
  | 	public boolean abort() throws LoginException {
  | 		logger.trace("[Method - abort() ] [INIT]");
  | 		return true;
  | 	} // public boolean abort() throws LoginException
  | 
  | 	public boolean logout() throws LoginException {
  | 		logger.trace("[Method - logout() ] [INIT]");
  | 		Principal identity = getIdentity();
  | 		Set principals = subject.getPrincipals();
  | 		principals.remove(identity);
  | 		return true;
  | 	} // public boolean logout() throws LoginException   
  | 	protected Principal getIdentity() {
  | 		logger.info("[Method - getIdentity() ] [INIT]");
  | 		logger.trace("[Method - getIdentity() ] [username] " + username);
  | 		Principal p = null;
  | 		if (username != null) {
  | 			
  | 			logger.info("La username era diversa da null... "+ username);
  | 			p = new WfmOpen(username);
  | 		} else {
  | 			// Ruolo reucperato dalla configurazione XML
  | 			if (conf != null) {
  | 				logger.info("Conf non era null.....");
  | 				String role = ((EjbRole) conf.getEjbSecurityIdentity()
  | 						.getEjbRoles().iterator().next()).getRole();
  | 				p = new WfmOpen(role);
  | 			} else {
  | 				
  | 				logger.info("Conf era null.....");
  | 				p = new WfmOpen(ejbRole);	
  | 			}
  | 		} // if (username != null)
  | 		return p;
  | 	} // private Principal getIdentity()
  | 
  | 	protected Group[] getRoleSets() throws LoginException {
  | 		logger.trace("[Method - getRoleSets() ] [INIT]");
  | 		
  | 		SimpleGroup rolesGroup = new SimpleGroup("Roles");
  | 		ArrayList groups = new ArrayList();
  | 
  | 		// Ruolo reucperato dalla configurazione XML
  | 		Principal p = null;
  | 		if (conf != null) {
  | 			String role = ((EjbRole) conf.getEjbSecurityIdentity()
  | 					.getEjbRoles().iterator().next()).getRole();
  | 			logger.trace("[Method - getRoleSets() ] [Ruolo di sistema recuperato]");
  | 			p = new WfmOpen(role);
  | 		} else {
  | 			p = new WfmOpen(ejbRole);
  | 		}
  | 		rolesGroup.addMember(p);
  | 		groups.add(rolesGroup);
  | 
  | 		Group roleSets[] = new Group[groups.size()];
  | 		groups.toArray(roleSets);
  | 		
  | 		logger.trace("[Method - getRoleSets() ] [END]");
  | 		
  | 		return roleSets;
  | 
  | 	} // private Group[] getRoleSets() throws LoginException
  | 	protected Principal getUnauthenticatedIdentity() {
  | 		return unauthenticatedIdentity;
  | 	}
  | 
  | 	protected Group createGroup(String name, Set principals) {
  | 		logger.trace("[Method - createGroup ] [INIT]");
  | 		Group roles = null;
  | 		Iterator iter = principals.iterator();
  | 		do {
  | 			if (!iter.hasNext())
  | 				break;
  | 			Object next = iter.next();
  | 			if (!(next instanceof Group))
  | 				continue;
  | 			Group grp = (Group) next;
  | 			if (!grp.getName().equals(name))
  | 				continue;
  | 			roles = grp;
  | 			break;
  | 		} while (true);
  | 		if (roles == null) {
  | 			roles = new SimpleGroup(name);
  | 			principals.add(roles);
  | 		} // if (roles == null)
  | 		logger.trace("[Method - createGroup ] [END]");
  | 		return roles;
  | 	} //   protected Group createGroup(String name, Set principals)
  | 
  | }
  | 

I know that when there is an unauthenticatedIdentity a cabled principal is created but i was trying to understand what error was created....

In my login-config.xml I have this configuration:
anonymous wrote : 
  |      <application-policy name = "wfdemopluto">
  |         
  |         <login-module code = "org.jboss.security.auth.spi.ProxyLoginModule" flag = "sufficient">
  | 	     <module-option name = "moduleName">it.eng.smclient.accessmanager.authentication.jaas.module.jboss.SecurityManagerLoginModule</module-option>
  | 
  |             <module-option name="unauthenticatedIdentity">nobody</module-option>
  |             <module-option name="debug">true</module-option>
  |              <!--module-option name="password-stacking">useFirstPass</module-option-->
  |             <module-option name="ejbRole">WfMOpenAdmin</module-option>
  |             </login-module>
  |         
  |     </application-policy>   
  | 

Can anybody help me?
Thnks to all,
 Angelo

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026655#4026655

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4026655




More information about the jboss-user mailing list