[jboss-user] [EJB 3.0] - Security principal propagation accross ejb3 modules
Davide Tabarelli
do-not-reply at jboss.com
Tue May 25 12:01:15 EDT 2010
Davide Tabarelli [http://community.jboss.org/people/giantPM] replied to the discussion
"Security principal propagation accross ejb3 modules"
To view the discussion, visit: http://community.jboss.org/message/544712#544712
--------------------------------------------------------------
Of course ...
I forgot to mention that I've already patched JBoss with the EJB3 Plugin 1.0.19.
Here the security realm configuration in login-config.xml:
<application-policy name="cdrms-realm">
<authentication>
<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
<module-option name="dsJndiName">java:cimecDS</module-option>
<module-option name="principalsQuery">SELECT CDRMS_JBOSS_USER(?)</module-option>
<module-option name="rolesQuery">SELECT 'CDRMSRealmUser', 'Roles' FROM RESOURCES_LIST WHERE NAME=?</module-option>
<module-option name="hashAlgorithm">MD5</module-option>
<module-option name="hashEncoding">HEX</module-option>
<module-option name="ignorePasswordCase">true</module-option>
<module-option name="debug">true</module-option>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule" flag="required">
<module-option name="debug">true</module-option>
</login-module>
</authentication>
</application-policy>
The Bean A in EJB A:
import ...
@Stateless
@RemoteBinding(jndiBinding = "CDRMS/AuditMessageManager/remote")
@LocalBinding(jndiBinding = "CDRMS/AuditMessageManager/local")
@SecurityDomain("cdrms-realm")
@RolesAllowed({"CDRMSRealmUser"})
public class AuditMessageManagerBean implements AuditMessageManagerRemote, AuditMessageManagerLocal {
@EJB(mappedName = "CDRMS/AuditEventManager/local")
private AuditEventManager pm;
@Resource
private SessionContext sctx;
// ... business and lifecycle methods ...
public int count() {
log.info( "------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
return pm.count(); // (1)
}
}
The bean B in EJB B:
import ...
@Stateless
@RemoteBinding(jndiBinding = "CDRMS/AuditEventManager/remote")
@LocalBinding(jndiBinding = "CDRMS/AuditEventManager/local")
@SecurityDomain("cdrms-realm")
@RolesAllowed({"CDRMSRealmUser"})
public class AuditEventManagerBean implements AuditEventManagerLocal, AuditEventManagerRemote {
@PersistenceContext(unitName = "cimecPU")
private EntityManager em;
@Resource
private SessionContext sctx;
// ... business and lifecycle methods ...
public int count() { //(2)
log.info( "------------------> Principal = " + this.sctx.getCallerPrincipal().getName());
return ((Long) em.createQuery("select count(o) from AuditEvent as o").getSingleResult()).intValue();
}
The standalone client main method:
import ...
public static void main(String[] args) {
try {
SecurityClient client = SecurityClientFactory.getSecurityClient();
client.setSimple("vera.aloe", "***");
client.login();
Properties env = new Properties();
env.setProperty(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
env.setProperty(Context.URL_PKG_PREFIXES, "org.jnp.interfaces.NamingContextFactory");
env.setProperty(Context.PROVIDER_URL, "jnp://mybindinghost:1099/");
InitialContext ic = new InitialContext(env);
// This ok
AuditEventManager aem = (AuditEventManager) ic.lookup("CDRMS/AuditEventManager/remote");
System.out.println(aem.count());
// This gives the exception below
AuditMessageManager am = (AuditMessageManager) ic.lookup("CDRMS/AuditMessageManager/remote");
System.out.println(am.count());
// The same results by using LoginContext & CallbackHandler instead of SecurityClient
// and from the web tier
} catch (Exception ex) {
Logger.getLogger(SecurityTest.class.getName()).log(Level.SEVERE, null, ex);
}
}
The principal is correct in (2) but is anonymous in (1) ... here the exception trace:
17:51:56,691 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716691 sessioncount 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 1 expired sessions: 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) Start expire sessions StandardManager at 1274802716692 sessioncount 0
17:51:56,692 DEBUG [ManagerBase](ContainerBackgroundProcessor[StandardEngine[jboss.web]]) End expire sessions StandardManager processingTime 0 expired sessions: 0
17:51:59,082 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo at 42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal at 2853698(vera.aloe)org.jboss.security.SimpleGroup at 32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String at 27845948,expirationTime=1274802911126]
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo at 42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal at 2853698(vera.aloe)org.jboss.security.SimpleGroup at 32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String at 27845948,expirationTime=1274802911126];credential.class=java.lang.String at 27845948
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End validateCache, isValid=true
17:51:59,083 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56746]) End isValid, true
17:51:59,083 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
17:51:59,083 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56746]) Setting threadlocal:{}
17:51:59,083 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56746]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
17:51:59,083 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56746]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,084 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56746]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditEventManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
Principal: vera.aloe
Principal: Roles(members:CDRMSRealmUser)
:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 1fb2e99;
17:51:59,084 INFO [AuditEventManagerBean](WorkerThread#0[192.168.185.16:56746]) ------------------> Principal = vera.aloe
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:vera.aloe, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo at 42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal at 2853698(vera.aloe)org.jboss.security.SimpleGroup at 32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String at 27845948,expirationTime=1274802911126]
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo at 42d31a[Subject(17610996).principals=org.jboss.security.SimplePrincipal at 2853698(vera.aloe)org.jboss.security.SimpleGroup at 32834360(Roles(members:CDRMSRealmUser)),credential.class=java.lang.String at 27845948,expirationTime=1274802911126];credential.class=java.lang.String at 27845948
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
17:51:59,132 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) End isValid, true
17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.javaee.EJBAuthenticationHelper;principal=vera.aloe;method=count;
17:51:59,133 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
17:51:59,133 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
17:51:59,133 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.audit.AuditMessageManagerBean.count(), interface=Remote, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,133 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Success]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 1fb2e99}:method=public int org.cdrms.audit.AuditMessageManagerBean.count():ejbMethodInterface=Remote:ejbName=AuditMessageManagerBean:ejbPrincipal=vera.aloe:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
Principal: vera.aloe
Principal: Roles(members:CDRMSRealmUser)
:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 1fb2e99;
17:51:59,139 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin isValid, principal:null, cache info: org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo at 11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal at 2853698(guest)org.jboss.security.SimpleGroup at 32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447]
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) Begin validateCache, info=org.jboss.security.plugins.auth.JaasSecurityManagerBase$DomainInfo at 11603fa[Subject(29654441).principals=org.jboss.security.SimplePrincipal at 2853698(guest)org.jboss.security.SimpleGroup at 32834360(Roles(members:john,guest,j2ee)),credential.class=null,expirationTime=1274802858447];credential.class=null
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End validateCache, isValid=true
17:51:59,140 TRACE [messaging](WorkerThread#0[192.168.185.16:56748]) End isValid, true
17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) popSubjectContext, sc=null
17:51:59,140 TRACE [SecurityAssociation](WorkerThread#0[192.168.185.16:56748]) WARN::Deprecated usage of SecurityAssociation. Use SecurityContext
17:51:59,141 TRACE [cdrms-realm](WorkerThread#0[192.168.185.16:56748]) getPrincipal, cache info: null
17:51:59,141 INFO [AuditMessageManagerBean](WorkerThread#0[192.168.185.16:56748]) ------------------> Principal = anonymous
17:51:59,141 TRACE [SecurityRolesAssociation](WorkerThread#0[192.168.185.16:56748]) Setting threadlocal:{}
17:51:59,142 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Control flag for entry:org.jboss.security.authorization.config.AuthorizationModuleEntry{org.jboss.security.authorization.modules.DelegatingAuthorizationModule:{}REQUIRED}is:[REQUIRED]
17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count(), interface=Local, requiredRoles=Roles(CDRMSRealmUser,)
17:51:59,142 TRACE [EJBPolicyModuleDelegate](WorkerThread#0[192.168.185.16:56748]) Exception:Insufficient method permissions, principal=null, ejbName=AuditEventManagerBean, method=count, interface=Local, requiredRoles=Roles(CDRMSRealmUser,), principalRoles=Roles()
17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) REQUIRED failed for Name=org.jboss.security.authorization.modules.DelegatingAuthorizationModule:subject=Subject:
Principal: anonymous
:role=Roles()
17:51:59,144 TRACE [JBossAuthorizationContext](WorkerThread#0[192.168.185.16:56748]) Error in authorize:
org.jboss.security.authorization.AuthorizationException: Authorization Failed:
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
at $Proxy786.count(Unknown Source)
at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
17:51:59,147 TRACE [EJBAuthorizationHelper](WorkerThread#0[192.168.185.16:56748]) Error in authorization:
org.jboss.security.authorization.AuthorizationException: Authorization Failed:
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:263)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:67)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:152)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:148)
at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:474)
at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:124)
at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:116)
at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:189)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:182)
at org.jboss.ejb3.session.SessionSpecContainer.invoke(SessionSpecContainer.java:240)
at org.jboss.ejb3.proxy.impl.handler.session.SessionProxyInvocationHandlerBase.invoke(SessionProxyInvocationHandlerBase.java:188)
at $Proxy786.count(Unknown Source)
at org.cdrms.audit.AuditMessageManagerBean.count(AuditMessageManagerBean.java:303)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:76)
at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:62)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_6749397.invoke(InvocationContextInterceptor_z_fillMethod_6749397.java)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_6749397.invoke(InvocationContextInterceptor_z_setup_6749397.java)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:62)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.entity.TransactionScopedEntityManagerInterceptor.invoke(TransactionScopedEntityManagerInterceptor.java:56)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.AllowedOperationsInterceptor.invoke(AllowedOperationsInterceptor.java:47)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.tx.NullInterceptor.invoke(NullInterceptor.java:42)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.stateless.StatelessInstanceInterceptor.invoke(StatelessInstanceInterceptor.java:68)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.tx.TxPolicy.invokeInOurTx(TxPolicy.java:79)
at org.jboss.aspects.tx.TxInterceptor$Required.invoke(TxInterceptor.java:190)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.tx.TxPropagationInterceptor.invoke(TxPropagationInterceptor.java:76)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.RunAsSecurityInterceptorv2.invoke(RunAsSecurityInterceptorv2.java:94)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptorv2.invoke(RoleBasedAuthorizationInterceptorv2.java:201)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:186)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.interceptor.EJB3TCCLInterceptor.invoke(EJB3TCCLInterceptor.java:86)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:438)
at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:524)
at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)
17:51:59,149 TRACE [LogAuditProvider](WorkerThread#0[192.168.185.16:56748]) [Error]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Exception:=Authorization Failed: ;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 1fb2e99}:method=public int org.cdrms.jpa.managers.AuditEventManagerBean.count():ejbMethodInterface=Local:ejbName=AuditEventManagerBean:ejbPrincipal=null:MethodRoles=Roles(CDRMSRealmUser,):securityRoleReferences=null:callerSubject=Subject:
Principal: anonymous
:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=null];policyRegistration=org.jboss.security.plugins.JBossPolicyRegistration at 1fb2e99;
I addition: I've tried both with and without specifying to use caller identity in ejb-jar.xml descriptors as follows:
EJB A:
<ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee"
version = "3.0"
xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
<enterprise-beans>
<session>
<ejb-name>AuditEventManagerBean</ejb-name>
<security-identity>
<use-caller-identity/>
</security-identity>
</session>
</enterprise-beans>
</ejb-jar>
EJB B:
<ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee"
version = "3.0"
xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_0.xsd">
<enterprise-beans>
<session>
<ejb-name>AuditMessageManagerBean</ejb-name>
<security-identity>
<use-caller-identity/>
</security-identity>
</session>
</enterprise-beans>
</ejb-jar>
Thank you very much in advance.
D.
--------------------------------------------------------------
Reply to this message by going to Community
[http://community.jboss.org/message/544712#544712]
Start a new discussion in EJB 3.0 at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2029]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20100525/97b15f78/attachment-0001.html
More information about the jboss-user
mailing list