[Design of Security on JBoss] - Security EJB2 and dependencies
by adrian@jboss.org
If you run the pooled tests in JBoss5
| ./build.sh test -Dtest=pooled -Dnojars=t
|
you will see it fails with
| 16:20:26,857 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
| java.io.IOException: No properties file: users.properties or defaults: defaultUsers.properties found
| at org.jboss.security.auth.spi.Util.loadProperties(Util.java:366)
| at org.jboss.security.auth.spi.UsersRolesLoginModule.loadUsers(UsersRolesLoginModule.java:186)
| at org.jboss.security.auth.spi.UsersRolesLoginModule.createUsers(UsersRolesLoginModule.java:200)
| at org.jboss.security.auth.spi.UsersRolesLoginModule.initialize(UsersRolesLoginModule.java:127)
| at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
| at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at javax.security.auth.login.LoginContext.invoke(LoginContext.java:756)
| at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
| at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
| at java.security.AccessController.doPrivileged(Native Method)
| at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
| at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:563)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:497)
| at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
| at org.jboss.security.javaee.EJBAuthenticationHelper.isValid(EJBAuthenticationHelper.java:76)
| at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityContext(SecurityInterceptor.java:301)
| at org.jboss.ejb.plugins.SecurityInterceptor.invoke(SecurityInterceptor.java:238)
| at org.jboss.ejb.plugins.SSLSessionInterceptor.invokeHome(SSLSessionInterceptor.java:53)
| at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:132)
| at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:107)
| at org.jboss.ejb.SessionContainer.internalInvokeHome(SessionContainer.java:640)
| at org.jboss.ejb.Container.invoke(Container.java:1031)
| at sun.reflect.GeneratedMethodAccessor156.invoke(Unknown Source)
| at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
| at java.lang.reflect.Method.invoke(Method.java:585)
| at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)
| at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)
| at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)
| at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)
| at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
| at org.jboss.invocation.pooled.server.PooledInvoker$MBeanServerAction.invoke(PooledInvoker.java:896)
| at org.jboss.invocation.pooled.server.PooledInvoker.invoke(PooledInvoker.java:383)
| at org.jboss.invocation.pooled.server.ServerThread.processInvocation(ServerThread.java:233)
| at org.jboss.invocation.pooled.server.ServerThread.dorun(ServerThread.java:275)
| at org.jboss.invocation.pooled.server.ServerThread.run(ServerThread.java:156)
|
This is because it has been configured to use the ssl-pooled domain which is hot
deployed with the ejbs, but it is actually using the "other" domain.
I'd guess this is because org.jboss.ejb.plugins.SecurityInterceptor
is not respecting the jmx dependency rules.
i.e. it is trying to retrieve the SecurityDomain in setContainer() instead of start()
setContainer() is invoked from EJB.create()
| public void setContainer(Container container)
| {
| ...
|
| // HERE This is invoked from EJB.create() which is too early since
| the SecurityDomain is not deployed until start()
|
| if(securityManager != null)
| {
| appSecurityDomain = securityManager.getSecurityDomain();
| appSecurityDomain = SecurityUtil.unprefixSecurityDomain(appSecurityDomain);
| }
| }
| }
|
>From the debug logging
|
| This is where it tries to retrieve the security domain:
|
| 2008-04-22 16:20:25,185 DEBUG [org.jboss.ejb.StatelessSessionContainer] (RMI TCP Connection(6)-127.0.0.1) Creating jboss.j2ee:jndiName=StatelessSessionWithPooledSSL,se
| rvice=EJB
|
| This is where the security domain is actually deployed
|
| 2008-04-22 16:20:25,198 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (RMI TCP Connection(6)-127.0.0.1) Starting jboss.security:service=JaasSecurityDomain,doma
| in=pooled-ssl
| 2008-04-22 16:20:25,201 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] (RMI TCP Connection(6)-127.0.0.1) Added pooled-ssl, org.jboss.security.plugins.Ja
| asSecurityDomain@18441c1 to map
| 2008-04-22 16:20:25,213 DEBUG [org.jboss.security.plugins.auth.JaasSecurityManagerBase.pooled-ssl] (RMI TCP Connection(6)-127.0.0.1) CachePolicy set to: org.jboss.util
| .TimedCachePolicy@1f90a95
| 2008-04-22 16:20:25,213 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] (RMI TCP Connection(6)-127.0.0.1) setCachePolicy, c=org.jboss.util.TimedCachePoli
| cy@1f90a95
| 2008-04-22 16:20:25,213 DEBUG [org.jboss.security.plugins.JaasSecurityDomain] (RMI TCP Connection(6)-127.0.0.1) Started jboss.security:service=JaasSecurityDomain,domai
| n=pooled-ssl
|
| This is where it should be retrieved
|
| 2008-04-22 16:20:25,269 DEBUG [org.jboss.ejb.StatelessSessionContainer] (RMI TCP Connection(6)-127.0.0.1) Started jboss.j2ee:jndiName=StatelessSessionWithPooledSSL,ser
| vice=EJB
|
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4145879#4145879
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4145879
16 years, 5 months
[Design the new POJO MicroContainer] - Refreshing entries in JARs
by alesj
Regarding this JIRA issue:
- http://jira.jboss.com/jira/browse/JBVFS-7
I created this test:
| public void testEntryModified() throws Exception
| {
| File tmp = File.createTempFile("testJarEntry", ".jar");
| Manifest mf = new Manifest();
| mf.getMainAttributes().putValue("Created-By", getClass().getName() + "." + "testEntryModified");
| FileOutputStream fos = new FileOutputStream(tmp);
| JarOutputStream jos = new JarOutputStream(fos, mf);
| try
| {
| jos.setComment("testJarURLs");
| jos.setLevel(0);
| }
| finally
| {
| jos.close();
| }
| VFS vfs = VFS.getVFS(tmp.toURI());
| VirtualFile metainf = vfs.findChild("META-INF");
| List<VirtualFile> children = metainf.getChildren();
| assertEquals(1, children.size());
|
| fos = new FileOutputStream(tmp);
| jos = new JarOutputStream(fos, mf);
| try
| {
| ZipEntry entry = new ZipEntry("META-INF/some.txt");
| entry.setComment("some_comment");
| entry.setExtra("qwerty".getBytes());
| entry.setSize(1);
| jos.putNextEntry(entry);
| jos.closeEntry();
|
| entry = new ZipEntry("META-INF/other.txt");
| entry.setComment("other_comment");
| entry.setExtra("foobar".getBytes());
| entry.setSize(1);
| jos.putNextEntry(entry);
| jos.closeEntry();
| }
| finally
| {
| jos.close();
| }
|
| // vfs = VFS.getVFS(tmp.toURI());
| // metainf = vfs.findChild("META-INF");
| System.out.println("metainf = " + metainf.hasBeenModified());
| children = metainf.getChildren();
| assertEquals(3, children.size());
| }
|
Which looks legit, since when I uncomment two lines at the bottom, the new vfs handle picks up all three entries.
But in our case, where we don't want to create new handle, but use the existing one, where the handle should see that the content has changed and return 3 entries.
Of course that is not the case. :-(
And I don't see how you really do this in generic fashion w/o modifying all VFS, e.g. lets say some 4level nested jar is updated.
Even in this case, where we have just simple jar, updating contents of META-INF handler is far from trivial.
The handler that maps to META-INF is SynthenticDirEntryHandler, which only gets populated when we iterate over entries of parent jar.
Meaning we would have to go back and recreate every entry.
And I don't know how much information that's needed for reconstruction we're holding.
I'll have a look what can be done if I add some 'reconstruct' method to VirtualFileHandler.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4145853#4145853
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4145853
16 years, 5 months