[jboss-user] [Security & JAAS/JBoss] - java.lang.SecurityException: Insufficient method permissions
craig1980
do-not-reply at jboss.com
Fri Mar 9 11:29:30 EST 2007
Hi all.
I have a problem in invoking a statefull session bean in JBoss AS.
When i call this Ejb i have this error:
anonymous wrote : java.lang.SecurityException: Insufficient method permissions, principal=tiziana1, ejbName=WorkflowEngine, method=create, interface=HOME, requiredRoles=[WfMOpenAdmin], principalRoles=[WfMOpenAdmin, WfMOpenAdmin]
As you can see the expected role is WfMOpenAdmin and the principal used for invokign this EJB has these roles: WfMOpenAdmin, WfMOpenAdmin
For loggin into JBoss i have written this login module:
| package it.eng.smclient.accessmanager.authentication.jaas.module.jboss;
|
| import it.eng.smclient.accessmanager.authentication.jaas.principals.Login;
| import it.eng.smclient.accessmanager.authentication.jaas.principals.WfmOpen;
| import it.eng.smclient.accessmanager.configuration.Configuration;
| import it.eng.smclient.accessmanager.configuration.securityaccessfilter.EjbRole;
| import it.eng.smclient.accessmanager.configuration.utils.SingletonConfiguration;
| import it.eng.smclient.accessmanager.iface.SecManagerAuthorizationIface;
| import it.eng.smclient.accessmanager.util.resource.Message;
| import it.eng.smclient.accessmanager.util.resource.constants.Rbaccessmanager;
|
| import java.security.Principal;
| import java.security.acl.Group;
| import java.util.ArrayList;
| import java.util.Enumeration;
| import java.util.Iterator;
| import java.util.List;
| import java.util.Map;
| import java.util.Set;
|
| import javax.security.auth.Subject;
| import javax.security.auth.callback.CallbackHandler;
| import javax.security.auth.login.FailedLoginException;
| import javax.security.auth.login.LoginException;
| //import javax.security.auth.spi.LoginModule;
|
| import org.apache.commons.logging.Log;
| import org.apache.commons.logging.LogFactory;
| import org.jboss.security.NestableGroup;
| import org.jboss.security.SecurityAssociation;
| import org.jboss.security.SimpleGroup;
| //import org.jboss.security.SimplePrincipal;
| import org.jboss.security.auth.spi.AbstractServerLoginModule;
|
| public class SecurityManagerLoginModule extends AbstractServerLoginModule{
|
|
| static public final Log logger =
| LogFactory.getLog(SecurityManagerLoginModule.class);
|
| private Rbaccessmanager rb = new Rbaccessmanager();
| private Message message = new Message(rb);
| String username = null;
| protected Subject subject;
| protected CallbackHandler callbackHandler;
| protected Map sharedState;
| protected Map options;
| protected boolean loginOk;
| protected Principal unauthenticatedIdentity;
| protected Configuration conf = null;
| protected String ejbRole = null;
| public void initialize(Subject subject,
| CallbackHandler callbackHandler,
| Map sharedState,
| Map options) {
| logger.debug("[Method - initialize] [INIT]");
| if (logger.isTraceEnabled())
| logger.debug("[Method - initialize] [instance=@] "
| + System.identityHashCode(this));
| this.subject = subject;
| this.callbackHandler = callbackHandler;
| this.sharedState = sharedState;
| this.options = options;
| logger.debug("[Method - initialize] [Security domain:] "
| + (String) options.get("jboss.security.security_domain"));
| String name = (String) options.get("unauthenticatedIdentity");
| ejbRole = (String) options.get("ejbRole");
| if (name != null) {
| try {
| unauthenticatedIdentity = createIdentity(name);
| logger.info("Aggiungo il principal: " + unauthenticatedIdentity+ " al subject: "+ subject);
| subject.getPrincipals().add(unauthenticatedIdentity);
| subject.getPrincipals().add(getIdentity());
| Set principals = subject.getPrincipals();
| Group roleSets[] = getRoleSets();
| for (int g = 0; g < roleSets.length; g++) {
| Group group = roleSets[g];
| String aName = group.getName();
| Group subjectGroup = createGroup(aName, principals);
| if (subjectGroup instanceof NestableGroup) {
| SimpleGroup tmp = new SimpleGroup("Roles");
| subjectGroup.addMember(tmp);
| subjectGroup = tmp;
| } // if (subjectGroup instanceof NestableGroup)
| Principal role;
| for (Enumeration members = group.members(); members
| .hasMoreElements(); subjectGroup.addMember(role))
| role = (Principal) members.nextElement();
| }
| SecurityAssociation.setPrincipal(unauthenticatedIdentity);
| //SecurityAssociation.setCredential(credential);
| SecurityAssociation.setSubject(subject);
| logger.info("Aggiunto il principal a subject che ora è: " + subject);
| logger.debug("[Method - initialize] [navigazione anonima] " + name);
| } catch (Exception e) {
| logger.error("[Method - initialize] " +
| "[Inizializzazione modulo di login non riuscita - " +
| " Verificare la configurazione dei moduli]");
| logger.error("[Method - initialize] [Exception]",e);
| logger.error("[Method - initialize] [message]" + e.getMessage());
| }
| } // if (name != null)
| logger.debug("[Method - initialize] [END]");
| } // public void initialize(Subject subject, CallbackHandler
| // callbackHandler, Map sharedState, Map options)
| public boolean login() throws LoginException {
| logger.debug("[Method - login] [LoginModule]");
| /*
| JAASConfigFile jaas = new JAASConfigFile();
| jaas.displayProperties();
| */
| boolean result = false;
| loginOk = false;
| try {
| if (subject != null) {
| Iterator iter = subject.getPrivateCredentials().iterator();
| while (iter.hasNext()) {
| Object obj = iter.next();
| if (obj instanceof Login) {
| username = ((Login) obj).getName();
| logger.debug("[Method - login]" +
| "[Username not null] " + username);
| System.setProperty("javax.security.auth.login.name",username);
| } // if (obj instanceof Login)
| } // while ( iter.hasNext())
| } // if (subject != null)
|
| // Se username = [null] vuol dire che ho effettuato autenticazione
| // e sto richiamando il modulo all'interno dell'applicazione
| if (username == null) {
| logger.debug("[Method - login] " +
| "[Username = null] [Leggo le propietà di Sistema]");
| username = System.getProperty("javax.security.auth.login.name");
| logger.debug("[Method - login] " +
| "[javax.security.auth.login.name] " + username);
| } else {
| sharedState.put("javax.security.auth.login.name",username);
| Object credential = System.getProperty("javax.security.auth.login.name");
| List rolesPM = ((SecManagerAuthorizationIface) Configuration
| .getAccessManagerImplementation()).getRoles();
| logger.debug("[Method - login] [Lista Ruoli PM] " + rolesPM);
| WfmOpen wfmPrincipal = new WfmOpen(username);
|
| SingletonConfiguration singletonConfig =
| SingletonConfiguration.getInstance(null,null);
|
| Configuration conf =
| singletonConfig.getConfiguration();
|
| wfmPrincipal.setApplication(conf.getApplication()
| .getApplicationCode());
|
| ArrayList roles = new ArrayList();
| String role = ((EjbRole) conf.getEjbSecurityIdentity()
| .getEjbRoles().iterator().next()).getRole();
| roles.add(role);
|
| ArrayList groups = new ArrayList();
| groups.add("Some Group");
| groups.add("Order Processing");
|
| wfmPrincipal.setRoles(roles);
| wfmPrincipal.setGroups(groups);
|
| SecurityAssociation.setPrincipal(wfmPrincipal);
| SecurityAssociation.setCredential(credential);
| SecurityAssociation.setSubject(subject);
|
| } // if (username != null)
|
| loginOk = true;
| result = true;
| logger.debug("[Method - login] [END]");
| } catch (Exception e) {
| logger.error("[Method - login] ", e);
| throw new FailedLoginException(message
| .getMessage(rb.MODULE_LOGIN_ERROR));
| // throw new LoginException( e.getMessage() );
| }
| return result;
| } // public boolean login() throws LoginException
|
| protected Principal createIdentity(String name) throws Exception {
| logger.trace("[Method - login] [INIT]");
| Principal principal = null;
| logger.trace("[Method - login] [name] " + name);
| principal = new WfmOpen(name);
| return principal;
| } // protected Principal createIdentity(String name) throws Exception
| public boolean commit() throws LoginException {
| logger.trace("[Method - commit] [INIT]");
| logger.trace("[Method - commit] [subject] " + subject);
| if (!loginOk) return false;
| Set principals = subject.getPrincipals();
| Principal identity = getIdentity();
| logger.trace("[Method - commit] [identity] " + identity.getName());
|
| principals.add(identity);
| Group roleSets[] = getRoleSets();
|
| for (int g = 0; g < roleSets.length; g++) {
| Group group = roleSets[g];
| String name = group.getName();
| Group subjectGroup = createGroup(name, principals);
| if (subjectGroup instanceof NestableGroup) {
| SimpleGroup tmp = new SimpleGroup("Roles");
| subjectGroup.addMember(tmp);
| subjectGroup = tmp;
| } // if (subjectGroup instanceof NestableGroup)
| Principal role;
| for (Enumeration members = group.members(); members
| .hasMoreElements(); subjectGroup.addMember(role))
| role = (Principal) members.nextElement();
| } // for(int g = 0; g < roleSets.length; g++)
| return true;
| } // public boolean commit() throws LoginException
| public boolean abort() throws LoginException {
| logger.trace("[Method - abort() ] [INIT]");
| return true;
| } // public boolean abort() throws LoginException
|
| public boolean logout() throws LoginException {
| logger.trace("[Method - logout() ] [INIT]");
| Principal identity = getIdentity();
| Set principals = subject.getPrincipals();
| principals.remove(identity);
| return true;
| } // public boolean logout() throws LoginException
| protected Principal getIdentity() {
| logger.info("[Method - getIdentity() ] [INIT]");
| logger.trace("[Method - getIdentity() ] [username] " + username);
| Principal p = null;
| if (username != null) {
|
| logger.info("La username era diversa da null... "+ username);
| p = new WfmOpen(username);
| } else {
| // Ruolo reucperato dalla configurazione XML
| if (conf != null) {
| logger.info("Conf non era null.....");
| String role = ((EjbRole) conf.getEjbSecurityIdentity()
| .getEjbRoles().iterator().next()).getRole();
| p = new WfmOpen(role);
| } else {
|
| logger.info("Conf era null.....");
| p = new WfmOpen(ejbRole);
| }
| } // if (username != null)
| return p;
| } // private Principal getIdentity()
|
| protected Group[] getRoleSets() throws LoginException {
| logger.trace("[Method - getRoleSets() ] [INIT]");
|
| SimpleGroup rolesGroup = new SimpleGroup("Roles");
| ArrayList groups = new ArrayList();
|
| // Ruolo reucperato dalla configurazione XML
| Principal p = null;
| if (conf != null) {
| String role = ((EjbRole) conf.getEjbSecurityIdentity()
| .getEjbRoles().iterator().next()).getRole();
| logger.trace("[Method - getRoleSets() ] [Ruolo di sistema recuperato]");
| p = new WfmOpen(role);
| } else {
| p = new WfmOpen(ejbRole);
| }
| rolesGroup.addMember(p);
| groups.add(rolesGroup);
|
| Group roleSets[] = new Group[groups.size()];
| groups.toArray(roleSets);
|
| logger.trace("[Method - getRoleSets() ] [END]");
|
| return roleSets;
|
| } // private Group[] getRoleSets() throws LoginException
| protected Principal getUnauthenticatedIdentity() {
| return unauthenticatedIdentity;
| }
|
| protected Group createGroup(String name, Set principals) {
| logger.trace("[Method - createGroup ] [INIT]");
| Group roles = null;
| Iterator iter = principals.iterator();
| do {
| if (!iter.hasNext())
| break;
| Object next = iter.next();
| if (!(next instanceof Group))
| continue;
| Group grp = (Group) next;
| if (!grp.getName().equals(name))
| continue;
| roles = grp;
| break;
| } while (true);
| if (roles == null) {
| roles = new SimpleGroup(name);
| principals.add(roles);
| } // if (roles == null)
| logger.trace("[Method - createGroup ] [END]");
| return roles;
| } // protected Group createGroup(String name, Set principals)
|
| }
|
I know that when there is an unauthenticatedIdentity a cabled principal is created but i was trying to understand what error was created....
In my login-config.xml I have this configuration:
anonymous wrote :
| <application-policy name = "wfdemopluto">
|
| <login-module code = "org.jboss.security.auth.spi.ProxyLoginModule" flag = "sufficient">
| <module-option name = "moduleName">it.eng.smclient.accessmanager.authentication.jaas.module.jboss.SecurityManagerLoginModule</module-option>
|
| <module-option name="unauthenticatedIdentity">nobody</module-option>
| <module-option name="debug">true</module-option>
| <!--module-option name="password-stacking">useFirstPass</module-option-->
| <module-option name="ejbRole">WfMOpenAdmin</module-option>
| </login-module>
|
| </application-policy>
|
Can anybody help me?
Thnks to all,
Angelo
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4026655#4026655
Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4026655
More information about the jboss-user
mailing list