[jboss-user] [Security & JAAS/JBoss] - Re: Problem securing NamingService, InvokerAdaptorService on

kasimier do-not-reply at jboss.com
Tue Oct 30 13:41:55 EDT 2007


Thanks for the info about the log level. I got a fine-grained trace about what's going on now, but the issue isn't clear to me:

The security-relevant services (configured in their own SAR) are created correctly and my PolicyConfig named "lcfg" is loaded correctly too. Don't know if this matters, but JaasSecurityManagerService says nothing about a configured securityMgrCtxPath named "java:/jaas/lcfg".

I have configured my NamingService XMBean with the following interceptors:

    <descriptors>
       <interceptors>
          <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg" />
          <interceptor code="org.jboss.mx.interceptor.PersistenceInterceptor2" />
          <interceptor code="org.jboss.mx.interceptor.ModelMBeanInterceptor" />
          <interceptor code="org.jboss.mx.interceptor.ObjectReferenceInterceptor" />
       </interceptors>
    </descriptors>
   
and of course the JRMPProxyFactory for the Naming service.

Further, I have a JRMPProxyFactory for the InvokerAdaptorService. InvokerAdaptorService is configured with the following interceptors on its invoke() method:

          <operation>
             <name>invoke</name>
             <parameter>
                <name>invocation</name>
                <type>org.jboss.invocation.Invocation</type>
             </parameter>
             <return-type>java.lang.Object</return-type>
             <descriptors>
                <interceptors>
                   <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg"/>
                   <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor" policyClass="StripModelMBeanInfoPolicy"/>
                </interceptors>
             </descriptors>
          </operation>
       </xmbean>
      
When I connect to the MBeanServer via the standard org.jnp.interfaces.NamingContextFactory, I can read all registered objects without auth or error, of course jmx/rmi/RMIAdaptor too.
I can also call invoke() on jmx/rmi/RMIAdaptor without auth or error.

The security log trace when I stop a web module via invoke() does not say much, or I cannot interpret it correctly:

....
2007-10-29 18:13:09,796 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@912f10{principal=null,subject=null}
....
2007-10-29 18:13:11,093 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1e2e8cc{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
....
....
2007-10-29 18:13:13,531 DEBUG [org.apache.catalina.core.ContainerBase] unregistering jboss.web:j2eeType=WebModule,name=//localhost/iwa,J2EEApplication=none,J2EEServer=none
2007-10-29 18:13:13,531 TRACE [org.jboss.web.tomcat.security.config.JBossContextConfig] destroy called with DELEGATE_TO_PARENT=false
2007-10-29 18:13:13,531 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] delete
2007-10-29 18:13:13,531 DEBUG [org.jboss.web.WebModule] Stopped jboss.web.deployment:war=iwa.war,id=-1069725553
....
....


Really have no idea what kind of problem pains me. 
Maybe I have to force creation of the policy config before Interceptors using a JAAS domain are created?
Maybe I must not configure InvokerAdaptorService, JRMPInvoker and so on directly in myServer/conf/jboss-service.xml?


btw: securing a web application with the same JAAS domain works fine and forces my browser to pop up the login dialog.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4100390#4100390
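
Added example (not part of the original post and not JBoss code): a small Python check that replays a server log of the kind quoted above and reports every ServiceController operation that ran while the innermost subject context had principal=null. The sample log is constructed from the lines in the post plus one invented authenticated entry; it assumes the entries of one request appear in order, since the quoted log format carries no thread name.

```python
import re

# Constructed sample: the first four lines follow the post's trace, the last
# two are invented to show an authenticated call (their format is assumed).
SAMPLE_LOG = """\
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
2007-10-29 18:14:02,500 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=constructed, sc=org.jboss.security.SecurityAssociation$SubjectContext@0{principal=admin,subject=constructed}
2007-10-29 18:14:02,510 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=demo.war,id=1
"""

PUSH = re.compile(r"SecurityAssociation\] pushSubjectContext.*\{principal=([^,}]*)")
POP = re.compile(r"SecurityAssociation\] popSubjectContext")
OP = re.compile(r"\[org\.jboss\.system\.ServiceController\] (\w+) service: (\S+)")


def unauthenticated_operations(log_text):
    """Return (timestamp, action, service) for each ServiceController
    operation logged while the innermost subject context has no principal."""
    stack, findings = [], []
    for line in log_text.splitlines():
        m = PUSH.search(line)
        if m:
            # "null" is how the trace prints a missing principal
            stack.append(None if m.group(1) == "null" else m.group(1))
            continue
        if POP.search(line):
            if stack:  # tolerate a log that starts mid-request
                stack.pop()
            continue
        m = OP.search(line)
        if m and (not stack or stack[-1] is None):
            findings.append((line[:23], m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for ts, action, service in unauthenticated_operations(SAMPLE_LOG):
        print(f"{ts} unauthenticated '{action}' of {service}")
```
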