[jboss-user] [Security & JAAS/JBoss] - Re: Problem securing NamingService, InvokerAdaptorService on
kasimier
do-not-reply at jboss.com
Tue Oct 30 13:41:55 EDT 2007
Thanks for the info about the log level. I got a fine-grained trace about what's going on now, but the issue isn't clear to me:
the security-relevant services (configured in their own sar) are created correctly and my PolicyConfig named "lcfg" is loaded correctly too. Don't know if this matters, but JaasSecurityManagerService says nothing about a configured securityMgrCtxPath named "java:/jaas/lcfg"
I have configured my NamingService XMBean with the following interceptors:
| <descriptors>
|   <interceptors>
|     <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg" />
|     <interceptor code="org.jboss.mx.interceptor.PersistenceInterceptor2" />
|     <interceptor code="org.jboss.mx.interceptor.ModelMBeanInterceptor" />
|     <interceptor code="org.jboss.mx.interceptor.ObjectReferenceInterceptor" />
|   </interceptors>
| </descriptors>
and of course the JRMPProxyFactory for the Naming service.
Further, I have a JRMPProxyFactory for the InvokerAdaptorService. InvokerAdaptorService is configured with the following interceptors on its invoke() method:
|   <operation>
|     <name>invoke</name>
|     <parameter>
|       <name>invocation</name>
|       <type>org.jboss.invocation.Invocation</type>
|     </parameter>
|     <return-type>java.lang.Object</return-type>
|     <descriptors>
|       <interceptors>
|         <interceptor code="org.jboss.jmx.connector.invoker.AuthenticationInterceptor" securityDomain="java:/jaas/lcfg"/>
|         <interceptor code="org.jboss.jmx.connector.invoker.SerializableInterceptor" policyClass="StripModelMBeanInfoPolicy"/>
|       </interceptors>
|     </descriptors>
|   </operation>
| </xmbean>
When I connect to the MBeanServer via the standard org.jnp.interfaces.NamingContextFactory, I can read all registered objects without auth or error, of course jmx/rmi/RMIAdaptor too.
I also can call invoke() on jmx/rmi/RMIAdaptor without auth or error.
The security log trace when I stop a web module via invoke() does not say much, or I cannot interpret it correctly:
....
2007-10-29 18:13:09,796 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@912f10{principal=null,subject=null}
....
2007-10-29 18:13:11,093 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1e2e8cc{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:11,109 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@aa780b{principal=null,subject=null}
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
....
....
2007-10-29 18:13:13,531 DEBUG [org.apache.catalina.core.ContainerBase] unregistering jboss.web:j2eeType=WebModule,name=//localhost/iwa,J2EEApplication=none,J2EEServer=none
2007-10-29 18:13:13,531 TRACE [org.jboss.web.tomcat.security.config.JBossContextConfig] destroy called with DELEGATE_TO_PARENT=false
2007-10-29 18:13:13,531 TRACE [org.jboss.security.jacc.JBossPolicyConfiguration] delete
2007-10-29 18:13:13,531 DEBUG [org.jboss.web.WebModule] Stopped jboss.web.deployment:war=iwa.war,id=-1069725553
....
....
Really have no idea what kind of problem pains me.
Maybe I have to force creation of the policy config before Interceptors using a JAAS domain are created?
Maybe I must not configure InvokerAdaptorService, JRMPInvoker and so on directly in myServer/conf/jboss-service.xml?
btw: securing a web application with the same JAAS domain works fine and forces my browser to pop up the login dialog.
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4100390#4100390
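
Added example, not part of the original post or of JBoss: a small Python check that replays a trace like the one quoted above and reports every ServiceController action logged while the innermost pushed SubjectContext has principal=null, which is the symptom described in the post. It assumes the log layout shown in the post and a single interleaved stream (the trace carries no thread names); the "admin" principal used in the test is a constructed value.

```python
import re

# timestamp, level, [logger], message: the layout of the trace in the post
LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$")
PRINCIPAL = re.compile(r"\{principal=([^,}]*)")
SEC_ASSOC = "org.jboss.security.SecurityAssociation"
SVC_CTRL = "org.jboss.system.ServiceController"

# Sample input: lines shaped like the trace in the post ("...." marks elided lines).
SAMPLE = """\
2007-10-29 18:13:09,796 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@912f10{principal=null,subject=null}
....
2007-10-29 18:13:11,093 TRACE [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext@1e2e8cc{principal=null,subject=null}
2007-10-29 18:13:13,281 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=null, sc=org.jboss.security.SecurityAssociation$SubjectContext@1eb186a{principal=null,subject=null}
2007-10-29 18:13:13,281 DEBUG [org.jboss.system.ServiceController] stopping service: jboss.web.deployment:war=iwa.war,id=-1069725553
"""

def service_events(lines):
    """Return (timestamp, message, caller) for each ServiceController line.

    caller is the principal of the innermost pushed SubjectContext,
    "anonymous" when that principal is null, or "no-context" when no
    push was seen before the event.
    """
    stack, events = [], []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # elision markers and lines in another layout
        ts, _level, logger, msg = m.groups()
        if logger == SEC_ASSOC and msg.startswith("pushSubjectContext"):
            p = PRINCIPAL.search(msg)
            stack.append(p.group(1) if p else "unparsed")
        elif logger == SEC_ASSOC and msg.startswith("popSubjectContext"):
            if stack:  # elided lines can leave a pop without its push
                stack.pop()
        elif logger == SVC_CTRL:
            who = stack[-1] if stack else "no-context"
            events.append((ts, msg, "anonymous" if who == "null" else who))
    return events

def anonymous_operations(lines):
    """ServiceController actions performed with no authenticated principal."""
    return [(ts, msg) for ts, msg, who in service_events(lines) if who == "anonymous"]

if __name__ == "__main__":
    for ts, msg in anonymous_operations(SAMPLE.splitlines()):
        print(f"{ts} unauthenticated: {msg}")
```

A non-empty result after a remote invoke() means the call reached the service without any authenticated caller being associated with it.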