[jboss-user] [Installation, Configuration & DEPLOYMENT] - Re: How to authenticate to the JBoss server from a desktop (

jaikiran do-not-reply at jboss.com
Sat Jul 5 06:52:38 EDT 2008


"Marcos_APS" wrote : 
  | Yes. My EJBs are secured. I'm using EJB3, JPA 1.0, JSF 1.2. Yes, I'm using jboss.xml.
  | 
  | Jaikiran, look at the first post when I started this discussion. Almost all my files (including jboss.xml) are there. 

I did check your first post, but it doesn't have the jboss.xml :) 

It's been a long time since I last tried my sample application to access a secure bean. I decided to give it a try with EJB3 beans:

  | import javax.annotation.security.RolesAllowed;
  | import javax.ejb.Local;
  | import javax.ejb.Remote;
  | import javax.ejb.Stateless;
  | 
  | import org.jboss.annotation.ejb.RemoteBinding;
  | import org.jboss.annotation.security.SecurityDomain;
  | import org.jboss.logging.Logger; // assumed: any Logger with a getLogger(Class) factory works here
  | 
  | @Stateless
  | @Remote( { UserManagerRemote.class })
  | @Local (UserManagerLocal.class)
  | @RemoteBinding(jndiBinding = "RemoteUserManagerBean")
  | @SecurityDomain (value="other") // callers are authenticated/authorized against the "other" domain from login-config.xml
  | public class UserManagerBean implements UserManagerLocal, UserManagerRemote {
  | 
  | 	/**
  | 	 * Instance of logger
  | 	 */
  | 	private static Logger logger = Logger.getLogger(UserManagerBean.class);
  | 
  | 	public UserManagerBean() {
  | 		System.out.println("Default constructor of UserManagerBean " + this);
  | 	}
  | 
  | 	/** Only callers carrying the "admin" role may invoke this method. */
  | 	@RolesAllowed (value="admin")
  | 	public User getUser(long id) {
  | 		System.out.println("Bean method successfully called");
  | 		// do something
  | 		User user = null; // the actual lookup is elided in the post
  | 		return user;
  | 	}
  | }
  | 

I decided to use annotations (@SecurityDomain and @RolesAllowed) to secure the bean. Using jboss.xml is an alternative. 

The method getUser is allowed to be accessed only by users belonging to "admin" role. The security-domain "other" is configured in login-config.xml to use a users.properties and a roles.properties for authentication and authorization:

  |   <application-policy name = "other">
  |        <!-- A simple server login module, which can be used when the number
  |        of users is relatively small. It uses two properties files:
  |        users.properties, which holds users (key) and their password (value).
  |        roles.properties, which holds users (key) and a comma-separated list of
  |        their roles (value).
  |        The unauthenticatedIdentity property defines the name of the principal
  |        that will be used when a null username and password are presented as is
  |        the case for an unauthenticated web client or MDB. If you want to
  |        allow such users to be authenticated add the property, e.g.,
  |        unauthenticatedIdentity="nobody"
  |        -->
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required" />
  |        </authentication>
  |     </application-policy>
  |     

These are my users.properties and roles.properties in the EAR:

users.properties:

  | jaikiran=jaikiran
  | dummy=dummy

roles.properties:

  | jaikiran=admin
  | dummy=normaluser

The client uses the org.jboss.security.ClientLoginModule as mentioned in the blog. Now let's try with various user/password combinations and see what happens:

1) Incorrect user name and password:


  | String userName = "notanuser";
  | String password = "notanuser";
  | MyCallbackHandler handler = new MyCallbackHandler(userName, password);
  | 
  | LoginContext lc = new LoginContext("someXYZLogin", handler);
  | lc.login();
  | 
  | System.out.println("Successfully logged in user: " + userName);
  | Context ctx = new InitialContext();
  | UserManagerRemote userManager = (UserManagerRemote) ctx.lookup("RemoteUserManagerBean");
  | System.out.println("Got the usermanager bean");
  | User user = userManager.getUser((long) 1);

The lc.login succeeds on the client side and the non-existent "notanuser" is logged in. However, when the call to userManager.getUser is done, another round of authentication (and authorization) is done on the server side, this time with the "other" login module which is configured on the bean. At this point the login fails and an AuthenticationException is thrown:

  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] Begin isValid, principal:notanuser, cache info: null
  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, principal=notanuser
  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=8
  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:
  | [0]
  | LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
  | ControlFlag: LoginModuleControlFlag: required
  | Options:
  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@4020218
  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: other
  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties
  | 2008-07-05 15:49:35,199 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties, defaults=null
  | 2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
  | 2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties
  | 2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties, defaults=null
  | 2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
  | 2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] login
  | 2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Bad password for username=notanuser
  | 2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.auth.spi.UsersRolesLoginModule] abort
  | 2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] Login failure
  | javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
  | 	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
  | 	at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  | 	at java.lang.reflect.Method.invoke(Method.java:585)
  | 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  | 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  | 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  | 	at java.security.AccessController.doPrivileged(Native Method)
  | 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  | 	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  | 	at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
  | 	at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
  | 	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
  | 	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
  | 	at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
  | 	at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
  | 	at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
  | 	at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
  | 	at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
  | 	at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
  | 2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, false
  | 2008-07-05 15:49:35,215 DEBUG [WorkerThread#0[223.1.1.128:1681]] [org.jboss.ejb3.security.Ejb3AuthenticationInterceptor] Authentication failure
  | javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
  | 	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
  | 	at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  | 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  | 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  | 	at java.lang.reflect.Method.invoke(Method.java:585)
  | 	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
  | 	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
  | 	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
  | 	at java.security.AccessController.doPrivileged(Native Method)
  | 	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
  | 	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
  | 	at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
  | 	at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
  | 	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.authenticate(AuthenticationInterceptor.java:123)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:66)
  | 	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
  | 	at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
  | 	at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
  | 	at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
  | 	at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
  | 	at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
  | 	at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
  | 2008-07-05 15:49:35,215 TRACE [WorkerThread#0[223.1.1.128:1681]] [org.jboss.remoting.transport.socket.ServerThread] SocketServerInvoker[223.1.1.128:3873].invoke() call failed
  | javax.ejb.EJBAccessException: Authentication failure
  | 	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
  | 	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
  | 

2) Let's now try with an existing user, but one who does not have rights to access the bean method. Again the login succeeds on the client side and the user/password information is passed on to the server while accessing the bean method. Another round of authentication starts on the server when the method is accessed. The login succeeds on the server side too, because the user/password are existing valid ones. However, since the user does not have rights to access the method, an AuthorizationException is thrown:

  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] Begin isValid, principal:dummy, cache info: null
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, principal=dummy
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(other), size=8
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(other), authInfo=AppConfigurationEntry[]:
  | [0]
  | LoginModule Class: org.jboss.security.auth.spi.UsersRolesLoginModule
  | ControlFlag: LoginModuleControlFlag: required
  | Options:
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] initialize, instance=@7641571
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Security domain: other
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/users.properties, defaults=null
  | 2008-07-05 15:50:51,140 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] findResource: file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Properties file=file:/D:/JBoss-4.2.2/jboss-4.2.2.GA/server/jaikiran/deploy/EJB3Persistence.ear/roles.properties, defaults=null
  | 2008-07-05 15:50:51,140 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Loaded properties, users=[dummy, jaikiran]
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] login
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] User 'dummy' authenticated, loginOk=true
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] commit, loginOk=true
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Checking user: jaikiran, roles string: admin
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Checking user: dummy, roles string: normaluser
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.auth.spi.UsersRolesLoginModule] Adding to Roles: normaluser
  | 2008-07-05 15:50:51,140 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] defaultLogin, lc=javax.security.auth.login.LoginContext at 650be6, subject=Subject(32516939).principals=org.jboss.security.SimplePrincipal at 14335210(dummy)org.jboss.security.SimpleGroup at 32038290(Roles(members:normaluser))
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] updateCache, inputSubject=Subject(32516939).principals=org.jboss.security.SimplePrincipal at 14335210(dummy)org.jboss.security.SimpleGroup at 32038290(Roles(members:normaluser)), cacheSubject=Subject(11160568).principals=org.jboss.security.SimplePrincipal at 14335210(dummy)org.jboss.security.SimpleGroup at 32038290(Roles(members:normaluser))
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo at 61b548[Subject(11160568).principals=org.jboss.security.SimplePrincipal at 14335210(dummy)org.jboss.security.SimpleGroup at 32038290(Roles(members:normaluser)),credential.class=[C at 9519074,expirationTime=1215255040046]
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] End isValid, true
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
  | 	Principal: dummy
  | 	Principal: Roles(members:normaluser)
  | , sc=org.jboss.security.SecurityAssociation$SubjectContext at 16d7e89{principal=dummy,subject=26119032}
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getPrincipal, principal=dummy
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext at 16d7e89{principal=dummy,subject=26119032}
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] doesUserHaveRole(Set), subject: Subject:
  | 	Principal: dummy
  | 	Principal: Roles(members:normaluser)
  | 
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] roles=Roles(members:normaluser)
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] hasRole(admin)=false
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] hasRole=false
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext at 16d7e89{principal=dummy,subject=26119032}
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.plugins.JaasSecurityManager.other] getUserRoles, subject: Subject:
  | 	Principal: dummy
  | 	Principal: Roles(members:normaluser)
  | 
  | 2008-07-05 15:50:51,155 ERROR [WorkerThread#0[223.1.1.128:1687]] [org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor] Insufficient permissions, principal=dummy, requiredRoles=[admin], principalRoles=[normaluser]
  | 2008-07-05 15:50:51,155 DEBUG [WorkerThread#0[223.1.1.128:1687]] [org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor] Authorization failure
  | java.lang.SecurityException: Insufficient permissions, principal=dummy, requiredRoles=[admin], principalRoles=[normaluser]
  | 	at org.jboss.aspects.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:149)
  | 	at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:115)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:77)
  | 	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:46)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 	at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:304)
  | 	at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:106)
  | 	at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
  | 	at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:769)
  | 	at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:573)
  | 	at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:373)
  | 	at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:166)
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] popSubjectContext, sc=org.jboss.security.SecurityAssociation$SubjectContext at 16d7e89{principal=dummy,subject=26119032}
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setPrincipal, p=null, server=true
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setPrincipal, sc=org.jboss.security.SecurityAssociation$SubjectContext at e7ef68{principal=null,subject=null}
  | 2008-07-05 15:50:51,155 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.security.SecurityAssociation] setCredential, sc=org.jboss.security.SecurityAssociation$SubjectContext at e7ef68{principal=null,subject=null}
  | 2008-07-05 15:50:51,171 TRACE [WorkerThread#0[223.1.1.128:1687]] [org.jboss.remoting.transport.socket.ServerThread] SocketServerInvoker[223.1.1.128:3873].invoke() call failed
  | javax.ejb.EJBAccessException: Authorization failure
  | 	at org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(RoleBasedAuthorizationInterceptor.java:120)
  | 	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:101)
  | 

3) Now let's try with an existing username with the correct password and with sufficient rights to access the method. The login on the client side succeeds and the user/password info is passed on to the server when the bean method is invoked. Another round of authentication is done on the server and it too passes. Then an authorization check is done. And since the user has sufficient rights, the bean method is successfully called:

  | 15:51:28,141 INFO [STDOUT] Bean method successfully called

"Marcos_APS" wrote : 
  | Now I'm able to login 'normally' using loginContext.login(). But JBoss is now accepting any user I pass in and I suppose this is really not a good thing at the point of security. 

As explained above, the org.jboss.security.ClientLoginModule login module is just used as a carrier for passing on the username/password to the server. The login will succeed even with an invalid user with this module on the client side. However, at the server, another round of authentication is done. The login module that gets used on the server side is the one that you have configured in the jboss.xml (or through annotations) for the EJBs, and only valid, authorized users will be allowed to access the method.


View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4162639#4162639

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=4162639
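The three scenarios jaikiran walks through above, as one complete stand-alone JBoss 4.2 client. This is an added example, not code from the post or from JBoss itself. It assumes a server at jnp://localhost:1099 (pass another address as the first argument), the JAAS entry name "someXYZLogin" from the post's snippet, that the post's UserManagerRemote and User classes are on the client classpath, and that the EJBAccessException messages the client receives are the "Authentication failure" / "Authorization failure" strings visible in the server trace above. The ClientLoginModule configuration is installed programmatically, which is the same as an auth.conf entry `someXYZLogin { org.jboss.security.ClientLoginModule required; };`, so nothing outside this file is needed on the client.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Properties;

import javax.ejb.EJBAccessException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

// Added example (not from the post). Assumed: server URL, JAAS entry name "someXYZLogin",
// and the post's UserManagerRemote/User classes on the classpath.
public class SecuredBeanClient {

    /** What the server decided, as seen from the client. */
    enum Outcome { OK, AUTHENTICATION_FAILED, AUTHORIZATION_FAILED }

    /** Hands the username/password to whichever login module asks for them. */
    static final class MyCallbackHandler implements CallbackHandler {
        private final String user;
        private final char[] password;
        MyCallbackHandler(String user, String password) {
            this.user = user;
            this.password = password.toCharArray();
        }
        public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        }
    }

    /**
     * Programmatic equivalent of the auth.conf entry
     *   someXYZLogin { org.jboss.security.ClientLoginModule required; };
     * ClientLoginModule verifies nothing: it only stores the principal and credential
     * in the client-side SecurityAssociation so the next remote call carries them.
     */
    static void installClientJaasConfig() {
        Configuration.setConfiguration(new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"someXYZLogin".equals(name)) return null;
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        Collections.<String, String>emptyMap())
                };
            }
        });
    }

    static Outcome callSecuredBean(String user, String password, String providerUrl)
            throws LoginException, NamingException {
        LoginContext lc = new LoginContext("someXYZLogin", new MyCallbackHandler(user, password));
        lc.login(); // succeeds for any user/password: the client module does not check them
        try {
            Properties env = new Properties();
            env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
            env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
            env.put(Context.PROVIDER_URL, providerUrl); // assumed address, see main()
            Context ctx = new InitialContext(env);
            UserManagerRemote userManager = (UserManagerRemote) ctx.lookup("RemoteUserManagerBean");
            // The real authentication (UsersRolesLoginModule in the "other" domain) and the
            // @RolesAllowed("admin") check both happen on the server during this call.
            userManager.getUser(1L);
            return Outcome.OK;
        } catch (EJBAccessException e) {
            // Distinguish the two server-side rejections by the message text seen in the trace.
            String msg = String.valueOf(e.getMessage());
            if (msg.contains("Authentication failure")) return Outcome.AUTHENTICATION_FAILED;
            if (msg.contains("Authorization failure")) return Outcome.AUTHORIZATION_FAILED;
            throw e;
        } finally {
            // Clear the client SecurityAssociation; otherwise the next lookup in this JVM
            // silently goes out with the same principal/credential.
            lc.logout();
        }
    }

    public static void main(String[] args) throws Exception {
        installClientJaasConfig();
        String url = args.length > 0 ? args[0] : "jnp://localhost:1099"; // assumed server address
        System.out.println("notanuser -> " + callSecuredBean("notanuser", "notanuser", url));
        System.out.println("dummy     -> " + callSecuredBean("dummy", "dummy", url));
        System.out.println("jaikiran  -> " + callSecuredBean("jaikiran", "jaikiran", url));
    }
}
```

Run it with the JBoss client jars (jbossall-client.jar and the EJB3 client jars) plus the EAR's interface classes on the classpath. With the users.properties/roles.properties from the post, the three calls end in AUTHENTICATION_FAILED, AUTHORIZATION_FAILED and OK respectively, and in every case lc.login() itself returned normally first, which is the point of the post: the client-side login is not the check. Two practical notes: the message-based classification is only as stable as the strings the container emits, so do not make security decisions on it, only diagnostics; and the lc.logout() in the finally block matters, because ClientLoginModule leaves the credentials in the (static) client SecurityAssociation until logout, so a later call from the same JVM would otherwise run as the previously logged-in user.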


