[jboss-user] [Beginners Corner] - Secure access to an EJB3.0

Luftballon do-not-reply at jboss.com
Fri May 22 18:25:32 EDT 2009


Hi @ all,

I am trying to implement secure access to an EJB and get "javax.ejb.EJBAccessException: Invalid User". Does anyone see something wrong or suspicious in the following code? (The security domain "mySecurityDomain" is properly bound in JNDI.)

Formated and colourful version of the code: http://pastebin.com/f74dbf9e6

SECURITY DOMAIN DEFINITION in login-config.xml------------------------------------------
<application-policy name="mySecurityDomain">
    <!-- Authenticates callers against the two properties files referenced below.
         As shown further down, users.properties stores each password in cleartext;
         UsersRolesLoginModule can compare against hashed passwords through its
         hashAlgorithm / hashEncoding module-options instead
         (NOTE(review): confirm the option names for this JBoss version). -->
    
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
        flag="required">
        <module-option name="usersProperties">props/myProps/users.properties</module-option>
        <module-option name="rolesProperties">props/myProps/roles.properties</module-option>
      </login-module>
    
  </application-policy>

props/myProps/roles.properties----------------------------------------------------------
guest=guestRole
user=userRole,guestRole
admin=adminRole,userRole,guestRole

props/myProps/users.properties----------------------------------------------------------
admin=adminpas
user=userpas
guest=guestpas

BEANINTERFACE----------------------------------------------------------------------------
package ejb;

import javax.ejb.Remote;

@Remote
public interface Secure {

	/**
	 * Method open to every caller; the bean marks it {@code @PermitAll}.
	 *
	 * @return a fixed marker string identifying the method
	 */
	String forAll();

	/**
	 * Method restricted to {@code userRole} on the bean.
	 *
	 * @return a fixed marker string identifying the method
	 */
	String forUsers();

	/**
	 * Method restricted to {@code adminRole} on the bean.
	 *
	 * @return a fixed marker string identifying the method
	 */
	String forAdmins();

	/**
	 * Method the bean marks {@code @DenyAll}; no caller is expected to reach it.
	 *
	 * @return a fixed marker string identifying the method
	 */
	String forNoOne();
}


BEAN-------------------------------------------------------------------------------------
package ejb;

import javax.annotation.security.DenyAll;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

//import org.jboss.security.annotation.SecurityDomain;


@Stateless
@SecurityDomain("mySecurityDomain")
@RolesAllowed({"guestRole", "userRole", "adminRole"})
public class SecureBean implements Secure {

	/**
	 * Open to everyone: the method-level {@code @PermitAll} overrides the
	 * class-level {@code @RolesAllowed}.
	 *
	 * @return the literal {@code "forAll"}
	 */
	@Override
	@PermitAll
	public String forAll() {
		return "forAll";
	}

	/**
	 * Restricted to callers holding {@code userRole}.
	 *
	 * @return the literal {@code "forUsers"}
	 */
	@Override
	@RolesAllowed("userRole")
	public String forUsers() {
		return "forUsers";
	}

	/**
	 * Restricted to callers holding {@code adminRole}.
	 *
	 * @return the literal {@code "forAdmins"}
	 */
	@Override
	@RolesAllowed("adminRole")
	public String forAdmins() {
		return "forAdmins";
	}

	/**
	 * Never callable through the container: {@code @DenyAll} rejects every role.
	 *
	 * @return the literal {@code "forNoOne"}
	 */
	@Override
	@DenyAll
	public String forNoOne() {
		return "forNoOne";
	}
}

CLIENT-------------------------------------------------------------------------------------
package client;

import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import ejb.Secure;

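public class SecureClient {

	/** JNDI name under which the remote view of {@code SecureBean} is bound. */
	private static final String BEAN_JNDI_NAME = "SecureBean/remote";

	/**
	 * Looks up {@code SecureBean/remote} and prints the result of {@code forAll()}.
	 *
	 * <p>The principal and credential default to {@code guest}/{@code guestpas}
	 * (an entry in users.properties) and can be overridden with {@code args[0]}
	 * and {@code args[1]}, so other users can be tried without editing the source.
	 *
	 * <p>NOTE(review): only {@link NamingException} is caught. The
	 * {@code EJBAccessException} raised by the server-side authentication
	 * interceptor is a {@code RuntimeException} and escapes {@code main}, which is
	 * what the reported "Exception in thread main" trace shows. Whether the two
	 * environment entries set here reach the EJB3 security interceptor depends on
	 * the naming factory in use; the JBoss-specific
	 * {@code org.jboss.security.jndi.JndiLoginInitialContextFactory} (selected via
	 * {@link Context#INITIAL_CONTEXT_FACTORY}) or the JBoss SecurityClient API are
	 * the documented ways to propagate them -- confirm against the server version's
	 * documentation.
	 *
	 * @param args optional {@code [principal [credential]]}
	 */
	public static void main(String[] args) {
		String principal = args.length > 0 ? args[0] : "guest";
		String credential = args.length > 1 ? args[1] : "guestpas";

		Properties env = new Properties();
		env.put(Context.SECURITY_PRINCIPAL, principal);
		env.put(Context.SECURITY_CREDENTIALS, credential);

		Context ctx = null;
		try {
			ctx = new InitialContext(env);
			Secure bean = (Secure) ctx.lookup(BEAN_JNDI_NAME);
			System.out.println(bean.forAll());
		} catch (NamingException e) {
			e.printStackTrace();
		} finally {
			// The context holds a connection to the naming server; release it.
			if (ctx != null) {
				try {
					ctx.close();
				} catch (NamingException ignored) {
					// best effort: nothing useful can be done if close() fails
				}
			}
		}
	}
}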

EXCEPTION-------------------------------------------------------------------------------------
Exception in thread "main" javax.ejb.EJBAccessException: Invalid User
	at org.jboss.ejb3.security.Ejb3AuthenticationInterceptorv2.invoke(Ejb3AuthenticationInterceptorv2.java:165)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:41)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.BlockContainerShutdownInterceptor.invoke(BlockContainerShutdownInterceptor.java:67)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.currentinvocation.CurrentInvocationInterceptor.invoke(CurrentInvocationInterceptor.java:67)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.stateless.StatelessContainer.dynamicInvoke(StatelessContainer.java:487)
	at org.jboss.ejb3.session.InvokableContextClassProxyHack._dynamicInvoke(InvokableContextClassProxyHack.java:53)
	at org.jboss.aop.Dispatcher.invoke(Dispatcher.java:91)
	at org.jboss.aspects.remoting.AOPRemotingInvocationHandler.invoke(AOPRemotingInvocationHandler.java:82)
	at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
	at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:742)
	at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:695)
	at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:522)
	at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:230)
	at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:206)
	at org.jboss.remoting.Client.invoke(Client.java:1708)
	at org.jboss.remoting.Client.invoke(Client.java:612)
	at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:60)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:74)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
	at $Proxy3.invoke(Unknown Source)
	at org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase.invoke(ProxyInvocationHandlerBase.java:261)
	at org.jboss.ejb3.proxy.handler.session.SessionSpecProxyInvocationHandlerBase.invoke(SessionSpecProxyInvocationHandlerBase.java:101)
	at $Proxy2.forAll(Unknown Source)
	at client.SecureClient.main(SecureClient.java:21)
	at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:72)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.tx.ClientTxPropagationInterceptor.invoke(ClientTxPropagationInterceptor.java:61)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.security.client.SecurityClientInterceptor.invoke(SecurityClientInterceptor.java:65)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.ejb3.remoting.IsLocalInterceptor.invoke(IsLocalInterceptor.java:74)
	at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
	at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
	at $Proxy3.invoke(Unknown Source)
	at org.jboss.ejb3.proxy.handler.ProxyInvocationHandlerBase.invoke(ProxyInvocationHandlerBase.java:261)
	at org.jboss.ejb3.proxy.handler.session.SessionSpecProxyInvocationHandlerBase.invoke(SessionSpecProxyInvocationHandlerBase.java:101)
	at $Proxy2.forAll(Unknown Source)
	at client.SecureClient.main(SecureClient.java:21)
