[jboss-user] [EJB3] - Re: Can't get SessionContext.isCallerInRole(...) to work from remote call.

Krister Wicksell do-not-reply at jboss.com
Wed May 4 08:04:16 EDT 2011


Krister Wicksell [http://community.jboss.org/people/kriwic] created the discussion

"Re: Can't get SessionContext.isCallerInRole(...) to work from remote call."

To view the discussion, visit: http://community.jboss.org/message/603396#603396

--------------------------------------------------------------
Since I did not get any reply on this post, I thought I'd explain it a little better. I would like to get some feedback before I report this as a bug, because I don't know if I have missed something.

When I access a stateless bean from outside of JBoss via its remote interface from a Java client, SessionContext.isCallerInRole(...) always returns false. However, when I access the same bean from a JSP running in the same JBoss, SessionContext.isCallerInRole(...) works correctly. This behavior occurs in JBoss 5 & 6. In JBoss 4 it works OK for both cases.

In my small test case I have a stateless bean interface named Test. It has only one method, checkRole(). This method should return true if the caller has the role administrator.

import javax.ejb.Remote;

@Remote
public interface Test {
  // Returns true when the calling principal holds the administrator role
  public boolean checkRole();
}


The implementation of the bean is as follows. It uses the security domain zert, and its only method returns the result of SessionContext.isCallerInRole("administrator").

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
// JBoss 5/6 package; on JBoss 4 the annotation lives in org.jboss.annotation.security
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless
@Remote({Test.class})
@SecurityDomain("zert")
@DeclareRoles({"administrator", "producer", "consumer"})
public class TestBean implements Test {
  // Injected by the container; carries the caller's principal and roles
  @Resource
  private SessionContext context;

  @Override
  public boolean checkRole() {
    return context.isCallerInRole("administrator");
  }
}


The security domain zert has only one user, called admin. The admin user is in the roles administrator, producer and consumer, as can be seen in the listing below.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE server PUBLIC "-//JBoss//DTD MBean Service 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss-service_4_0.dtd">

<server>
  <mbean code="org.jboss.security.auth.login.DynamicLoginConfig" name="jboss:service=DynamicLoginConfig">
    <attribute name="PolicyConfig" serialDataType="jbxb">
      <jaas:policy
        xsi:schemaLocation="urn:jboss:security-config:4.1 resource:security-config_4_1.xsd"
        xmlns:jaas="urn:jboss:security-config:4.1"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

        <jaas:application-policy name="zert">
          <jaas:authentication>
            <jaas:login-module code="org.jboss.security.auth.spi.XMLLoginModule" flag="required">
              <jaas:module-option name="userInfo">
                <ur:users
                  xsi:schemaLocation="urn:jboss:user-roles:1.0 resource:user-roles_1_0.xsd"
                  xmlns:ur="urn:jboss:user-roles:1.0">
                  <ur:user name="admin" password="test">
                    <ur:role name="administrator"></ur:role>
                    <ur:role name="producer"></ur:role>
                    <ur:role name="consumer"></ur:role>
                  </ur:user>
                </ur:users>
              </jaas:module-option>
              <jaas:module-option name="unauthenticatedIdentity">guest</jaas:module-option>
            </jaas:login-module>
          </jaas:authentication>
        </jaas:application-policy>        
      </jaas:policy>         
    </attribute>
    <depends optional-attribute-name="LoginConfigService">jboss.security:service=XMLLoginConfig</depends> 
    <depends optional-attribute-name="SecurityManagerService">jboss.security:service=JaasSecurityManager</depends>
  </mbean>
</server>



When the Test bean is accessed via the remote interface using the following test client, SessionContext.isCallerInRole(...) always returns false. To me this looks like a bug!

import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.login.LoginContext;

public class TestClient {
  public static void main(String[] argv) {
    try {
      // Client-side JAAS configuration; the "zert" login entry is read from auth.conf
      System.setProperty("java.security.auth.login.config", "auth.conf");

      // ConnectionHandler (not shown in the post) is the CallbackHandler that
      // hands the user name and password to the login module
      ConnectionHandler connectionHandler = new ConnectionHandler("admin", "test");
      LoginContext loginContext = new LoginContext("zert", connectionHandler);
      loginContext.login();

      System.out.println(runTest());

      loginContext.logout();
    } catch (Exception e) {
      e.printStackTrace();
    }
  }

  public static String runTest() throws Exception {
    // JNDI environment pointing at the JBoss naming service
    Hashtable<String, String> env = new Hashtable<String, String>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.NamingContextFactory");
    env.put(Context.PROVIDER_URL, "localhost");

    InitialContext context = new InitialContext(env);

    // Look up the remote interface of TestBean deployed in the zert application
    Test test = (Test)context.lookup("zert/TestBean/remote");

    return "Is administrator: " + test.checkRole();
  }

  ...
}


However, when I access the same bean from the following JSP, the method works correctly and returns true.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">

<%@page contentType="text/html; charset=UTF-8" %>
<%@page import="se.zert.test.*"%>

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <title>Test</title>
  </head>
  <body>
    <%=TestClient.runTest()%>
  </body>
</html>



Does anyone have a good answer to why the bean reacts differently when accessed from outside of JBoss than from inside of JBoss?

Thanks in advance!
/Krister
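An added diagnostic variant of the bean (example code written here, not Krister's): it exposes the principal the container actually sees and guards one method declaratively, so a caller identity that never reached the bean shows up as the unauthenticatedIdentity principal (guest in the policy above) and as an EJBAccessException, rather than as a silent false from isCallerInRole. Assumed: the names TestDiag and TestDiagBean, and the JBoss 5/6 annotation package org.jboss.ejb3.annotation.SecurityDomain.

```java
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;  // assumed JBoss 5/6 package

// Hypothetical interface, not part of the original post
@Remote
interface TestDiag {
  String whoAmI();      // open to all: reports the principal the container sees
  boolean checkRole();  // the programmatic check from the post, unchanged
  boolean adminOnly();  // declarative check: fails loudly instead of returning false
}

@Stateless
@Remote({TestDiag.class})
@SecurityDomain("zert")
@DeclareRoles({"administrator", "producer", "consumer"})
public class TestDiagBean implements TestDiag {
  @Resource
  private SessionContext context;

  @PermitAll
  public String whoAmI() {
    // If the remote client sees "guest" here while the JSP sees "admin",
    // the client-side login is not being propagated with the invocation.
    return context.getCallerPrincipal().getName();
  }

  @PermitAll
  public boolean checkRole() {
    // Per the EJB spec an unauthenticated caller simply yields false here,
    // which is safe (fail closed) but gives no hint about why.
    return context.isCallerInRole("administrator");
  }

  @RolesAllowed("administrator")
  public boolean adminOnly() {
    // Only reached once the container has established the role; any other
    // caller receives javax.ejb.EJBAccessException before this line runs.
    return true;
  }
}
```

Calling whoAmI() and adminOnly() from the same remote client as in the post separates an authentication problem (wrong principal) from an authorization problem (principal correct but roles not mapped).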
--------------------------------------------------------------