Uploaded image for project: 'EJB 3.0'
  1. EJB 3.0
  2. EJBTHREE-491

@RunAs + @Management/Service not working - @SecurityDomain ignored?

    XMLWordPrintable

Details

    • Workaround Exists
    • Hide

      Starting the service manually via JMX console

      Show
      Starting the service manually via JMX console

    Description

      I'm trying to run a @Service with a special role, so that it is able to access other beans, but @SecurityDomain seems to be ignored and thus the service is not started.

      E.g.:

      @Service
      @SecurityDomain("shared")
      @RunAs("staff")
      public class UpdateService
      implements UpdateServiceM
      {
      ...
      }

      @Local
      @Management
      public interface UpdateServiceM {
      ... // defines e.g. start() and stop(), but not create() and destroy()
      }

      @Stateless
      @SecurityDomain("shared")
      @RolesAllowed("staff")
      public class UpdateServiceSB implements UpdateServiceDaoL {
      ...
      }

      @Local
      public interface UpdateServiceDaoL extends UpdateServiceDao {
      ...
      }

      All SBs/IFs are part of the same foo.ear .

      Deployment Exception:

      2006-03-28 23:43:26,263 WARN [ScannerThread:org.jboss.system.ServiceController:424] - Problem starting service jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
      javax.ejb.EJBAccessException: Authentication failure
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:46)
      at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:71)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
      at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
      at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:174)
      at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:142)
      at org.jboss.ejb3.service.ServiceMBeanDelegate.invoke(ServiceMBeanDelegate.java:166)
      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:991)
      at $Proxy0.start(Unknown Source)
      ...
      Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
      at org.jboss.security.Util.createPasswordHash(Util.java:407)
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:367)
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:195)
      ...
      2006-03-28 23:53:25,969 ERROR [main:org.jboss.deployment.scanner.URLDeploymentScanner:548] - Incomplete Deployment listing:

      — MBeans waiting for other MBeans —
      ObjectName: jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
      State: FAILED
      Reason: javax.ejb.EJBAccessException: Authentication failure

      — MBEANS THAT ARE THE ROOT CAUSE OF THE PROBLEM —
      ObjectName: jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
      State: FAILED
      Reason: javax.ejb.EJBAccessException: Authentication failure
      ...

      Actually I'm wondering, why the UsernamePasswordLoginModule appears in the stack trace, because @SecurityDomain("shared") is defined as:
      ...
      <application-policy name="@security.domain@">
      <authentication>
      <login-module
      code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag="required">
      <module-option name="dsJndiName">java:/@security.ds@</module-option>
      <module-option name="principalsQuery"
      >SELECT passwd FROM users WHERE login=? AND (ISNULL(expire) OR (UNIX_TIMESTAMP() - (expire/1000) < 0))</module-option>
      <module-option name="rolesQuery"
      >SELECT r.name, 'Roles' FROM users u, roles r, user2role m WHERE u.login=? AND u.uid=m.users_uid AND m.roles_gid=r.gid</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      </login-module>
      </authentication>
      </application-policy>
      ...

      So no UsernamePasswordLoginModule at all. Finally my guess is, that @SecurityDomain is completely ignored during deployment and that's why the start fails....

      Attachments

        Issue Links

          relates to

          Bug - A problem that impairs or prevents the functions of the product. EJBTHREE-1738 Security, transaction contexts broken in start() method of @Service beans

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              elkner Jens Elkner (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: