Uploaded image for project: 'EJB 3.0'
  1. EJB 3.0
  2. EJBTHREE-491

@RunAs + @Management/Service not working - @SecurityDomain ignored?

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: EJB 3.0 RC5 - PFD
    • Fix Version/s: EJB 3.0 RC6 - PFD
    • Component/s: EJB3 Extensions
    • Labels:
      None
    • Environment:

      JBoss AS 4.0.4RC1 vanilla

    • Workaround:
      Workaround Exists
    • Workaround Description:
      Hide

      Starting the service manually via JMX console

      Show
      Starting the service manually via JMX console

      Description

      I'm trying to run a @Service with a special role, so that it is able to access other beans, but @SecurityDomain seems to be ignored and thus the service is not started.

      E.g.:

      @Service
      @SecurityDomain("shared")
      @RunAs("staff")
      public class UpdateService
      implements UpdateServiceM
      {
      ...
      }

      @Local
      @Management
      public interface UpdateServiceM {
      ... // defines e.g. start() and stop(), but not create() and destroy()
      }

      @Stateless
      @SecurityDomain("shared")
      @RolesAllowed("staff")
      public class UpdateServiceSB implements UpdateServiceDaoL {
      ...
      }

      @Local
      public interface UpdateServiceDaoL extends UpdateServiceDao {
      ...
      }

      All SBs/IFs are part of the same foo.ear .

      Deployment Exception:

      2006-03-28 23:43:26,263 WARN [ScannerThread:org.jboss.system.ServiceController:424] - Problem starting service jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
      javax.ejb.EJBAccessException: Authentication failure
      at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:46)
      at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:71)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
      at org.jboss.ejb3.ENCPropagationInterceptor.invoke(ENCPropagationInterceptor.java:47)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
      at org.jboss.ejb3.asynchronous.AsynchronousInterceptor.invoke(AsynchronousInterceptor.java:106)
      at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:98)
      at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:174)
      at org.jboss.ejb3.service.ServiceContainer.localInvoke(ServiceContainer.java:142)
      at org.jboss.ejb3.service.ServiceMBeanDelegate.invoke(ServiceMBeanDelegate.java:166)
      at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
      at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:659)
      at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:991)
      at $Proxy0.start(Unknown Source)
      ...
      Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
      at org.jboss.security.Util.createPasswordHash(Util.java:407)
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.createPasswordHash(UsernamePasswordLoginModule.java:367)
      at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:195)
      ...
      2006-03-28 23:53:25,969 ERROR [main:org.jboss.deployment.scanner.URLDeploymentScanner:548] - Incomplete Deployment listing:

      — MBeans waiting for other MBeans —
      ObjectName: jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
      State: FAILED
      Reason: javax.ejb.EJBAccessException: Authentication failure

      — MBEANS THAT ARE THE ROOT CAUSE OF THE PROBLEM —
      ObjectName: jboss.j2ee:ear=foo.ear,jar=foo-ejb-0.0.9a.jar,name=UpdateService,service=EJB3,type=ManagementInterface
      State: FAILED
      Reason: javax.ejb.EJBAccessException: Authentication failure
      ...

      Actually I'm wondering, why the UsernamePasswordLoginModule appears in the stack trace, because @SecurityDomain("shared") is defined as:
      ...
      <application-policy name="@security.domain@">
      <authentication>
      <login-module
      code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
      flag="required">
      <module-option name="dsJndiName">java:/@security.ds@</module-option>
      <module-option name="principalsQuery"
      >SELECT passwd FROM users WHERE login=? AND (ISNULL(expire) OR (UNIX_TIMESTAMP() - (expire/1000) < 0))</module-option>
      <module-option name="rolesQuery"
      >SELECT r.name, 'Roles' FROM users u, roles r, user2role m WHERE u.login=? AND u.uid=m.users_uid AND m.roles_gid=r.gid</module-option>
      <module-option name="hashAlgorithm">MD5</module-option>
      <module-option name="hashEncoding">base64</module-option>
      </login-module>
      </authentication>
      </application-policy>
      ...

      So no UsernamePasswordLoginModule at all. Finally my guess is, that @SecurityDomain is completely ignored during deployment and that's why the start fails....

        Gliffy Diagrams

          Attachments

            Issue Links

              Activity

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  elkner Jens Elkner
                • Votes:
                  0 Vote for this issue
                  Watchers:
                  1 Start watching this issue

                  Dates

                  • Created:
                    Updated:
                    Resolved: