users@glassfish.java.net

Re: "Caller not authorized" calling a protected EJB method from a servlet

From: V B Kumar Jayanti <Vbkumar.Jayanti_at_Sun.COM>
Date: Fri, 13 Jul 2007 16:52:07 +0530

Hi ,

   Will you be able to try with GF V2 and let us know if it fails there
as well (https://glassfish.dev.java.net/downloads/v2-b55.html). Meantime
we will try to investigate more on this.

Thanks.

glassfish_at_javadesktop.org wrote:

>I'm getting the following stack trace while attempting to call a protected EJB method
>from a servlet that has been marked with 'run-as'. I've search both these and the SUN
>forums and have seem similar problems, but unfortunately, no resolutions.
>
>The high-level process looks like this:
>servlet (run-as 'registrant')
>--> [EJB] RegistrantAuthenticator.authenticate(..)
> Has no role restrictions
>--> [EJB] QuestionManager.getQuestionsForRegistrantWithAnswers(..)
> Has 'registrant_role' restriction
>
>After the stack trace, I've put together a quick overview of the relevant pieces of the
>application.
>
>--8<-- stack trace from server.log
>[#|2007-07-12T11:32:36.353+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = RegistrantAuthenticator (Action) = authenticateRegistrant,Remote,com.digitalsteps.jaas.AuthenticationData|#]
>...
>[#|2007-07-12T11:32:36.353+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: Access Control Decision Result: true EJBMethodPermission (Name) = RegistrantAuthenticator (Action) = authenticateRegistrant,Remote,com.digitalsteps.jaas.AuthenticationData (Caller) = null|#]
>
>[#|2007-07-12T11:32:45.288+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = QuestionManager (Action) = getQuestionsForRegistrantWithAnswers,Local,java.lang.String|#]
>
>[#|2007-07-12T11:32:45.308+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=getCachedProtectionDomain;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: new ProtectionDomain added to cache|#]
>
>[#|2007-07-12T11:32:45.318+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=getCachedProtectionDomain;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: returning cached ProtectionDomain - CodeSource: ((file:/LISA-JAS/LISA-JAS-ejb_jar <no signer certificates>)) PrincipalSet: registrant|#]
>
>[#|2007-07-12T11:32:45.358+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;|JACC Policy Provider: PolicyWrapper.implies, context(LISA-JAS/LISA-JAS-ejb_jar)- permission((javax.security.jacc.EJBMethodPermission QuestionManager getQuestionsForRegistrantWithAnswers,Local,java.lang.String)) domain that failed(ProtectionDomain (file:/LISA-JAS/LISA-JAS-ejb_jar <no signer certificates>)
> null
> (principals com.sun.enterprise.deployment.PrincipalImpl "registrant")
>
> java.security.Permissions_at_7dca91 (
> ...
> (javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
> (java.io.FilePermission <<ALL FILES>> read,write)
> (java.net.SocketPermission localhost:1024- listen,resolve)
> (java.net.SocketPermission * connect,resolve)
>)
>
>)|#]
>
>[#|2007-07-12T11:32:45.398+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: Access Control Decision Result: false EJBMethodPermission (Name) = QuestionManager (Action) = getQuestionsForRegistrantWithAnswers,Local,java.lang.String (Caller) = null|#]
>
>[#|2007-07-12T11:32:45.408+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.container.ejb|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;QuestionManager;|EJB5018: An exception was thrown during an ejb invocation on [QuestionManager]|#]
>
>[#|2007-07-12T11:32:45.408+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.container.ejb|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;|
>javax.ejb.AccessLocalException: Client not authorized for this invocation.
> at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:1143)
> at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:182)
> at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:118)
> at $Proxy148.getQuestionsForRegistrantWithAnswers(Unknown Source)
>...
>--8<--
>
>(A) EAR:
> sun-application.xml
> <sun-application>
> <security-role-mapping>
> <role-name>registrant_role</role-name>
> <group-name>registrant</group-name>
> </security-role-mapping>
> ...
> <realm>file</realm>
> </sun-application>
>
>(B) EJB:
> @Stateless
> public class QuestionManagerBean implements IQuestionManagerLocal, IQuestionManagerRemote
> {
> ...
> }
>
> @Local
> @RolesAllowed({"registrant_role", "registration_officer_role", "registration_manager_role"})
> public interface IQuestionManagerLocal
> {
> ...
> }
>
> @Remote
> @RolesAllowed({"registrant_role", "registration_officer_role", "registration_manager_role"})
> public interface IQuestionManagerRemote
> {
> ...
> }
>
>
>(C) WEB:
> public class ActivateAccount extends HttpServlet
> {
> ...
> }
>
> web.xml
> <web-app>
> <servlet>
> <servlet-name>ActivateAccount</servlet-name>
> <servlet-class>test.ActivateAccount</servlet-class>
> <run-as>
> <role-name>ejb_registrant_role</role-name>
> </run-as>
> </servlet>
> ...
> <security-role>
> <role-name>ejb_registrant_role</role-name>
> </security-role>
> </web-app>
>
> sun-web.xml
> <sun-web-app>
> <servlet>
> <servlet-name>ActivateAccount</servlet-name>
> <principal>registrant</principal>
> </servlet>
> ...
> </sun-web-app>
>
>(D) Server configuration
>- in Configuration > Security
> - default realm is 'file'
> - default principal is deliberately left blank
> - default role to group mapping is NOT active
>- in Configuration > Security > Realms > file
> - user 'registant' with group(s) 'registrant' is present
>
>(E) Generated granted.policy file:
>grant principal com.sun.enterprise.deployment.Group "registrant" {
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", ",Local";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", ",Remote";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestion,Local,com.digitalsteps.lisa.questionmanager.SecurityQuestion,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestion,Remote,com.digitalsteps.lisa.questionmanager.SecurityQuestion,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Local,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Local,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Remote,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Remote,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getAllSystemQuestions,Local,";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getAllSystemQuestions,Remote,";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Local,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Local,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Remote,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Remote,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Local,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Local,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Remote,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Remote,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "setQuestions,Local,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "setQuestions,Remote,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Local,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Local,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Remote,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Remote,java.util.List,long";
> ...
>};
>
>(F) Generated ejb-jar.xml:
><ejb-jar>
> ...
> <assembly-descriptor>
> <security-role>
> <role-name>registrant_role</role-name>
> </security-role>
> ...
> <method-permission>
> <role-name>registrant_role</role-name>
> <method>
> <ejb-name>QuestionManager</ejb-name>
> <method-intf>Local</method-intf>
> <method-name>*</method-name>
> </method>
> <method>
> <ejb-name>QuestionManager</ejb-name>
> <method-intf>Remote</method-intf>
> <method-name>*</method-name>
> </method>
> </method-permission>
> ...
></ejb-jar>
>
>Environment:
>JDK1.6.0_01
>SJSAS 9.0_01(b02_p01)
>Windows XP
>
>Any idea on how to diagnose this further or any observations / corrections are very
>welcome.
>
>Thanks,
>Marcus
>[Message sent by forum member 'redentis' (redentis)]
>
>http://forums.java.net/jive/thread.jspa?messageID=226525
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
>For additional commands, e-mail: users-help_at_glassfish.dev.java.net
>
>
>