users@glassfish.java.net

Re: Cannot propagate username/password required by target when using run as identity

From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
Date: Sat, 14 Mar 2009 14:01:08 -0700 (PDT)

FIGURED IT OUT!

Thought I'd post in case anyone else hits it. My own stupid fault: for the bean being injected I had the following configuration (note the required=true for authentication)

      <ior-security-config>
        <as-context>
          <auth-method>username_password</auth-method>
          <realm>myrealm</realm>
          <required>true</required>
        </as-context>
        <sas-context>
          <caller-propagation>supported</caller-propagation>
        </sas-context>
      </ior-security-config>

I changed it to <required>false</required> for all the ejbs that are being referenced from non-secured web pages.

Can someone comment whether @RolesAllowed method level security will still work even though I have <required>false</required> for the bean? I have a bunch of @RolesAllowed on that ejb and need to know whether I should separate them out to a completely new ejb or not.
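
Whether @RolesAllowed still holds once as-context is relaxed to required=false is the open question above; EJB 3 method permissions are checked by the container on the caller identity at invocation time, separately from the CSIv2 transport requirements in ior-security-config, so secured and unsecured methods can share one bean. The following is an added example, not code from the thread: the IndexingRemote/IndexingBean names follow the JNDI reference quoted below, while the "admin" role, the method bodies and the IndexingClient caller are assumed.

```java
// IndexingRemote.java
import javax.ejb.Remote;

@Remote
public interface IndexingRemote {
    String search(String term); // reachable from unauthenticated pages
    int rebuildIndex();         // restricted to the "admin" role
}

// IndexingBean.java
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles({"admin"})
public class IndexingBean implements IndexingRemote {
    // With as-context required=false an unauthenticated web request reaches
    // the bean as the anonymous caller; @PermitAll lets it run this method.
    @PermitAll
    public String search(String term) {
        return "results for " + term; // constructed stand-in for the real lookup
    }

    // The container checks the propagated caller principal against "admin"
    // before the body runs; anonymous or unprivileged callers get
    // javax.ejb.EJBAccessException instead of a result.
    @RolesAllowed("admin")
    public int rebuildIndex() {
        return 0; // documents re-indexed (stub)
    }
}

// IndexingClient.java: web-tier caller (assumed JSF managed bean)
import javax.ejb.EJB;
import javax.ejb.EJBAccessException;

public class IndexingClient {
    @EJB private IndexingRemote indexing;

    public String adminRebuild() {
        try {
            return "re-indexed " + indexing.rebuildIndex();
        } catch (EJBAccessException e) {
            // method-level check fired although the transport settings
            // (required=false) let the call reach the bean
            return "not authorised";
        }
    }
}
```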


--- On Sun, 15/3/09, Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au> wrote:

> From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
> Subject: Re: Cannot propagate username/password required by target when using run as identity
> To: users_at_glassfish.dev.java.net
> Received: Sunday, 15 March, 2009, 6:27 AM
> A bit more information:
>
> I've narrowed the error down to piece of code in
> com.sun.enterprise.iiop.security.SecurityManagerSelector in
> the method propagateIdentity. It's checking to see if
> the target requires EstablishTrustInClient.value.
>
> My guess (not knowing the code) is that somehow I've
> set my ejb container up to require SSL authentication (or
> some other authentication) to access the container. The
> methods I'm using when I'm not logged in don't
> require any particular security, they're not doing
> anything fantastic. I just used the instance that's
> hosting the EJBs with the default settings after I created
> the new instance and assigned it to a node agent in
> glassfish. So it seems (fingers crossed) that this may just
> be a configuration problem with my EJB server instance. Can
> anyone suggest where I might look in the admin console to
> investigate the configuration that eventually ends up
> setting that the target requires
> EstablishTrustInClient.value (code snipped below)?
>
> Cheers
> Adam
>
> private SecurityContext propagateIdentity(boolean clientAuth,
>                                           ComponentInvocation ci)
>         throws InvalidIdentityTokenException,
>                InvalidMechanismException, SecurityMechanismException {
>
>     ......
>
>     if (isSet(asContext.target_requires, EstablishTrustInClient.value)) {
>         ctx = getUsernameAndPassword(ci);
>         if (ctx.authcls == null) { // run as mode cannot send password
>             String errmsg = localStrings.getLocalString(
>                 "securitymechansimselector.runas_cannot_propagate_username_password",
>                 "Cannot propagate username/password required by target when using run as identity");
>             _logger.log(Level.SEVERE, "iiop.runas_error", errmsg);
>             throw new SecurityMechanismException(errmsg);
>         }
>     }
>
>
> --- On Sat, 14/3/09, Adam Jenkins
> <adamjenkinstmpredirect_at_yahoo.com.au> wrote:
>
> > From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
> > Subject: Re: Cannot propagate username/password required by target
> > when using run as identity
> > To: users_at_glassfish.dev.java.net
> > Received: Saturday, 14 March, 2009, 4:47 PM
> > A bit more information:
> >
> > This is only when I'm accessing unsecured web resources (those
> > without a security constraint) when I'm not logged in.
> >
> > Once I log in, everything works. If I log out, again, I can't
> > access anything on the site. The resources I'm attempting to access
> > do not require authentication and are not accessing any EJB methods
> > that require authentication. But it seems that the EJB container is
> > still checking to see if there's a principal before it will inject
> > the remote reference (even though there are many methods on the
> > bean that have no @RolesAllowed declarations on them).
> >
> > This is the last thing holding up production of a system that's
> > been under development for the last year :) Any help would really
> > really be appreciated.
> >
> >
> >
> > --- On Sat, 14/3/09, Adam Jenkins
> > <adamjenkinstmpredirect_at_yahoo.com.au> wrote:
> >
> > > From: Adam Jenkins <adamjenkinstmpredirect_at_yahoo.com.au>
> > > Subject: Cannot propagate username/password required by target
> > > when using run as identity
> > > To: users_at_glassfish.dev.java.net
> > > Received: Saturday, 14 March, 2009, 12:48 PM
> > > Hi All,
> > >
> > > I'm moving a developed application to a production environment.
> > > To try something different, we have two server instances set up,
> > > one for the ejb part of the app, one for the webapp. We have a
> > > custom jaas realm configured which they both have access to.
> > >
> > > When we deploy locally with everything on the same server there
> > > are no problems, however when we deploy to production and try to
> > > access the website, we get the following error:
> > >
> > > com.sun.enterprise.iiop.security.SecurityMechanismException:
> > > Cannot propagate username/password required by target when using
> > > run as identity
> > >
> > > Interestingly enough, at this stage we're not actually logged into
> > > the application, and while the ejb that's being injected into the
> > > jsf managed bean does have some secure methods (declared with
> > > @RolesAllowed("...")) none of these are being accessed by the
> > > managed bean being declared. We do not use @RunAs anywhere in our
> > > application.
> > >
> > > My ejbs are declared in my sun-web.xml as:
> > >
> > > <ejb-ref>
> > >   <ejb-ref-name>IndexingRemote</ejb-ref-name>
> > >   <jndi-name>corbaname:iiop:localhost:33701#ejb/IndexingBean</jndi-name>
> > > </ejb-ref>
> > >
> > > Which is the correct port...interestingly, when both the web
> > > application and the ejb application are in the same server
> > > instance (even with the declarations using corbaname as above)
> > > everything works fine, but when I put them in separate instances
> > > I get the error above.
> > >
> > > Can anyone shed some light on this error? I can't find anything
> > > online other than a bunch of 'TBD' notes on the wiki.
> > >
> > > Also, is there any way to specify to use jrmp instead of iiop
> > > (are there any advantages to iiop rather than jrmp?)
> > >
> > > Thanks
> > > Adam
> > >
> > >
> > > Stay connected to the people that matter most with a smarter
> > > inbox. Take a look http://au.docs.yahoo.com/mail/smarterinbox
> > >
> > > ---------------------------------------------------------------------
> > > To unsubscribe, e-mail: users-unsubscribe_at_glassfish.dev.java.net
> > > For additional commands, e-mail: users-help_at_glassfish.dev.java.net