geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")
Date Mon, 19 Oct 2009 16:26:29 GMT
As far as I understand what you are trying to do, you can't do this.

Does the postConstruct method need to call some other secured ejbs?
Otherwise it seems as if you could just run it with no role...

I can think of a number of possible ways to get around this but I'd  
like to know more about your situation.... e.g. maybe setting up  
security in a gbean rather than an ejb, or constructing another dummy  
security realm with a principal that maps to role "Admin".

thanks
david jencks

On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:

> I failed to add that I can't specify credentials for this runas,
> because this is the bean that is supposed to initialize those
> credentials, so if it's the first time it loads, it will fail to log
> in, which means it will never work.
>
> I need some way to run-as "Admin" without having to specify
> credentials. It's not a security leak, as this bean ONLY has an
> @PostConstruct method, so no methods are exposed which can be
> exploited, so magic execution as "Admin" is acceptable.
>
> Quintin Beukes
>
>
>
> On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes  
> <quintin@last.za.net> wrote:
>> Hey,
>>
>> I have the following in my deploy plan:
>>  <sec:security>
>>    <sec:role-mappings>
>>      <sec:role role-name="Admin">
>>        <sec:principal
>>          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>                  name="Admin"/>
>>      </sec:role>
>>    </sec:role-mappings>
>>  </sec:security>
>>
>> When I add @RunAs("Admin") to a bean, I get the following:
>> 2009-10-19 12:11:30,857 INFO  [startup] Assembling app: /opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanRemote) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=InitializeDataBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=KMSPlatformEjbStartupBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=SpringContextBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean, ejb-name=KMSPlatformEjbStartupBean, container=DefaultStatelessContainer)
>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean, ejb-name=SpringContextBean, container=DefaultStatelessContainer)
>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean, container=DefaultStatelessContainer)
>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean, ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
>> 2009-10-19 12:11:30,892 INFO  [startup] Deployed Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
>> 2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
>> java.lang.IllegalStateException: no run-as identity configured for role: Admin
>>        at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
>>        at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
>>        at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
>>        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>        at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
>>        at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
>>        at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
>>        at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
>>        at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
>>        at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
>>        at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
>>        at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>>        at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>>        at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
>>        at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
>>        at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
>>        at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
>>        at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
>>        at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>        at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>        at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>        at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
>>        at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>        at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>        at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>        at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
>>        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
>>        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
>>        at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
>>        at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
>>        at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
>>        at java.security.AccessController.doPrivileged(Native Method)
>>        at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
>>        at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
>>        at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:597)
>>        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>>        at sun.rmi.transport.Transport$1.run(Transport.java:159)
>>        at java.security.AccessController.doPrivileged(Native Method)
>>        at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>>        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>>        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
>>        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
>>        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>>        at java.lang.Thread.run(Thread.java:619)
>> 2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing
>>
>> Can someone please advise.
>>
>> Quintin Beukes
>>
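
A pre-deployment check for the failure in this thread, as an added example that is not part of the original messages or of Geronimo: it cross-checks `@RunAs` roles found in bean source against the roles in the plan's role mappings. It assumes that a role's run-as identity is declared with a `run-as-subject` child element in the Geronimo security plan (an element not shown in this thread); the namespace URI, the bean source and all function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the plan fragment quoted in the thread.
# The namespace URI is a placeholder; matching below ignores namespaces.
PLAN = """<sec:security xmlns:sec="urn:placeholder:geronimo-security">
  <sec:role-mappings>
    <sec:role role-name="Admin">
      <sec:principal
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
          name="Admin"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>"""

# Constructed sample bean source, modelled on the startup bean in the thread.
SOURCE = '''
@Stateless
@RunAs("Admin")
public class KMSPlatformEjbStartupBean {
    @PostConstruct
    void init() { }
}
'''

RUN_AS = re.compile(r'@RunAs\(\s*"([^"]+)"\s*\)')

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit('}', 1)[-1]

def roles_with_identity(plan_xml):
    """Map each role-name in the plan to True if it has a run-as-subject child
    (assumed element name, see lead-in)."""
    roles = {}
    for el in ET.fromstring(plan_xml).iter():
        if local(el.tag) == "role" and el.get("role-name"):
            has = any(local(c.tag) == "run-as-subject" for c in el)
            roles[el.get("role-name")] = has
    return roles

def missing_run_as(plan_xml, sources):
    """Return sorted @RunAs roles that have no run-as identity in the plan."""
    configured = roles_with_identity(plan_xml)
    wanted = {r for src in sources for r in RUN_AS.findall(src)}
    return sorted(r for r in wanted if not configured.get(r, False))

if __name__ == "__main__":
    for role in missing_run_as(PLAN, [SOURCE]):
        print("no run-as identity configured for role:", role)
```

A role that is mapped to principals but has no run-as identity is reported, which is the state of the plan quoted above.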

