geronimo-user mailing list archives

From Quintin Beukes <quin...@skywalk.co.za>
Subject Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")
Date Mon, 19 Oct 2009 18:35:42 GMT
It has to run secured methods like managing the modules, roles, etc.
It's all specified via Spring beans loaded when the application is
deployed. The @Startup singleton in each module is called, queries the
module management to see whether it has been installed, and if not
starts setting up the module.

It's very important for some of the methods it accesses to be secure. I
temporarily deactivated the security, but will need to find a way to
run as role "Admin".

Can you please explain:
1. Security configured in a GBean instead of an EJB.
2. Dummy security realm. I was thinking of this one as well. I was
thinking of a simple properties realm. Is there something simpler? And
if I do this, do I then use the CredentialStore for the run-as?

Quintin Beukes



On Mon, Oct 19, 2009 at 6:26 PM, David Jencks <david_jencks@yahoo.com> wrote:
> As far as I understand what you are trying to do, you can't do this.
>
> Does the postConstruct method need to call some other secured ejbs?
> Otherwise it seems as if you could just run it with no role...
>
> I can think of a number of possible ways to get around this but I'd like to
> know more about your situation.... e.g. maybe setting up security in a gbean
> rather than an ejb, or constructing another dummy security realm with a
> principal that maps to role "Admin".
>
> thanks
> david jencks
>
> On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:
>
>> I failed to add that I can't specify credentials for this runas,
>> because this is the bean that is supposed to initialize those
>> credentials, so if it's the first time it loads, it will fail to log
>> in, which means it will never work.
>>
>> I need some way to run-as "Admin" without having to specify
>> credentials. It's not a security leak, as this bean ONLY has an
>> @PostConstruct method, so no methods are exposed which can be
>> exploited, so magic execution as "Admin" is acceptable.
>>
>> Quintin Beukes
>>
>>
>>
>> On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <quintin@last.za.net>
>> wrote:
>>>
>>> Hey,
>>>
>>> I have the following in my deploy plan:
>>> <sec:security>
>>>   <sec:role-mappings>
>>>     <sec:role role-name="Admin">
>>>       <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>>                      name="Admin"/>
>>>     </sec:role>
>>>   </sec:role-mappings>
>>> </sec:security>
>>>
>>> When I add @RunAs("Admin") to a bean, I get the following:
>>> 2009-10-19 12:11:30,857 INFO  [startup] Assembling app: /opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
>>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanRemote) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=InitializeDataBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=KMSPlatformEjbStartupBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=SpringContextBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean, ejb-name=KMSPlatformEjbStartupBean, container=DefaultStatelessContainer)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean, ejb-name=SpringContextBean, container=DefaultStatelessContainer)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean, container=DefaultStatelessContainer)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean, ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
>>> 2009-10-19 12:11:30,892 INFO  [startup] Deployed Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
>>> 2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
>>> java.lang.IllegalStateException: no run-as identity configured for role: Admin
>>>       at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
>>>       at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
>>>       at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
>>>       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>       at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>       at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
>>>       at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
>>>       at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
>>>       at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
>>>       at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
>>>       at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
>>>       at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
>>>       at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
>>>       at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>       at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>       at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>       at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>       at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
>>>       at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>       at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>       at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>       at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>       at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
>>>       at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
>>>       at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
>>>       at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
>>>       at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
>>>       at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>       at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
>>>       at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
>>>       at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>>>       at sun.rmi.transport.Transport$1.run(Transport.java:159)
>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>       at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>>>       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>>>       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
>>>       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>>>       at java.lang.Thread.run(Thread.java:619)
>>> 2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing
>>>
>>> Can someone please advise.
>>>
>>> Quintin Beukes
>>>
>
>
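Editor's note, added to this archived thread (not part of either poster's mail): the exception in the trace, thrown from ApplicationPrincipalRoleConfigurationManager.getSubjectForRole, is raised at deployment time because the plan's role-mappings only say which principals are members of "Admin"; they do not name the Subject the container should run the bean as, which is what @RunAs("Admin") needs. The plan fragment below is an illustrative example of how a Geronimo 2.x deployment plan pairs a role with a run-as Subject taken from a credential store (the point raised as question 2 above). It assumes the security-2.0 plan schema's run-as-subject element and the SimpleCredentialStoreImpl GBean; the realm name geronimo-admin, the subject id system, the credential values, and the GBean name CredentialStore are placeholders to be replaced with your own, and the element names should be checked against the schema shipped with your server build.

```xml
<!-- Illustrative fragment for openejb-jar.xml / geronimo-application.xml (assumed schema, not the thread's plan) -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:role-mappings>
    <sec:role role-name="Admin">
      <!-- Run-as identity for @RunAs("Admin"): resolved at deploy time from the
           credential store below, so this realm/id pair must already be usable
           before the application's own startup bean has run. -->
      <sec:run-as-subject realm="geronimo-admin" id="system"/>
      <!-- Membership mapping from the original plan: who *is* in the role -->
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="Admin"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>

<!-- Credential store supplying the run-as Subject. The realm named here is a
     pre-existing server realm (for example a properties-file realm), which is
     the "dummy realm" idea from the reply above; it is not the realm the
     startup bean is about to populate. PLACEHOLDER values throughout. -->
<gbean name="CredentialStore"
       class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
  <xml-attribute name="credentialStore">
    <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
      <realm name="geronimo-admin">
        <subject>
          <id>system</id>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
            <value>system</value>
          </credential>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
            <value>PLACEHOLDER-PASSWORD</value>
          </credential>
        </subject>
      </realm>
    </credential-store>
  </xml-attribute>
</gbean>
```

Two practical points follow from this layout. The credential store is consulted when the EJB module starts, which is why the failure above happens during deployment rather than on first invocation, and why the identity it names cannot live in a realm that the @PostConstruct method itself is going to create. And because the credential store holds a real password in the plan file, that file is a secret: keep it out of source control and restrict its permissions, and review what the run-as identity can reach, since it applies to every call the bean makes during @PostConstruct, not only to the bean's own methods.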
