geronimo-user mailing list archives

From Quintin Beukes <quin...@skywalk.co.za>
Subject Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")
Date Wed, 21 Oct 2009 19:31:33 GMT
Hey,

I figured if I can get something like this going it would work perfectly.

a. Create a security realm with a single user, which has a single
GroupPrincipal of "Admin".
b. Configure the EJB to authenticate against this user/realm.
c. Disable the security realm from outside authentication. Meaning,
ONLY applications can authenticate against it (i.e. no remote clients
via OpenEJB).

Can anyone give me a basic overview of how this is possible, even if
some server modifications need to be made?

Quintin Beukes



On Mon, Oct 19, 2009 at 8:35 PM, Quintin Beukes <quintin@skywalk.co.za> wrote:
> It has to run secured methods like managing the modules, roles, etc.
> It's all specified via Spring beans loaded when the application is
> deployed. The @Startup singleton in each module would be called,
> queries the module management to see if it has been installed, and if
> not starts setting up the module.
>
> It's very important for some of the methods it accesses to be secure. I
> temporarily deactivated the security, but will need to find a way to
> run as role "Admin".
>
> Can you please explain
> 1. Security configured in a GBean instead of EJB
> 2. Dummy security realm. I was thinking of this one as well. I was
> thinking of a simple properties realm. Is there something simpler? And
> if I do this, do I then use the CredentialStore for the run-as?
>
> Quintin Beukes
>
>
>
> On Mon, Oct 19, 2009 at 6:26 PM, David Jencks <david_jencks@yahoo.com> wrote:
>> As far as I understand what you are trying to do, you can't do this.
>>
>> Does the postConstruct method need to call some other secured ejbs?
>> otherwise it seems as if you could just run it with no role...
>>
>> I can think of a number of possible ways to get around this but I'd like to
>> know more about your situation.... e.g. maybe setting up security in a gbean
>> rather than an ejb, or constructing another dummy security realm with a
>> principal that maps to role "Admin".
>>
>> thanks
>> david jencks
>>
>> On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:
>>
>>> I failed to add that I can't specify credentials for this runas,
>>> because this is the bean that is supposed to initialize those
>>> credentials, so if it's the first time it loads, it will fail to log
>>> in, which means it will never work.
>>>
>>> I need some way to run-as "Admin" without having to specify
>>> credentials. It's not a security leak, as this bean ONLY has an
>>> @PostConstruct method, so no methods are exposed which can be
>>> exploited, so magic execution as "Admin" is acceptable.
>>>
>>> Quintin Beukes
>>>
>>>
>>>
>>> On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <quintin@last.za.net> wrote:
>>>>
>>>> Hey,
>>>>
>>>> I have the following in my deploy plan:
>>>>  <sec:security>
>>>>   <sec:role-mappings>
>>>>     <sec:role role-name="Admin">
>>>>       <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>>>                      name="Admin"/>
>>>>     </sec:role>
>>>>   </sec:role-mappings>
>>>>  </sec:security>
>>>>
>>>> When I add @RunAs("Admin") to a bean, I get the following:
>>>> 2009-10-19 12:11:30,857 INFO  [startup] Assembling app: /opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
>>>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanRemote) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=InitializeDataBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=KMSPlatformEjbStartupBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=SpringContextBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean, ejb-name=KMSPlatformEjbStartupBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean, ejb-name=SpringContextBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean, ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO  [startup] Deployed Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
>>>> 2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
>>>> java.lang.IllegalStateException: no run-as identity configured for role: Admin
>>>>       at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
>>>>       at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
>>>>       at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
>>>>       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>>       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>>       at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>>       at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
>>>>       at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
>>>>       at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
>>>>       at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
>>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
>>>>       at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
>>>>       at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
>>>>       at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
>>>>       at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
>>>>       at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>>       at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>>       at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>>       at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
>>>>       at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>>       at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>>       at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>>       at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
>>>>       at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
>>>>       at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
>>>>       at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
>>>>       at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
>>>>       at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>       at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
>>>>       at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
>>>>       at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>>       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>>>>       at sun.rmi.transport.Transport$1.run(Transport.java:159)
>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>       at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>>>>       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>>>>       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
>>>>       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
>>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>>>>       at java.lang.Thread.run(Thread.java:619)
>>>> 2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing
>>>>
>>>> Can someone please advise.
>>>>
>>>> Quintin Beukes
>>>>
>>
>>
>
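Added example, not from this thread and not code from the Geronimo project: a deployment-plan fragment for the approach sketched in the top message (a realm with one "Admin" user that the container logs in on the application's behalf), written the way Geronimo 2.x plans declare a run-as subject for a role. The realm name kms-admin-realm, the credential-store entry id admin, and the assumption that a credential store holding that entry is already configured are all mine; the element names follow the security-2.0 plan schema as I know it and should be checked against the schema shipped with the server, since nothing in this thread confirms them. The difference from the plan quoted above is the run-as-subject element, which is what "no run-as identity configured for role: Admin" is complaining about.

```xml
<!-- Added example (not from the thread). Assumes a security realm named
     kms-admin-realm and a credential store entry with id "admin" in that
     realm whose login yields a GeronimoGroupPrincipal named "Admin". -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:role-mappings>
    <sec:role role-name="Admin">
      <!-- The subject the container switches to when a bean declares
           @RunAs("Admin"). It is looked up in the credential store by
           realm and id, so the bean itself never supplies a password. -->
      <sec:run-as-subject>
        <sec:realm>kms-admin-realm</sec:realm>
        <sec:id>admin</sec:id>
      </sec:run-as-subject>
      <!-- Same principal-to-role mapping as in the original plan; it is
           what lets the run-as subject pass @RolesAllowed("Admin") checks
           on the beans the startup bean calls. -->
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="Admin"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>
```

The credential store entry is a real credential for the realm, so step (c) in the message above is what keeps this from becoming a back door: the realm behind the run-as subject should accept nothing but that stored credential and should not be the realm that remote OpenEJB or web clients authenticate against.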
