geronimo-user mailing list archives

From David Jencks <david_jen...@yahoo.com>
Subject Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")
Date Wed, 21 Oct 2009 22:06:21 GMT

On Oct 21, 2009, at 12:31 PM, Quintin Beukes wrote:

> Hey,
>
> I figured if I can get something like this going it would work  
> perfectly.
>
> a. Create a security realm with a single user, which has a single
> GroupPrincipal of "Admin".
> b. Configure the EJB to authenticate against this user/realm.
> c. Disable the security realm from outside authentication. Meaning,
> ONLY applications can authenticate against it (ie. no remote clients
> via OpenEJB).
>
> Can anyone give me a basic overview of how this is possible, even if
> some server modifications need to be made?

(2.2 only)

IIRC openejb only uses security realms with the global flag set to  
true.  So I think you can set up a non-global security realm, refer to  
it from a credentials store instance, and get this to work.  You  
should check that I'm right about this.

thanks
david jencks
>
> Quintin Beukes
>
>
>
> On Mon, Oct 19, 2009 at 8:35 PM, Quintin Beukes  
> <quintin@skywalk.co.za> wrote:
>> It has to run secured methods like managing the modules, roles, etc.
>> It's all specified via Spring beans loaded when the application is
>> deployed. The @Startup singleton in each module would be called,
>> queries the module management to see if it has been installed, and if
>> not starts setting up the module.
>>
>> It's very important for some of the methods it accesses to be secure. I
>> temporarily deactivated the security, but will need to find a way to
>> run as role "Admin".
>>
>> Can you please explain
>> 1. Security configured in a GBean instead of EJB
>> 2. Dummy security realm. I was thinking of this one as well. I was
>> thinking of a simple properties realm. Is there something simpler? And
>> if I do this, do I then use the CredentialStore for the run-as?
>>
>> Quintin Beukes
>>
>>
>>
>> On Mon, Oct 19, 2009 at 6:26 PM, David Jencks  
>> <david_jencks@yahoo.com> wrote:
>>> As far as I understand what you are trying to do, you can't do this.
>>>
>>> Does the postConstruct method need to call some other secured ejbs?
>>>  otherwise it seems as if you could just run it with no role...
>>>
>>> I can think of a number of possible ways to get around this but I'd like to
>>> know more about your situation.... e.g. maybe setting up security in a gbean
>>> rather than an ejb, or constructing another dummy security realm with a
>>> principal that maps to role "Admin".
>>>
>>> thanks
>>> david jencks
>>>
>>> On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:
>>>
>>>> I failed to add that I can't specify credentials for this runas,
>>>> because this is the bean that is supposed to initialize those
>>>> credentials, so if it's the first time it loads, it will fail to log
>>>> in, which means it will never work.
>>>>
>>>> I need some way to run-as "Admin" without having to specify
>>>> credentials. It's not a security leak, as this bean ONLY has an
>>>> @PostConstruct method, so no methods are exposed which can be
>>>> exploited, so magic execution as "Admin" is acceptable.
>>>>
>>>> Quintin Beukes
>>>>
>>>>
>>>>
>>>> On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <quintin@last.za.net> wrote:
>>>>>
>>>>> Hey,
>>>>>
>>>>> I have the following in my deploy plan:
>>>>>  <sec:security>
>>>>>   <sec:role-mappings>
>>>>>     <sec:role role-name="Admin">
>>>>>       <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>>>>                      name="Admin"/>
>>>>>     </sec:role>
>>>>>   </sec:role-mappings>
>>>>>  </sec:security>
>>>>>
>>>>> When I add @RunAs("Admin") to a bean, I get the following:
>>>>> 2009-10-19 12:11:30,857 INFO  [startup] Assembling app: /opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
>>>>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>>>> 2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanRemote) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=InitializeDataBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=KMSPlatformEjbStartupBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=SpringContextBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean, ejb-name=KMSPlatformEjbStartupBean, container=DefaultStatelessContainer)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean, ejb-name=SpringContextBean, container=DefaultStatelessContainer)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean, container=DefaultStatelessContainer)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean, ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
>>>>> 2009-10-19 12:11:30,892 INFO  [startup] Deployed Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
>>>>> 2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
>>>>> java.lang.IllegalStateException: no run-as identity configured for role: Admin
>>>>>       at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
>>>>>       at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
>>>>>       at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
>>>>>       at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>>       at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>>>       at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>>>       at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>>>       at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
>>>>>       at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
>>>>>       at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
>>>>>       at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
>>>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>>>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>>>>>       at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
>>>>>       at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
>>>>>       at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
>>>>>       at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
>>>>>       at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
>>>>>       at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
>>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>       at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>>>       at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>>>       at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
>>>>>       at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
>>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>       at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>>>       at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>>>       at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>>>       at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
>>>>>       at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
>>>>>       at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
>>>>>       at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
>>>>>       at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
>>>>>       at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
>>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>>       at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
>>>>>       at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
>>>>>       at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
>>>>>       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>>>       at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>>>>>       at sun.rmi.transport.Transport$1.run(Transport.java:159)
>>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>>       at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>>>>>       at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>>>>>       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
>>>>>       at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
>>>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>>>>>       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>>>>>       at java.lang.Thread.run(Thread.java:619)
>>>>> 2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing
>>>>>
>>>>> Can someone please advise.
>>>>>
>>>>> Quintin Beukes
>>>>>
>>>
>>>
>>

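For readers landing on this thread: the failing plan above maps the role "Admin" to a group principal but never tells Geronimo which Subject to use when a bean is annotated @RunAs("Admin"), which is exactly what "no run-as identity configured for role: Admin" is complaining about. A run-as subject has to be named per role and resolved through a credential store. The fragment below is an added example, not code from this thread or from the Geronimo project; it wires up the three steps Quintin lists (a private realm holding one user in group "Admin", a credential store that logs that user in, and the run-as mapping) in a single openejb-jar.xml, following David's suggestion of a non-global realm. Every name in it is assumed for illustration: the realm "KMSBootstrapRealm", the credential store GBean "KMSBootstrapCredentialStore", the user "bootstrap", the password "change-me", and the two properties-file paths. The element and attribute names are those of the Geronimo 2.x security-2.0, loginconfig-2.0 and credentialstore-1.0 schemas and of the GenericSecurityRealm and SimpleCredentialStoreImpl GBeans as generated by the 2.1 admin console; check them against a console-generated plan for the exact 2.2 build in use, since GBean reference names did move between releases.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the thread. All names below are assumptions. -->
<openejb-jar xmlns="http://openejb.apache.org/xml/ns/openejb-jar-2.2"
             xmlns:sys="http://geronimo.apache.org/xml/ns/deployment-1.2"
             xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0"
             xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">

  <sys:environment>
    <sys:moduleId>
      <sys:groupId>net.kunye</sys:groupId>
      <sys:artifactId>KMSPlatform-ejb</sys:artifactId>
      <sys:version>1.0</sys:version>
      <sys:type>jar</sys:type>
    </sys:moduleId>
  </sys:environment>

  <!-- Step (c) of the thread: the realm that provides the run-as identity. -->
  <sec:security>
    <!-- Which credential store to look up run-as subjects in (GBean defined below). -->
    <sec:credential-store-ref>
      <sec:name>KMSBootstrapCredentialStore</sec:name>
    </sec:credential-store-ref>
    <sec:role-mappings>
      <sec:role role-name="Admin">
        <!-- This is what the original plan lacked: the Subject to use for @RunAs("Admin"). -->
        <sec:run-as-subject>
          <sec:realm>KMSBootstrapRealm</sec:realm>
          <sec:id>bootstrap</sec:id>
        </sec:run-as-subject>
        <!-- Unchanged from the original plan: who counts as Admin when calling in. -->
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="Admin"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>

  <!-- Step (a): a private properties-file realm with one user. global=false keeps it
       out of the set of realms OpenEJB offers to remote clients (per David's IIRC above;
       verify on your build). -->
  <sys:gbean name="KMSBootstrapRealm" class="org.apache.geronimo.security.realm.GenericSecurityRealm">
    <sys:attribute name="realmName">KMSBootstrapRealm</sys:attribute>
    <sys:attribute name="global">false</sys:attribute>
    <sys:reference name="ServerInfo"><sys:name>ServerInfo</sys:name></sys:reference>
    <sys:xml-reference name="LoginModuleConfiguration">
      <log:login-config>
        <log:login-module control-flag="REQUIRED" wrap-principals="false">
          <log:login-domain-name>KMSBootstrapRealm</log:login-domain-name>
          <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
          <!-- Assumed paths, relative to the Geronimo base directory. -->
          <log:option name="usersURI">var/security/kms-bootstrap-users.properties</log:option>
          <log:option name="groupsURI">var/security/kms-bootstrap-groups.properties</log:option>
        </log:login-module>
      </log:login-config>
    </sys:xml-reference>
  </sys:gbean>

  <!-- Step (b): the credential store that performs the login for the run-as subject
       at deploy time, so the application code never handles the credentials. -->
  <sys:gbean name="KMSBootstrapCredentialStore"
             class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
    <sys:xml-attribute name="credentialStore">
      <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
        <realm name="KMSBootstrapRealm">
          <subject>
            <id>bootstrap</id>
            <credential>
              <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
              <value>bootstrap</value>
            </credential>
            <credential>
              <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
              <value>change-me</value>
            </credential>
          </subject>
        </realm>
      </credential-store>
    </sys:xml-attribute>
    <sys:reference name="Realms"><sys:name>KMSBootstrapRealm</sys:name></sys:reference>
  </sys:gbean>

</openejb-jar>
```

The two assumed properties files carry one line each: `bootstrap=change-me` in the users file and `Admin=bootstrap` in the groups file, which is what makes the logged-in Subject carry a GeronimoGroupPrincipal named "Admin" and therefore satisfy the role mapping. Two practitioner caveats. First, the "not a security leak" argument in the thread rests on the @PostConstruct bean exposing no business methods; the credential store and the properties file, by contrast, now hold a password equivalent to the Admin role, so they deserve the same file permissions as the server's own keystore and should not be checked into the application's source tree alongside the plan. Second, the non-global flag is the only thing keeping this realm from being offered for remote authentication, and David explicitly asks for that to be checked, so the test is to attempt an OpenEJB remote login against the realm name from outside the server and confirm it is refused before relying on it.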
