Hi,

First off, I have tried my best to look through the sticky topics and many 
other posts on the net, and cannot figure out how to make this work.  Sorry if 
this is a basic question.

I've set up a Struts application using JBoss 4.0.3SP1, and I've set up 
form-based authentication posting to j_security_check.  I'm seeing the 
following sequence:

1) Attempt to access a secured resource
2) Receive the login page
3) Submit the login page
4) User is authenticated successfully using the DatabaseLoginModule
5) SessionBean1 is successfully looked up and a method is executed
6) SessionBean1 attempts to look up SessionBean2
7) Receive exception: 'java.lang.IllegalStateException: No valid security 
context for the caller identity'

My understanding was that the default behavior was that subsequent EJB calls 
would run under the calling user's identity, but that doesn't appear to be 
happening.  Am I doing something wrong?

Thank you very much for your help, and let me know if I can provide any more 
information.

Thanks,
Matt

Section of login-config.xml
    <application-policy name="mwo">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                          flag="required">
                <module-option name="managedConnectionFactoryName">
                    jboss.jca:service=LocalTxCM,name=MySQLDS
                </module-option>
                <module-option name="dsJndiName">
                    java:/MySQLDS
                </module-option>
                <module-option name="principalsQuery">
                    Select Password from Principals where ID =?
                </module-option>
                <module-option name="rolesQuery">
                    Select R.Role 'Roles', R.RoleGroup 'RoleGroups'
                    from Roles R, LINK_PRINCIPAL_ROLE L
                    where L.PRINCIPAL_ID =?
                </module-option>
            </login-module>
            <login-module code="org.jboss.security.ClientLoginModule" flag="required"
                          restore-login-identity="true"/>
        </authentication>
    </application-policy>

Snippet from ejb-jar.xml
    <method-permission>
        <role-name>Administrator</role-name>
        <method>
            <ejb-name>SessionBean1</ejb-name>
            <method-name>*</method-name>
        </method>
        <method>
            <ejb-name>SessionBean2</ejb-name>
            <method-name>*</method-name>
        </method>
    </method-permission>

My EJB-JBoss configuration and my Web.xml are both using the same 
<security-domain>, and I have no unauthenticated-principal set.


Here is the trace:

2005-11-20 00:46:17,140 TRACE 
[org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, 
callerGenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:17,140 TRACE [org.jboss.security.SecurityAssociation] 
pushRunAsIdentity, runAs=null
2005-11-20 00:46:17,140 TRACE 
[org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal 
info from cache
2005-11-20 00:46:17,140 TRACE [org.jboss.security.SecurityAssociation] 
pushSubjectContext, subject=Subject:
        Principal: admin
        Principal: Roles(members:Guest,Administrator)
, [EMAIL PROTECTED],subject=18489944}
2005-11-20 00:46:17,140 TRACE [org.jboss.web.tomcat.security.RunAsListener] 
jsp, runAs: null
2005-11-20 00:46:17,140 TRACE [org.jboss.web.tomcat.security.RunAsListener] 
jsp, runAs: null
2005-11-20 00:46:17,156 TRACE [org.jboss.web.tomcat.security.RunAsListener] 
jsp, runAs: null
2005-11-20 00:46:17,156 TRACE [org.jboss.web.tomcat.security.RunAsListener] 
jsp, runAs: null
2005-11-20 00:46:17,156 TRACE [org.jboss.security.SecurityAssociation] 
popRunAsIdentity, runAs=null
2005-11-20 00:46:17,156 TRACE 
[org.jboss.web.tomcat.security.SecurityAssociationValve] End invoke, 
callerGenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:17,156 TRACE [org.jboss.security.SecurityAssociation] clear, 
server=true
2005-11-20 00:46:18,375 DEBUG [org.apache.catalina.connector.CoyoteAdapter]  
Requested cookie session id is 2E6F48CFB8D7C4D4A6B829B9E87D4256
2005-11-20 00:46:18,375 DEBUG 
[org.apache.catalina.authenticator.AuthenticatorBase] Security checking request 
GET /mwo/actions/secure/ListAccounts.do
2005-11-20 00:46:18,375 DEBUG 
[org.apache.catalina.authenticator.AuthenticatorBase] We have cached auth type 
FORM for principal GenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:18,375 DEBUG [org.apache.catalina.realm.RealmBase]   Checking 
constraint 'SecurityConstraint[action]' against GET 
/actions/secure/ListAccounts.do --> true
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.realm.RealmBase]   Checking 
constraint 'SecurityConstraint[action]' against GET 
/actions/secure/ListAccounts.do --> true
2005-11-20 00:46:18,390 DEBUG 
[org.apache.catalina.authenticator.AuthenticatorBase]  Calling 
hasUserDataPermission()
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.realm.RealmBase]   User data 
constraint has no restrictions
2005-11-20 00:46:18,390 DEBUG 
[org.apache.catalina.authenticator.AuthenticatorBase]  Calling authenticate()
2005-11-20 00:46:18,390 DEBUG 
[org.apache.catalina.authenticator.FormAuthenticator] Already authenticated 
'admin'
2005-11-20 00:46:18,390 DEBUG 
[org.apache.catalina.authenticator.AuthenticatorBase]  Calling accessControl()
2005-11-20 00:46:18,390 DEBUG 
[org.apache.catalina.authenticator.AuthenticatorBase]  Successfully passed all 
security constraints
2005-11-20 00:46:18,390 TRACE 
[org.jboss.web.tomcat.security.SecurityAssociationValve] Begin invoke, 
callerGenericPrincipal[admin(Administrator,Guest,)]
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] 
pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,390 TRACE 
[org.jboss.web.tomcat.security.SecurityAssociationValve] Restoring principal 
info from cache
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] 
pushSubjectContext, subject=Subject:
        Principal: admin
        Principal: Roles(members:Guest,Administrator)
, [EMAIL PROTECTED],subject=18489944}
2005-11-20 00:46:18,390 DEBUG [org.apache.catalina.core.StandardWrapper]   
Returning non-STM instance
2005-11-20 00:46:18,390 TRACE [org.jboss.web.tomcat.security.RunAsListener] 
action, runAs: null
2005-11-20 00:46:18,390 TRACE [org.jboss.web.tomcat.security.RunAsListener] 
action, runAs: null
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] 
getPrincipal, principal=admin
2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] Begin isValid, 
principal:admin, cache info: [EMAIL PROTECTED](20435221)[EMAIL 
PROTECTED](admin)[EMAIL PROTECTED](Roles(members:Guest,Administrator)),[EMAIL 
PROTECTED],expirationTime=1132470898390]
2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] Begin validateCache, 
[EMAIL PROTECTED](20435221)[EMAIL PROTECTED](admin)[EMAIL 
PROTECTED](Roles(members:Guest,Administrator)),[EMAIL 
PROTECTED],expirationTime=1132470898390];[EMAIL PROTECTED]
2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] End validateCache, 
isValid=true
2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] End isValid, true
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] 
pushSubjectContext, subject=Subject:
        Principal: admin
        Principal: Roles(members:Guest,Administrator)
, [EMAIL PROTECTED],subject=4767079}
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] 
getSubject, [EMAIL PROTECTED],subject=4767079}
2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] doesUserHaveRole(Set), 
subject: Subject:
        Principal: admin
        Principal: Roles(members:Guest,Administrator)

2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] 
roles=Roles(members:Guest,Administrator)
2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole(Administrator)=true
2005-11-20 00:46:18,390 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole=true
2005-11-20 00:46:18,390 TRACE [org.jboss.security.SecurityAssociation] 
pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,390 DEBUG [com.myejb.Session1Bean] getSession2
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] 
getPrincipal, principal=admin
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] Begin isValid, 
principal:admin, cache info: [EMAIL PROTECTED](20435221)[EMAIL 
PROTECTED](admin)[EMAIL PROTECTED](Roles(members:Guest,Administrator)),[EMAIL 
PROTECTED],expirationTime=1132470898390]
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] Begin validateCache, 
[EMAIL PROTECTED](20435221)[EMAIL PROTECTED](admin)[EMAIL 
PROTECTED](Roles(members:Guest,Administrator)),[EMAIL 
PROTECTED],expirationTime=1132470898390];[EMAIL PROTECTED]
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] End validateCache, 
isValid=true
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] End isValid, true
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] 
pushSubjectContext, subject=Subject:
        Principal: admin
        Principal: Roles(members:Guest,Administrator)
, [EMAIL PROTECTED],subject=15632500}
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] 
getSubject, [EMAIL PROTECTED],subject=15632500}
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] doesUserHaveRole(Set), 
subject: Subject:
        Principal: admin
        Principal: Roles(members:Guest,Administrator)

2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] 
roles=Roles(members:Guest,Administrator)
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole(Administrator)=true
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] hasRole=true
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] 
pushRunAsIdentity, runAs=null
2005-11-20 00:46:18,484 DEBUG [com.myejb.jboss.Session2SecurityProxy] Entered 
setEJBContext(EJBContext)
2005-11-20 00:46:18,484 TRACE 
[org.jboss.security.plugins.JaasSecurityManager.mwo] getPrincipal, cache info: 
null
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation] 
popRunAsIdentity, runAs=null
2005-11-20 00:46:18,500 TRACE [org.jboss.security.SecurityAssociation] 
popSubjectContext, [EMAIL PROTECTED],subject=15632500}
2005-11-20 00:46:18,500 ERROR [org.jboss.ejb.plugins.LogInterceptor] 
TransactionRolledbackException in method: public abstract 
com.myejb.Session2Remote com.myejb.Session2Home.create() throws 
javax.ejb.CreateException,java.rmi.RemoteException, causedBy:
java.lang.IllegalStateException: No valid security context for the caller 
identity
        at 
org.jboss.ejb.EnterpriseContext$EJBContextImpl.getCallerPrincipalInternal(EnterpriseContext.java:370)

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3908051#3908051
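
Added example, not part of the original post: a small triage script for a wrapped JBoss security trace like the one above. It re-joins the wrapped records and reports, for each `getPrincipal, cache info: null` lookup or ERROR record, how many subject contexts were pushed at that moment and which logger wrote the preceding record. The sample input is constructed from the post's trace; the function names are this example's own.

```python
import re

# Constructed sample, modeled on the trace above and wrapped the same way.
SAMPLE = """\
2005-11-20 00:46:18,484 TRACE [org.jboss.security.SecurityAssociation]
pushSubjectContext, subject=Subject:
2005-11-20 00:46:18,484 DEBUG [com.myejb.jboss.Session2SecurityProxy] Entered
setEJBContext(EJBContext)
2005-11-20 00:46:18,484 TRACE
[org.jboss.security.plugins.JaasSecurityManager.mwo] getPrincipal, cache info:
null
2005-11-20 00:46:18,500 ERROR [org.jboss.ejb.plugins.LogInterceptor]
TransactionRolledbackException, causedBy:
java.lang.IllegalStateException: No valid security context for the caller identity
"""

STAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s*(.*)$")
RECORD = re.compile(r"^\[([^\]]+)\]\s*(.*)$")

def records(text):
    """Re-join wrapped lines into (timestamp, level, logger, message) tuples."""
    raw = []
    for line in text.splitlines():
        m = STAMP.match(line)
        if m:                      # a timestamp starts a new record
            raw.append([m.group(1), m.group(2), m.group(3)])
        elif raw:                  # anything else continues the previous one
            raw[-1][2] += " " + line
    out = []
    for ts, level, rest in raw:
        m = RECORD.match(" ".join(rest.split()))
        if m:
            out.append((ts, level, m.group(1), m.group(2)))
    return out

def find_context_loss(text):
    """Flag null principal lookups and ERRORs with subject-stack depth and prior logger."""
    depth, prev, findings = 0, None, []
    for ts, level, logger, msg in records(text):
        if logger.endswith(".SecurityAssociation"):
            if msg.startswith("pushSubjectContext"):
                depth += 1
            elif msg.startswith(("popSubjectContext", "clear")):
                depth = 0 if msg.startswith("clear") else max(0, depth - 1)
        if msg.startswith("getPrincipal, cache info: null"):
            findings.append((ts, "null-principal", depth, prev))
        elif level == "ERROR":
            findings.append((ts, "error", depth, prev))
        prev = logger
    return findings
```

On the sample, the null lookup is reported with one subject context still pushed and the security proxy's `setEJBContext` as the preceding record, which is the same ordering the post's trace shows just before the exception.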
