As far as I understand what you are trying to do, you can't do this.

Does the postConstruct method need to call some other secured ejbs? Otherwise it seems as if you could just run it with no role...

I can think of a number of possible ways to get around this but I'd like to know more about your situation.... e.g. maybe setting up security in a gbean rather than an ejb, or constructing another dummy security realm with a principal that maps to role "Admin".

thanks
david jencks

On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:

I failed to add that I can't specify credentials for this runas,
because this is the bean that is supposed to initialize those
credentials, so if it's the first time it loads, it will fail to log
in, which means it will never work.

I need some way to run-as "Admin" without having to specify
credentials. It's not a security leak, as this bean ONLY has an
@PostConstruct method, so no methods are exposed which can be
exploited, so magic execution as "Admin" is acceptable.

Quintin Beukes



On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <[email protected]> wrote:
Hey,

I have the following in my deploy plan:
 <sec:security>
   <sec:role-mappings>
     <sec:role role-name="Admin">
       <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                      name="Admin"/>
     </sec:role>
   </sec:role-mappings>
 </sec:security>

When I add @RunAs("Admin") to a bean, I get the following:
2009-10-19 12:11:30,857 INFO  [startup] Assembling app: /opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanRemote) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=InitializeDataBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=KMSPlatformEjbStartupBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=SpringContextBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean, ejb-name=KMSPlatformEjbStartupBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean, ejb-name=SpringContextBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean, ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Deployed Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
java.lang.IllegalStateException: no run-as identity configured for role: Admin
        at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
        at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
        at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
        at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
        at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
        at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
        at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
        at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
        at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
        at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
        at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
        at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
        at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
        at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
        at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
        at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
        at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
        at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
        at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
        at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
        at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
        at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
        at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
        at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
        at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
        at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
        at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
        at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
        at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
        at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
        at sun.rmi.transport.Transport$1.run(Transport.java:159)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
        at java.lang.Thread.run(Thread.java:619)
2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing

Can someone please advise.

Quintin Beukes
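Editor's note on the exception quoted above. The failure is raised in ApplicationPrincipalRoleConfigurationManager.getSubjectForRole while EjbDeployment is being constructed, i.e. at deployment time, not at first invocation. The deploy plan maps the Admin role to a principal (which decides who is *allowed in* as Admin) but never names a subject for the container to *run as* when @RunAs("Admin") is in effect; those are two different mappings in Geronimo, and the second one is what is missing. In Geronimo 2.x deploy plans the run-as subject is given with a run-as-subject element inside the role, pointing at a realm and id that must already exist in the server's credential store when the module starts. The fragment below is an added example written for this note, not the poster's plan or anything from the thread; the realm name geronimo-admin and the id system are assumptions, chosen only to show the shape of the element.

```xml
<!-- Added example for this note, not from the original thread.
     geronimo-security-2.0 deploy-plan fragment: the sec:principal line is the
     caller-side mapping (who qualifies as Admin); sec:run-as-subject is the
     container-side mapping (which stored subject a @RunAs("Admin") bean runs as).
     The realm/id values below are assumptions; they must name an entry that is
     present in the server's credential store before this module is deployed,
     because the lookup happens in EjbDeployment.<init> (see the stack trace). -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:role-mappings>
    <sec:role role-name="Admin">
      <!-- subject the container assumes for outbound calls from any
           method or lifecycle callback of a bean annotated @RunAs("Admin") -->
      <sec:run-as-subject>
        <sec:realm>geronimo-admin</sec:realm>   <!-- assumed realm name -->
        <sec:id>system</sec:id>                 <!-- assumed credential-store id -->
      </sec:run-as-subject>
      <!-- unchanged from the poster's plan: callers holding this group principal are Admin -->
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="Admin"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>
```

Two practical caveats that follow from the thread. First, this does not escape the circularity the poster describes: the credential-store entry has to exist before the module deploys, so a bean whose job is to create those credentials cannot be the thing that depends on them; a subject that lives in a separate, pre-existing realm (the "dummy security realm" suggested in the reply) is the usual way out. Second, the run-as identity is not scoped to @PostConstruct. It applies to every business method of the bean, and the startup log shows this bean does expose a local business interface (Jndi(name=KMSPlatformEjbStartupBeanLocal)), so any caller that can reach that interface inside the server gets its downstream calls made as Admin. If the interface really carries no methods, that is harmless; if methods are ever added, the run-as grant silently widens with them, which is worth a comment next to the annotation.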

