Hey, I figured if I can get something like this going it would work perfectly.

a. Create a security realm with a single user, which has a single GroupPrincipal of "Admin".
b. Configure the EJB to authenticate against this user/realm.
c. Disable the security realm from outside authentication. Meaning, ONLY applications can authenticate against it (i.e. no remote clients via OpenEJB).

Can anyone give me a basic overview of how this is possible? Even if some server modifications need to be made.

Quintin Beukes

On Mon, Oct 19, 2009 at 8:35 PM, Quintin Beukes <[email protected]> wrote:
> It has to run secured methods like managing the modules, roles, etc.
> It's all specified via Spring beans loaded when the application is
> deployed. The @Startup singleton in each module would be called,
> queries the module management to see if it has been installed, and if
> not starts setting up the module.
>
> It's very important for some of the methods it accesses to be secure. I
> temporarily deactivated the security, but will need to find a way to
> run as role "Admin".
>
> Can you please explain
> 1. Security configured in a GBean instead of EJB
> 2. Dummy security realm. I was thinking of this one as well. I was
> thinking of a simple properties realm. Is there something simpler? And
> if I do this, do I then use the CredentialStore for the run-as?
>
> Quintin Beukes
>
> On Mon, Oct 19, 2009 at 6:26 PM, David Jencks <[email protected]> wrote:
>> As far as I understand what you are trying to do, you can't do this.
>>
>> Does the postConstruct method need to call some other secured ejbs?
>> otherwise it seems as if you could just run it with no role...
>>
>> I can think of a number of possible ways to get around this but I'd like to
>> know more about your situation.... e.g. maybe setting up security in a gbean
>> rather than an ejb, or constructing another dummy security realm with a
>> principal that maps to role "Admin".
>>
>> thanks
>> david jencks
>>
>> On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:
>>> I failed to add that I can't specify credentials for this runas,
>>> because this is the bean that is supposed to initialize those
>>> credentials, so if it's the first time it loads, it will fail to log
>>> in, which means it will never work.
>>>
>>> I need some way to run-as "Admin" without having to specify
>>> credentials. It's not a security leak, as this bean ONLY has an
>>> @PostConstruct method, so no methods are exposed which can be
>>> exploited, so magic execution as "Admin" is acceptable.
>>>
>>> Quintin Beukes
>>>
>>> On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <[email protected]> wrote:
>>>> Hey,
>>>>
>>>> I have the following in my deploy plan:
>>>>
>>>> <sec:security>
>>>>   <sec:role-mappings>
>>>>     <sec:role role-name="Admin">
>>>>       <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="Admin"/>
>>>>     </sec:role>
>>>>   </sec:role-mappings>
>>>> </sec:security>
>>>>
>>>> When I add @RunAs("Admin") to a bean, I get the following:
>>>>
>>>> 2009-10-19 12:11:30,857 INFO [startup] Assembling app: /opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
>>>> 2009-10-19 12:11:30,891 INFO [startup] Jndi(name=SiteBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>>> 2009-10-19 12:11:30,891 INFO [startup] Jndi(name=SiteBeanRemote) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Jndi(name=InitializeDataBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Jndi(name=KMSPlatformEjbStartupBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Jndi(name=SpringContextBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Created Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean, ejb-name=KMSPlatformEjbStartupBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean, ejb-name=SpringContextBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Created Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean, ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
>>>> 2009-10-19 12:11:30,892 INFO [startup] Deployed Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
>>>> 2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
>>>> java.lang.IllegalStateException: no run-as identity configured for role: Admin
>>>>     at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
>>>>     at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
>>>>     at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>>>>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
>>>>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
>>>>     at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
>>>>     at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
>>>>     at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
>>>>     at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
>>>>     at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
>>>>     at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
>>>>     at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
>>>>     at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
>>>>     at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
>>>>     at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
>>>>     at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
>>>>     at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
>>>>     at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>     at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>>     at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>>     at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
>>>>     at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>     at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
>>>>     at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>>>>     at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>>>>     at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
>>>>     at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
>>>>     at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
>>>>     at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
>>>>     at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
>>>>     at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>     at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
>>>>     at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
>>>>     at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>     at java.lang.reflect.Method.invoke(Method.java:597)
>>>>     at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>>>>     at sun.rmi.transport.Transport$1.run(Transport.java:159)
>>>>     at java.security.AccessController.doPrivileged(Native Method)
>>>>     at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>>>>     at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>>>>     at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
>>>>     at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>>>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>>>>     at java.lang.Thread.run(Thread.java:619)
>>>> 2009-10-19 12:11:30,894 INFO [SessionFactoryImpl] closing
>>>>
>>>> Can someone please advise.
>>>>
>>>> Quintin Beukes
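An added example, not from anyone in this thread: the role mapping from the deployment plan quoted above, extended with the run-as subject that the lookup in ApplicationPrincipalRoleConfigurationManager.getSubjectForRole is failing to find. The sec:run-as-subject element and its realm/id attributes are my recollection of the Geronimo 2.x security-2.0 plan schema and should be checked against the server's geronimo-security xsd; the realm name kms-internal and the id startup are placeholders for a Geronimo security realm (the small properties realm discussed in the thread) and for an entry in the server's CredentialStore that logs in to it.

```xml
<!-- Example plan fragment (assumed schema, see lead-in); not the original plan. -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:role-mappings>
    <sec:role role-name="Admin">
      <!-- Which group principal maps to the logical role "Admin"
           (identical to the mapping already in the plan). -->
      <sec:principal
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
          name="Admin"/>

      <!-- Identity the container assumes for a bean annotated @RunAs("Admin").
           Without this element EjbDeployment fails at start-up with
           "no run-as identity configured for role: Admin".
           realm = a Geronimo security realm name (placeholder).
           id    = the CredentialStore entry holding the login for that realm
                   (placeholder); the credentials live in the server's
                   CredentialStore, not in the application's own user table,
                   so the bootstrap bean never has to supply them itself. -->
      <sec:run-as-subject realm="kms-internal" id="startup"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>
```

The realm named here should be one that only the server's CredentialStore can log in to (the "no remote clients" requirement in the top message), so that the run-as subject cannot be obtained from outside the container.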
