On Oct 21, 2009, at 12:31 PM, Quintin Beukes wrote:

Hey,

I figured if I can get something like this going it would work perfectly.

a. Create a security realm with a single user, which has a single
GroupPrincipal of "Admin".
b. Configure the EJB to authenticate against this user/realm.
c. Disable the security realm from outside authentication. Meaning,
ONLY applications can authenticate against it (ie. no remote clients
via OpenEJB).

Can anyone give me a basic overview of how this is possible? Even if
some server modifications need to be made.

(2.2 only)

IIRC openejb only uses security realms with the global flag set to true. So I think you can set up a non-global security realm, refer to it from a credentials store instance, and get this to work. You should check that I'm right about this.

thanks
david jencks

Quintin Beukes



On Mon, Oct 19, 2009 at 8:35 PM, Quintin Beukes <[email protected]> wrote:
It has to run secured methods like managing the modules, roles, etc.
It's all specified via Spring beans loaded when the application is
deployed. The @Startup singleton in each module would be called,
queries the module management to see if it has been installed, and if
not starts setting up the module.

It's very important for some of the methods it accesses to be secure. I
temporarily deactivated the security, but will need to find a way to
run as role "Admin".

Can you please explain
1. Security configured in a GBean instead of EJB
2. Dummy security realm. I was thinking of this one as well. I was
thinking of a simple properties realm. Is there something simpler? And
if I do this, do I then use the CredentialStore for the run-as?

Quintin Beukes



On Mon, Oct 19, 2009 at 6:26 PM, David Jencks <[email protected]> wrote:
As far as I understand what you are trying to do, you can't do this.

Does the postConstruct method need to call some other secured ejbs?
Otherwise it seems as if you could just run it with no role...

I can think of a number of possible ways to get around this but I'd like to know more about your situation.... e.g. maybe setting up security in a gbean rather than an ejb, or constructing another dummy security realm with a
principal that maps to role "Admin".

thanks
david jencks

On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:

I failed to add that I can't specify credentials for this runas,
because this is the bean that is supposed to initialize those
credentials, so if it's the first time it loads, it will fail to log
in, which means it will never work.

I need some way to run-as "Admin" without having to specify
credentials. It's not a security leak, as this bean ONLY has an
@PostConstruct method, so no methods are exposed which can be
exploited, so magic execution as "Admin" is acceptable.

Quintin Beukes



On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <[email protected]> wrote:

Hey,

I have the following in my deploy plan:
 <sec:security>
  <sec:role-mappings>
    <sec:role role-name="Admin">
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="Admin"/>
    </sec:role>
  </sec:role-mappings>
 </sec:security>

When I add @RunAs("Admin") to a bean, I get the following:
2009-10-19 12:11:30,857 INFO  [startup] Assembling app: /opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanRemote) --> Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=InitializeDataBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=KMSPlatformEjbStartupBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
2009-10-19 12:11:30,892 INFO  [startup] Jndi(name=SpringContextBeanLocal) --> Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean, ejb-name=KMSPlatformEjbStartupBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean, ejb-name=SpringContextBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean, ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Deployed Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while starting; GBean is now in the FAILED state: abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
java.lang.IllegalStateException: no run-as identity configured for role: Admin
      at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
      at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
      at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
      at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
      at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
      at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
      at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
      at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
      at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
      at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
      at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
      at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
      at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
      at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
      at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
      at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
      at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
      at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
      at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
      at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
      at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
      at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
      at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
      at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
      at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
      at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
      at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
      at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
      at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
      at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
      at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
      at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
      at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
      at java.security.AccessController.doPrivileged(Native Method)
      at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
      at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
      at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:597)
      at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
      at sun.rmi.transport.Transport$1.run(Transport.java:159)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
      at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
      at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
      at java.lang.Thread.run(Thread.java:619)
2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing

Can someone please advise.

Quintin Beukes
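The "no run-as identity configured for role: Admin" failure above is what Geronimo 2.x raises when a role named in @RunAs has a principal mapping but no run-as subject. The plan fragment below is an added illustration of the shape such a mapping takes, not Quintin's plan or anything from the Geronimo project: the realm name kms-internal, the credential store name KMSCredentialStore, the user id kms-startup and the security-2.0 namespace declaration are all assumptions, and the run-as subject resolves through a credential store so the backing realm can stay non-global, as David's interleaved reply suggests.

```xml
<!-- Added example (not from the original post): Admin role with a run-as
     subject. Realm, credential store and id are assumed placeholder names. -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">

  <!-- Credential store the run-as subject is looked up in. Backing it with a
       non-global realm keeps the identity out of what OpenEJB offers to
       remote clients; only the container's run-as path uses it. -->
  <sec:credential-store-ref>
    <sec:pattern>
      <sec:name>KMSCredentialStore</sec:name>   <!-- assumed GBean name -->
    </sec:pattern>
  </sec:credential-store-ref>

  <sec:role-mappings>
    <sec:role role-name="Admin">
      <!-- Identity the container switches to for @RunAs("Admin"). Without
           this element EjbDeployment fails at start with the
           IllegalStateException seen in the log. -->
      <sec:run-as-subject>
        <sec:realm>kms-internal</sec:realm>     <!-- assumed realm name -->
        <sec:id>kms-startup</sec:id>            <!-- assumed entry id -->
      </sec:run-as-subject>

      <!-- Callers holding this group principal are in role Admin; this part
           is the same as the original plan. -->
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="Admin"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>
```

The realm/id pair has to exist as an entry in that credential store, which is itself configured against the (non-global) realm; nothing here adds the realm to the set remote clients can authenticate against.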




