problem calling ejb: SecurityActions.getContextSubject() returns null

Hub Fel
Greenhorn

Joined: Oct 21, 2009
Posts: 10
Hi all,
I'm trying to migrate a working app from JBoss 4.2.2 to JBoss 5.1. I have an EJB 2.0 with some "unchecked" methods and some that require an authenticated user.
For the "unchecked" methods I established a "RunAsIdentity" via ejb-jar.xml and jboss.xml, and I see it pushed as the EJB context. From an MBean that runs as a service, I create that EJB "unchecked" with a "RunAsId" and call "unchecked" methods.
Now the problem:
In the EJB I make a context.IsCallerInRole("role") call that produces error messages of the form:
ERROR [EnterpriseContext] Subject is null for isCallerInRole Check with role=PeV
The context.IsCallerInRole("role") calls
SubjectPolicyContextHandler.getAuthenticatedSubject(); which returns NULL
SecurityContext.getIncomingRunsAs() also returns null
But when I do a

Then I get a valid principal, the one I defined in jboss.xml
I do not understand this, since I explicitly do a login before creating / calling the EJB.
In 4.2.2 I did not log on for the unchecked methods and it worked fine. I have tried many things, without success.
This is my application-policy:

The EJB 2.0 runs in MyRealm, and both login modules succeed.
I quadruple-checked everything and debugged through every Interceptor, but still have no clue about the cause.
It would be great if anybody could give me a hint.
jboss.xml has a

ejb-jar.xml has a


Why doesn't my EJB context have a valid authenticatedSubject()?
Any hint could definitely save my day!

Thank you
Hubert
P.S.
One more thing: The SessionContext used by the EJB on IsCallerInRole is set during the myEjb.create() invocation.
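For readers who have not configured an EJB 2.0 run-as identity on JBoss, the following is an added illustration of the two descriptors the post refers to. It is not the poster's own configuration (those fragments did not survive in the thread); the bean name MyEjb, the method names, the role PeV (taken from the error message above), the principal internalUser and the security domain MyRealm are assumptions. The ejb-jar.xml half declares which methods are unchecked and which need the role, and the run-as role the bean uses for its own outgoing calls; the jboss.xml half binds the bean to a JAAS security domain and names the principal placed in that run-as identity.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- ejb-jar.xml (EJB 2.0). Added example; bean, method and role names are assumed. -->
<ejb-jar>
  <enterprise-beans>
    <session>
      <ejb-name>MyEjb</ejb-name>
      <home>com.example.MyEjbHome</home>
      <remote>com.example.MyEjb</remote>
      <ejb-class>com.example.MyEjbBean</ejb-class>
      <session-type>Stateless</session-type>
      <transaction-type>Container</transaction-type>
      <!-- identity used for calls this bean makes to other beans -->
      <security-identity>
        <run-as>
          <role-name>PeV</role-name>
        </run-as>
      </security-identity>
    </session>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>PeV</role-name>
    </security-role>
    <!-- callable without any authenticated caller -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>MyEjb</ejb-name>
        <method-name>publicMethod</method-name>
      </method>
    </method-permission>
    <!-- requires a caller that holds the PeV role -->
    <method-permission>
      <role-name>PeV</role-name>
      <method>
        <ejb-name>MyEjb</ejb-name>
        <method-name>protectedMethod</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>

<!-- jboss.xml. Added example; MyRealm and internalUser are assumed names. -->
<jboss>
  <!-- JAAS domain whose application-policy (login-config.xml) authenticates callers -->
  <security-domain>java:/jaas/MyRealm</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>MyEjb</ejb-name>
      <!-- the principal that the container puts into the run-as identity -->
      <security-identity>
        <run-as-principal>internalUser</run-as-principal>
      </security-identity>
    </session>
  </enterprise-beans>
</jboss>
```

The two files are shown in one listing only for reading; each is a separate descriptor in META-INF. Note that `<unchecked/>` only waives the permission check on entry to the method: any `isCallerInRole()` executed inside that method still needs an authenticated subject in the security context, which is exactly the situation the thread is about.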
Jaikiran Pai
Marshal

Joined: Jul 20, 2005
Posts: 9953

I have seen similar posts related to JBoss AS-5, but I haven't been able to look into the details. In your login-module, try adding unauthenticatedIdentity as follows:



See if that works.


[My Blog] [JavaRanch Journal]
Hub Fel
Greenhorn

Joined: Oct 21, 2009
Posts: 10
Jaikiran,
Thank you very much, but unfortunately this did not help.
Thanks anyway
Hubert
Hub Fel
Greenhorn

Joined: Oct 21, 2009
Posts: 10
Hi,

Well, I think I have an idea what's going on.
On creation of the EJB:
InvokeHome calls SecurityInterceptor to create the EJB. During this process the EJB receives a SessionContext with an authenticated subject.

In SecurityInterceptor, JBoss does a

The popSubjectContext() destroys my SubjectInfo.authenticatedSubject by setting it to NULL.
This looks strange to me.
Is this correct? If yes, how should the EJB get another authenticated Subject? There is no authentication anymore.

Thank you
Regards
Hubert
Hub Fel
Greenhorn

Joined: Oct 21, 2009
Posts: 10
Ok, I think I isolated the problem.

What I described in the previous post is working correctly.
SecurityActions.popSubjectContext() is called after every call and an authenticated subject is pushed before every call.

So when I arrive at my ejb method, the context is good and context.IsCallerInRole("role") works fine.
But I call several other EJBs with unchecked security / local view (BYPASS_SECURITY). When calling these EJBs the authenticated subject is set to NULL and left at NULL.
After the EJB calls return, the authenticated subject is still null, and that's why my further context.isCallerInRole() calls fail.

Does anybody have an idea how to work around this?

Thank you
Hubert
Hub Fel
Greenhorn

Joined: Oct 21, 2009
Posts: 10
Ok, I fixed my problem.

As mentioned, I lost my authenticated subject.
In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss.

I edited the corresponding jboss.xml and added a


In login-config.xml I added:


note the "restore-login-identity".
That was it, the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.

Before my changes this EJB ran in the "BYPASSED-SECURITY" domain. I tried to create a <application-policy name="BYPASSED-SECURITY"> but this was never picked up.


Hope this helps others.
Hubert
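As an added illustration of the fix described in this last post, together with the unauthenticatedIdentity option Jaikiran suggested earlier in the thread, here is what the two descriptors can look like. This is not the poster's configuration (the fragments were lost from the thread): the domain name EjbRealm is the one the post mentions, while the called bean's name, the properties file paths and the anonymous principal name are assumptions. The ClientLoginModule option `restore-login-identity` causes the principal and credential present on entry to `login()` to be saved and put back on `logout()`, which is what keeps the calling EJB's authenticated subject intact after the nested call returns.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jboss.xml of the EJB that used to run in BYPASSED-SECURITY.
     Added example; the bean name is assumed. -->
<jboss>
  <!-- bind the bean to a real JAAS domain instead of leaving it bypassed -->
  <security-domain>java:/jaas/EjbRealm</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>CalledEjb</ejb-name>
    </session>
  </enterprise-beans>
</jboss>

<!-- conf/login-config.xml entry for that domain. Added example;
     properties file names and the "anonymous" principal are assumed. -->
<policy>
  <application-policy name="EjbRealm">
    <authentication>
      <!-- saves the caller's security association on login and restores it on logout,
           so the outer EJB's authenticated subject survives the nested call -->
      <login-module code="org.jboss.security.ClientLoginModule" flag="required">
        <module-option name="restore-login-identity">true</module-option>
      </login-module>
      <!-- the module that actually authenticates; unauthenticatedIdentity maps a caller
           with no credentials to a named principal instead of failing the login -->
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">anonymous</module-option>
        <module-option name="usersProperties">props/ejb-users.properties</module-option>
        <module-option name="rolesProperties">props/ejb-roles.properties</module-option>
      </login-module>
    </authentication>
  </application-policy>
</policy>
```

Two points worth checking when applying this pattern: the `unauthenticatedIdentity` principal should be mapped to no role that any `method-permission` or `isCallerInRole()` check treats as privileged, since every caller without credentials now carries it; and the `<security-domain>` name in jboss.xml must match the `application-policy` name exactly, which is also why the poster's attempt at a policy named BYPASSED-SECURITY could not take effect, that name being the container's marker for "no security domain configured" rather than a domain to look up.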