
problem calling ejb: SecurityActions.getContextSubject() returns null

 
Hub Fel
Greenhorn
Posts: 10
Hi all,
I try to migrate a working app from JBoss 4.2.2 to JBoss 5.1. I have an EJB 2.0 with some "unchecked" methods and some that require an authenticated user.
For the "unchecked" methods I established a "RunAsIdentity" via ejb-jar.xml and jboss.xml and I see it pushed as RunAs to the EJB context. From an MBean that runs as a service, I created that "unchecked" EJB with a "RunAsId" and call the "unchecked" methods.
Now the problem:
In the EJB I make a context.isCallerInRole("role") call that produces error messages in the form of:
ERROR [EnterpriseContext] Subject is null for isCallerInRole Check with role=PeV
The context.isCallerInRole("role") calls
SubjectPolicyContextHandler.getAuthenticatedSubject(); which returns NULL
SecurityContext.getIncomingRunsAs() also returns null
But when I do a

Then I get a valid principal, the one I defined in jboss.xml
I do not understand this, since I explicitly do a login before creating / calling the EJB.
In 4.2.2 I did not log on for the unchecked methods and it worked fine. I have tried many things, without success.
This is my application-policy:

The EJB 2.0 runs in MyRealm, and both login-modules succeed.
I quadruple-checked everything and debugged through every interceptor, but still have no clue about the cause.
It would be great if anybody could give me a hint.
jboss.xml has a

ejb-jar.xml has a


Why doesn't my EJB context have a valid authenticatedSubject()?
Any hint could definitively save my day!

Thank you
Hubert
P.S.
One more thing: The SessionContext used by the EJB in isCallerInRole is set during the myEjb.create() invocation.
 
Jaikiran Pai
Marshal
Posts: 10444
I have seen similar posts related to JBoss AS-5, but I haven't been able to look into the details. In your login-module, try adding unauthenticatedIdentity as follows:



See if that works.

 
Hub Fel
Greenhorn
Posts: 10
Jaikiran,
Thank you very much, but unfortunately this did not help.
Thanks anyway
Hubert
 
Hub Fel
Greenhorn
Posts: 10
Hi,

Well, I think I have an idea what's going on.
On creation of the EJB:
InvokeHome calls the SecurityInterceptor to create the EJB. During this process the EJB receives a SessionContext with an authenticated subject.

In the SecurityInterceptor, JBoss does a

The popSubjectContext() destroys my SubjectInfo.authenticatedSubject by setting it to NULL.
This looks strange to me.
Is this correct? If yes, how should the EJB get another authenticated Subject? There is no authentication anymore.

Thank you
Regards
Hubert
 
Hub Fel
Greenhorn
Posts: 10
Ok, I think I isolated the problem.

What I described in the previous post is working correctly.
SecurityActions.popSubjectContext() is called after every call and an authenticated subject is pushed before every call.

So when I arrive at my EJB method, the context is good and context.isCallerInRole("role") works fine.
But I call several other EJBs with unchecked security / local view (BYPASS_SECURITY). When calling these EJBs the authenticated subject is set to NULL and left at NULL.
After the EJB calls return, the authenticated subject is still null, and that's why my further context.isCallerInRole() calls fail.

Does anybody have an idea how to work around this?

Thank you
Hubert
 
Hub Fel
Greenhorn
Posts: 10
Ok, I fixed my problem.

As mentioned, I lost my authenticated subject.
In my EJB I call other EJBs. After such a call my subject was NULL. I figured out which EJB caused the loss.

I edited the corresponding jboss.xml and added a


In login-config.xml I added:


note the "restore-login-identity".
That was it, the specific EJB runs in the "EjbRealm" domain and my security association is restored after the call, so that context.isUserInRole("test") from my own EJB has a valid authenticated subject.

Before my changes this EJB ran in the "BYPASSED-SECURITY" domain. I tried to create a <application-policy name="BYPASSED-SECURITY"> but this was never picked up.


Hope this helps others.
Hubert
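As an added illustration of the two fragments the fix above describes (not the poster's own files, which did not survive in this thread): the called EJB is bound to the EjbRealm security domain in its jboss.xml, and that domain's login-config.xml entry carries restore-login-identity so the caller's security association is put back when the nested call's login context logs out. The domain name and option come from the post; the EJB name, JNDI name and the choice of ClientLoginModule as the domain's module are assumptions, and a real domain would pair it with whatever module actually authenticates callers.

```xml
<!-- Fragment 1: jboss.xml of the EJB that was previously called with
     bypassed security. Giving it a security domain means the container
     pushes/pops a login context around the call instead of running it
     as BYPASS_SECURITY, which left the caller's subject null.
     (EJB name and JNDI name are hypothetical.) -->
<jboss>
  <security-domain>java:/jaas/EjbRealm</security-domain>
  <enterprise-beans>
    <session>
      <ejb-name>CalledBean</ejb-name>
      <jndi-name>ejb/CalledBean</jndi-name>
    </session>
  </enterprise-beans>
</jboss>

<!-- Fragment 2: the EjbRealm entry in conf/login-config.xml.
     restore-login-identity=true tells ClientLoginModule to restore the
     previous principal and subject on logout rather than leaving them
     null, so the caller's later isCallerInRole checks still see its
     authenticated subject. Module choice is an assumption; an
     authenticating module (as in the poster's MyRealm) would normally
     sit alongside it. -->
<application-policy name="EjbRealm">
  <authentication>
    <login-module code="org.jboss.security.ClientLoginModule"
                  flag="required">
      <module-option name="restore-login-identity">true</module-option>
    </login-module>
  </authentication>
</application-policy>
```

Because the called bean now runs inside a real domain, its own method permissions are enforced as well; anything that relied on the bypassed domain must be granted explicitly.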
 