John Fawcett wrote:
To: [EMAIL PROTECTED]
Subject: RE: [JBoss-user] MBeans, local EJBs and Authentication
Date: Mon, 16 Dec 2002 18:38:53 -0500
Organization: Tamale Software, LLC
Reply-To: [EMAIL PROTECTED]
Just curious -- is it particularly bad form to have your automated beans also log in? Perhaps create an account for these automated functions?

I don't claim to speak for others, but I would like to avoid having to create account(s) in the user directory for system functions. There are several security problems with this, not least of which is that I would have to hard-code the password for this user into a config file (or somehow force an admin to provide the password upon deploy/redeploy and lose the ability to do this automatically).
A priori, I guess I don't see why I should have to create a user, authenticate, etc., to use a local, non-secured EJB. I see why I would need this if I were accessing a secured EJB, but I am only trying to access a local, non-secured EJB. What am I missing? :-)
For now, I am working around this by doing exactly as you suggest: I temporarily created a 'system' user in my LDAP, and I am authenticating with this user in the scheduler task. But this just does not "feel" right.
-- Randy
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of Randy Shoup
Sent: Monday, December 16, 2002 6:23 PM
To: [EMAIL PROTECTED]
Subject: [JBoss-user] MBeans, local EJBs and Authentication
JBoss gurus --
I am using JBoss 3.0.4 - Tomcat 4.1.12 on Win2K. I want to get unauthenticated access to a local SLSB from an MBean, while still requiring authenticated access to my remote EJBs.
I am trying to add to my application a scheduled "batch" operation which does some periodic cleanup. The scheduling part was straightforward to set up, thanks to the docs and the list. However, I am having some trouble with the authentication part.
All of my remote session facades require authentication, with user/role information in an LDAP. The scheduled operation is a "system" operation, though, and so I would like to avoid requiring it to do any explicit authentication. I don't, for example, want to put a "system" or "internal" entry in the LDAP, which is intended to be just for real users. And I would like to avoid hard-coding any password anywhere.
I have done the following:
+ created a local SLSB which does the real work
+ added a scheduler MBean, which periodically calls the local SLSB
+ added an 'unauthenticatedIdentity' entry in the login-config.xml:
<application-policy name = "ime_ejb">
  <authentication>
    <login-module code = "com.tumbleweed.ime.ejb.security.jboss3.LdapLoginModule"
                  flag = "required">
      ...
      <module-option name="unauthenticatedIdentity">system</module-option>
    </login-module>
  </authentication>
</application-policy>
+ made all methods of the local SLSB 'unchecked':
<method-permission>
  <description><![CDATA[Local EJBs are unchecked]]></description>
  <unchecked/>
  <method>
    <ejb-name>PackageExpireSession</ejb-name>
    <method-name>*</method-name>
  </method>
</method-permission>
+ added no authentication calls in the MBean
Still, whenever I call the SLSB from within the scheduler MBean, I get the famous "principal=null" exception:
15:05:43,431 INFO [PackageExpireTask] expirePackages(Mon Dec 16 15:05:40 PST 2002)
15:05:43,446 ERROR [SecurityInterceptor] Authentication exception, principal=null
15:05:43,446 ERROR [LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=null
        at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173)
        at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94)
        at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129)
        at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300)
        at org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invokeHome(BaseLocalContainerInvoker.java:230)
        at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
        at $Proxy38.create(Unknown Source)
        at com.tumbleweed.ime.ejb.scheduler.jboss3.PackageExpireTask.expirePackages(Unknown Source)
        at com.tumbleweed.ime.ejb.scheduler.jboss3.PackageExpireTask.perform(Unknown Source)
        at org.jboss.varia.scheduler.Scheduler$Listener.handleNotification(Scheduler.java:1046)
        at org.jboss.mx.server.NotificationListenerProxy.handleNotification(NotificationListenerProxy.java:71)
        at javax.management.NotificationBroadcasterSupport.sendNotification(NotificationBroadcasterSupport.java:84)
        at javax.management.timer.Timer.sendNotifications(Timer.java:441)
        at javax.management.timer.Timer.access$000(Timer.java:31)
        at javax.management.timer.Timer$RegisteredNotification.doRun(Timer.java:612)
        at org.jboss.mx.util.SchedulableRunnable.run(SchedulableRunnable.java:164)
        at org.jboss.mx.util.ThreadPool$Worker.run(ThreadPool.java:225)
15:05:43,446 ERROR [PackageExpireTask] Exception in PackageExpireTask: javax.ejb.EJBException: checkSecurityAssociation; CausedByException is:
Authentication exception, principal=null
BTW, if I do make an explicit login call to one of my (secured) remote facades from within the scheduler MBean, and use a valid user in my LDAP, it works fine.
I have searched on the list, and taken a look at the JBoss security test cases, but I can't figure out how to get the results I want. Probably I have missed something.
Any suggestions?
-- Randy
_________________________________________________________________
Randy Shoup (650)216-2038
Tumbleweed Communications Corporation [EMAIL PROTECTED]
_______________________________________________
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
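The log excerpt in the original post is the kind of signal a scheduled job that never established an identity leaves behind: the task's own INFO line followed within milliseconds by the SecurityInterceptor's "principal=null" error, after which the cleanup silently does not run. Below is an added detector (example code written for this page, not from the thread or from JBoss) that parses JBoss 3.x console log lines of the form `HH:MM:SS,mmm LEVEL [Category] message` and attributes each such error to the scheduler task that triggered it; the sample log lines are constructed from the post plus one unrelated error that must not match, and the `window_ms` correlation window and `*Task` category convention are assumptions.

```python
import re
from datetime import datetime, timedelta

# JBoss 3.x console log line: "HH:MM:SS,mmm LEVEL [Category] message"
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2},\d{3})\s+(\w+)\s+\[([^\]]+)\]\s+(.*)$")
# The exact message SecurityInterceptor logs when an invocation carries no identity.
NO_PRINCIPAL_RE = re.compile(r"Authentication exception, principal=null")
TASK_START_RE = re.compile(r"^(\w+)\(")  # e.g. "expirePackages(Mon Dec 16 ...)"

def parse_line(line):
    """Return (timestamp, level, category, message), or None for stack-trace / continuation lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%H:%M:%S,%f")
    return ts, m.group(2), m.group(3), m.group(4)

def find_unauthenticated_tasks(lines, window_ms=5000):
    """Pair each scheduler task start (INFO from a *Task category, assumed convention) with a
    later SecurityInterceptor 'principal=null' error inside the window.
    Returns a list of (task_category, method, start_timestamp) findings."""
    findings = []
    pending = []  # (timestamp, category, method) of task starts not yet matched to an error
    window = timedelta(milliseconds=window_ms)
    for raw in lines:
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ts, level, category, message = parsed
        if level == "INFO" and category.endswith("Task"):
            m = TASK_START_RE.match(message)
            if m:
                pending.append((ts, category, m.group(1)))
        elif level == "ERROR" and category == "SecurityInterceptor" and NO_PRINCIPAL_RE.search(message):
            # Attribute the failure to the most recent task start still inside the window.
            recent = [p for p in pending if ts - p[0] <= window]
            if recent:
                start_ts, task, method = recent[-1]
                findings.append((task, method, start_ts.strftime("%H:%M:%S,%f")[:-3]))
                pending.remove(recent[-1])
    return findings

# Constructed sample: the lines from the post plus an unrelated error that must not match.
SAMPLE_LOG = """\
15:05:43,431 INFO [PackageExpireTask] expirePackages(Mon Dec 16 15:05:40 PST 2002)
15:05:43,446 ERROR [SecurityInterceptor] Authentication exception, principal=null
15:05:43,446 ERROR [LogInterceptor] EJBException, causedBy:
java.lang.SecurityException: Authentication exception, principal=null
15:09:01,002 ERROR [SecurityInterceptor] Authentication exception, principal=bob
""".splitlines()

if __name__ == "__main__":
    for task, method, when in find_unauthenticated_tasks(SAMPLE_LOG):
        print(f"{when} {task}.{method} invoked an EJB with no security association")
```

A finding means a container-initiated job is reaching a bean inside a security domain without any established identity, so the job's work is being skipped rather than run with reduced privilege.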
