On Jul 15, 2009, at 10:23 AM, Kory Markevich wrote:



djencks wrote:

OK, this is weird, I've never seen a bug in this area.  What kind of
authentication does the web app use?  Can you show the entire stack
trace to the ejb security exception?


If that's the case, then my gut is that the bug is somewhere in the web app, but as I didn't write it and have never seen this kind of error before, I'm at a bit of a loss on where to look.  Time to get creative I guess.

We are using Spring's authentication framework with a custom authenticator.

Spring security may secure spring apps but it won't relate to container managed authorization unless you do something to hook it up. You need some code that looks vaguely like this:

Subject subject = getSpringAuthenticatedSubject();
ContextManager.registerSubject(subject); // if the subject is cached in a session this should only happen once, when the subject is first authenticated/constructed.

// the following should happen on every request
ContextManager.setCallers(subject, subject);
try {
    // process request
} finally {
    ContextManager.clearCallers();
}

Without code like this the mystery is why any ejb calls succeed -- it sort of points to a bug where an authenticated subject is left associated with a thread.

I suspect someone has already solved this problem of hooking spring security up to geronimo security -- we should come up with a bit of code that does it and documentation.

thanks
david jencks


The exception stack itself is bog-standard so I doubt it will reveal
anything, but here it is:

javax.ejb.EJBAccessException: Unauthorized Access by Principal Denied
        at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:144)
        at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
        at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
        at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:245)
        at org.apache.openejb.util.proxy.Jdk13InvocationHandler.invoke(Jdk13InvocationHandler.java:49)
        at $Proxy39.getMyFavorites(Unknown Source)
        at ourcode.SomeStatelessBean.getMyFavorites(SomeStatelessBean.java:58)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.openejb.core.interceptor.ReflectionInvocationContext$Invocation.invoke(ReflectionInvocationContext.java:158)
        at org.apache.openejb.core.interceptor.ReflectionInvocationContext.proceed(ReflectionInvocationContext.java:141)
        at org.apache.openejb.core.interceptor.InterceptorStack.invoke(InterceptorStack.java:67)
        at org.apache.openejb.core.stateless.StatelessContainer._invoke(StatelessContainer.java:210)
        at org.apache.openejb.core.stateless.StatelessContainer._invoke(StatelessContainer.java:188)
        at org.apache.openejb.core.stateless.StatelessContainer.invoke(StatelessContainer.java:165)
        at org.apache.openejb.core.ivm.EjbObjectProxyHandler.businessMethod(EjbObjectProxyHandler.java:217)
        at org.apache.openejb.core.ivm.EjbObjectProxyHandler._invoke(EjbObjectProxyHandler.java:77)
        at org.apache.openejb.core.ivm.BaseEjbProxyHandler.invoke(BaseEjbProxyHandler.java:321)
        at org.apache.openejb.util.proxy.Jdk13InvocationHandler.invoke(Jdk13InvocationHandler.java:49)
        at $Proxy35.getMyFavorites(Unknown Source)
        at ourcode.dao.impl.MyFavoritesDaoImpl.getFavoriteList(MyFavoritesDaoImpl.java:42)
        at ourcode.service.impl.MyFavoritesServiceImpl.getFavoriteList(MyFavoritesServiceImpl.java:30)
        at ourcode.web.controller.MyFavoritesController.getFavoriteList(MyFavoritesController.java:32)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.doInvokeMethod(HandlerMethodInvoker.java:409)
        at org.springframework.web.bind.annotation.support.HandlerMethodInvoker.invokeHandlerMethod(HandlerMethodInvoker.java:132)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.invokeHandlerMethod(AnnotationMethodHandlerAdapter.java:310)
        at org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter.handle(AnnotationMethodHandlerAdapter.java:297)
        at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:875)
        at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:809)
        at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:571)
        at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:501)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:693)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:806)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
        at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
        at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.ui.SessionFixationProtectionFilter.doFilterHttp(SessionFixationProtectionFilter.java:67)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.ui.AbstractProcessingFilter.doFilterHttp(AbstractProcessingFilter.java:277)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.ui.logout.LogoutFilter.doFilterHttp(LogoutFilter.java:89)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.securechannel.ChannelProcessingFilter.doFilterHttp(ChannelProcessingFilter.java:116)
        at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
        at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
        at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:236)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:167)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at ourcode.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:35)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.apache.geronimo.tomcat.valve.DefaultSubjectValve.invoke(DefaultSubjectValve.java:56)
        at org.apache.geronimo.tomcat.GeronimoStandardContext$SystemMethodValve.invoke(GeronimoStandardContext.java:406)
        at org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve.invoke(GeronimoBeforeAfterValve.java:47)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:568)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:286)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:845)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:619)

--
View this message in context: 
http://www.nabble.com/EJB---Web-App-losing-Subject-tp24485373s134p24502397.html
Sent from the Apache Geronimo - Users mailing list archive at Nabble.com.
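The hook-up David sketches above, worked into a servlet filter, as an added example that is not code from this thread, from Geronimo or from Spring. It assumes the Spring Security 2.x package names that appear in the trace, Geronimo's GeronimoUserPrincipal/GeronimoGroupPrincipal classes for the principal mapping, and that the filter is mapped after springSecurityFilterChain in web.xml.

```java
import java.io.IOException;
import javax.security.auth.Subject;
import javax.servlet.*;
import javax.servlet.http.*;
import org.apache.geronimo.security.ContextManager;
import org.apache.geronimo.security.realm.providers.*;   // GeronimoUserPrincipal, GeronimoGroupPrincipal (assumed)
import org.springframework.security.*;                    // Spring Security 2.x packages (assumed)
import org.springframework.security.context.SecurityContextHolder;

// Hypothetical bridge filter (not Geronimo or Spring code): map the Spring Authentication onto a JAAS Subject that ContextManager knows about.
public class GeronimoSubjectBridgeFilter implements Filter {
    private static final String SUBJECT_KEY = GeronimoSubjectBridgeFilter.class.getName() + ".subject";
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !auth.isAuthenticated()) {
            chain.doFilter(req, res);   // anonymous request: leave the container's default Subject alone
            return;
        }
        HttpSession session = ((HttpServletRequest) req).getSession();
        Subject subject;
        synchronized (session) {        // register once per authenticated session, then reuse it
            subject = (Subject) session.getAttribute(SUBJECT_KEY);
            if (subject == null) {
                subject = toSubject(auth);
                ContextManager.registerSubject(subject);
                session.setAttribute(SUBJECT_KEY, subject);
            }
        }
        ContextManager.setCallers(subject, subject);   // on every request
        try {
            chain.doFilter(req, res);
        } finally {
            ContextManager.clearCallers();             // never leave the Subject on the worker thread
        }
    }
    // Assumed mapping: Spring's name becomes the user principal, each granted authority a group principal.
    static Subject toSubject(Authentication auth) {
        Subject subject = new Subject();
        subject.getPrincipals().add(new GeronimoUserPrincipal(auth.getName()));
        GrantedAuthority[] authorities = auth.getAuthorities();   // an array in Spring Security 2.x
        for (int i = 0; i < authorities.length; i++) {
            subject.getPrincipals().add(new GeronimoGroupPrincipal(authorities[i].getAuthority()));
        }
        subject.setReadOnly();
        return subject;
    }
    public void init(FilterConfig config) {}
    public void destroy() {}
}
```

The finally block is the part that matters for the symptom in this thread: without it a Subject stays bound to the Tomcat worker thread and the next request on that thread inherits it, which is exactly the "some EJB calls succeed, some don't" pattern. Pair the filter with an HttpSessionListener that unregisters the cached Subject (ContextManager.unregisterSubject, assumed to exist) when the session is invalidated.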
