Skip to main content

"Caller not authorized" calling a protected EJB method from a servlet

1 reply [Last post]
redentis
Offline
Joined: 2007-07-13

I'm getting the following stack trace while attempting to call a protected EJB method
from a servlet that has been marked with 'run-as'. I've search both these and the SUN
forums and have seem similar problems, but unfortunately, no resolutions.

The high-level process looks like this:
servlet (run-as 'registrant')
--> [EJB] RegistrantAuthenticator.authenticate(..)
Has no role restrictions
--> [EJB] QuestionManager.getQuestionsForRegistrantWithAnswers(..)
Has 'registrant_role' restriction

After the stack trace, I've put together a quick overview of the relevant pieces of the
application.

--8<-- stack trace from server.log
[#|2007-07-12T11:32:36.353+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = RegistrantAuthenticator (Action) = authenticateRegistrant,Remote,com.digitalsteps.jaas.AuthenticationData|#]
...
[#|2007-07-12T11:32:36.353+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: Access Control Decision Result: true EJBMethodPermission (Name) = RegistrantAuthenticator (Action) = authenticateRegistrant,Remote,com.digitalsteps.jaas.AuthenticationData (Caller) = null|#]

[#|2007-07-12T11:32:45.288+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = QuestionManager (Action) = getQuestionsForRegistrantWithAnswers,Local,java.lang.String|#]

[#|2007-07-12T11:32:45.308+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=getCachedProtectionDomain;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: new ProtectionDomain added to cache|#]

[#|2007-07-12T11:32:45.318+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=getCachedProtectionDomain;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: returning cached ProtectionDomain - CodeSource: ((file:/LISA-JAS/LISA-JAS-ejb_jar )) PrincipalSet: registrant|#]

[#|2007-07-12T11:32:45.358+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;|JACC Policy Provider: PolicyWrapper.implies, context(LISA-JAS/LISA-JAS-ejb_jar)- permission((javax.security.jacc.EJBMethodPermission QuestionManager getQuestionsForRegistrantWithAnswers,Local,java.lang.String)) domain that failed(ProtectionDomain (file:/LISA-JAS/LISA-JAS-ejb_jar )
null
(principals com.sun.enterprise.deployment.PrincipalImpl "registrant")

java.security.Permissions@7dca91 (
...
(javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
(java.io.FilePermission <> read,write)
(java.net.SocketPermission localhost:1024- listen,resolve)
(java.net.SocketPermission * connect,resolve)
)

)|#]

[#|2007-07-12T11:32:45.398+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: Access Control Decision Result: false EJBMethodPermission (Name) = QuestionManager (Action) = getQuestionsForRegistrantWithAnswers,Local,java.lang.String (Caller) = null|#]

[#|2007-07-12T11:32:45.408+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.container.ejb|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;QuestionManager;|EJB5018: An exception was thrown during an ejb invocation on [QuestionManager]|#]

[#|2007-07-12T11:32:45.408+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.container.ejb|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;|
javax.ejb.AccessLocalException: Client not authorized for this invocation.
at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:1143)
at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:182)
at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:118)
at $Proxy148.getQuestionsForRegistrantWithAnswers(Unknown Source)
...
--8<--

(A) EAR:
sun-application.xml

registrant_role
registrant

...
file

(B) EJB:
@Stateless
public class QuestionManagerBean implements IQuestionManagerLocal, IQuestionManagerRemote
{
...
}

@Local
@RolesAllowed({"registrant_role", "registration_officer_role", "registration_manager_role"})
public interface IQuestionManagerLocal
{
...
}

@Remote
@RolesAllowed({"registrant_role", "registration_officer_role", "registration_manager_role"})
public interface IQuestionManagerRemote
{
...
}

(C) WEB:
public class ActivateAccount extends HttpServlet
{
...
}

web.xml

ActivateAccount
test.ActivateAccount

ejb_registrant_role

...

ejb_registrant_role

sun-web.xml

ActivateAccount
registrant

...

(D) Server configuration
- in Configuration > Security
- default realm is 'file'
- default principal is deliberately left blank
- default role to group mapping is NOT active
- in Configuration > Security > Realms > file
- user 'registant' with group(s) 'registrant' is present

(E) Generated granted.policy file:
grant principal com.sun.enterprise.deployment.Group "registrant" {
permission javax.security.jacc.EJBMethodPermission "QuestionManager", ",Local";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", ",Remote";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestion,Local,com.digitalsteps.lisa.questionmanager.SecurityQuestion,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestion,Remote,com.digitalsteps.lisa.questionmanager.SecurityQuestion,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Local,java.util.List,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Local,java.util.List,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Remote,java.util.List,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Remote,java.util.List,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getAllSystemQuestions,Local,";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getAllSystemQuestions,Remote,";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Local,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Local,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Remote,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Remote,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Local,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Local,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Remote,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Remote,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "setQuestions,Local,java.util.List,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "setQuestions,Remote,java.util.List,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Local,java.util.List,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Local,java.util.List,long";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Remote,java.util.List,java.lang.String";
permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Remote,java.util.List,long";
...
};

(F) Generated ejb-jar.xml:

...

registrant_role

...

registrant_role

QuestionManager
Local
*

QuestionManager
Remote
*

...

Environment:
JDK1.6.0_01
SJSAS 9.0_01(b02_p01)
Windows XP

Any idea on how to diagnose this further or any observations / corrections are very
welcome.

Thanks,
Marcus

Reply viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
V B Kumar Jayanti

Hi ,

Will you be able to try with GF V2 and let us know if it fails there
as well (https://glassfish.dev.java.net/downloads/v2-b55.html). Meantime
we will try to investigate more on this.

Thanks.

glassfish@javadesktop.org wrote:

>I'm getting the following stack trace while attempting to call a protected EJB method
>from a servlet that has been marked with 'run-as'. I've search both these and the SUN
>forums and have seem similar problems, but unfortunately, no resolutions.
>
>The high-level process looks like this:
>servlet (run-as 'registrant')
>--> [EJB] RegistrantAuthenticator.authenticate(..)
> Has no role restrictions
>--> [EJB] QuestionManager.getQuestionsForRegistrantWithAnswers(..)
> Has 'registrant_role' restriction
>
>After the stack trace, I've put together a quick overview of the relevant pieces of the
>application.
>
>--8<-- stack trace from server.log
>[#|2007-07-12T11:32:36.353+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = RegistrantAuthenticator (Action) = authenticateRegistrant,Remote,com.digitalsteps.jaas.AuthenticationData|#]
>...
>[#|2007-07-12T11:32:36.353+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: Access Control Decision Result: true EJBMethodPermission (Name) = RegistrantAuthenticator (Action) = authenticateRegistrant,Remote,com.digitalsteps.jaas.AuthenticationData (Caller) = null|#]
>
>[#|2007-07-12T11:32:45.288+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: permission initialized in InvocationInfo: EJBMethodPermission (Name) = QuestionManager (Action) = getQuestionsForRegistrantWithAnswers,Local,java.lang.String|#]
>
>[#|2007-07-12T11:32:45.308+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=getCachedProtectionDomain;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: new ProtectionDomain added to cache|#]
>
>[#|2007-07-12T11:32:45.318+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=getCachedProtectionDomain;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: returning cached ProtectionDomain - CodeSource: ((file:/LISA-JAS/LISA-JAS-ejb_jar )) PrincipalSet: registrant|#]
>
>[#|2007-07-12T11:32:45.358+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;|JACC Policy Provider: PolicyWrapper.implies, context(LISA-JAS/LISA-JAS-ejb_jar)- permission((javax.security.jacc.EJBMethodPermission QuestionManager getQuestionsForRegistrantWithAnswers,Local,java.lang.String)) domain that failed(ProtectionDomain (file:/LISA-JAS/LISA-JAS-ejb_jar )
> null
> (principals com.sun.enterprise.deployment.PrincipalImpl "registrant")
>
> java.security.Permissions@7dca91 (
> ...
> (javax.security.auth.PrivateCredentialPermission javax.resource.spi.security.PasswordCredential * "*" read)
> (java.io.FilePermission <> read,write)
> (java.net.SocketPermission localhost:1024- listen,resolve)
> (java.net.SocketPermission * connect,resolve)
>)
>
>)|#]
>
>[#|2007-07-12T11:32:45.398+0100|FINE|sun-appserver-pe9.0|javax.enterprise.system.core.security|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;ClassName=com.sun.enterprise.security.application.EJBSecurityManager;MethodName=authorize;_RequestID=3a7683b3-1eaf-451f-8e49-5faa92dcc8db;|JACC: Access Control Decision Result: false EJBMethodPermission (Name) = QuestionManager (Action) = getQuestionsForRegistrantWithAnswers,Local,java.lang.String (Caller) = null|#]
>
>[#|2007-07-12T11:32:45.408+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.container.ejb|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;QuestionManager;|EJB5018: An exception was thrown during an ejb invocation on [QuestionManager]|#]
>
>[#|2007-07-12T11:32:45.408+0100|INFO|sun-appserver-pe9.0|javax.enterprise.system.container.ejb|_ThreadID=18;_ThreadName=httpWorkerThread-8443-3;|
>javax.ejb.AccessLocalException: Client not authorized for this invocation.
> at com.sun.ejb.containers.BaseContainer.preInvoke(BaseContainer.java:1143)
> at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:182)
> at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:118)
> at $Proxy148.getQuestionsForRegistrantWithAnswers(Unknown Source)
>...
>--8<--
>
>(A) EAR:
> sun-application.xml
>
>
> registrant_role
> registrant
>

> ...
> file
>

>
>(B) EJB:
> @Stateless
> public class QuestionManagerBean implements IQuestionManagerLocal, IQuestionManagerRemote
> {
> ...
> }
>
> @Local
> @RolesAllowed({"registrant_role", "registration_officer_role", "registration_manager_role"})
> public interface IQuestionManagerLocal
> {
> ...
> }
>
> @Remote
> @RolesAllowed({"registrant_role", "registration_officer_role", "registration_manager_role"})
> public interface IQuestionManagerRemote
> {
> ...
> }
>
>
>(C) WEB:
> public class ActivateAccount extends HttpServlet
> {
> ...
> }
>
> web.xml
>
>
> ActivateAccount
> test.ActivateAccount
>
> ejb_registrant_role
>

>

> ...
>
> ejb_registrant_role
>

>

>
> sun-web.xml
>
>
> ActivateAccount
>
registrant >

> ...
>

>
>(D) Server configuration
>- in Configuration > Security
> - default realm is 'file'
> - default principal is deliberately left blank
> - default role to group mapping is NOT active
>- in Configuration > Security > Realms > file
> - user 'registant' with group(s) 'registrant' is present
>
>(E) Generated granted.policy file:
>grant principal com.sun.enterprise.deployment.Group "registrant" {
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", ",Local";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", ",Remote";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestion,Local,com.digitalsteps.lisa.questionmanager.SecurityQuestion,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestion,Remote,com.digitalsteps.lisa.questionmanager.SecurityQuestion,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Local,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Local,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Remote,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "createQuestions,Remote,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getAllSystemQuestions,Local,";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getAllSystemQuestions,Remote,";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Local,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Local,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Remote,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrant,Remote,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Local,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Local,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Remote,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "getQuestionsForRegistrantWithAnswers,Remote,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "setQuestions,Local,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "setQuestions,Remote,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Local,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Local,java.util.List,long";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Remote,java.util.List,java.lang.String";
> permission javax.security.jacc.EJBMethodPermission "QuestionManager", "validateAnswers,Remote,java.util.List,long";
> ...
>};
>
>(F) Generated ejb-jar.xml:
>
> ...
>
>
> registrant_role
>

> ...
>
> registrant_role
>
> QuestionManager
> Local
> *
>

>
> QuestionManager
> Remote
> *
>

>

> ...
>

>
>Environment:
>JDK1.6.0_01
>SJSAS 9.0_01(b02_p01)
>Windows XP
>
>Any idea on how to diagnose this further or any observations / corrections are very
>welcome.
>
>Thanks,
>Marcus
>[Message sent by forum member 'redentis' (redentis)]
>
>http://forums.java.net/jive/thread.jspa?messageID=226525
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
>For additional commands, e-mail: users-help@glassfish.dev.java.net
>
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@glassfish.dev.java.net
For additional commands, e-mail: users-help@glassfish.dev.java.net