Bug 1288670 - [GSS] (6.4.z) Improve error message for EJBs with restricted access permission but no security-domain
Keywords:
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB
Version: 6.4.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Target Release: ---
Assignee: Radovan STANCEL
QA Contact: Jan Martiska
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-12-04 23:19 UTC by dhorton
Modified: 2021-12-02 02:55 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-19 12:46:20 UTC
Type: Bug
Embargoed:



Description dhorton 2015-12-04 23:19:05 UTC
Description of problem:
Improve the error message for EJBs that have restricted access permission but are not assigned to a security-domain.

In this situation, the EJB security will fall back to the "other" security-domain, which will most likely end up with an "Invalid User" error message getting logged.

In this situation, it might be better to log something like: "No security domain associated to this enterprise bean"

Comment 1 Enrique Gonzalez Martinez 2015-12-11 11:21:39 UTC
Not really sure if changing the message would make sense as the logic of the security manager is to say if the user is valid or not. 

Regarding the "other" as the default security-domain, this is the current behaviour of the app server.

Not sure if this change is a good idea. 

PS: Maybe adding some debug info about which security domain is being used could help in this sort of use case :?

Comment 9 dhorton 2017-03-13 15:40:09 UTC
To reproduce:

- build an application with a secured web application, assign the web application to a valid security-domain
- make the servlet invoke a secured EJB
  - the ejb should use the @RolesAllowed annotation
  - the ejb should _not_ be assigned to a security-domain
  - it will fall back to using "other" by default

There isn't a good warning in the logs about this behavior. You will see the servlet get authenticated using the security-domain that is assigned to it, but when the servlet invokes the secured EJB you will see that it "falls back" to the "other" security-domain, which cannot authenticate the user, leading to an error.

10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000200: Begin isValid, principal: admin, cache entry: null
10:17:34,664 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000209: defaultLogin, principal: admin
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000221: Begin getAppConfigurationEntry(other), size: 4
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000224: End getAppConfigurationEntry(other), AuthInfo: AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
ControlFlag: LoginModuleControlFlag: optional
Options:
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.as.security.RealmDirectLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=password-stacking, value=useFirstPass

10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,665 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000236: Begin initialize method
10:17:34,666 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000240: Begin login method
10:17:34,676 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000283: Bad password for username admin
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 TRACE [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000244: Begin abort method
10:17:34,677 DEBUG [org.jboss.security] (http-127.0.0.1:8080-1) PBOX000206: Login failure: javax.security.auth.login.FailedLoginException: PBOX000070: Password invalid/Password required
        at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:286) [picketbox-4.1.3.Final-redhat-1.jar:4.1.3.Final-redhat-1]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.8.0_111]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [rt.jar:1.8.0_111]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.8.0_111]
        at java.lang.reflect.Method.invoke(Method.java:498) [rt.jar:1.8.0_111]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755) [rt.jar:1.8.0_111]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195) [rt.jar:1.8.0_111]


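The misconfiguration reproduced in Comment 9, shown as an added example (this is not code from the bug report or from the EAP code base). It places the bean described in the steps above beside the corrected form that binds the EJB to the same security domain as the web application. The domain name MyAppDomain, the role name admin, and the class names are assumptions chosen for illustration.

```java
// Added example, not from the bug report or from JBoss EAP itself.
// Assumed: a security domain named "MyAppDomain" exists in standalone.xml,
// the role "admin" is granted to the test user, and the web application's
// WEB-INF/jboss-web.xml contains <security-domain>MyAppDomain</security-domain>.

// --- File: UnscopedSecureBean.java (the "before" case from Comment 9) ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

// @RolesAllowed makes the bean secured, but no security domain is declared.
// On EAP 6 the EJB container then uses the "other" domain, whose login modules
// (RemotingLoginModule / RealmDirectLoginModule in the trace above) try to
// re-authenticate the caller and fail with "Password invalid/Password required",
// even though the servlet already authenticated "admin" against MyAppDomain.
@Stateless
@RolesAllowed("admin")
public class UnscopedSecureBean {
    @Resource
    private SessionContext ctx;

    public String callerName() {
        return ctx.getCallerPrincipal().getName();
    }
}

// --- File: ScopedSecureBean.java (the corrected bean) ---
import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

// Binding the bean to the same domain the web tier authenticated against lets
// the already-established caller identity and roles be evaluated directly,
// so @RolesAllowed is enforced without a second login against "other".
@Stateless
@SecurityDomain("MyAppDomain")
@RolesAllowed("admin")
public class ScopedSecureBean {
    @Resource
    private SessionContext ctx;

    public String callerName() {
        return ctx.getCallerPrincipal().getName();
    }
}

// --- File: WhoAmIServlet.java (the secured web application from step 1) ---
import java.io.IOException;
import javax.ejb.EJB;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The servlet is protected by the web container and authenticates the user
// against MyAppDomain (configured in jboss-web.xml). It then invokes the EJB.
// Injecting UnscopedSecureBean here instead reproduces the failure in the trace.
@WebServlet("/whoami")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class WhoAmIServlet extends HttpServlet {
    @EJB
    private ScopedSecureBean bean;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.getWriter().println("servlet user: " + req.getUserPrincipal().getName());
        resp.getWriter().println("ejb caller:   " + bean.callerName());
    }
}
```

If annotating every bean is not practical, the same binding can be declared once per module in META-INF/jboss-ejb3.xml with an <s:security> entry (namespace urn:security:1.1) whose <ejb-name> is * and whose <s:security-domain> names the domain. Either way, the practical check is the one the reporter asks for: when TRACE logging for org.jboss.security shows getAppConfigurationEntry(other) for a bean that the web tier authenticated elsewhere, the bean has no domain of its own and the "bad password" that follows is the fallback, not a real credential problem.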