在wildfly中注入EJB时的安全性异常

在wildfly中注入EJB时的安全性异常

本文介绍了在wildfly中注入EJB时的安全性异常的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我尝试从JBoss AS 7迁移到Wildfly 8.2。从Java 1.6到Java 1.7。在将ejb bean注入我的批处理作业时,我得到了一些安全性异常。

I try to migrate from JBoss AS 7 to Wildfly 8.2. and from Java 1.6 to Java 1.7. and I get some security exceptions when injecting an ejb bean to my batch job.

这是我的调度程序:(每分钟运行一次)

Here is my scheduler: (runs every minute)

@Startup
@Singleton
public class MyBatchScheduler {

    @Inject
    MyBatch myBatch;

    @Schedule(second = "30", minute = "*/1", hour = "*", persistent = false)
    public void runBackgroundTasks() {
        myBatch.runBackgroundTasksAsync();
    }
}

这是我的批次:(每分钟由调度程序调用)

Here is my batch: (called by scheduler every minute)

 @Stateless
 public class MyBatch {

    @Inject
    MyTestbean myTestbean;

    @Asynchronous
    public void runBackgroundTasksAsync() {
        myTestbean.doSomething();
        System.out.println("Batch");
    }
 }

这是我的无状态bean产生问题:(只是一个空方法)

Here is my stateless bean which makes problem: (just an empty methode)

public class MyTestbean implements Serializable {

    private static final long serialVersionUID = 1L;

    public void doSomething() {

    }
}

我的带安全域的jboss-ejb3.xml:

My jboss-ejb3.xml with security-domain:

<?xml version="1.1" encoding="UTF-8"?>
<jboss:ejb-jar
    xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:s="urn:security"
    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/ejb-jar_3_2.xsd"
    version="3.2">
    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>myXXXRealm</s:security-domain>
        </s:security>
    </assembly-descriptor>
</jboss:ejb-jar>

我的jboss-web.xml与我的安全域:

My jboss-web.xml with my security-domain:

<?xml version="1.1" encoding="UTF-8"?>
<jboss-web>
    <security-domain>myXXXRealm</security-domain>
    <context-root>/</context-root>
</jboss-web>

在我的standalone.xml中,我还将myXXXRealm定义为安全域:

In my standalone.xml I also defined the myXXXRealm as security-domain:

<subsystem xmlns="urn:jboss:domain:security:1.2">
   <security-domains>
       <security-domain name="other" cache-type="default">
           <authentication>
               <login-module code="Remoting" flag="optional">
                   <module-option name="password-stacking" value="useFirstPass"/>
               </login-module>
               <login-module code="RealmUsersRoles" flag="required">
                   <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                   <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                   <module-option name="realm" value="ApplicationRealm"/>
                   <module-option name="password-stacking" value="useFirstPass"/>
               </login-module>
           </authentication>
       </security-domain>
       <security-domain name="jboss-web-policy" cache-type="default">
           <authorization>
               <policy-module code="Delegating" flag="required"/>
           </authorization>
       </security-domain>
       <security-domain name="jboss-ejb-policy" cache-type="default">
           <authorization>
               <policy-module code="Delegating" flag="required"/>
           </authorization>
       </security-domain>
       <security-domain name="myXXXRealm">
           <authentication>
               <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                   <module-option name="dsJndiName" value="java:/db/auraDS"/>
                   <module-option name="principalsQuery" value="select &quot;PASSWORD&quot; from aura.&quot;USER&quot; where &quot;USERNAME&quot;=?"/>
                   <module-option name="rolesQuery" value="SELECT r.&quot;NAME&quot;, 'Roles' FROM aura.&quot;ROLE&quot; r, aura.&quot;USER_ROLE&quot; ur, aura.&quot;USER&quot; u WHERE u.&quot;USERNAME&quot;=? AND u.&quot;ID&quot;=ur.&quot;USER_ID&quot; AND ur.&quot;ROLE_ID&quot;=r.&quot;ID&quot;"/>
                   <module-option name="hashAlgorithm" value="MD5"/>
                   <module-option name="hashEncoding" value="hex"/>
               </login-module>
           </authentication>
       </security-domain>
   </security-domains>
</subsystem>

但我总是遇到例外方法权限不足和JBAS014134:EJB调用在组件上失败 :

But I get always the exceptions "Insufficient method permissions" and "JBAS014134: EJB Invocation failed on component":

14:09:30,005 DEBUG [org.jboss.security] (EJB default - 8) PBOX000291: Method: runBackgroundTasksAsync, interface: Local, required roles: Roles(<NOBODY>,)
14:09:30,005 DEBUG [org.jboss.security] (EJB default - 8) PBOX000292: Insufficient method permissions [principal: null, EJB name: MyBatch, method: runBackgroundTasksAsync, interface: Local, required roles: Roles(<NOBODY>,), principal roles: Roles(), run-as roles: null]
14:09:30,005 DEBUG [org.jboss.security] (EJB default - 8) PBOX000299: Required module org.jboss.security.authorization.modules.DelegatingAuthorizationModule failed
14:09:30,005 DEBUG [org.jboss.security] (EJB default - 8) PBOX000325: Authorization processing error: org.jboss.security.authorization.AuthorizationException: PBOX000017: Acces denied: authorization failed
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.invokeAuthorize(JBossAuthorizationContext.java:268) [picketbox-4.0.21.Final.jar:4.0.21.Final]
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.access$000(JBossAuthorizationContext.java:71) [picketbox-4.0.21.Final.jar:4.0.21.Final]
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext$1.run(JBossAuthorizationContext.java:147) [picketbox-4.0.21.Final.jar:4.0.21.Final]
    at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_65]
    at org.jboss.security.plugins.authorization.JBossAuthorizationContext.authorize(JBossAuthorizationContext.java:143) [picketbox-4.0.21.Final.jar:4.0.21.Final]
    at org.jboss.security.plugins.JBossAuthorizationManager.internalAuthorization(JBossAuthorizationManager.java:429) [picketbox-4.0.21.Final.jar:4.0.21.Final]
    at org.jboss.security.plugins.JBossAuthorizationManager.authorize(JBossAuthorizationManager.java:115) [picketbox-4.0.21.Final.jar:4.0.21.Final]
    at org.jboss.security.plugins.javaee.EJBAuthorizationHelper.authorize(EJBAuthorizationHelper.java:318) [picketbox-4.0.21.Final.jar:4.0.21.Final]
    at org.jboss.as.security.service.SimpleSecurityManager.authorize(SimpleSecurityManager.java:303) [wildfly-security-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:133) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:439)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LogDiagnosticContextRecoveryInterceptor.processInvocation(LogDiagnosticContextRecoveryInterceptor.java:79) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AsyncFutureInterceptorFactory$1$2.runInvocation(AsyncFutureInterceptorFactory.java:97) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.as.ejb3.component.interceptors.AsyncInvocationTask.run(AsyncInvocationTask.java:73) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122)

14:09:30,008 TRACE [org.jboss.security.audit] (EJB default - 8) [Failure]Source=org.jboss.security.plugins.javaee.EJBAuthorizationHelper;Action=authorization;Resource:=[org.jboss.security.authorization.resources.EJBResource:contextMap={policyRegistration=null}:method=public void hugo.MyBatch.runBackgroundTasksAsync():ejbMethodInterface=Local:ejbName=MyBatch:ejbPrincipal=null:MethodRoles=Roles(<NOBODY>,):securityRoleReferences=null:callerSubject=Subject:
    Principal: anonymous
:callerRunAs=null:callerRunAs=null:ejbRestrictionEnforcement=false:ejbVersion=2.0];Exception:=PBOX000017: Acces denied: authorization failed ;policyRegistration=null;
14:09:30,008 TRACE [org.jboss.security] (EJB default - 8) PBOX000354: Setting security roles ThreadLocal: null
14:09:30,008 ERROR [org.jboss.as.ejb3.invocation] (EJB default - 8) JBAS014134: EJB Invocation failed on component MyBatch for method public void hugo.MyBatch.runBackgroundTasksAsync(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public void hugo.MyBatch.runBackgroundTasksAsync() of bean: MyBatch is not allowed
    at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:135) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:95) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:439)
    at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:326)
    at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
    at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
    at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:182)
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.LogDiagnosticContextRecoveryInterceptor.processInvocation(LogDiagnosticContextRecoveryInterceptor.java:79) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:309)
    at org.jboss.as.ejb3.component.interceptors.AsyncFutureInterceptorFactory$1$2.runInvocation(AsyncFutureInterceptorFactory.java:97) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at org.jboss.as.ejb3.component.interceptors.AsyncInvocationTask.run(AsyncInvocationTask.java:73) [wildfly-ejb3-8.2.0.Final.jar:8.2.0.Final]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
    at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
    at org.jboss.threads.JBossThread.run(JBossThread.java:122)

什么我到底做错了什么?

What the hell am I doing wrong?

推荐答案

使用JBoss 7.2,调用EJB方法的行为变得更加受限制。
因此,如果存在安全域,则在没有明确许可的情况下,每次调用没有安全限制的EJB(PermitAll,RolesAllowed或类似的注释/描述符条目)都将被拒绝。

With JBoss 7.2 the behavior at calling EJB methods has become more restricted.Thus if there is a security domain every call to a EJB without security restriction (PermitAll, RolesAllowed or similar annotations/descriptor entries) will be rejected without explicit permission.

要更改此行为,您可以在 jboss-ejb3.xml 描述符中添加以下选项:

To change this behavior you can add in jboss-ejb3.xml descriptor the following option:

<jboss:jboss
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
        xmlns:s="urn:security:1.1"
        version="3.1" impl-version="2.0">

    <assembly-descriptor>
        <s:security>
            <ejb-name>*</ejb-name>
            <s:missing-method-permissions-deny-access>false</s:missing-method-permissions-deny-access>
        </s:security>
    </assembly-descriptor>
</jboss:jboss>





    • jboss-ejb3.xml Reference
    • 这篇关于在wildfly中注入EJB时的安全性异常的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

09-01 17:50