Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

JWS Security problem

0 views
Skip to first unread message

Paul Folbrecht

unread,
Nov 6, 2002, 10:05:29 AM11/6/02
to
I am getting a security-related exception on a bean call when running
the Rome client through JWS, even though the bean specifies unchecked
permissions (which actually has nothing at all to do with it) and
WebStart app is given "all-permissions".

The trace:

THREAD 'AWT-EventQueue-1': WARN: Error calling
InstrumentWriterService: java.security.AccessControlException: access
denied (java.lang.RuntimePermission
org.jboss.security.SecurityAssociation.getPrincipalInfo)
java.security.AccessControlException: access denied
(java.lang.RuntimePermission
org.jboss.security.SecurityAssociation.getPrincipalInfo) at
java.security.AccessControlContext.checkPermission(AccessControlContext.java:270)
at java.security.AccessController.checkPermission(AccessController.java:401)
at java.lang.SecurityManager.checkPermission(SecurityManager.java:542)
at org.jboss.security.SecurityAssociation.getPrincipal(SecurityAssociation.java:109)
at org.jboss.proxy.SecurityInterceptor.invoke(SecurityInterceptor.java:72)
at org.jboss.proxy.ejb.HomeInterceptor.invoke(HomeInterceptor.java:198)
at org.jboss.proxy.ClientContainer.invoke(ClientContainer.java:76) at
$Proxy0.create(Unknown Source)
at com.starkinvestments.rigor.client.model.InstrumentWriterProxy.write(InstrumentWriterProxy.java:43)

From the .JNLP file:

<security>
<all-permissions/>
</security>

From the bean's dd:

<method-permission>
<unchecked/>
<method>
<ejb-name>com.starkinvestments.service.instrument.writer.InstrumentWriterServiceHome</ejb-name>
<method-name>*</method-name>
</method>
</method-permission>

Now, obviously JWS always installs a SecurityManager even when a given
app has all-permissions set; however, you'd think any
SecurityManager.checkXXX() method would pass in that case. It
doesn't, which seems totally screwy to me.

I think what I might need to do to fix this would be to add another
<security> tag in the JNLP to grant a RuntimePermission of
"org.jboss.security.SecurityAssociation.getPrincipalInfo". I guess
the problem would be that this JBoss-specific Permission simply never
gets added. When org.jboss.proxy.SecurityInterceptor.invoke() is
called, it finds the installed SecurityManager, calls
checkPermission() looking for this specific Permission, and this call
throws the AccessControlException as it always does when the specified
Permission doesn't exist.

So, though only thing I need to know is the JNLP syntax for adding a
RuntimePermission, which I haven't been able to find.

0 new messages