Posted to user@geronimo.apache.org by Quintin Beukes <qu...@last.za.net> on 2009/10/19 12:15:34 UTC

Geronimo 2.2 fails can't load beans with @RunAs("Role")

Hey,

I have the following in my deploy plan:
  <sec:security>
    <sec:role-mappings>
      <sec:role role-name="Admin">
        <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                       name="Admin"/>
      </sec:role>
    </sec:role-mappings>
  </sec:security>

When I add @RunAs("Admin") to a bean, I get the following:
2009-10-19 12:11:30,857 INFO  [startup] Assembling app:
/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar
2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanLocal) -->
Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
2009-10-19 12:11:30,891 INFO  [startup] Jndi(name=SiteBeanRemote) -->
Ejb(deployment-id=KMSPlatform-ejb/SiteBean)
2009-10-19 12:11:30,892 INFO  [startup]
Jndi(name=InitializeDataBeanLocal) -->
Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean)
2009-10-19 12:11:30,892 INFO  [startup]
Jndi(name=KMSPlatformEjbStartupBeanLocal) -->
Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean)
2009-10-19 12:11:30,892 INFO  [startup]
Jndi(name=SpringContextBeanLocal) -->
Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean)
2009-10-19 12:11:30,892 INFO  [startup] Created
Ejb(deployment-id=KMSPlatform-ejb/KMSPlatformEjbStartupBean,
ejb-name=KMSPlatformEjbStartupBean,
container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created
Ejb(deployment-id=KMSPlatform-ejb/SpringContextBean,
ejb-name=SpringContextBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created
Ejb(deployment-id=KMSPlatform-ejb/SiteBean, ejb-name=SiteBean,
container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Created
Ejb(deployment-id=KMSPlatform-ejb/InitializeDataBean,
ejb-name=InitializeDataBean, container=DefaultStatelessContainer)
2009-10-19 12:11:30,892 INFO  [startup] Deployed
Application(path=/opt/kms/server/geronimo-2.2-20091019/var/temp/geronimo-deployer49287.tmpdir/KMSPlatform-ejb.jar)
2009-10-19 12:11:30,894 ERROR [GBeanInstanceState] Error while
starting; GBean is now in the FAILED state:
abstractName="net.kunye/KMSPlatform-ejb/1.0/jar?EJBModule=net.kunye/KMSPlatform-ejb/1.0/jar,J2EEApplication=null,j2eeType=StatelessSessionBean,name=KMSPlatformEjbStartupBean"
java.lang.IllegalStateException: no run-as identity configured for role: Admin
	at org.apache.geronimo.security.jacc.mappingprovider.ApplicationPrincipalRoleConfigurationManager.getSubjectForRole(ApplicationPrincipalRoleConfigurationManager.java:109)
	at org.apache.geronimo.openejb.EjbDeployment.<init>(EjbDeployment.java:109)
	at org.apache.geronimo.openejb.EjbDeploymentGBean.<init>(EjbDeploymentGBean.java:56)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:39)
	at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:27)
	at java.lang.reflect.Constructor.newInstance(Constructor.java:513)
	at org.apache.xbean.recipe.ReflectionUtil$ConstructorFactory.create(ReflectionUtil.java:952)
	at org.apache.xbean.recipe.ObjectRecipe.internalCreate(ObjectRecipe.java:276)
	at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:96)
	at org.apache.xbean.recipe.AbstractRecipe.create(AbstractRecipe.java:61)
	at org.apache.geronimo.gbean.runtime.GBeanInstance.createInstance(GBeanInstance.java:911)
	at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:269)
	at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
	at org.apache.geronimo.gbean.runtime.GBeanInstance.start(GBeanInstance.java:525)
	at org.apache.geronimo.gbean.runtime.GBeanDependency.attemptFullStart(GBeanDependency.java:110)
	at org.apache.geronimo.gbean.runtime.GBeanDependency.addTarget(GBeanDependency.java:145)
	at org.apache.geronimo.gbean.runtime.GBeanDependency$1.running(GBeanDependency.java:119)
	at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.fireRunningEvent(BasicLifecycleMonitor.java:175)
	at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor.access$300(BasicLifecycleMonitor.java:44)
	at org.apache.geronimo.kernel.basic.BasicLifecycleMonitor$RawLifecycleBroadcaster.fireRunningEvent(BasicLifecycleMonitor.java:253)
	at org.apache.geronimo.gbean.runtime.GBeanInstanceState.attemptFullStart(GBeanInstanceState.java:295)
	at org.apache.geronimo.gbean.runtime.GBeanInstanceState.start(GBeanInstanceState.java:103)
	at org.apache.geronimo.gbean.runtime.GBeanInstanceState.startRecursive(GBeanInstanceState.java:125)
	at org.apache.geronimo.gbean.runtime.GBeanInstance.startRecursive(GBeanInstance.java:539)
	at org.apache.geronimo.kernel.basic.BasicKernel.startRecursiveGBean(BasicKernel.java:377)
	at org.apache.geronimo.kernel.config.ConfigurationUtil.startConfigurationGBeans(ConfigurationUtil.java:456)
	at org.apache.geronimo.kernel.config.KernelConfigurationManager.start(KernelConfigurationManager.java:190)
	at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:546)
	at org.apache.geronimo.kernel.config.SimpleConfigurationManager.startConfiguration(SimpleConfigurationManager.java:527)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
	at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
	at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
	at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
	at org.apache.geronimo.kernel.KernelGBean.invoke(KernelGBean.java:342)
	at sun.reflect.GeneratedMethodAccessor105.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.geronimo.gbean.runtime.ReflectionMethodInvoker.invoke(ReflectionMethodInvoker.java:34)
	at org.apache.geronimo.gbean.runtime.GBeanOperation.invoke(GBeanOperation.java:130)
	at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
	at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
	at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
	at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
	at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
	at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
	at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
	at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
	at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
	at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
	at sun.rmi.transport.Transport$1.run(Transport.java:159)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
	at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
	at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
	at java.lang.Thread.run(Thread.java:619)
2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing

Can someone please advise.

Quintin Beukes

Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")

Posted by David Jencks <da...@yahoo.com>.
On Oct 21, 2009, at 12:31 PM, Quintin Beukes wrote:

> Hey,
>
> I figured if I can get something like this going it would work
> perfectly.
>
> a. Create a security realm with a single user, which has a single
> GroupPrincipal of "Admin".
> b. Configure the EJB to authenticate against this user/realm.
> c. Disable the security realm from outside authentication. Meaning,
> ONLY applications can authenticate against it (i.e. no remote clients
> via OpenEJB).
>
> Can anyone give me a basic overview of how this is possible, even if
> some server modifications need to be made?

(2.2 only)

IIRC openejb only uses security realms with the global flag set to  
true.  So I think you can set up a non-global security realm, refer to  
it from a credentials store instance, and get this to work.  You  
should check that I'm right about this.

thanks
david jencks
>
> Quintin Beukes
>
>
>
> On Mon, Oct 19, 2009 at 8:35 PM, Quintin Beukes  
> <qu...@skywalk.co.za> wrote:
>> It has to run secured methods like managing the modules, roles, etc.
>> It's all specified via Spring beans loaded when the application is
>> deployed. The @Startup singleton in each module would be called,
>> queries the module management to see if it has been installed, and if
>> not starts setting up the module.
>>
>> It's very important for some of the methods it accesses to be secure. I
>> temporarily deactivated the security, but will need to find a way to
>> run as role "Admin".
>>
>> Can you please explain
>> 1. Security configured in a GBean instead of EJB
>> 2. Dummy security realm. I was thinking of this one as well. I was
>> thinking of a simple properties realm. Is there something simpler? And
>> if I do this, do I then use the CredentialStore for the run-as?
>>
>> Quintin Beukes
>>
>>
>>
>> On Mon, Oct 19, 2009 at 6:26 PM, David Jencks  
>> <da...@yahoo.com> wrote:
>>> As far as I understand what you are trying to do, you can't do this.
>>>
>>> Does the postConstruct method need to call some other secured ejbs?
>>>  otherwise it seems as if you could just run it with no role...
>>>
>>> I can think of a number of possible ways to get around this but I'd like to
>>> know more about your situation.... e.g. maybe setting up security in a gbean
>>> rather than an ejb, or constructing another dummy security realm with a
>>> principal that maps to role "Admin".
>>>
>>> thanks
>>> david jencks
>>>
>>> On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:
>>>
>>>> I failed to add that I can't specify credentials for this runas,
>>>> because this is the bean that is supposed to initialize those
>>>> credentials, so if it's the first time it loads, it will fail to log
>>>> in, which means it will never work.
>>>>
>>>> I need some way to run-as "Admin" without having to specify
>>>> credentials. It's not a security leak, as this bean ONLY has an
>>>> @PostConstruct method, so no methods are exposed which can be
>>>> exploited, so magic execution as "Admin" is acceptable.
>>>>
>>>> Quintin Beukes

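Added example, not from this thread and not Geronimo's own configuration: one way the pieces David describes (a non-global realm referenced from a credential store) and Quintin's steps a-c could be laid out in the EJB module's deployment plan, so that the role mapping from the original post carries the run-as identity the error message says is missing. Element names are recalled from the Geronimo 2.x security-2.0, loginconfig-2.0 and credentialstore-1.0 schemas and should be checked against the XSDs in your build, as David says of his own suggestion; the realm name, user id, password and file paths are constructed placeholders.

```xml
<!-- openejb-jar.xml (EJB module deployment plan), security section.
     Added example, not from the thread or from Geronimo itself.
     Element names are recalled from the Geronimo 2.x security-2.0,
     loginconfig-2.0 and credentialstore-1.0 schemas; check them against
     the XSDs in your build. Realm name, user id, password and file
     paths are constructed placeholders. -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">

  <!-- Where the container looks up run-as subjects: the credential
       store GBean defined further down in this same plan. -->
  <sec:credential-store-ref>
    <sec:name>KMSStartupCredentialStore</sec:name>
  </sec:credential-store-ref>

  <sec:role-mappings>
    <sec:role role-name="Admin">
      <!-- What the plan in the original post lacks: the stored identity
           the container logs in as when a bean declares @RunAs("Admin").
           Without it, getSubjectForRole() throws "no run-as identity
           configured for role: Admin" while the EJB GBean is started. -->
      <sec:run-as-subject>
        <sec:realm>kms-startup-realm</sec:realm>
        <sec:id>startup</sec:id>
      </sec:run-as-subject>
      <sec:principal
          class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
          name="Admin"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>

<!-- Steps (a) and (c): a properties-file realm holding the single
     startup user. global=false keeps it out of the set of realms
     OpenEJB offers to remote clients (David's recollection above), so
     the identity exists only for in-server run-as. -->
<gbean name="kms-startup-realm"
       class="org.apache.geronimo.security.realm.GenericSecurityRealm">
  <attribute name="realmName">kms-startup-realm</attribute>
  <attribute name="global">false</attribute>
  <xml-reference name="LoginModuleConfiguration">
    <log:login-config xmlns:log="http://geronimo.apache.org/xml/ns/loginconfig-2.0">
      <log:login-module control-flag="REQUIRED" wrap-principals="false">
        <log:login-domain-name>kms-startup-realm</log:login-domain-name>
        <log:login-module-class>org.apache.geronimo.security.realm.providers.PropertiesFileLoginModule</log:login-module-class>
        <!-- users file holds "startup=<password>"; groups file holds
             "Admin=startup", so this user carries exactly one group. -->
        <log:option name="usersURI">var/security/kms-startup-users.properties</log:option>
        <log:option name="groupsURI">var/security/kms-startup-groups.properties</log:option>
      </log:login-module>
    </log:login-config>
  </xml-reference>
  <reference name="ServerInfo"><name>ServerInfo</name></reference>
</gbean>

<!-- Step (b): the credential store that holds the startup user's login,
     so the run-as subject is built from server-side configuration rather
     than from the application's own (not yet initialised) credentials. -->
<gbean name="KMSStartupCredentialStore"
       class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl">
  <xml-attribute name="credentialStore">
    <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
      <realm name="kms-startup-realm">
        <subject>
          <id>startup</id>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
            <value>startup</value>
          </credential>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
            <value>CHANGE-ME-placeholder-password</value>
          </credential>
        </subject>
      </realm>
    </credential-store>
  </xml-attribute>
  <reference name="Realms"><name>kms-startup-realm</name></reference>
</gbean>
```

Two design points worth keeping in mind with this layout. The startup user's password sits in the plan and in the users properties file, so both must be handled as secrets (generated per installation, not checked into the module); and the groups file maps the user to the single group "Admin", so the run-as identity carries no more than the role the startup bean actually declares. If the realm or credential store names do not resolve at deploy time you will see a GBean start failure for the EJB module rather than a runtime login error, which is the same place the "no run-as identity" exception surfaces in the original post.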

Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")

Posted by Quintin Beukes <qu...@skywalk.co.za>.
Hey,

I figured if I can get something like this going it would work perfectly.

a. Create a security realm with a single user, which has a single
GroupPrincipal of "Admin".
b. Configure the EJB to authenticate against this user/realm.
c. Disable the security realm from outside authentication. Meaning,
ONLY applications can authenticate against it (i.e. no remote clients
via OpenEJB).

Can anyone give me a basic overview of how this is possible, even if
some server modifications need to be made?

Quintin Beukes



On Mon, Oct 19, 2009 at 8:35 PM, Quintin Beukes <qu...@skywalk.co.za> wrote:
> It has to run secured methods like managing the modules, roles, etc.
> It's all specified via Spring beans loaded when the application is
> deployed. The @Startup singleton in each module would be called,
> queries the module management to see if it has been installed, and if
> not starts setting up the module.
>
> It's very important for some of the methods it accesses to be secure. I
> temporarily deactivated the security, but will need to find a way to
> run as role "Admin".
>
> Can you please explain
> 1. Security configured in a GBean instead of EJB
> 2. Dummy security realm. I was thinking of this one as well. I was
> thinking of a simple properties realm. Is there something simpler? And
> if I do this, do I then use the CredentialStore for the run-as?
>
> Quintin Beukes
>
>
>
> On Mon, Oct 19, 2009 at 6:26 PM, David Jencks <da...@yahoo.com> wrote:
>> As far as I understand what you are trying to do, you can't do this.
>>
>> Does the postConstruct method need to call some other secured ejbs?
>>  otherwise it seems as if you could just run it with no role...
>>
>> I can think of a number of possible ways to get around this but I'd like to
>> know more about your situation.... e.g. maybe setting up security in a gbean
>> rather than an ejb, or constructing another dummy security realm with a
>> principal that maps to role "Admin".
>>
>> thanks
>> david jencks
>>
>> On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:
>>
>>> I failed to add that I can't specify credentials for this runas,
>>> because this is the bean that is supposed to initialize those
>>> credentials, so if it's the first time it loads, it will fail to log
>>> in, which means it will never work.
>>>
>>> I need some way to run-as "Admin" without having to specify
>>> credentials. It's not a security leak, as this bean ONLY has an
>>> @PostConstruct method, so no methods are exposed which can be
>>> exploited, so magic execution as "Admin" is acceptable.
>>>
>>> Quintin Beukes
>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>       at
>>>> javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
>>>>       at
>>>> javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
>>>>       at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
>>>>       at
>>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>       at java.lang.reflect.Method.invoke(Method.java:597)
>>>>       at
>>>> sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>>>>       at sun.rmi.transport.Transport$1.run(Transport.java:159)
>>>>       at java.security.AccessController.doPrivileged(Native Method)
>>>>       at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>>>>       at
>>>> sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>>>>       at
>>>> sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
>>>>       at
>>>> sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
>>>>       at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>>>>       at
>>>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>>>>       at java.lang.Thread.run(Thread.java:619)
>>>> 2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing
>>>>
>>>> Can someone please advise.
>>>>
>>>> Quintin Beukes
>>>>
>>
>>
>

Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")

Posted by Quintin Beukes <qu...@skywalk.co.za>.
It has to run secured methods like managing the modules, roles, etc.
It's all specified via Spring beans loaded when the application is
deployed. The @Startup singleton in each module gets called, queries
the module management to see if it has been installed, and if not
starts setting up the module.

It's very important for some of the methods it accesses to be secure. I
temporarily deactivated the security, but will need to find a way to
run as role "Admin".

Can you please explain:
1. Security configured in a GBean instead of EJB
2. Dummy security realm. I was thinking of this one as well. I was
thinking of a simple properties realm. Is there something simpler? And
if I do this, do I then use the CredentialStore for the run-as?

Quintin Beukes



On Mon, Oct 19, 2009 at 6:26 PM, David Jencks <da...@yahoo.com> wrote:
> As far as I understand what you are trying to do, you can't do this.
>
> Does the postConstruct method need to call some other secured ejbs?
> Otherwise it seems as if you could just run it with no role...
>
> I can think of a number of possible ways to get around this but I'd like to
> know more about your situation, e.g. maybe setting up security in a gbean
> rather than an ejb, or constructing another dummy security realm with a
> principal that maps to role "Admin".
>
> thanks
> david jencks
>
> On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:
>
>> I failed to add that I can't specify credentials for this runas,
>> because this is the bean that is supposed to initialize those
>> credentials, so if it's the first time it loads, it will fail to log
>> in, which means it will never work.
>>
>> I need some way to run-as "Admin" without having to specify
>> credentials. It's not a security leak, as this bean ONLY has an
>> @PostConstruct method, so no methods are exposed which can be
>> exploited, so magic execution as "Admin" is acceptable.
>>
>> Quintin Beukes
>>
>>
>>
>> On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <qu...@last.za.net>
>> wrote:
>>>
>>> Hey,
>>>
>>> I have the following in my deploy plan:
>>>  <sec:security>
>>>   <sec:role-mappings>
>>>     <sec:role role-name="Admin">
>>>       <sec:principal
>>>
>>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>>                 name="Admin"/>
>>>     </sec:role>
>>>   </sec:role-mappings>
>>>  </sec:security>
>>>
>>> When I add @RunAs("Admin") to a bean, I get the following:
>>>
>>> Can someone please advise.
>>>
>>> Quintin Beukes
>>>
>
>

Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")

Posted by David Jencks <da...@yahoo.com>.
As far as I understand what you are trying to do, you can't do this.

Does the postConstruct method need to call some other secured ejbs?
Otherwise it seems as if you could just run it with no role...

I can think of a number of possible ways to get around this but I'd
like to know more about your situation, e.g. maybe setting up
security in a gbean rather than an ejb, or constructing another dummy
security realm with a principal that maps to role "Admin".

thanks
david jencks

On Oct 19, 2009, at 3:20 AM, Quintin Beukes wrote:

> I failed to add that I can't specify credentials for this runas,
> because this is the bean that is supposed to initialize those
> credentials, so if it's the first time it loads, it will fail to log
> in, which means it will never work.
>
> I need some way to run-as "Admin" without having to specify
> credentials. It's not a security leak, as this bean ONLY has an
> @PostConstruct method, so no methods are exposed which can be
> exploited, so magic execution as "Admin" is acceptable.
>
> Quintin Beukes
>
>
>
> On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes  
> <qu...@last.za.net> wrote:
>> Hey,
>>
>> I have the following in my deploy plan:
>>  <sec:security>
>>    <sec:role-mappings>
>>      <sec:role role-name="Admin">
>>        <sec:principal
>> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>>                  name="Admin"/>
>>      </sec:role>
>>    </sec:role-mappings>
>>  </sec:security>
>>
>> When I add @RunAs("Admin") to a bean, I get the following:
>>
>> Can someone please advise.
>>
>> Quintin Beukes
>>

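Concretely wiring up the "dummy security realm" David suggests above, and the CredentialStore question from Quintin's reply earlier in the thread, as an added example that is not part of this mailing-list thread or of Geronimo's own configuration: a run-as subject for role Admin resolved through the server's credential store rather than the application's own user database. Element and namespace names follow my recollection of the Geronimo 2.x security-2.0 and credentialstore-1.0 schemas and should be checked against the XSDs shipped with the server; the realm name kms-bootstrap, the subject id, the user name and the password are placeholders, and a properties-file realm named kms-bootstrap with user bootstrap in group Admin is assumed to exist.

```xml
<!-- Added example, not from this thread. Two fragments of a Geronimo 2.2 deploy
     plan. Element names are from my reading of the security-2.0 and
     credentialstore-1.0 schemas; verify against the server's schema/ directory.
     Assumed: a properties-file realm "kms-bootstrap" already exists, with user
     "bootstrap" in group "Admin". -->

<!-- (1) The application's security block. The run-as-subject is the piece the
     deploy-time exception "no run-as identity configured for role: Admin" is
     looking for: it names the stored subject the container logs in as for
     @RunAs("Admin"). The principal mapping is the one from the original post. -->
<sec:security xmlns:sec="http://geronimo.apache.org/xml/ns/security-2.0">
  <sec:credential-store-ref>
    <sec:name>CredentialStore</sec:name>   <!-- GBean name of the store, see (2) -->
  </sec:credential-store-ref>
  <sec:role-mappings>
    <sec:role role-name="Admin">
      <sec:run-as-subject>
        <sec:realm>kms-bootstrap</sec:realm>   <!-- dummy realm, not the app's user DB -->
        <sec:id>bootstrap-admin</sec:id>       <!-- subject id inside the credential store -->
      </sec:run-as-subject>
      <sec:principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
                     name="Admin"/>
    </sec:role>
  </sec:role-mappings>
</sec:security>

<!-- (2) Credential store entry. The run-as subject is created when the EJB
     deployment starts by logging "bootstrap" into realm "kms-bootstrap" with
     these callbacks, so the startup bean never needs credentials from the
     database it is about to seed. The password sits in this plan as written:
     keep the file readable by the server account only, and make the bootstrap
     user a member of nothing but the Admin group. -->
<gbean name="CredentialStore"
       class="org.apache.geronimo.security.credentialstore.SimpleCredentialStoreImpl"
       xmlns="http://geronimo.apache.org/xml/ns/deployment-1.2">
  <xml-attribute name="credentialStore">
    <credential-store xmlns="http://geronimo.apache.org/xml/ns/credentialstore-1.0">
      <realm name="kms-bootstrap">
        <subject>
          <id>bootstrap-admin</id>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.NameCallbackHandler</type>
            <value>bootstrap</value>
          </credential>
          <credential>
            <type>org.apache.geronimo.security.credentialstore.PasswordCallbackHandler</type>
            <value>CHANGE-ME-placeholder-password</value>
          </credential>
        </subject>
      </realm>
    </credential-store>
  </xml-attribute>
  <reference name="Realms">
    <name>kms-bootstrap</name>
  </reference>
</gbean>
```

Because the subject is taken from the credential store at deployment and not from the application's own tables, the role mapping and the credential store entry must exist before the bean's @PostConstruct first runs; if the exception from the original post still appears, the credential-store-ref name or the realm/id pair does not match an entry in the store.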

Re: Geronimo 2.2 fails can't load beans with @RunAs("Role")

Posted by Quintin Beukes <qu...@last.za.net>.
I failed to add that I can't specify credentials for this runas,
because this is the bean that is supposed to initialize those
credentials, so if it's the first time it loads, it will fail to log
in, which means it will never work.

I need some way to run-as "Admin" without having to specify
credentials. It's not a security leak, as this bean ONLY has an
@PostConstruct method, so no methods are exposed which can be
exploited, so magic execution as "Admin" is acceptable.

Quintin Beukes



On Mon, Oct 19, 2009 at 12:15 PM, Quintin Beukes <qu...@last.za.net> wrote:
> Hey,
>
> I have the following in my deploy plan:
>  <sec:security>
>    <sec:role-mappings>
>      <sec:role role-name="Admin">
>        <sec:principal
> class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal"
>                  name="Admin"/>
>      </sec:role>
>    </sec:role-mappings>
>  </sec:security>
>
> When I add @RunAs("Admin") to a bean, I get the following:
>        at org.apache.geronimo.gbean.runtime.GBeanInstance.invoke(GBeanInstance.java:851)
>        at org.apache.geronimo.kernel.basic.BasicKernel.invoke(BasicKernel.java:237)
>        at org.apache.geronimo.system.jmx.MBeanGBeanBridge.invoke(MBeanGBeanBridge.java:172)
>        at com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:836)
>        at com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:761)
>        at javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1426)
>        at javax.management.remote.rmi.RMIConnectionImpl.access$200(RMIConnectionImpl.java:72)
>        at javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1264)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1366)
>        at javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:788)
>        at sun.reflect.GeneratedMethodAccessor25.invoke(Unknown Source)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:597)
>        at sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:305)
>        at sun.rmi.transport.Transport$1.run(Transport.java:159)
>        at java.security.AccessController.doPrivileged(Native Method)
>        at sun.rmi.transport.Transport.serviceCall(Transport.java:155)
>        at sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:535)
>        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:790)
>        at sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:649)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:885)
>        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:907)
>        at java.lang.Thread.run(Thread.java:619)
> 2009-10-19 12:11:30,894 INFO  [SessionFactoryImpl] closing
>
> Can someone please advise.
>
> Quintin Beukes
>