Hello,
I'm a student and am currently doing some evaluation of the declarative security feature of Hibernate. Unfortunately I can't get it running. To be more precise, I use JBoss 4.0.3, Hibernate 3.1.3 and MySQL 5.0.17, and this is what I've done so far to get it running:
I've written a SessionBean (J2EE 1.4) with a simple method named "doSimpleTest" that uses Hibernate to persist an entity (models.Book) that was created in this same method. Only users in role "admin" are allowed to access this method. To have a subject that can be augmented with roles, I enabled the LoginModule "org.jboss.security.auth.spi.DatabaseServerLoginModule"
in login-config.xml for my application-policy named "foo". I access the bean via a standalone client which uses "org.jboss.security.ClientLoginModule" to pass the user's credentials to the server side, which then uses them for authentication and authorization in the "org.jboss.security.auth.spi.DatabaseServerLoginModule".
This authentication and authorization mechanism works: when I try to access the bean with a user in role admin, I'm granted access, but with a user not in role admin, access is denied, which is signaled by an exception.
But when the user gets access and the Hibernate code in method "doSimpleTest" is executed, I get the following exception stack trace:
13:29:24,000 ERROR [STDERR] java.lang.SecurityException: Denied: (javax.security.jacc.EJBMethodPermission models.Book insert)[*:insert()], caller=Betreff:
Principal: admin
Principal: Roles(members:admin)
13:29:24,000 ERROR [STDERR] at org.hibernate.secure.JACCPermissions.checkPermission(JACCPermissions.java:49)
13:29:24,000 ERROR [STDERR] at org.hibernate.secure.JACCPreInsertEventListener.onPreInsert(JACCPreInsertEventListener.java:29)
13:29:24,000 ERROR [STDERR] at org.hibernate.action.EntityInsertAction.preInsert(EntityInsertAction.java:138)
13:29:24,000 ERROR [STDERR] at org.hibernate.action.EntityInsertAction.execute(EntityInsertAction.java:44)
13:29:24,000 ERROR [STDERR] at org.hibernate.engine.ActionQueue.execute(ActionQueue.java:248)
13:29:24,000 ERROR [STDERR] at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:232)
13:29:24,000 ERROR [STDERR] at org.hibernate.engine.ActionQueue.executeActions(ActionQueue.java:139)
So apparently, JACC is not supported by JBoss. At least, I couldn't find any faults in the Hibernate source code regarding the use of the JACC API.
That is my hibernate.cfg.xml containing the listener setup for the persistence events and the permissions for the role "admin":
<hibernate-configuration>
  <!-- a SessionFactory instance listed as /jndi/name -->
  <session-factory>
    <!-- properties -->
    <property name="dialect">org.hibernate.dialect.MySQLInnoDBDialect</property>
    <property name="show_sql">true</property>
    <property name="use_outer_join">false</property>
    <property name="hibernate.transaction.factory_class">org.hibernate.transaction.JTATransactionFactory</property>
    <property name="hibernate.transaction.manager_lookup_class">org.hibernate.transaction.JBossTransactionManagerLookup</property>
    <property name="hibernate.connection.datasource">java:/MySqlDS</property>
    <property name="hibernate.max_fetch_depth">3</property>
    <!-- mapping files -->
    <mapping resource="models/Book.hbm.xml"/>
    <!-- HERE IS THE PROBLEM RELATED PART -->
    <listener type="pre-delete" class="org.hibernate.secure.JACCPreDeleteEventListener"/>
    <listener type="pre-update" class="org.hibernate.secure.JACCPreUpdateEventListener"/>
    <listener type="pre-insert" class="org.hibernate.secure.JACCPreInsertEventListener"/>
    <listener type="pre-load" class="org.hibernate.secure.JACCPreLoadEventListener"/>
  </session-factory>
  <security context="foo">
    <grant role="admin" entity-name="models.Book" actions="insert,update,read"/>
  </security>
</hibernate-configuration>
As you can see, I've also chosen the name "foo" for the id of the JACC security context, although I don't think that it has to be the same as the name of the application policy in login-config.xml.
What exactly do I have to do to get this to work, or where have I made a mistake?
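To make the check behind that "Denied" exception concrete, here is a small Python model (added here, not Hibernate or JBoss code) of the role-to-permission mapping that the `<security>` grants register and that the JACC pre-insert/update/delete/load listeners consult: one (entity, action) permission per role, scoped to a JACC policy context id, so a grant only applies when that same context id is the one active at call time. The `<security>` block is a constructed copy of the one in the post; the context id "other" is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed copy of the <security> block from the question; the rest of
# hibernate.cfg.xml plays no part in the permission decision and is omitted.
CFG_XML = """<hibernate-configuration>
  <security context="foo">
    <grant role="admin" entity-name="models.Book" actions="insert,update,read"/>
  </security>
</hibernate-configuration>"""

ALL_ACTIONS = ("insert", "read", "update", "delete")

def load_policy(cfg_xml):
    """Return {context_id: {role: {(entity_name, action), ...}}}.
    Models what Hibernate's JACCConfiguration registers: one
    EJBMethodPermission(entity, action) per role, under the policy context
    id named in <security context="...">; "*" expands to all four actions.
    """
    policy = {}
    for sec in ET.fromstring(cfg_xml).findall("security"):
        roles = policy.setdefault(sec.get("context"), {})
        for grant in sec.findall("grant"):
            actions = [a.strip() for a in grant.get("actions").split(",")]
            if "*" in actions:
                actions = list(ALL_ACTIONS)
            perms = roles.setdefault(grant.get("role"), set())
            perms.update((grant.get("entity-name"), a) for a in actions)
    return policy

def check_permission(policy, active_context, caller_roles, entity, action):
    """The yes/no a JACC pre-insert/update/delete/load listener asks for.
    A grant counts only if it was registered under the policy context id
    that is active on the calling thread; the same role under another
    context id is denied, which is why the context attribute matters.
    """
    roles = policy.get(active_context, {})
    return any((entity, action) in roles.get(r, set()) for r in caller_roles)

def describe(policy, active_context, caller_roles, entity, action):
    """One line in the shape of the exception message from the question."""
    if check_permission(policy, active_context, caller_roles, entity, action):
        return "Granted: %s %s" % (entity, action)
    return "Denied: (EJBMethodPermission %s %s), roles=%s, context=%s" % (
        entity, action, ",".join(sorted(caller_roles)), active_context)

if __name__ == "__main__":
    p = load_policy(CFG_XML)
    print(describe(p, "foo", {"admin"}, "models.Book", "insert"))
    print(describe(p, "other", {"admin"}, "models.Book", "insert"))
```

Running it shows the admin role granted "insert" under context "foo" but denied the identical request under "other", and denied "delete" under "foo" because the grant never listed it.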