User27854

Reputation: 884

Problems in accessing secure EJBs

I am new to WebSphere. I have written an EJB and have even deployed it, but when I try to access it, I get the following error. Is the problem with the bindings, or with configuring security or the realm?

    javax.ejb.EJBAccessException: SERVER (id=4773e3aa, host=localhost) TRACE START:
    javax.ejb.EJBAccessException: SECJ0053E: Authorization failed for ??? while invoking (Bean)d365-EB_OFSConnectorService-ejb_jar#d365-ModuleConnectorService-ejb.jar#ModuleConnectorServiceBean processOFS:java.lang.String:1 is not granted any of the required roles: d365user
        at com.ibm.ws.security.core.SecurityCollaborator.performAuthorization(SecurityCollaborator.java:626)
        at com.ibm.ws.security.core.EJSSecurityCollaborator.preInvoke(EJSSecurityCollaborator.java:265)
        at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:82)
        at com.ibm.ws.ejbcontainer.runtime.EJBSecurityCollaboratorAdapter.preInvoke(EJBSecurityCollaboratorAdapter.java:43)
        at com.ibm.ejs.container.EJSContainer.notifySecurityCollaboratorPreInvoke(EJSContainer.java:3895)
        at com.ibm.ejs.container.EJSContainer.preInvokeAfterActivate(EJSContainer.java:3825)
        at com.ibm.ejs.container.EJSContainer.EjbPreInvoke(EJSContainer.java:3046)
        at com.kaiser.services.ofsconnector.ejb.EJSRemote0SLModuleConnectorServiceBean_8c753384.processOFS(EJSRemote0SLModuleConnectorServiceBean_8c753384.java)
        at com.kaiser.services.ofsconnector.ejb._EJSRemote0SLModuleConnectorServiceBean_8c753384_Tie.processOFS__CORBA_WStringValue(_EJSRemote0SLModuleConnectorServiceBean_8c753384_Tie.java:1)
        at com.kaiser.services.ofsconnector.ejb._EJSRemote0SLModuleConnectorServiceBean_8c753384_Tie._invoke(_EJSRemote0SLModuleConnectorServiceBean_8c753384_Tie.java)
        at com.ibm.CORBA.iiop.ServerDelegate.dispatchInvokeHandler(ServerDelegate.java:669)
        at com.ibm.CORBA.iiop.ServerDelegate.dispatch(ServerDelegate.java:523)
        at com.ibm.rmi.iiop.ORB.process(ORB.java:523)
        at com.ibm.CORBA.iiop.ORB.process(ORB.java:1575)
        at com.ibm.rmi.iiop.Connection.doRequestWork(Connection.java:3039)
        at com.ibm.rmi.iiop.Connection.doWork(Connection.java:2922)
        at com.ibm.rmi.iiop.WorkUnitImpl.doWork(WorkUnitImpl.java:64)
        at com.ibm.ejs.oa.pool.PooledThread.run(ThreadPool.java:118)
        at com.ibm.ws.util.ThreadPool$Worker.run(ThreadPool.java:1862)
    SERVER (id=4773e3aa, host=localhost) TRACE END.

I have tried looking for it on Google but was not successful. Suggestions are welcome.

Update 1: In my ejb-jar.xml, security has been defined as:

    <assembly-descriptor>
        <security-role>
            <role-name>d365user</role-name>
        </security-role>
        <method-permission>
            <role-name>d365user</role-name>
            <method>
                <ejb-name>ModuleConnectorServiceBean</ejb-name>
                <method-name>*</method-name>
            </method>
            <method>
                <ejb-name>ModuleConnectorServiceBeanOMS</ejb-name>
                <method-name>*</method-name>
            </method>
        </method-permission>
    </assembly-descriptor>

ibm-ejb-jar-bnd.xml

    <?xml version="1.0" encoding="UTF-8"?>
    <ejb-jar-bnd xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://websphere.ibm.com/xml/ns/javaee"
        xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-ejb-jar-bnd_1_0.xsd" version="1.0">
      <session name="ModuleConnectorServiceBean">
        <resource-ref binding-name="jdbc/t24DataSource" name="jdbc/d365DataSource"/>
        <resource-ref binding-name="jdbc/d365LockingDataSource" name="jdbc/d365LockingDataSource"/>
      </session>

      <session name="ModuleConnectorServiceBeanOMS">
        <resource-ref name="jdbc/d365DataSource" binding-name="jdbc/d365DataSource"/>
        <resource-ref name="jdbc/d365LockingDataSource" binding-name="jdbc/d365LockingDataSource"/>
      </session>
    </ejb-jar-bnd>

Upvotes: 0

Views: 1947

Answers (2)

Gas

Reputation: 18030

    SECJ0053E: Authorization failed for ??? while invoking (Bean)d365-EB_OFSConnectorService-ejb_jar#d365-ModuleConnectorService-ejb.jar#ModuleConnectorServiceBean processOFS:java.lang.String:1 is not granted any of the required roles: d365user

Looks like your client is not performing correct authentication and is not passing credentials. If this is a standalone client, make sure you are invoking it with the correct config for SSL and CORBA, like this:

    <java_install_root>/bin/java \
      -classpath com.ibm.ws.ejb.thinclient_8.5.0.jar:<list_of_your_application_jars_and_classes> \
      -Djava.naming.provider.url=iiop://<your_application_server_machine_name> \
      -Dcom.ibm.SSL.ConfigURL=file:///home/user1/ssl.client.props \
      -Dcom.ibm.CORBA.ConfigURL=file:///home/user1/sas.client.props \
      <fully_qualified_class_name_to_run>

For more details, check "Running the IBM Thin Client for Enterprise JavaBeans (EJB)".

Upvotes: 1

M. Tamboli

Reputation: 386

I see an authorization error above. Please check security annotations like @RolesAllowed("roleName") in your EJB or the deployment descriptor (ejb-jar.xml) to see what roles are used to secure the EJB.

You need to map those roles to valid users in the user registry (i.e. LDAP). Only valid users will be allowed to access your EJB. You can use the admin console to map security roles to users/groups as mentioned below:

Applications -> WebSphere enterprise applications -> -> Security role to user/group mapping -> select the appropriate role and click on "Map user" to map users. Map Special Subject -> All Authenticated in Application's Realm can be used to give all authenticated users access instead of mapping individual users.

Upvotes: 0
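The console mapping described in the answer above can also be shipped with the application. The following is an added example, not part of the original answer: an `ibm-application-bnd.xml` for the EAR's `META-INF` directory that binds the `d365user` role declared in the question's `ejb-jar.xml`. The group name `d365-users` is a hypothetical registry group used only for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<application-bnd xmlns="http://websphere.ibm.com/xml/ns/javaee"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://websphere.ibm.com/xml/ns/javaee http://websphere.ibm.com/xml/ns/javaee/ibm-application-bnd_1_0.xsd"
    version="1.0">

  <!-- The role name must match <role-name> in ejb-jar.xml exactly;
       a role with no binding is granted to nobody, so every call
       to a method protected by it is rejected. -->
  <security-role name="d365user">

    <!-- Preferred: grant the role to one registry (e.g. LDAP) group.
         "d365-users" is a hypothetical group name. -->
    <group name="d365-users"/>

    <!-- Broader alternative, the file equivalent of the console's
         "All Authenticated in Application's Realm" special subject.
         It grants the role to every user who can authenticate, so
         enable it only when that is the intended policy.
    <special-subject type="ALL_AUTHENTICATED_USERS"/>
    -->

  </security-role>
</application-bnd>
```

With either mapping the caller must still authenticate: a client that sends no credentials is never matched to the group or to the all-authenticated subject.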
