
I'm trying to log all EJB method authorization calls, but am having some difficulty configuring my aspect to be called. I've created my pointcut as generically as possible to advise my EJBs directly, but I'm not having success.

Primarily, I need to log any failed authorizations.

My application server is JBoss 4.2.1GA, but its own authorization aspect/interceptor seems to be taking precedence over my own pointcut. I am not entirely sure why, as I have set my pointcut to call() instead of execute(), expecting that my advice would be executed before anything else, but that does not seem to work.

I'm using LTW with AspectJ 1.6.

This is my aspect definition:

import org.apache.log4j.Logger;   // logger type assumed; the original only shows warn()/error() calls
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;

// The fully qualified class name must match the <aspect name="..."/> entry in aop.xml.
@Aspect
public class EJBAccessLogger {

    private static final Logger logger = Logger.getLogger(EJBAccessLogger.class);

    // Any call to a method carrying an annotation from javax.annotation.security (e.g. @RolesAllowed)
    @Pointcut("call(@(javax.annotation.security..*) * *.*(..))")
    public void securedEJB() {}

    @Around("securedEJB()")
    public Object logEJBAccess(ProceedingJoinPoint pjp) throws Throwable {
        logger.warn("EJB CHECK HERE!!!!!!!!!!!");
        Object o = null;
        try {
            o = pjp.proceed();
        } catch (Throwable e) {
            // Log and rethrow so the caller still sees the failure
            logger.error("EJB Threw Exception " + e);
            e.printStackTrace();
            throw e;
        }
        return o;
    }
}

Yet, for all my secured EJB methods, I get the JBoss aspect that is checking for security rights prior to my own calls to method and hence this advice is never ever run.

An example of a call is:

OrganizationManager om = (OrganizationManager)SessionBeanLocator.getSessionBean(OrganizationManager.class);
om.getThirdPartyOrgsForLogin( "asdf", null );
System.out.println( "OM" + om );

Where OM is the interface to the EJB bean:

   @RolesAllowed({UserRole.ADMINISTRATOR})
   @TransactionAttribute(TransactionAttributeType.NEVER)
   public List getThirdPartyOrgsForLogin(String username, ContextInfo contextInfo) throws BusinessException {
   ...
   ...
   }

When I add a debugger into the mix, and set a breakpoint on the first log statement, it doesn't even get hit. The logger isn't even called. But I do see JBoss' org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor class invoked.

I even tried adding a precedence to aop.xml, but that failed (not surprisingly):

<aspectj>
    <aspects>
        <aspect name="security.ejbAccessLogger" />
        <concrete-aspect name="security.ejbAccessLogger" precedence="security.logger.EJBAccessLogger,org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor"/>
    </aspects>
    <weaver options="-verbose -showWeaveInfo -debug" />
</aspectj>

Is there a reason why JBoss' interceptor would be called prior to mine? Is there any way I can advise my EJB authorization calls?

Eric B.
  • It would be easier to write a JBoss interceptor and include that in the `standardjboss.xml` configuration file. – Steve C Aug 23 '16 at 12:01
  • @Stevec I was hoping to make it container agnostic, but if I can't then I'm happy to look at alternatives. Can you provide some more details on jboss interceptors? I've never had the need/occasion to write one before. – Eric B. Aug 23 '16 at 12:03
  • There's no point in making it container agnostic as Java EE has had a standard way of implementing EJB interceptors since version 5. Have a look in `standardjboss.xml` and then google any of the interceptor classes. It's open source and the source code will pop up. – Steve C Aug 23 '16 at 12:20
  • @SteveC Thanks. Based on your suggestion, I tried a few things, but the RoleBasedAuthorizationInterceptor keeps firing before my own interceptor, so I can't catch an `EJBAccessException`. A little more digging and I found an `ejb-interceptors-aop.xml` file that declares this interceptor at the top of a stack. From what I can tell, the only way to "wrap" / "beat" the `RoleBasedAuthorizationInterceptor` is to create my own JBoss interceptor, but then it becomes very much a container thing. Docs for JBoss interceptors are lacking/missing. And I was hoping to avoid that with AspectJ. – Eric B. Aug 23 '16 at 20:01
  • Obviously AspectJ is the inner and JBoss AOP the outer shell of AOP code wrapped around your actual business code. This and the fact that according to the documentation "RoleBasedAuthorizationInterceptor checks that the **caller** principal is authorized to call a method..." tells you that the JBoss interceptor is also conceptually a `call()` pointcut rather than an `execution()` one. If you want to "beat" this interceptor it means you want to actually hack JBoss security. Is that your purpose? – kriegaex Sep 03 '16 at 08:08
  • If so and your LTW weaving agent is initialised before JBoss container classes are initialised, theoretically you could intercept `RoleBasedAuthorizationInterceptor.invoke(Invocation)` in order to catch any exceptions. But you would not be very nice then. ;-) – kriegaex Sep 03 '16 at 08:21
  • Another question: Do any of your aspects work? I mean, have you verified that AspectJ is configured correctly at all? – kriegaex Sep 03 '16 at 08:23
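The approach kriegaex sketches in the comments, written out as an added example (this is not code from the original post, and it is not JBoss's own code). It advises `RoleBasedAuthorizationInterceptor.invoke(Invocation)` itself with an `execution()` pointcut, so the advice wraps the container's authorization check instead of sitting inside it. Assumptions, none of which the page verifies: the AspectJ LTW agent is loaded before the JBoss container classes and is allowed to weave them; `invoke(Invocation)` has the signature named in the comment; a denied call surfaces as `javax.ejb.EJBAccessException`; the invocation is a JBoss AOP `MethodInvocation` exposing `getMethod()`; the package `security.logger` and the class name are made up for the example. The advice rethrows the exception unchanged, so it only observes the denial and does not alter the authorization decision.

```java
package security.logger;

import javax.ejb.EJBAccessException;
import org.apache.log4j.Logger;
import org.aspectj.lang.ProceedingJoinPoint;
import org.aspectj.lang.annotation.Around;
import org.aspectj.lang.annotation.Aspect;
import org.aspectj.lang.annotation.Pointcut;
import org.jboss.aop.joinpoint.Invocation;
import org.jboss.aop.joinpoint.MethodInvocation;

// Added example: log every EJB authorization failure by advising JBoss's own
// RoleBasedAuthorizationInterceptor. Assumes the LTW agent sees the JBoss class
// load and that invoke(Invocation) has the signature given in the comments above.
@Aspect
public class AuthorizationFailureLogger {

    private static final Logger logger = Logger.getLogger(AuthorizationFailureLogger.class);

    // execution(), not call(): the call sites live inside JBoss's interceptor chain and are
    // not woven, but the interceptor class itself is, provided the agent is active when it loads.
    @Pointcut("execution(* org.jboss.ejb3.security.RoleBasedAuthorizationInterceptor.invoke(org.jboss.aop.joinpoint.Invocation))"
            + " && args(invocation)")
    public void authorizationCheck(Invocation invocation) {}

    @Around("authorizationCheck(invocation)")
    public Object logDeniedAccess(ProceedingJoinPoint pjp, Invocation invocation) throws Throwable {
        try {
            return pjp.proceed();
        } catch (EJBAccessException denied) {
            // Only failed authorizations are of interest; the exception is rethrown unchanged,
            // so the container's decision is observed, not overridden. (EJBAccessException as the
            // failure type is an assumption taken from the comment thread.)
            logger.error("EJB authorization denied for " + describe(invocation) + ": " + denied.getMessage());
            throw denied;
        }
    }

    // MethodInvocation (assumed JBoss AOP type) exposes the target method; anything else is
    // logged by its class name only.
    private static String describe(Invocation invocation) {
        if (invocation instanceof MethodInvocation) {
            return ((MethodInvocation) invocation).getMethod().toString();
        }
        return invocation.getClass().getName();
    }
}

/* Registration for LTW in META-INF/aop.xml. The weaver must be permitted to touch the
   JBoss security package as well as the aspect's own package:

<aspectj>
    <aspects>
        <aspect name="security.logger.AuthorizationFailureLogger"/>
    </aspects>
    <weaver options="-verbose -showWeaveInfo">
        <include within="org.jboss.ejb3.security..*"/>
        <include within="security.logger..*"/>
    </weaver>
</aspectj>
*/
```

If `-showWeaveInfo` never reports a join point in `RoleBasedAuthorizationInterceptor`, the agent was not active for the class loader that loaded JBoss's EJB3 classes, which is exactly the ordering condition kriegaex raises; that check also answers the question of whether AspectJ is configured at all before any pointcut is blamed.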

0 Answers