2 Replies Latest reply on Jan 4, 2012 7:02 AM by rodakr

    Remote EJB Client with SASL and Kerberos Authentication fails on jboss-as-7.1.0.Final-SNAPSHOT ( 02.02.2012)

    rodakr

      Hi

      I tried to use SASL and GSSAPI for authentication on jboss-as-7.1.0.Final-SNAPSHOT but it fails...

      I did what is written here: http://community.jboss.org/wiki/SASLAndKerberos

      Client code is able to execute createSaslClient in a privileged action after a successful KRB5 JAAS login:

      Sasl.createSaslClient(new String[]{"GSSAPI"}, null, "remoting", "test2", Collections.EMPTY_MAP, new NamePasswordCallbackHandler2("someuser","somepass" ) );

      but it fails with this exception:

           [java] Client Addresses  Null
           [java] Initial Context created
           [java] lookupejb:/sl-securityTestEjb3//TestServiceSLEJB3Bean!ch.swisslife.test.ejb3.TestServiceItf @RolesAllowed({"BackofficeRole"})
           [java] 03.01.2012 13:54:35 org.jboss.ejb.client.EJBClient <clinit>
           [java] INFO: JBoss EJB Client version 1.0.0.Beta11
           [java] lookup testEjbJndi successful
           [java]  call unsecured Method permittAllMethod()
           [java] 03.01.2012 13:54:36 org.xnio.Xnio <clinit>
           [java] INFO: XNIO Version 3.0.0.GA
           [java] 03.01.2012 13:54:36 org.xnio.nio.NioXnio <clinit>
           [java] INFO: XNIO NIO Implementation Version 3.0.0.GA
           [java] 03.01.2012 13:54:36 org.jboss.remoting3.EndpointImpl <clinit>
           [java] INFO: JBoss Remoting version 3.2.0.CR8
           [java] 03.01.2012 13:54:36 org.jboss.remoting3.remote.RemoteConnection handleException
           [java] ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
           [java] 03.01.2012 13:54:36 org.jboss.ejb.client.ConfigBasedEJBClientContextSelector createConnections
           [java] ERROR: Could not create connection for connection named default
           [java] java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
           [java]     at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:91)
           [java]     at org.jboss.ejb.client.ConfigBasedEJBClientContextSelector.createConnection(ConfigBasedEJBClientContextSelector.java:292)
           [java]     at org.jboss.ejb.client.ConfigBasedEJBClientContextSelector.createConnections(ConfigBasedEJBClientContextSelector.java:209)
           [java]     at org.jboss.ejb.client.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:138)
           [java]     at org.jboss.ejb.client.ConfigBasedEJBClientContextSelector.<init>(ConfigBasedEJBClientContextSelector.java:120)
           [java]     at org.jboss.ejb.client.ConfigBasedEJBClientContextSelector.<clinit>(ConfigBasedEJBClientContextSelector.java:110)
           [java]     at org.jboss.ejb.client.EJBClientContext.<clinit>(EJBClientContext.java:57)
           [java]     at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:91)
           [java]     at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:83)
           [java]     at $Proxy0.permittAllMethod(Unknown Source)
           [java]     at ch.swisslife.client.krb5.GetAction.run(TestServiceClient.java:154)
           [java]     at ch.swisslife.client.krb5.GetAction.run(TestServiceClient.java:114)
           [java]     at java.security.AccessController.doPrivileged(Native Method)
           [java]     at javax.security.auth.Subject.doAs(Subject.java:396)
           [java]     at TestServiceClient.main(TestServiceClient.java:76)
           [java] Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
           [java]     at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:358)
           [java]     at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:207)
           [java]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
           [java]     at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
           [java]     at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
           [java]     at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
           [java]     at org.xnio.nio.NioHandle.run(NioHandle.java:90)
           [java]     at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
           [java]     at ...asynchronous invocation...(Unknown Source)
           [java]     at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:268)
           [java]     at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:250)
           [java]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:359)
           [java]     at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:343)
           [java]     at org.jboss.ejb.client.ConfigBasedEJBClientContextSelector.createConnection(ConfigBasedEJBClientContextSelector.java:290)
           [java]     ... 13 more
           [java] 03.01.2012 13:54:36 org.jboss.ejb.client.ConfigBasedEJBClientContextSelector createConnections
           [java] INFO: Connection default will not be available in EJB client context org.jboss.ejb.client.EJBClientContext@e2dae9
           [java] java.lang.IllegalStateException: No EJB receiver available for handling [appName:,modulename:sl-securityTestEjb3,distinctname:] combination
           [java]     at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:344)
           [java]     at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:92)
           [java]     at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:83)
           [java]     at $Proxy0.permittAllMethod(Unknown Source)
           [java]     at GetAction.run(TestServiceClient.java:154)
           [java]     at GetAction.run(TestServiceClient.java:114)
           [java]     at java.security.AccessController.doPrivileged(Native Method)
           [java]     at javax.security.auth.Subject.doAs(Subject.java:396)
           [java]     at TestServiceClient.main(TestServiceClient.java:76)

      I tried using these client jars:

      jboss-ejb-api_3.1_spec-1.0.1.Final.jar
      jboss-ejb-client-1.0.0.Beta11.jar
      jboss-jacc-api_1.4_spec-1.0.1.Final.jar
      jboss-logging-3.1.0.CR2.jar
      jboss-marshalling-1.3.4.GA.jar
      jboss-marshalling-river-1.3.4.GA.jar
      jboss-remoting-3.2.0.CR8.jar
      jboss-sasl-1.0.0.Beta9.jar
      jboss-transaction-api_1.1_spec-1.0.0.Final.jar
      xnio-api-3.0.0.GA.jar
      xnio-nio-3.0.0.GA.jar

      Any hints as to what's wrong... or is this not yet supported?

        • 1. Re: Remote EJB Client with SASL and Kerberos Authentication fails on jboss-as-7.1.0.Final-SNAPSHOT ( 02.02.2012)
          dlofthouse

          The issue REM3-129 is still in progress; the article you are referring to is a developer document describing the changes we need to make with Remoting to enable support for Kerberos.

          • 2. Re: Remote EJB Client with SASL and Kerberos Authentication fails on jboss-as-7.1.0.Final-SNAPSHOT ( 02.02.2012)
            rodakr

            Thanks for the information.

            My thought was that a standalone client over JBoss remote3 security propagation will work the same (or a similar) way for calling remote EJBs between EJB containers. I guess remote3 will be used for this as well.

            I have a working example of a Java client (Java 6) which does a JAAS login (krb5) and calls a SPNEGO-protected URL on JBoss AS 7. SPNEGO (PicketBox valve) takes place over HTTP, and the standard Java JAAS login module configured on the JBoss AS 7 server side successfully authenticates the users.

            I thought maybe, when calling an EJB after a successful JAAS login over remote3, remote3 (or the jboss-ejb-client layer above) will try to read the security from the context (ThreadLocal?), and if there is one, use it to authenticate against the server-side realm...

            I'm familiar with PicketBox on JBoss AS 7.1, where I wrote some custom JAAS login modules/valve... I just need a hint about what is possible on the client side to plug in security for remote calls with jboss-ejb-client. I guess one way would be to take a closer look at the source code of jboss-ejb-client... right?

            Maybe you have a link to a blog with a few words about the concept...

            Kind regards

            Radek Rodak