3 Replies Latest reply on Feb 29, 2012 4:42 AM by wutongjoe

    why "Client authentication failed for mechanism DIGEST-MD5"

    wutongjoe

      Hi all,

       

      I have created a simple EJB and deployed it on JBAS7.1 with a modified configuration file. I then invoke the remote EJB from a standalone app.

      Anything wrong?

      Code snippet:

        Properties props = new Properties();
        props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        context = new InitialContext(props);

       

      jboss-ejb-client.properties

       

      endpoint.name=my_end_point
      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

      remote.connections=default
      remote.connection.default.host=127.0.0.1
      remote.connection.default.port=4447
      remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

      remote.connection.default.username=myname
      remote.connection.default.password=123456

       

      standalone-full-ha.xml modifications:

      <security-realm name="ApplicationRealm">
          <authentication>
              <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
          </authentication>
      </security-realm>

      ....

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
      </subsystem>

      ....

      <security-domain name="my-security-domain" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmUsersRoles" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                  <module-option name="realm" value="ApplicationRealm"/>
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>

      ....

       

      client side log :

       

      16:30:42,156 DEBUG [org.jboss.logging] Logging Provider: org.jboss.logging.JBossLogManagerProvider

      16:30:42,186 INFO  [org.jboss.ejb.client] JBoss EJB Client version 1.0.2.Final

      16:30:42,201 DEBUG [org.jboss.ejb.client.EJBClientPropertiesLoader] Looking for jboss-ejb-client.properties using classloader sun.misc.Launcher$AppClassLoader@5224ee

      16:30:42,204 DEBUG [org.jboss.ejb.client.EJBClientPropertiesLoader] Found jboss-ejb-client.properties using classloader sun.misc.Launcher$AppClassLoader@5224ee

      16:30:42,221 DEBUG [org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration] endpoint.create.options. has the following options {}

      16:30:42,224 DEBUG [org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration] remote.connectionprovider.create.options. has the following options {org.xnio.Options.SSL_ENABLED=>false}

      16:30:42,226 DEBUG [org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration] remote.connection.default.connect.options. has the following options {org.xnio.Options.SASL_POLICY_NOANONYMOUS=>false}

      16:30:42,231 DEBUG [org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration] remote.connection.default.channel.options. has the following options {}

      16:30:42,231 DEBUG [org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration] Connection org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration$RemotingConnectionConfigurationImpl@a4e743 successfully created for connection named default

      16:30:42,234 DEBUG [org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration] No clusters configured in properties

      16:30:42,259 INFO  [org.xnio] XNIO Version 3.0.3.GA

      16:30:42,264 INFO  [org.xnio.nio] XNIO NIO Implementation Version 3.0.3.GA

      16:30:42,276 INFO  [org.jboss.remoting] JBoss Remoting version 3.2.2.GA

      16:30:42,351 DEBUG [org.xnio.nio] Started channel thread 'Remoting "my_end_point" read-1', selector sun.nio.ch.WindowsSelectorImpl@175d6ab

      16:30:42,354 DEBUG [org.xnio.nio] Started channel thread 'Remoting "my_end_point" write-1', selector sun.nio.ch.WindowsSelectorImpl@1f66cff

      16:30:42,541 DEBUG [org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver] Channel Channel ID ad618570 (outbound) of Remoting connection 00ae533a to /127.0.0.1:4447 opened for context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@7a5a19, receiver=Remoting connection EJB receiver [connection=Remoting connection <1e808ca>,channel=jboss.ejb,nodename=joe-pc]} Waiting for version handshake message from server

      16:30:42,546 INFO  [org.jboss.ejb.client.remoting.VersionReceiver] Received server version 1 and marshalling strategies [river]

      16:30:42,559 INFO  [org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver] Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@7a5a19, receiver=Remoting connection EJB receiver [connection=Remoting connection <1e808ca>,channel=jboss.ejb,nodename=joe-pc]} on channel Channel ID ad618570 (outbound) of Remoting connection 00ae533a to /127.0.0.1:4447

      16:30:42,561 DEBUG [org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver] Received module availability report for 2 modules

      16:30:42,564 DEBUG [org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver] Registering module EJBModuleIdentifier{appName='jsr-77', moduleName='jsr-77', distinctName=''} availability for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@7a5a19, receiver=Remoting connection EJB receiver [connection=Remoting connection <1e808ca>,channel=jboss.ejb,nodename=joe-pc]}

      16:30:42,566 DEBUG [org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver] Registering module EJBModuleIdentifier{appName='', moduleName='testEJB', distinctName=''} availability for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@7a5a19, receiver=Remoting connection EJB receiver [connection=Remoting connection <1e808ca>,channel=jboss.ejb,nodename=joe-pc]}

      16:30:42,566 DEBUG [org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector] Registered 1 remoting EJB receivers for EJB client context org.jboss.ejb.client.EJBClientContext@7a5a19

      16:30:42,634 DEBUG [org.jboss.ejb.client.remoting.ClusterNode] Checking for a match of client address /fe80:0:0:0:8ceb:a33f:1190:79ca%10 with client mapping ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='127.0.0.1', destinationPort=4447}

      16:30:42,634 DEBUG [org.jboss.ejb.client.remoting.ClusterNode] Client mapping ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='127.0.0.1', destinationPort=4447} matches client address /fe80:0:0:0:8ceb:a33f:1190:79ca%10

      16:30:42,636 DEBUG [org.jboss.ejb.client.remoting.ClusterTopologyMessageHandler] Received a cluster node(s) addition message, for cluster named ejb with 1 nodes [ClusterNode{clusterName='ejb', nodeName='joe-pc', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='127.0.0.1', destinationPort=4447}], resolvedDestination=[Destination address=127.0.0.1, destination port=4447]}]

      16:30:42,661 DEBUG [org.jboss.remoting.remote.client] Client authentication failed for mechanism DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Cannot perform callback to acquire realm, authentication ID or password [Caused by javax.security.auth.callback.UnsupportedCallbackException]

      16:30:42,668 ERROR [org.jboss.remoting.remote.connection] JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      16:30:42,673 INFO  [org.jboss.ejb.client.remoting.ChannelAssociation] Discarding result for invocation id 0 since no waiting context found

      javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String) of bean: wutong_test_hello is not allowed

      at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:101)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)

      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)

      at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)

      at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:300)

      at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$200(MethodInvocationMessageHandler.java:64)

      at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:194)

      at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)

      at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)

      at java.util.concurrent.FutureTask.run(FutureTask.java:138)

      at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)

      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)

      at java.lang.Thread.run(Thread.java:662)

      at org.jboss.threads.JBossThread.run(JBossThread.java:122)

      16:30:42,716 DEBUG [org.jboss.ejb.client.remoting.AutoConnectionCloser] Closing Remoting connection <1e808ca>

      16:30:42,728 INFO  [org.jboss.ejb.client.remoting.ChannelAssociation] Channel Channel ID ad618570 (outbound) of Remoting connection 00ae533a to /127.0.0.1:4447 can no longer process messages

      16:30:42,731 DEBUG [org.jboss.ejb.client.remoting.RemotingConnectionEJBReceiver] Closing channelChannel ID ad618570 (outbound) of Remoting connection 00ae533a to /127.0.0.1:4447

      16:30:42,731 DEBUG [org.jboss.ejb.client.remoting.ChannelAssociation] Closing channel Channel ID ad618570 (outbound) of Remoting connection 00ae533a to /127.0.0.1:4447

      16:30:42,733 DEBUG [org.jboss.ejb.client.remoting.ChannelAssociation] Registering a re-connect handler org.jboss.ejb.client.remoting.EJBClientContextConnectionReconnectHandler@1d6747b for broken channel Channel ID ad618570 (outbound) of Remoting connection 00ae533a to /127.0.0.1:4447 in EJB client context org.jboss.ejb.client.EJBClientContext@7a5a19

      16:30:42,736 DEBUG [org.jboss.ejb.client.remoting.AutoConnectionCloser] Closing endpoint "my_end_point" <df0438>

       

       

       

       

      thanks a lot

        • 1. Re: why "Client authentication failed for mechanism DIGEST-MD5"
          jaikiran

          16:30:42,636 DEBUG [org.jboss.ejb.client.remoting.ClusterTopologyMessageHandler] Received a cluster node(s) addition message, for cluster named ejb with 1 nodes [ClusterNode{clusterName='ejb', nodeName='joe-pc', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='127.0.0.1', destinationPort=4447}], resolvedDestination=[Destination address=127.0.0.1, destination port=4447]}]

          16:30:42,661 DEBUG [org.jboss.remoting.remote.client] Client authentication failed for mechanism DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Cannot perform callback to acquire realm, authentication ID or password [Caused by javax.security.auth.callback.UnsupportedCallbackException]

          16:30:42,668 ERROR [org.jboss.remoting.remote.connection] JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

          The server (which is started in a clustered mode) is sending back the cluster topology to the client. The client on receiving it, tries to create a connection to the nodes (the number can be configured). In this case, the connection creation is using the default configurations since the connection configurations for the cluster haven't been configured. You can add the following properties to the jboss-ejb-client.properties so that they are applicable to the entire cluster (which by the way is named "ejb"):

           

          remote.clusters=ejb
          
          remote.cluster.ejb.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
          remote.cluster.ejb.username=myname
          remote.cluster.ejb.password=123456
          

           

          That's just the example. The general syntax is:

           

          remote.clusters=<comma separated cluster names>
          
          remote.cluster.<clustername>.<propertyname>=<property value>
          

           

          If you just want to configure some specific nodes in that cluster, then the syntax is:

           

          remote.clusters=<comma separated cluster names>
          
          remote.cluster.<clustername>.node.<nodename>.<property name>=<property value>
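
The check described in the reply above, as an added example that is not part of the original thread or of the JBoss client: it reads the cluster names the server announced from the client log and reports which cluster-level settings the client file lacks. The property keys and log format come from the thread; the function names and the shortened sample inputs are constructed for illustration, and per-node (`remote.cluster.<clustername>.node.<nodename>.*`) overrides are not considered.

```python
import re

# Constructed sample: client settings taken from the question (no cluster section).
CLIENT_PROPS = """\
remote.connections=default
remote.connection.default.username=myname
remote.connection.default.password=123456
"""

# Constructed sample: shortened log lines in the format shown in the thread.
CLIENT_LOG = """\
16:30:42,636 DEBUG [org.jboss.ejb.client.remoting.ClusterTopologyMessageHandler] Received a cluster node(s) addition message, for cluster named ejb with 1 nodes [...]
16:30:42,661 DEBUG [org.jboss.remoting.remote.client] Client authentication failed for mechanism DIGEST-MD5: javax.security.sasl.SaslException: ...
"""

CLUSTER_RE = re.compile(r"for cluster named (\S+) with \d+ nodes")


def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and '#' / '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def announced_clusters(log_text):
    """Cluster names from topology messages, de-duplicated in first-seen order."""
    return list(dict.fromkeys(CLUSTER_RE.findall(log_text)))


def missing_cluster_settings(props, cluster):
    """Cluster-level keys from the reply that are absent for one cluster."""
    declared = [c.strip() for c in props.get("remote.clusters", "").split(",")]
    missing = [] if cluster in declared else ["remote.clusters"]
    for suffix in ("username", "password"):
        key = f"remote.cluster.{cluster}.{suffix}"
        if key not in props:
            missing.append(key)
    return missing


def audit(props_text, log_text):
    """Map each announced cluster to the settings the client file lacks."""
    props = parse_properties(props_text)
    return {c: missing_cluster_settings(props, c) for c in announced_clusters(log_text)}
```

Calling `audit(CLIENT_PROPS, CLIENT_LOG)` on the constructed inputs reports all three cluster keys as missing for `ejb`; after the properties from the reply are appended, the list for `ejb` is empty.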
          
          • 2. Re: why "Client authentication failed for mechanism DIGEST-MD5"
            wutongjoe

            Thank you jaikiran

             

            The authentication failure related to mechanism DIGEST-MD5 is gone with your suggestion on the prop file, but why does the following exception remain? I had thought that JBAS014502 was caused by the DIGEST-MD5 auth problem, and https://issues.jboss.org/browse/AS7-2942 is very similar to mine, but it was fixed for JBAS 7.1.0 final, which is the server version I am using now, so it should not happen...

            16:30:42,673 INFO [org.jboss.ejb.client.remoting.ChannelAssociation] Discarding result for invocation id 0 since no waiting context found

            javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String com.biz.ejb.face.HellowWorldRemote.hello(java.lang.String) of bean: wutong_test_hello is not allowed

            at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:101)

            at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

            at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:76)

            at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)

             

             

            I saw that the server log has the following lines, from which I think the EJB has deployed successfully:

             

            10:11:09,988 INFO  [org.jboss.as.ejb3.deployment.processors.EjbJndiBindingsDeploymentUnitProcessor] (MSC service thread 1-8) JNDI bindings for session bean named wutong_test_hello in deployment unit deployment "testEJB.jar" are as follows:

            java:global/testEJB/wutong_test_hello!com.biz.ejb.face.HellowWorldLocal
            java:app/testEJB/wutong_test_hello!com.biz.ejb.face.HellowWorldLocal
            java:module/wutong_test_hello!com.biz.ejb.face.HellowWorldLocal
            java:global/testEJB/wutong_test_hello!com.biz.ejb.face.HellowWorldRemote
            java:app/testEJB/wutong_test_hello!com.biz.ejb.face.HellowWorldRemote
            java:module/wutong_test_hello!com.biz.ejb.face.HellowWorldRemote
            java:jboss/exported/testEJB/wutong_test_hello!com.biz.ejb.face.HellowWorldRemote

             

             

            Code snippet listed below:

             

             

            server side

             

            @Stateless(name = "wutong_test_hello")
            @Clustered
            @Remote(HellowWorldRemote.class)
            @Local(HellowWorldLocal.class)
            @SecurityDomain(value = "my-security-domain")
            public class HellowWorldImpl implements HellowWorldRemote, HellowWorldLocal {

                @RolesAllowed(value = { "testuserrole" })
                public String hello(String name) {
                    String ret = "hello: " + name;
                    log.info(ret + ",hashcode:" + hashCode());
                    return ret;
                }

            ......

            client side

               HellowWorldRemote remo=(HellowWorldRemote)EJBHomeFactory.getInstance().lookup("ejb:/testEJB//wutong_test_hello!com.biz.ejb.face.HellowWorldRemote", HellowWorldRemote.class);
            ......

            client side

            public Object lookup(String jndiName, Class homeInterfaceClass) throws NamingException {
              Object homeInterface;

              Object obj = context.lookup(jndiName);
              homeInterface = PortableRemoteObject.narrow(obj, homeInterfaceClass);
              return homeInterface;

            }

             

            anything that I missed ?

            • 3. Re: why "Client authentication failed for mechanism DIGEST-MD5"
              wutongjoe

              Second problem solved... I put the annotations

              @RolesAllowed(value = { "testuserrole" })

              and

              @SecurityDomain(value = "my-security-domain")

              at the concrete class. It should be on the interface, like the following:

              @SecurityDomain(value = "my-security-domain")
              public interface HellowWorldRemote {

                  @RolesAllowed(value = { "testuserrole" })
                  String hello(String name);

              }

               

              1 of 1 people found this helpful