2 Replies Latest reply on Sep 27, 2012 10:59 AM by olszowi

    Error JMS client lookup with a custom login module

    muza71

      Hi,

      Following problem: We have a Swing-based fat client application with JBoss 7 as backend. I need to do a lookup for a JMS ConnectionFactory from our client application to a JBoss 7 instance after a JAAS login via a custom login module.

      To do the lookup I need to initialize the InitialContext; during the creation of the InitialContext I get the following exception:

      ERROR org.jboss.remoting.remote.connection:99 - JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed


      Details:

      JBoss 7.1.1-Final.

      We have a custom JAAS login module with its own security realm. We first need to log in via a technical user, do a real logout and then log in with the username/password of the user. Since we need a real logout, we implemented it with the new EJBClientContext (described here https://community.jboss.org/thread/198414?start=0&tstart=0):


      // Imports needed by the two snippets below
      import java.util.Hashtable;
      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import org.jboss.ejb.client.ContextSelector;
      import org.jboss.ejb.client.EJBClientConfiguration;
      import org.jboss.ejb.client.EJBClientContext;
      import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
      import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

      // Login: change the client context for each login
      Properties clientProps = new Properties();
      clientProps.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
      clientProps.put("remote.connections", "default");
      clientProps.put("remote.connection.default.host", "192.168.0.55");
      clientProps.put("remote.connection.default.port", "4447");
      clientProps.put("remote.connection.default.username", username);
      clientProps.put("remote.connection.default.password", password);
      clientProps.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");

      // Build a fresh EJB client context from these properties and make it the active one
      EJBClientConfiguration clientConfiguration = new PropertiesBasedEJBClientConfiguration(clientProps);
      ContextSelector<EJBClientContext> contextSelector = new ConfigBasedEJBClientContextSelector(clientConfiguration);
      EJBClientContext.setSelector(contextSelector);

      // Lookup a Stateless Session Bean via the ejb: namespace
      Hashtable<String, String> properties = new Hashtable<String, String>();
      properties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
      Context ctx = new InitialContext(properties);
      // The cast must match the declared remote interface type
      MyBeanRemoteInterface remoteService = (MyBeanRemoteInterface) ctx.lookup("ejb:appName/moduleName/MyBean!de.a.b.c.MyBeanRemoteInterface");


      We do not use the jboss-ejb-client.properties! And we don't have a jndi.properties file, because we do it programmatically.

      This works perfectly for the login procedure and the lookup of stateless EJBs.

      But now we need to connect to a JMS queue. As I understand it, I have to do it this way:


      import javax.jms.ConnectionFactory;

      // Remote JNDI lookup through the remoting connector on port 4447
      Hashtable<String, String> props = new Hashtable<String, String>();
      props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
      props.put(Context.PROVIDER_URL, "remote://192.168.0.55:4447");
      Context ctx = new InitialContext(props);   // <--- Exception is thrown here

      ConnectionFactory factory = (ConnectionFactory) ctx.lookup("jms/RemoteConnectionFactory");


      During creation of the InitialContext we get the following exception:


      javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
          at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
          at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)
          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
          at javax.naming.InitialContext.init(InitialContext.java:223)
          at javax.naming.InitialContext.<init>(InitialContext.java:197)
          at de.a.b.c.JMSNotificationCenter.<init>(JMSNotificationCenter.java:144)
      Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
          at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
          at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:56)
          at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:166)
          at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:139)
          at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:104)
          ... 13 more
      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)
          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
          at org.xnio.nio.NioHandle.run(NioHandle.java:90)
          at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
          at ...asynchronous invocation...(Unknown Source)
          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
          at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:105)
          at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:55)
          ... 16 more


      If I add

      props.put(Context.SECURITY_PRINCIPAL, "jmsUser");
      props.put(Context.SECURITY_CREDENTIALS, "jms");

      I get the same exception (it doesn't matter whether it is a user defined in the ApplicationRealm property file or a valid user in our JAAS realm; the user always has the role "messaging").


      I tried all combinations of these properties... same effect:

      props.put("jboss.naming.client.ejb.context", true);
      props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
      props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
      props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");


      This is our JBoss configuration:

      ...
      <security-realm name="ApplicationRealm">
          <authentication>
              <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
          </authentication>
      </security-realm>
      <security-realm name="BobyRealm">
          <authentication>
              <jaas name="b3db"/>
          </authentication>
      </security-realm>
      ...
      <subsystem xmlns="urn:jboss:domain:messaging:1.1">
          <hornetq-server>
              <persistence-enabled>true</persistence-enabled>
              <journal-file-size>102400</journal-file-size>
              <journal-min-files>2</journal-min-files>
              ....
              <security-settings>
                  <security-setting match="#">
                      <permission type="send" roles="messaging"/>
                      <permission type="consume" roles="messaging"/>
                      <permission type="createNonDurableQueue" roles="messaging"/>
                      <permission type="deleteNonDurableQueue" roles="messaging"/>
                  </security-setting>
              </security-settings>
              ....
                  <connection-factory name="RemoteConnectionFactory">
                      <connectors>
                          <connector-ref connector-name="netty"/>
                      </connectors>
                      <entries>
                          <entry name="RemoteConnectionFactory"/>
                          <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>
                      </entries>
                  </connection-factory>
              </jms-connection-factories>
              ....
          </hornetq-server>
      </subsystem>
      ...
      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="BobyRealm"/>
      </subsystem>
      ....
      <subsystem xmlns="urn:jboss:domain:security:1.1">
          <security-domains>
              <security-domain name="other" cache-type="default">
                  <authentication>
                      <login-module code="Remoting" flag="optional">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                      <login-module code="RealmUsersRoles" flag="required">
                          <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                          <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                          <module-option name="realm" value="ApplicationRealm"/>
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                  </authentication>
              </security-domain>
              <security-domain name="jboss-web-policy" cache-type="default">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
              <security-domain name="jboss-ejb-policy" cache-type="default">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
              <security-domain name="b3db" cache-type="default">
                  <authentication>
                      <login-module code="Remoting" flag="optional">
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                      <login-module code="de.a.b.c.B4DBLoginModule" flag="required" module="com.ourloginmodule">
                          <module-option name="dsJndiName" value="java:jboss/datasources/BobyDS"/>
                          <module-option name="password-stacking" value="useFirstPass"/>
                      </login-module>
                  </authentication>
              </security-domain>
          </security-domains>
      </subsystem>
      ...
      <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
          <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
          <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
          <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
          <socket-binding name="ajp" port="8009"/>
          <socket-binding name="http" port="8080"/>
          <socket-binding name="https" port="8443"/>
          <socket-binding name="jacorb" interface="unsecure" port="3528"/>
          <socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
          <socket-binding name="messaging" port="5445"/>
          <socket-binding name="messaging-throughput" port="5455"/>
          <socket-binding name="osgi-http" interface="management" port="8090"/>
          <socket-binding name="remoting" port="4447"/>
          <socket-binding name="txn-recovery-environment" port="4712"/>
          <socket-binding name="txn-status-manager" port="4713"/>
          <outbound-socket-binding name="mail-smtp">
              <remote-destination host="localhost" port="25"/>
          </outbound-socket-binding>
      </socket-binding-group>


      During login I get the following in the server log:

      TRACE [org.xnio.listener] (Remoting "myserver" read-1) Setting channel listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@5544b978
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) No EXTERNAL mechanism due to explicit exclusion
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@12eca104
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism JBOSS-LOCAL-USER
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@6d3f1750
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@4913bd38
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism PLAIN
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@2eebcd03
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@7ae09805
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@2f1caf49
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@437f9c9
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism GSSAPI because it is not in the allowed list
      TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Accepting java.nio.HeapByteBuffer[pos=0 lim=41 cap=8192] into java.nio.HeapByteBuffer[pos=0 lim=8196 cap=8196]
      TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Accepted a message into java.nio.HeapByteBuffer[pos=45 lim=8196 cap=8196]

      If I try to create the InitialContext for the ConnectionFactory lookup I get the following:

      TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Copying message from java.nio.HeapByteBuffer[pos=4 lim=45 cap=8196] into java.nio.HeapByteBuffer[pos=0 lim=8192 cap=8192]
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Server received capabilities request
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Server received capability: version 1
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) No EXTERNAL mechanism due to explicit exclusion
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@3e7aaa11
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism JBOSS-LOCAL-USER
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@67336222
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@5e6fdb1c
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism PLAIN
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@19a3bb4
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@34c5a73e
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@1c66f283
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@2abb8506
      TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism GSSAPI because it is not in the allowed list
      TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Accepting java.nio.HeapByteBuffer[pos=0 lim=41 cap=8192] into java.nio.HeapByteBuffer[pos=0 lim=8196 cap=8196]


      I don't know if this has something to do with the EJBClientContext mechanism.

      Does anybody have any ideas?

      Thank you

      Jürgen
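An added example, not code from this thread or from JBoss: it parses server TRACE lines shaped like the ones in the post and applies a simplified model of the client-side `org.xnio.Options` SASL policy to show which mechanisms survive on both sides of the handshake. The default values and the mechanism classes in the model are my assumptions about the client, not the remoting implementation; the sample log is constructed from the post's line format.

```python
"""Model the SASL mechanism negotiation behind
"Authentication failed: all available authentication mechanisms failed".

The server TRACE log says which mechanisms it adds or excludes; the client
then filters that list by its own SASL policy options. This is a simplified
model (assumption), not the JBoss Remoting code.
"""
import re

# Constructed sample, shaped like the TRACE lines from the post.
SERVER_TRACE = """\
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) No EXTERNAL mechanism due to explicit exclusion
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism JBOSS-LOCAL-USER
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism PLAIN
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list
"""

ADDED = re.compile(r"Added mechanism (\S+)")
EXCLUDED = re.compile(r"Excluding mechanism (\S+)")


def offered_mechanisms(trace):
    """Return (offered, excluded) mechanism sets parsed from server TRACE output."""
    offered, excluded = set(), set()
    for line in trace.splitlines():
        m = ADDED.search(line)
        if m:
            offered.add(m.group(1))
        m = EXCLUDED.search(line)
        if m:
            excluded.add(m.group(1))
    return offered, excluded


# Mechanism classes used by the client-side policy model (assumption).
PLAINTEXT = {"PLAIN"}              # password travels in clear text -> SASL_POLICY_NOPLAINTEXT
ANONYMOUS = {"ANONYMOUS"}          # no identity at all -> SASL_POLICY_NOANONYMOUS
LOCAL_ONLY = {"JBOSS-LOCAL-USER"}  # needs read access to the server's local auth directory


def client_usable(offered, options, remote_host=True):
    """Apply the client's SASL options (keys as in the post, minus the prefix)
    to the server's offered set. Defaults (NOPLAINTEXT/NOANONYMOUS true) are assumed."""
    usable = set(offered)
    if options.get("SASL_POLICY_NOPLAINTEXT", True):
        usable -= PLAINTEXT
    if options.get("SASL_POLICY_NOANONYMOUS", True):
        usable -= ANONYMOUS
    usable -= set(options.get("SASL_DISALLOWED_MECHANISMS", ()))
    if remote_host:  # a fat client on another machine cannot complete JBOSS-LOCAL-USER
        usable -= LOCAL_ONLY
    return usable


def diagnose(trace, options, remote_host=True):
    """Sorted list of mechanisms both sides can use; empty means the handshake fails."""
    offered, _ = offered_mechanisms(trace)
    return sorted(client_usable(offered, options, remote_host))


if __name__ == "__main__":
    offered, excluded = offered_mechanisms(SERVER_TRACE)
    print("server offered:", sorted(offered), "excluded:", sorted(excluded))
    print("client defaults ->", diagnose(SERVER_TRACE, {}))
    # Allowing PLAIN over a connection with SSL_ENABLED=false (as in the post)
    # sends the password in clear text on the wire.
    print("NOPLAINTEXT=false ->", diagnose(SERVER_TRACE, {"SASL_POLICY_NOPLAINTEXT": False}))
```

With the post's server log the only remotely usable offer is PLAIN, so whether the client's `SASL_POLICY_NOPLAINTEXT=false` option actually reaches the connection decides the outcome.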

        • 1. Re: Error JMS client lookup with a custom login module
          shadowcreeper

          Using "EJBClientContext.setSelector(contextSelector)" is dangerous. Hopefully it only affects your ear, and not any other ears. Since you know at runtime how you want the properties to be, you should probably just include the properties file in your classpath.

          You get that exception because you don't have a properties file in your classpath. The PROVIDER_URL property is ignored (along with your SECURITY_* properties). If you want to use this method, see:

          https://community.jboss.org/thread/200117

          Wolf-Dieter Fink and Jaikiran Pai show you how to look up an EJB without using the properties file.

          • 2. Re: Error JMS client lookup with a custom login module
            olszowi

            Hi Jürgen,

            I'm also using JBoss 7.1.1.

            I have the same problem with exactly the same exceptions:
            remote secured EJB calls are working unless I want to get the JMS connection factory using a JNDI lookup. Specifying the InitialContextFactory and the security realms, the access to the secured EJBs fails and the creation of the context throws an exception.

            Do you have any solution for the problem so far?

            BR

            Klaus