11 Replies Latest reply on Jun 19, 2012 4:20 AM by jaikiran

    EJB Authentication fails in 7.1.2, works on 7.1.1

    anssih

      Hi!

       

      We have problems authenticating our standalone client EJB call against JBoss 7.1.2. The same mechanism works on JBoss 7.1.1. We are using a custom login module:

       

      <security-domain name="our-domain" cache-type="default">
          <authentication>
              <login-module code="Database" flag="required" module="deployment.Some.ear.SomeEJBs.jar">
                  <module-option name="dsJndiName" value="java:/jdbc/databaseDS"/>
                  <module-option name="principalsQuery" value="SELECT password FROM employee WHERE attribute = ?"/>
                  <module-option name="ignorePasswordCase" value="true"/>
                  <module-option name="hashAlgorithm" value="MD5"/>
                  <module-option name="hashEncoding" value="hex"/>
                  <module-option name="principalClass" value="com.company.auth.User"/>
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>

       

       

       

       

      We are creating the EJBClientConfiguration from a properties file:

       

       

      import java.util.ArrayList;
      import java.util.List;
      import java.util.Properties;

      import org.jboss.ejb.client.ContextSelector;
      import org.jboss.ejb.client.EJBClientConfiguration;
      import org.jboss.ejb.client.EJBClientContext;
      import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
      import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

      // EJBHost, parseHosts(), LOG, CONNECTION_NAME_PREFIX and StringUtils are
      // defined elsewhere in the application and are not shown in this post.

      public static void setUpEJBClientContext(String ejbHostsString, String username, String password) {
          List<EJBHost> ejbHosts = parseHosts(ejbHostsString);
          final Properties clientProps = buildClientProperties(username, password, ejbHosts);
          final EJBClientConfiguration ejbClientConfiguration = new PropertiesBasedEJBClientConfiguration(clientProps);
          LOG.debug("ejbClientConfiguration done");
          // Creating the selector opens the remoting connections and performs the SASL authentication.
          final ContextSelector<EJBClientContext> ejbClientContextSelector = new ConfigBasedEJBClientContextSelector(ejbClientConfiguration);
          LOG.debug("ejbClientContextSelector done");
          // Install the selector for all subsequent EJB invocations; the previous one is returned.
          final ContextSelector<EJBClientContext> previousSelector = EJBClientContext.setSelector(ejbClientContextSelector);
          LOG.debug("previousSelector done");
      }

      private static Properties buildClientProperties(String username, String password, List<EJBHost> hosts) {
          final Properties clientConfigProps = new Properties();
          clientConfigProps.put("endpoint.name", "client-endpoint");
          clientConfigProps.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");

          // One remote.connection.<name>.* property group per host.
          List<String> connectionNames = new ArrayList<String>(hosts.size());
          int counter = 0;
          for (EJBHost ejbHost : hosts) {
              String connectionName = CONNECTION_NAME_PREFIX + counter++;
              connectionNames.add(connectionName);
              String propertyPrefix = "remote.connection." + connectionName;
              clientConfigProps.put(propertyPrefix + ".host", ejbHost.getHost());
              // Properties.getProperty() only returns String values, so store the port as a String.
              clientConfigProps.put(propertyPrefix + ".port", String.valueOf(ejbHost.getPort()));
              clientConfigProps.put(propertyPrefix + ".connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
              // Exclude the local-user mechanism so that the username/password below are used.
              clientConfigProps.put(propertyPrefix + ".connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
              clientConfigProps.put(propertyPrefix + ".username", username);
              clientConfigProps.put(propertyPrefix + ".password", password);
          }

          clientConfigProps.put("remote.connections", StringUtils.join(connectionNames.iterator(), ","));
          return clientConfigProps;
      }
      

       

       

      There can be more than one host, but this time only one is used. I did try a jboss-ejb-client.properties file and came up with the same error as with the dynamically created properties.

       

      I have set org.jboss.security to logging level TRACE, but nothing comes to the server log.

       

      Client log:

       

      06-01@14:37:25 DEBUG (          ?:?)    - setUpEJBClientContext
      ejbHostsString=localhost:4447
      06-01@14:37:25 DEBUG (          ?:?)    - Host: localhost, port: 4447
      06-01@14:37:25 DEBUG (          ?:?)    - Validate done
      06-01@14:37:25 DEBUG (          ?:?)    - Properties building starting
      06-01@14:37:25 DEBUG (          ?:?)    - Properties building done
      06-01@14:37:25 DEBUG (          ?:?)    - clientProps
      {remote.connection.connection_0.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false,
      endpoint.name=client-endpoint,
      remote.connection.connection_0.host=localhost,
      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false,
      remote.connection.connection_0.username=TTM,
      remote.connection.connection_0.port=4447,
      remote.connection.connection_0.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER,
      remote.connections=connection_0,
      remote.connection.connection_0.password=ttmm2keh}
      06-01@14:37:25 DEBUG (PropertiesBasedEJBClientConfiguration.java:230)     - endpoint.create.options. has the following options {}
      06-01@14:37:25 DEBUG (PropertiesBasedEJBClientConfiguration.java:230)     - remote.connectionprovider.create.options. has the following options {org.xnio.Options.SSL_ENABLED=>false}
      06-01@14:37:25 DEBUG (PropertiesBasedEJBClientConfiguration.java:230)     - remote.connection.connection_0.connect.options. has the following options {org.xnio.Options.SASL_POLICY_NOANONYMOUS=>false,org.xnio.Options.SASL_DISALLOWED_MECHANISMS=>[JBOSS-LOCAL-USER]}
      06-01@14:37:25 DEBUG (PropertiesBasedEJBClientConfiguration.java:230)     - remote.connection.connection_0.channel.options. has the following options {}
      06-01@14:37:25 DEBUG (PropertiesBasedEJBClientConfiguration.java:464)     - Connection org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration$RemotingConnectionConfigurationImpl@465ff916 successfully created for connection named connection_0
      06-01@14:37:25 DEBUG (PropertiesBasedEJBClientConfiguration.java:283)     - No clusters configured in properties
      06-01@14:37:25 DEBUG (          ?:?)    - ejbClientConfiguration done
      06-01@14:37:25 DEBUG (WorkerThread.java:88)     - Started channel thread 'Remoting "client-endpoint" read-1', selector sun.nio.ch.KQueueSelectorImpl@269be2b5
      06-01@14:37:25 DEBUG (WorkerThread.java:88)     - Started channel thread 'Remoting "client-endpoint" write-1', selector sun.nio.ch.KQueueSelectorImpl@d896a4c
      06-01@14:37:25 ERROR (RemoteConnection.java:99)         - JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
      06-01@14:37:25 WARN  (ConfigBasedEJBClientContextSelector.java:131)     - Could not register a EJB receiver for connection to localhost:4447

       

      java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
             at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:91)
             at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:119)
             at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.<init>(ConfigBasedEJBClientContextSelector.java:76)
             at fi.soft.util.EJBClientUtil.setUpEJBClientContext(Unknown Source)

      **** SNIP ***

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)
          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
          at org.xnio.nio.NioHandle.run(NioHandle.java:90)
          at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
          at ...asynchronous invocation...(Unknown Source)
          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:386)
          at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:151)
          at org.jboss.ejb.client.remoting.NetworkUtil.connect(NetworkUtil.java:132)
          at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:117)
          ... 53 more
      06-01@13:24:49 DEBUG (ConfigBasedEJBClientContextSelector.java:135)     - Registered a reconnect handler in EJB client context org.jboss.ejb.client.EJBClientContext@181b7c76 for remote://localhost:4447
      06-01@13:24:49 DEBUG (ConfigBasedEJBClientContextSelector.java:140)     - Registered 0 remoting EJB receivers for EJB client context org.jboss.ejb.client.EJBClientContext@181b7c76
      06-01@13:24:49 DEBUG (WorkerThread.java:88)     - Started channel thread 'Remoting "client-endpoint" read-1', selector sun.nio.ch.KQueueSelectorImpl@317cfd38
      06-01@13:24:49 DEBUG (WorkerThread.java:88)     - Started channel thread 'Remoting "client-endpoint" write-1', selector sun.nio.ch.KQueueSelectorImpl@49aacd5f
      06-01@13:24:49 ERROR (RemoteConnection.java:99)     - JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

       

       

      However, if I use jboss-ejb-client.jar from 7.1.1 with my standalone app, authentication is done against the security-domain domain and after that the user is in the cache:

       

      14:18:54,650 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-3) Begin isValid, principal:USER, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@4689ad
      14:18:54,650 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-3) Begin validateCache, info=org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@4689ad;credential.class=java.lang.String@21680077
      14:18:54,650 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-3) End validateCache, isValid=true
      14:18:54,651 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-3) End isValid, true
      14:18:54,855 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-4) Begin isValid, principal:USER, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@4689ad
      14:18:54,855 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-4) Begin validateCache, info=org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@4689ad;credential.class=java.lang.String@21680077
      14:18:54,855 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-4) End validateCache, isValid=true
      14:18:54,855 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Remoting "zoo-kuo-24" task-4) End isValid, true
      14:18:55,484 DEBUG [org.jboss.jca.core.connectionmanager.pool.idle.IdleRemover] (IdleRemover) Notifying pools, interval: 30000

       

      The client still logs the same error as with jboss-ejb-client.jar from 7.1.2.

       

       

      Any good ideas on where to start looking for a solution to the problem?
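
The clientProps debug line in the client log above prints the value of remote.connection.connection_0.password in clear text. A way to mask such values before the properties are logged, as an added example that is not part of the original post; the class name, method name and the extra key suffixes are hypothetical, and only the remote.connection.<name>.password key pattern is taken from the post:

```java
import java.util.Map;
import java.util.Properties;
import java.util.TreeMap;
import java.util.regex.Pattern;

// Added example, not code from the post: hypothetical helper that returns a
// log-safe view of EJB client properties with credential values masked.
public final class ClientPropsRedactor {

    // Matches remote.connection.<name>.password as built in buildClientProperties().
    // Assumption: keys whose last segment contains other secret-like words are
    // masked too, so a differently named secret is not leaked by accident.
    private static final Pattern SECRET_KEY =
            Pattern.compile("(?i).*(password|passwd|secret|credential)[^.]*$");

    // Fixed-length mask so the log does not reveal the length of the secret.
    private static final String MASK = "********";

    private ClientPropsRedactor() {
    }

    /** Returns a sorted copy of props in which secret values are replaced by MASK. */
    public static Map<String, String> redact(Properties props) {
        Map<String, String> safe = new TreeMap<String, String>();
        // stringPropertyNames() only returns keys whose values are Strings.
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key);
            safe.put(key, SECRET_KEY.matcher(key).matches() ? MASK : value);
        }
        return safe;
    }

    public static void main(String[] args) {
        // Constructed sample input that mirrors the key names in the client log.
        Properties p = new Properties();
        p.setProperty("endpoint.name", "client-endpoint");
        p.setProperty("remote.connections", "connection_0");
        p.setProperty("remote.connection.connection_0.host", "localhost");
        p.setProperty("remote.connection.connection_0.port", "4447");
        p.setProperty("remote.connection.connection_0.username", "example-user");
        p.setProperty("remote.connection.connection_0.password", "example-password");

        // Log the redacted view instead of the raw Properties object.
        System.out.println("clientProps " + redact(p));
    }
}
```

Logging redact(clientProps) in place of clientProps keeps the host, port and SASL options visible for troubleshooting while the password never reaches the log file.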