Security Realms, Security Domains, and remote EJB invocation
tmanning Jul 30, 2012 6:15 PM
Hi there - I've gone through a lot of documentation and forum posts but I'm still unclear on some things and I'm hoping someone can shed some light. This is JBoss AS7.1.1Final.
I want to invoke a remote EJB, and from this part of standalone.xml I understand that it will use the ApplicationRealm to authenticate:
{code:xml}
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>
{code}
However, I don't want to use the ApplicationRealm's usual application-users.properties and application-roles.properties files, with associated add-user.sh script and hashed passwords. Instead, I've defined my own security domain with my own plaintext users.properties and roles.properties files:
{code:xml}
<security-domain name="myDomain" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
</login-module>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
{code}
My realms are set up as follows:
{code:xml}
<security-realms>
<security-realm name="ManagementRealm">
<authentication>
<properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
<security-realm name="ApplicationRealm">
<authentication>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
</security-realms>
{code}
This works quite well for logging into my web application (ported from JBoss 5.1) - users added to my own users.properties file can log in.
Unfortunately, when invoking a remote EJB the users/passwords in my users.properties file are NOT used. Instead, only the application-users.properties file is consulted.
Here's how I'm creating an initial context:
{code:java}
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;

Properties properties = new Properties();
properties.setProperty(Context.SECURITY_PRINCIPAL, "user20");
properties.setProperty(Context.SECURITY_CREDENTIALS, "password");
// JBoss remote-naming client over the remoting connector (port 4447)
properties.setProperty("java.naming.factory.initial", "org.jboss.naming.remote.client.InitialContextFactory");
properties.setProperty("java.naming.provider.url", "remote://localhost:4447");
properties.setProperty("jboss.naming.client.ejb.context", "true");
properties.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
Context context = new InitialContext(properties);
{code}
Do I also need to set the Context.SECURITY_PROTOCOL to something?
users.properties contains the line "user20=password" - but I get the following exception:
{code}
javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)
{code}
I then used the add-user.sh script to add user20 to application-users.properties with a hashed password, and was able to create an initial context no problem.
The bean lookup then succeeds using the ejb-client method, but on the server side all I see is the anonymous user.
So the questions are:
1) What's the correct way to get ApplicationRealm to use the myDomain security domain to authenticate? Or should I be creating a separate Realm?
2) Once I've succeeded in obtaining an InitialContext and invoking my bean, how can I propagate the security credentials to the server?
Thanks for any help!