8 Replies Latest reply on Nov 15, 2012 5:20 AM by dweil

    Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal

    dweil

      I'm testing the propagation of caller principals to a remote EJB on JBoss 7.1.1.Final. I've written a simple EJB which allows the retrieval of the current user. A JUnit test compares this with the expected user which was supplied when initiating the remote connection.

       

      If I deploy the EJB manually, the test works as expected, i.e. the remote user is the expected one.

       

      But if I use Arquillian for deploying the archive, the returned user is always the same ("anonymous" in my case). I checked the manually created archive against the one Arquillian produced - they are the same. I even deployed the latter manually once, which resulted in the expected behaviour of my tests...

       

      The Arquillian-controlled tests fail in a way, as if the additional deployment descriptor META-INF/jboss-ejb3.xml was missing, but it is definitely there!

       

      Does Arquillian deploy the archive in some other way (other than e.g. deploying it via admin console)?

       

      I've attached the test project to this article. A short explanation for it:

      • de.gedoplan.beantrial.jboss7remoteejb.UserInfo, de.gedoplan.beantrial.jboss7remoteejb.UserInfoBean and META-INF/jboss-ejb3.xml form the simple EJB mentioned above.
      • The JBoss 7.1.1.Final instance used for testing is a vanilla installation with two users added to ApplicationRealm: anonymous/anonymousanonymous and baselibsTestuser1/pwd4baselibsTestuser1 (user/pwd).
      • The unit test de.gedoplan.beantrial.jboss7remoteejb.DirectUserInfoTest assumes that the EJB is deployed on the server. All tests execute successfully.
      • The unit test de.gedoplan.beantrial.jboss7remoteejb.DirectArquillianUserInfoTest deploys the EJB via ShrinkWrap/Arquillian and performs the same tests as above. Now the one for the user baselibsTestuser1 fails (server side user is anonymous instead of baselibsTestuser1).
      • de.gedoplan.beantrial.jboss7remoteejb.BaselibsUserInfoTest is out of scope. It is not used in the scenario described.

       

      Is this an Arquillian/JBoss 7 bug or am I missing something?

       

      Thanks for your help!

       

      Dirk

        • 1. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
          aslak

          Could you try using @Deployment @OverProtocol("Servlet 3.0") on your deployment method?

           

          The default Protocol in AS7 is a JMX based one that calls into a Service deployed in AS7, it might be this behaves a bit differently than through a normal Servlet.

          • 2. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
            dweil

            Using @OverProtocol("Servlet 3.0") didn't change the user reported by the test - it is still anonymous instead of the correct user.

             

            I investigated a little further by logging org.jboss.sasl on TRACE level: The negotiation of realm and user is exactly the same when calling the test directly or via Arquillian. In both cases the correct user "baselibsTestuser1" seems to be negotiated:

             

            12:21:04,902 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred qop property: null

            12:21:04,903 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred qop mask: 1

            12:21:04,903 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred QOPs : 1

            12:21:04,904 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred strength: null

            12:21:04,904 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Cipher strengths: 4 2 1

            12:21:04,904 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" read-1) Server supports realm ApplicationRealm

            12:21:04,904 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" read-1) Server using pre-digested hashes (TRUE)

            12:21:04,910 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive charset = utf-8

            12:21:04,911 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive username = baselibsTestuser1

            12:21:04,911 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive realm = ApplicationRealm

            12:21:04,912 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive nonce = 9011OflhtUnTDX8+PICUVa5EzqQK1+8wE+lgpdfi

            12:21:04,912 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive cnonce = 0jroICIiGQtgvbnETpOXDTeAsVURd7qj09QjMAd+

            12:21:04,913 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive digest-uri = remote/127.0.0.1

            12:21:04,913 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive maxbuf = 65536

            12:21:04,914 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive response = 5b821ea1fd6c7dd7524c6c683ea32c13

            12:21:04,914 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive qop = auth

            12:21:04,914 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Username: baselibsTestuser1

            12:21:04,915 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated realm: ApplicationRealm

            12:21:04,915 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated qop: auth

            12:21:04,916 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) DIGEST87:digest URI: remote/127.0.0.1

             

            But the principal object returned by ejbContext.getCallerPrincipal() is of a different type: When calling the test directly, this method returns an object of type org.jboss.remoting3.security.UserPrincipal, whereas a SimplePrincipal object is returned when running the test by Arquillian. It seems as if the security principal constructed by the remoting connector is not propagated to the application when using Arquillian.

             

            But now I have no clue where to dig in deeper ...

             

            Dirk

            • 3. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
              alrubinger

              Security Context association is per-Thread.  I'm guessing that somewhere in the chain, your client call is getting put into a new Thread; recommend configuring Logging to output the Thread name and see what pops up.

               

              S,

              ALR

              • 4. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
                alrubinger

                ...unless that "Remoting dw-pc task N" stuff is the name of the Threads in play.  If so, you can see there are different ones used.  When "calling the test directly", what does this output look like?

                • 5. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
                  dweil

                  Yes, the "Remoting dw-pc task N" stuff is the thread name. So there are different threads in play. But these are exactly the same if running the test with or without Arquillian:

                   

                  Server side log of test run of de.gedoplan.beantrial.jboss7remoteejb.DirectUserInfoTest (the "direct" one without Arquillian):

                   

                  12:24:12,235 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred qop property: null

                  12:24:12,236 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred qop mask: 1

                  12:24:12,236 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred QOPs : 1

                  12:24:12,237 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred strength: null

                  12:24:12,237 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Cipher strengths: 4 2 1

                  12:24:12,237 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" read-1) Server supports realm ApplicationRealm

                  12:24:12,238 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" read-1) Server using pre-digested hashes (TRUE)

                  12:24:12,244 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive charset = utf-8

                  12:24:12,245 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive username = baselibsTestuser1

                  12:24:12,245 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive realm = ApplicationRealm

                  12:24:12,245 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive nonce = YqzHEzbTxMepzvATCzJHf+kfofFw3nxTy3JQXvsl

                  12:24:12,246 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive cnonce = jHZQmkCGKwEWirionCKBHoSyRQR2J3dLvc4AG43D

                  12:24:12,246 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive digest-uri = remote/127.0.0.1

                  12:24:12,247 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive maxbuf = 65536

                  12:24:12,247 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive response = d4c07c16a40ecea430c311483ddfda4a

                  12:24:12,247 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive qop = auth

                  12:24:12,248 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Username: baselibsTestuser1

                  12:24:12,248 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated realm: ApplicationRealm

                  12:24:12,248 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated qop: auth

                  12:24:12,249 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) DIGEST87:digest URI: remote/127.0.0.1

                  12:24:12,249 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) A2: AUTHENTICATE:remote/127.0.0.1

                  12:24:12,249 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) HEX(H(A2)): e2afbfb33926596cc3370aa828da3131

                  12:24:12,250 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(ˆ#Ä I ÷ÃFè äj/) = 8823c4204914f7c346e808fe00e46a2f

                  12:24:12,250 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(A1): e14f7cb9e2b7bf518e95797e0d737af4

                  12:24:12,250 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) KD: e14f7cb9e2b7bf518e95797e0d737af4:YqzHEzbTxMepzvATCzJHf+kfofFw3nxTy3JQXvsl:00000001:jHZQmkCGKwEWirionCKBHoSyRQR2J3dLvc4AG43D:auth:e2afbfb33926596cc3370aa828da3131

                  12:24:12,251 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) response-value: d4c07c16a40ecea430c311483ddfda4a

                  12:24:12,252 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) A2: :remote/127.0.0.1

                  12:24:12,252 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) HEX(H(A2)): a675d66c8bbe05dc878b9853b46e63ef

                  12:24:12,252 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(ˆ#Ä I ÷ÃFèäj/) = 8823c4204914f7c346e808fe00e46a2f

                  12:24:12,253 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(A1): e14f7cb9e2b7bf518e95797e0d737af4

                  12:24:12,253 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) KD: e14f7cb9e2b7bf518e95797e0d737af4:YqzHEzbTxMepzvATCzJHf+kfofFw3nxTy3JQXvsl:00000001:jHZQmkCGKwEWirionCKBHoSyRQR2J3dLvc4AG43D:auth:a675d66c8bbe05dc878b9853b46e63ef

                  12:24:12,253 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) response-value: 1452c65d92dabb2c77adad0793c76d1d

                  12:24:12,677 DEBUG [de.gedoplan.beantrial.jboss7remoteejb.UserInfoBean] (EJB default - 9) getUserId()

                  12:24:12,677 DEBUG [de.gedoplan.beantrial.jboss7remoteejb.UserInfoBean] (EJB default - 9) callerPrincipal: org.jboss.remoting3.security.UserPrincipal@895b9a55

                   

                  Server side log of test run of de.gedoplan.beantrial.jboss7remoteejb.DirectArquillianUserInfoTest (the one with Arquillian):

                   

                  12:21:04,902 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred qop property: null

                  12:21:04,903 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred qop mask: 1

                  12:21:04,903 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred QOPs : 1

                  12:21:04,904 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Preferred strength: null

                  12:21:04,904 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" read-1) Cipher strengths: 4 2 1

                  12:21:04,904 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" read-1) Server supports realm ApplicationRealm

                  12:21:04,904 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" read-1) Server using pre-digested hashes (TRUE)

                  12:21:04,910 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive charset = utf-8

                  12:21:04,911 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive username = baselibsTestuser1

                  12:21:04,911 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive realm = ApplicationRealm

                  12:21:04,912 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive nonce = 9011OflhtUnTDX8+PICUVa5EzqQK1+8wE+lgpdfi

                  12:21:04,912 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive cnonce = 0jroICIiGQtgvbnETpOXDTeAsVURd7qj09QjMAd+

                  12:21:04,913 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive digest-uri = remote/127.0.0.1

                  12:21:04,913 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive maxbuf = 65536

                  12:21:04,914 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive response = 5b821ea1fd6c7dd7524c6c683ea32c13

                  12:21:04,914 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) DIGEST11:Directive qop = auth

                  12:21:04,914 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Username: baselibsTestuser1

                  12:21:04,915 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated realm: ApplicationRealm

                  12:21:04,915 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated qop: auth

                  12:21:04,916 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) DIGEST87:digest URI: remote/127.0.0.1

                  12:21:04,916 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) A2: AUTHENTICATE:remote/127.0.0.1

                  12:21:04,917 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) HEX(H(A2)): e2afbfb33926596cc3370aa828da3131

                  12:21:04,917 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(ˆ#Ä I ÷ÃFèäj/) = 8823c4204914f7c346e808fe00e46a2f

                  12:21:04,917 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(A1): d1669ca8a896c40376652ac12a16bef0

                  12:21:04,918 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) KD: d1669ca8a896c40376652ac12a16bef0:9011OflhtUnTDX8+PICUVa5EzqQK1+8wE+lgpdfi:00000001:0jroICIiGQtgvbnETpOXDTeAsVURd7qj09QjMAd+:auth:e2afbfb33926596cc3370aa828da3131

                  12:21:04,918 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) response-value: 5b821ea1fd6c7dd7524c6c683ea32c13

                  12:21:04,919 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) A2: :remote/127.0.0.1

                  12:21:04,919 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) HEX(H(A2)): a675d66c8bbe05dc878b9853b46e63ef

                  12:21:04,920 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(ˆ#Ä I ÷ÃFèäj/) = 8823c4204914f7c346e808fe00e46a2f

                  12:21:04,920 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) H(A1): d1669ca8a896c40376652ac12a16bef0

                  12:21:04,920 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) KD: d1669ca8a896c40376652ac12a16bef0:9011OflhtUnTDX8+PICUVa5EzqQK1+8wE+lgpdfi:00000001:0jroICIiGQtgvbnETpOXDTeAsVURd7qj09QjMAd+:auth:a675d66c8bbe05dc878b9853b46e63ef

                  12:21:04,921 TRACE [org.jboss.sasl.digest] (Remoting "dw-pc" task-4) response-value: caa77f28b510bad3e59cd6de8eb88dab

                  12:21:05,238 DEBUG [de.gedoplan.beantrial.jboss7remoteejb.UserInfoBean] (EJB default - 8) getUserId()

                  12:21:05,239 DEBUG [de.gedoplan.beantrial.jboss7remoteejb.UserInfoBean] (EJB default - 8) callerPrincipal: anonymous

                   

                  If I deploy the EJB manually and have that called by the Arquillian test run, it works as expected. So the cause must be somewhere in the deployment of the EJB. But again: The deployed archive is identical ...

                  • 6. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
                    alrubinger

                    Sorry, should have specified: client-side logs would be the place I'd look for Security Context (i.e. Thread) information.


                    S,

                    ALR

                    • 7. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
                      dweil

                      Andrew,

                       

                      I've run both tests with client side log level TRACE - see attached files. At first glance I don't see a significant difference.

                       

                      The thing to keep in mind is, that the following scenario produces a correct server side user:

                      - Deploy the EJB manually as "jboss7remoteEjb.jar"

                      - Use "jboss7remoteEjb/UserInfoBean!de.gedoplan.beantrial.jboss7remoteejb.UserInfo" as lookup name for the EJB, i.e. use the manually deployed EJB

                      - Run the test DirectArquillianUserInfoTest; this will ...

                        - ... deploy the EJB again, but with a different deployment unit name "arqJBoss7remoteEjb"

                        - ... call the manually deployed EJB as explained before

                       

                      If the lookup name is changed to "arqJBoss7remoteEjb/UserInfoBean!de.gedoplan.beantrial.jboss7remoteejb.UserInfo", the same test fails. The two deployment JARs are identical. So calling the EJB from the manually deployed JAR produces correct results, running the same test, but calling the Arquillian deployed EJB returns the wrong user. That seems very weird ...

                       

                      Regards

                      Dirk

                      • 8. Re: Arquillian test for remote EJB on JBoss 7.1.1 loses caller principal
                        dweil

                        I found the reason - it is horrible and simple at the same time: I used an archive name without extension for packing the deployment with ShrinkWrap. JBoss 7.1.1 deploys this without any complaints, but does not process additional descriptors like jboss-ejb3.xml. So it is essential to use correct deployment unit names including an extension like .jar, .war etc.:

                         

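                        import org.jboss.arquillian.container.test.api.Deployment;
                        import org.jboss.arquillian.container.test.api.OverProtocol;
                        import org.jboss.arquillian.junit.Arquillian;
                        import org.jboss.shrinkwrap.api.ShrinkWrap;
                        import org.jboss.shrinkwrap.api.spec.JavaArchive;
                        import org.junit.runner.RunWith;

                        @RunWith(Arquillian.class)
                        public class DirectArquillianUserInfoTest extends DirectUserInfoTest
                        {
                          protected static final String ARCHIVE_NAME = "arqJBoss7remoteEjb";

                          @Deployment(testable = false)
                          @OverProtocol("Servlet 3.0")
                          public static JavaArchive createDeployment()
                          {
                            // The deployment unit name must carry its extension: without ".jar",
                            // JBoss 7.1.1 deploys the archive but does not process jboss-ejb3.xml.
                            JavaArchive archive = ShrinkWrap.create(JavaArchive.class, ARCHIVE_NAME + ".jar");

                            archive.addClasses(UserInfo.class, UserInfoBean.class);
                            archive.addAsResource("META-INF/ejb-jar.xml");
                            archive.addAsResource("META-INF/jboss-ejb3.xml");

                            return archive;
                          }
                        }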

                         

                        It would be nice, if Arquillian issued a warning at least - would have saved me some days and frustration!

                         

                        CU, Dirk
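
A server-log check for the failure this thread ends on, as an added example (not code from the thread, JBoss or Arquillian): it pairs the username authenticated by the SASL DIGEST exchange with the `callerPrincipal` the bean logged afterwards and flags calls where the identity was dropped. The log excerpts are copied from the posts above; the function names, the verdict labels and the pairing rule (latest SASL username, one client connection at a time) are assumptions of this example.

```python
import re
from typing import List, NamedTuple, Optional

# JBoss AS 7 server.log layout as it appears in the thread:
#   HH:MM:SS,mmm LEVEL [logger] (thread) message
LINE = re.compile(
    r'^(?P<ts>\d\d:\d\d:\d\d,\d{3})\s+(?P<level>\w+)\s+\[(?P<logger>[^\]]+)\]\s+'
    r'\((?P<thread>[^)]*)\)\s+(?P<msg>.*)$')
SASL_LOGGER = "org.jboss.sasl.digest.server"
# Default Object.toString(), e.g. "pkg.UserPrincipal@895b9a55": the name is not visible.
OPAQUE = re.compile(r'^[\w.$]+@[0-9a-f]+$')

# Excerpts copied from the two server-side logs posted in the thread.
ARQUILLIAN_RUN = """\
12:21:04,914 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Username: baselibsTestuser1
12:21:04,915 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated realm: ApplicationRealm
12:21:05,239 DEBUG [de.gedoplan.beantrial.jboss7remoteejb.UserInfoBean] (EJB default - 8) callerPrincipal: anonymous
"""
DIRECT_RUN = """\
12:24:12,248 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Username: baselibsTestuser1
12:24:12,248 TRACE [org.jboss.sasl.digest.server] (Remoting "dw-pc" task-4) Client negotiated realm: ApplicationRealm
12:24:12,677 DEBUG [de.gedoplan.beantrial.jboss7remoteejb.UserInfoBean] (EJB default - 9) callerPrincipal: org.jboss.remoting3.security.UserPrincipal@895b9a55
"""

class Finding(NamedTuple):
    ts: str                       # timestamp of the EJB call
    authenticated: Optional[str]  # user the remoting layer authenticated
    principal: str                # what the bean reported as caller
    verdict: str                  # match | opaque | dropped | no-auth-seen

def correlate(log_text: str) -> List[Finding]:
    """Pair each 'callerPrincipal:' line with the most recent SASL 'Username:' line."""
    findings, authenticated = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or continuation line
        msg = m["msg"]
        if m["logger"] == SASL_LOGGER and msg.startswith("Username: "):
            authenticated = msg[len("Username: "):].strip()
        elif msg.startswith("callerPrincipal: "):
            principal = msg[len("callerPrincipal: "):].strip()
            if authenticated is None:
                verdict = "no-auth-seen"
            elif principal == authenticated:
                verdict = "match"
            elif OPAQUE.match(principal):
                verdict = "opaque"   # object logged instead of getName(); cannot compare
            else:
                verdict = "dropped"  # transport authenticated one user, bean saw another
            findings.append(Finding(m["ts"], authenticated, principal, verdict))
    return findings

def dropped(log_text: str) -> List[Finding]:
    """Only the calls where the authenticated identity did not reach the bean."""
    return [f for f in correlate(log_text) if f.verdict == "dropped"]

if __name__ == "__main__":
    for name, log in (("arquillian", ARQUILLIAN_RUN), ("direct", DIRECT_RUN)):
        print(name, correlate(log))
```

Logging `getCallerPrincipal().getName()` in the bean rather than the principal object turns the "opaque" verdict of the direct run into a comparable name.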