2 Replies Latest reply on Oct 15, 2012 8:00 AM by kferkic

    Authentication of a remote client

    kferkic

      Hi,

      currently I'm porting an application from JBoss 4.2.3 to JBoss 7.1.1.

      Till now everything went well. But now I'm stuck a little bit with the security.

      We have a remote client which is a desktop application. The remote client is used for administrating the server application.

      For that, the client has to log in with his username and password. For the authentication we also send other things to the server like app-version, mandator...

      On the server side we use a custom authentication module which is based on the DatabaseServerLoginModule. We do not deploy that login module as a module to the AS, but with our application, because it uses some EJBs from the application to authenticate the user.

      We used the SecurityAssociation to pass the (custom) principal and credentials from the client to the server. Basically it was just using the setters on the client side and the getters on the server side for the principal and credentials in the SecurityAssociation class.

      Now here comes the problem:

      There is no SecurityAssociation anymore. I found a SecurityContextAssociation class which has the same methods as the SecurityAssociation class. But if I set the principal and credentials on it, they do not get sent to the server. On the server side the principal and credentials in the SecurityContextAssociation are always null. Same in the custom login module: the subject is always empty and the principal and credentials in the callback handler are some random UUIDs.

      So I tried to put the principal and credentials in the environment properties for the JNDI lookup - same thing:

       

      {code}
      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.naming.NamingException;

      public class RemoteClient {
          // Bootstrap a remote JNDI/EJB context; the credentials travel as JNDI environment properties
          public static InitialContext connect() throws NamingException {
              final Properties props = new Properties();
              props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
              props.put(Context.PROVIDER_URL, "remote://localhost:4447");
              props.put("jboss.naming.client.ejb.context", true);
              props.put(Context.SECURITY_PRINCIPAL, "testUserName");
              props.put(Context.SECURITY_CREDENTIALS, "testPassword");
              // forbid the local-user SASL mechanism and allow PLAIN so the username/password is used
              props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
              props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", false);
              return new InitialContext(props);
          }
      }
      {code}

      I've seen somewhere an example with the SecurityClient, so I've tried that, but no luck:

       

      {code}
      import org.jboss.security.client.SecurityClient;
      import org.jboss.security.client.SecurityClientFactory;

      // client-side JAAS login through the JBoss security client; login() throws Exception on failure
      SecurityClient sc = SecurityClientFactory.getSecurityClient();
      sc.setSimple("testUserName", "testPassword");
      sc.login();
      {code}

      Also I've found some examples with the LoginContext, but I couldn't get this to work.

      Here is my standalone.xml:

       

      {code:xml}
      ...
      <security-realms>
           <security-realm name="ManagementRealm">
                <authentication>
                     <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
           </security-realm>
           <security-realm name="ApplicationRealm">
                <authentication>
                     <jaas name="testSD" />
                </authentication>
           </security-realm>
      </security-realms>
      ...
      <security-domains>
           <security-domain name="testSD" cache-type="default">
                <authentication>
                     <login-module code="de.kf.CustomLoginModule" flag="required" />
                </authentication>
           </security-domain>
           <security-domain name="other" cache-type="default">
                <authentication>
                     <login-module code="Remoting" flag="required">
                          <module-option name="password-stacking" value="useFirstPass"/>
                     </login-module>
                     <login-module code="RealmUsersRoles" flag="required">
                          <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                          <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                          <module-option name="realm" value="ApplicationRealm"/>
                          <module-option name="password-stacking" value="useFirstPass"/>
                     </login-module>
                </authentication>
           </security-domain>
           <security-domain name="jboss-web-policy" cache-type="default">
                <authorization>
                     <policy-module code="Delegating" flag="required"/>
                </authorization>
           </security-domain>
           <security-domain name="jboss-ejb-policy" cache-type="default">
                <authorization>
                     <policy-module code="Delegating" flag="required"/>
                </authorization>
           </security-domain>
      </security-domains>
      {code}

       

      I'm really a little bit desperate right now. I hope you guys can help me out.

      What is the right (usual) way to do this? And why didn't anything I've tried so far work?

      Thank you in advance!

        • 1. Re: Authentication of a remote client
          ksreen

          I think you should set userProperties and roleProperties for your new security domain "testSD", just like it has been set for the "other" security domain, or at least associate it with a Realm.

          • 2. Re: Authentication of a remote client
            kferkic

            Thanks for your answer.

            You mean these tags:

            {code:xml}
            <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
            <module-option name="realm" value="ApplicationRealm"/>
            {code}

            Isn't that just a configuration for the default login mechanism? So that the login module searches in the application-users.properties file for the username and in the application-roles.properties file for the role?

            I have the user names and roles stored in a DB. I don't use these *.properties files.

            I know there are module-options for the DatabaseServerLoginModule like userQuery, rolesQuery where you can pass your SQL statement to get these things, but in my case there are also other things I have to check (besides username and password). That's why I have to use a custom login module.

            If I set these module-options like in the "other" security domain, I can access these properties in the initialize method of my login module. But like I said, I don't need this, I just need the principal and the credentials.
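The password-stacking contract that the "other" security domain in the first post relies on, as an added example written for this thread (not code from the poster or from JBoss): a stand-alone JAAS LoginModule on plain JDK classes that, with password-stacking=useFirstPass, reuses the identity a preceding module (such as Remoting) left in the shared state under the standard javax.security.auth.login.name and javax.security.auth.login.password keys, asks the callback handler otherwise, and only in commit() places a Principal into the Subject. The class name and the in-memory user table are constructed for the example and stand in for the poster's database-backed module.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class StackingLoginModule implements LoginModule {
    // Constructed in-memory user table standing in for the poster's database (assumption).
    private static final Map<String, String> USERS = Map.of("testUserName", "testPassword");
    private static final String NAME_KEY = "javax.security.auth.login.name";
    private static final String PASS_KEY = "javax.security.auth.login.password";
    private Subject subject; private CallbackHandler handler;
    private Map<String, Object> shared; private Map<String, ?> options;
    private String user; // set by login(), turned into a Principal by commit()

    @Override @SuppressWarnings("unchecked")
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> state, Map<String, ?> opts) {
        subject = s; handler = h; shared = (Map<String, Object>) state; options = opts;
    }

    @Override public boolean login() throws LoginException {
        String name = null; char[] pw = null;
        // password-stacking=useFirstPass: reuse what an earlier module (e.g. Remoting) stored.
        if ("useFirstPass".equals(options.get("password-stacking"))) {
            name = (String) shared.get(NAME_KEY);
            Object p = shared.get(PASS_KEY);
            pw = p instanceof char[] ? (char[]) p : p == null ? null : p.toString().toCharArray();
        }
        if (name == null || pw == null) { // nothing stacked: ask the callback handler
            NameCallback nc = new NameCallback("user: ");
            PasswordCallback pc = new PasswordCallback("password: ", false);
            try { handler.handle(new Callback[] {nc, pc}); }
            catch (Exception e) { throw new LoginException("no credentials: " + e); }
            name = nc.getName(); pw = pc.getPassword();
        }
        String expected = name == null ? null : USERS.get(name);
        if (expected == null || pw == null || !MessageDigest.isEqual( // isEqual is constant-time
                expected.getBytes(StandardCharsets.UTF_8), new String(pw).getBytes(StandardCharsets.UTF_8)))
            throw new LoginException("bad credentials");
        user = name;
        shared.put(NAME_KEY, name); shared.put(PASS_KEY, pw); // publish for modules after us
        return true;
    }

    @Override public boolean commit() { // Principal has one abstract method, so a lambda will do
        final String n = user; if (n != null) subject.getPrincipals().add((Principal) () -> n); return n != null;
    }
    @Override public boolean abort() { user = null; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); user = null; return true; }
}
```

The container drives initialize, login and then commit or abort itself; the module-option elements of the security-domain XML are what arrive in the options map, so password-stacking must be declared there for the shared-state path to be taken.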