JBoss7.1.1Final JAAS CertificateRoles
hlkandrew Aug 13, 2012 2:34 AM
Hi all,
I have read here about setting up JBoss+SSL+JAAS, but I have yet to make a complete transaction from the EJBClient (with a client certificate) to the server. I'm not sure where I should continue... should I extend the CertificateRoles LoginModule to capture the cert? I can't find a way for the CertificateRoles module to capture the cert and pass the principal to the server.
The SSL connection between the client and the server works fine.
The error I get in the client:
13/08/2012 6:06:34 PM org.jboss.ejb.client.EJBClient <clinit>
INFO: JBoss EJB Client version 1.0.5.Final
13/08/2012 6:06:34 PM org.xnio.Xnio <clinit>
INFO: XNIO Version 3.0.3.GA
13/08/2012 6:06:34 PM org.xnio.nio.NioXnio <clinit>
INFO: XNIO NIO Implementation Version 3.0.3.GA
13/08/2012 6:06:34 PM org.jboss.remoting3.EndpointImpl <clinit>
INFO: JBoss Remoting version 3.2.3.GA
13/08/2012 6:06:38 PM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
13/08/2012 6:06:38 PM org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector setupEJBReceivers
WARN: Could not register a EJB receiver for connection to remote://localhost:4447
java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:91)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:121)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.<init>(ConfigBasedEJBClientContextSelector.java:78)
at org.jboss.ejb.client.EJBClientContext.<clinit>(EJBClientContext.java:77)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:120)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:104)
at $Proxy0.getNextCommand(Unknown Source)
at net.healthlink.keymgr.command.client.RemoteEJBClient.queryBy(RemoteEJBClient.java:80)
at net.healthlink.keymgr.command.client.RemoteEJBClient.run(RemoteEJBClient.java:98)
at net.healthlink.keymgr.command.client.ClientHandler.main(ClientHandler.java:48)
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:315)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:180)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
at org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector.setupEJBReceivers(ConfigBasedEJBClientContextSelector.java:119)
... 8 more
13/08/2012 6:06:41 PM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
java.lang.IllegalStateException: No EJBReceiver available for node name hlk-andrewl
at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiver(EJBClientContext.java:613)
at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiverContext(EJBClientContext.java:648)
at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:48)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:181)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:136)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:121)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:104)
at $Proxy0.getNextCommand(Unknown Source)
at net.healthlink.keymgr.command.client.RemoteEJBClient.queryBy(RemoteEJBClient.java:80)
at net.healthlink.keymgr.command.client.RemoteEJBClient.run(RemoteEJBClient.java:98)
at net.healthlink.keymgr.command.client.ClientHandler.main(ClientHandler.java:48)
trx rollback..trx status:0
13/08/2012 6:06:45 PM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
java.lang.IllegalStateException: No EJBReceiver available for node name hlk-andrewl
at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiver(EJBClientContext.java:613)
at org.jboss.ejb.client.EJBClientContext.requireNodeEJBReceiverContext(EJBClientContext.java:648)
at org.jboss.ejb.client.EJBClientUserTransactionContext$UserTransactionImpl.rollback(EJBClientUserTransactionContext.java:155)
at net.healthlink.keymgr.command.client.RemoteEJBClient.run(RemoteEJBClient.java:145)
at net.healthlink.keymgr.command.client.ClientHandler.main(ClientHandler.java:48)
trx rollback failed:No EJBReceiver available for node name hlk-andrewl
I have set up the client as follows:
endpoint.name=client-endpoint
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true
remote.connections=command
remote.connection.command.host=localhost
remote.connection.command.port=4447
remote.connection.command.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.command.connect.options.org.xnio.Options.SSL_STARTTLS=true
remote.connection.command.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.command.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
remote.connection.command.username=appuser
remote.connection.command.password=apppassword
and the client runs with the client's keystore and truststore.
The standalone.xml:
<security-domain name="my-security-domain" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="CertificateRoles" flag="required">
            <module-option name="securityDomain" value="my-security-domain"/>
            <module-option name="verifier" value="org.jboss.security.auth.certs.AnyCertVerifier"/>
            <module-option name="rolesProperties" value="file:/E:/Programs/jboss-as-7.1.1.Final/standalone/configuration/cert-roles.properties"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
    <jsse keystore-password="1" keystore-url="file:/E:/Programs/jboss-as-7.1.1.Final/standalone/configuration/server.jks" truststore-password="1" truststore-url="file:/E:/Programs/jboss-as-7.1.1.Final/standalone/configuration/server.truststore"/>
</security-domain>
The cert-roles.properties file contains the DN of the user:
ST\=Auckland,\ O\=HLK,\ OU\=Dev,\ CN\=000001=approle
where approle is declared on the EJB's method:
@RolesAllowed(value = {"approle"})
public Command findName(String id)
Are there some settings I have missed? Hope someone out there knows the answer!
Thanks
Andrew
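Added example, not part of Andrew's post and not JBoss code: a small Python check for the one thing that has to line up exactly for a CertificateRoles mapping to work, namely the escaped key in cert-roles.properties and the principal name the login module looks it up by. It assumes (an assumption to confirm against the 7.1.1 BaseCertLoginModule source) that the principal name is the certificate's subject DN string as returned by X509Certificate.getSubjectDN().getName(), which for a keytool-generated certificate normally lists CN first ("CN=000001, OU=Dev, O=HLK, ST=Auckland"); the key in the post decodes to the reverse order. The properties parser, the helper names and the sample file content are constructed here; the mapping line in the sample is the one from the post.

```python
"""Check whether a cert-roles.properties key matches the principal name a login module will look up.

java.util.Properties escaping rules are re-implemented here (subset: no line continuations),
so the check can run without a JVM or a keystore.
"""

def _unescape(token: str) -> str:
    """Undo java.util.Properties escaping (\\=, \\ , \\:, \\\\, \\t, \\uXXXX ...) for one key or value."""
    simple = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
    out, i = [], 0
    while i < len(token):
        c = token[i]
        if c == "\\" and i + 1 < len(token):
            nxt = token[i + 1]
            if nxt == "u" and i + 5 < len(token):
                out.append(chr(int(token[i + 2:i + 6], 16)))
                i += 6
                continue
            out.append(simple.get(nxt, nxt))  # any other escaped char stands for itself
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_properties(text: str) -> dict:
    """Parse .properties text into {key: value}; the key ends at the first unescaped '=', ':' or space."""
    props = {}
    for raw in text.splitlines():
        line = raw.lstrip()
        if not line or line[0] in "#!":
            continue
        i = 0
        while i < len(line):
            if line[i] == "\\":
                i += 2          # skip the escaped character, whatever it is
                continue
            if line[i] in "=:" or line[i].isspace():
                break
            i += 1
        key = _unescape(line[:i])
        rest = line[i:].lstrip()
        if rest and rest[0] in "=:":
            rest = rest[1:].lstrip()
        props[key] = _unescape(rest)
    return props


def properties_key(principal: str) -> str:
    """Escape a principal name so it survives as a single key in a .properties file (what Properties.store does for keys)."""
    return "".join("\\" + c if c in "\\=: #!" else c for c in principal)


def roles_for(principal: str, props_text: str) -> list:
    """Roles a properties-backed role mapping assigns to this exact principal name; [] when no key matches."""
    value = parse_properties(props_text).get(principal)
    if value is None:
        return []
    return [r.strip() for r in value.split(",") if r.strip()]


# Constructed sample file: the comment is ours, the mapping line is the one from the post.
CERT_ROLES = (
    "# cert-roles.properties (constructed sample)\n"
    r"ST\=Auckland,\ O\=HLK,\ OU\=Dev,\ CN\=000001=approle" "\n"
)

# Principal name encoded by the posted key (ST first) versus the CN-first order
# that getSubjectDN().getName() typically yields for a keytool-made cert (assumption).
POSTED_KEY_PRINCIPAL = "ST=Auckland, O=HLK, OU=Dev, CN=000001"
CN_FIRST_PRINCIPAL = "CN=000001, OU=Dev, O=HLK, ST=Auckland"

if __name__ == "__main__":
    print(roles_for(POSTED_KEY_PRINCIPAL, CERT_ROLES))
    print(roles_for(CN_FIRST_PRINCIPAL, CERT_ROLES))
    # The key you would need if the server really sees the CN-first string:
    print(properties_key(CN_FIRST_PRINCIPAL) + "=approle")
```

To use it against a real deployment, take the principal string exactly as the server logs it (for example with TRACE logging enabled for org.jboss.security) and pass it to roles_for together with the contents of the deployed cert-roles.properties; an empty result means the lookup key, not the role declaration, is what needs fixing.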