Remoting and security domains (JBoss 7.1.1)
cfillot Nov 16, 2012 12:42 PM
Hello,
I have an application with EJBs that need to check users and roles. The EJBs are called in two ways:
- by web servlets;
- by a remote standalone client, using remoting on port 4447.
The authentication methods are different for the remote part and the servlets (Jasig CAS, with CasLoginModule).
The domain used by the web part is called "cas-auth" (specified in jboss-web.xml) and is defined like this:
<security-domain name="cas-auth" cache-type="default">
    <authentication>
        <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required" module="cas">
            <module-option name="ticketValidatorClass" value="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"/>
            <module-option name="casServerUrlPrefix" value="https://cas-server.internal/cas"/>
            <module-option name="principalGroupName" value="CallerPrincipal"/>
            <module-option name="roleGroupName" value="Roles"/>
            <module-option name="defaultRoles" value="cas-user"/>
        </login-module>
    </authentication>
</security-domain>
The domain used by EJBs is called "domain1" (specified in jboss-ejb3.xml), and is defined as follows:
<security-domain name="domain1" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="fr.utc.dsi.jboss.DatabaseRoleLoginModule" flag="required" module="fr.utc.dsi.jboss">
            <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
            <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
        </login-module>
    </authentication>
</security-domain>
The DatabaseRoleLoginModule is a custom module I wrote by extending DatabaseServerLoginModule, but which doesn't check usernames (to sum up, the login method always returns true). It simply fetches additional roles from a database. I can provide the code for it if needed.
The servlet -> EJB part works. I wanted to add support for remoting, and after a lot of trials/errors, I could get something working with the following configuration:
<security-realm name="RemotingRealm">
    <authentication>
        <jaas name="other"/>
    </authentication>
</security-realm>
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
</subsystem>
(If I kept the "default" configuration, I got UUIDs as usernames.)
At the client level, I use the following for jboss-ejb-client.properties (I found the xnio options by browsing the forums):
endpoint.name=my-remote-client
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=default
remote.connection.default.host=127.0.0.1
remote.connection.default.port=4447
remote.connection.default.username=SECRET_USERNAME
remote.connection.default.password=SECRET_PASSWORD
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
And for jndi.properties:
java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
java.naming.provider.url=remote://127.0.0.1:4447
java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
java.naming.security.principal=SECRET_USERNAME
java.naming.security.credentials=SECRET_PASSWORD
jboss.naming.client.ejb.context=true
jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
"SECRET_USERNAME" has role entries in the database (and is defined in application-users.properties).
Since I'm a total beginner with JBoss, I would like to have opinions about all of the above. Is this the correct way to do it, or is it a total mess? I know the JAAS/SASL part in clear text is not secure (I can indeed see the username/password by using Wireshark).
BTW, I tried to use role mapping in the "domain1" security domain with the following configuration (instead of using my custom LoginModule):
<mapping>
    <mapping-module code="DatabaseRoles" type="role">
        <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
        <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
    </mapping-module>
</mapping>
But if I remove the custom LoginModule, I get a "Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored" exception. I guess this is because no module handled the authentication. I thought of using ClientLoginModule, but if I use it, I get this message:
17:14:39,578 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] (EJB default - 1) Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other
I don't understand why the domain seems to be changed to "CLIENT_LOGIN_MODULE".
Do I have to create some custom dummy LoginModule that would always return "true" for the login() method?
Thanks in advance for any help and comments!
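As an added example (not the poster's DatabaseRoleLoginModule and not part of this thread), here is a roles-only login module for the domain1 stack above that fetches roles from the database but never vouches for a caller on its own: it only succeeds when a preceding module configured with password-stacking=useFirstPass (the Remoting module in domain1) has already put the authenticated principal into the JAAS shared state, so a call that nobody authenticated ends in the "all modules ignored" failure instead of a silent pass. The class name is hypothetical; the base class and helpers are the PicketBox ones that ship with AS 7, and the module options are the same dsJndiName/rolesQuery pair used in the post.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.sql.*;
import java.util.Map;
import javax.naming.InitialContext;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

// Hypothetical roles-only module (not the poster's code): it adds database roles to an identity that an
// earlier module in the stack (Remoting with password-stacking=useFirstPass) already placed in the shared state.
public class SharedStateDatabaseRolesLoginModule extends AbstractServerLoginModule {
    private static final String SHARED_NAME = "javax.security.auth.login.name"; // key written by useFirstPass modules
    private Principal identity;
    private String dsJndiName, rolesQuery;
    @Override
    public void initialize(Subject subject, CallbackHandler handler, Map<String, ?> sharedState, Map<String, ?> options) {
        super.initialize(subject, handler, sharedState, options);
        dsJndiName = (String) options.get("dsJndiName"); // e.g. java:jboss/datasources/accounts
        rolesQuery = (String) options.get("rolesQuery"); // e.g. select groupname,'Roles' from accounts_groups where username=?
    }
    @Override
    public boolean login() throws LoginException {
        Object name = sharedState.get(SHARED_NAME);
        // Nobody authenticated the caller: report "ignored"; with flag=required the whole login then fails.
        if (name == null) { loginOk = false; return false; }
        identity = (name instanceof Principal) ? (Principal) name : new SimplePrincipal(name.toString());
        loginOk = true; // commit() will add the identity and the role groups to the Subject
        return true;
    }
    @Override
    protected Principal getIdentity() { return identity; }
    @Override
    protected Group[] getRoleSets() throws LoginException {
        SimpleGroup roles = new SimpleGroup("Roles"); // the group name PicketBox reads role principals from
        try (Connection c = ((DataSource) new InitialContext().lookup(dsJndiName)).getConnection();
             PreparedStatement ps = c.prepareStatement(rolesQuery)) {
            ps.setString(1, identity.getName()); // bound parameter: the username never becomes part of the SQL text
            ResultSet rs = ps.executeQuery();    // closed together with the statement
            while (rs.next()) roles.addMember(new SimplePrincipal(rs.getString(1)));
        } catch (Exception e) {
            throw new LoginException("role lookup failed for " + identity.getName() + ": " + e);
        }
        return new Group[] { roles };
    }
}
```

Used in place of the custom module in domain1 (same flag="required" and the same two module-options), it keeps the Remoting module as the only thing that can establish who the caller is.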