0 Replies Latest reply on Nov 16, 2012 12:42 PM by cfillot

    Remoting and security domains (JBoss 7.1.1)

    cfillot

Hello,

I've an application with EJBs that need to check users and roles. The EJBs are called in two ways:

- By web servlets;
- By a remote standalone client, using remoting on port 4447.

The authentication methods are different for the remote part and the servlets (Jasig CAS, with CasLoginModule).

       

The domain used by the web part is called "cas-auth" (specified in jboss-web.xml) and is defined like this:

    <security-domain name="cas-auth" cache-type="default">
        <authentication>
            <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required" module="cas">
                <module-option name="ticketValidatorClass" value="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"/>
                <module-option name="casServerUrlPrefix" value="https://cas-server.internal/cas"/>
                <module-option name="principalGroupName" value="CallerPrincipal"/>
                <module-option name="roleGroupName" value="Roles"/>
                <module-option name="defaultRoles" value="cas-user"/>
            </login-module>
        </authentication>
    </security-domain>

       

The domain used by EJBs is called "domain1" (specified in jboss-ejb3.xml), and is defined as follows:

    <security-domain name="domain1" cache-type="default">
        <authentication>
            <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="fr.utc.dsi.jboss.DatabaseRoleLoginModule" flag="required" module="fr.utc.dsi.jboss">
                <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
                <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
            </login-module>
        </authentication>
    </security-domain>

       

The DatabaseRoleLoginModule is a custom module I wrote by extending DatabaseServerLoginModule, but which doesn't check usernames (to sum up, the login method always returns true). It simply fetches additional roles from a database. I can provide the code for it if needed.

The servlet -> EJB part works. I wanted to add support for remoting, and after a lot of trial and error, I could get something working with the following configuration:

    <security-realm name="RemotingRealm">
        <authentication>
            <jaas name="other"/>
        </authentication>
    </security-realm>

    <subsystem xmlns="urn:jboss:domain:remoting:1.1">
        <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
    </subsystem>

       

(If I kept the "default" configuration, I got UUIDs as usernames.)

At the client level, I use the following for jboss-ejb-client.properties (I found the xnio options by browsing the forums):

    endpoint.name=my-remote-client
    remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

    remote.connections=default

    remote.connection.default.host=127.0.0.1
    remote.connection.default.port=4447
    remote.connection.default.username=SECRET_USERNAME
    remote.connection.default.password=SECRET_PASSWORD
    remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
    remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

       

And for jndi.properties:

    java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
    java.naming.provider.url=remote://127.0.0.1:4447
    java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
    java.naming.security.principal=SECRET_USERNAME
    java.naming.security.credentials=SECRET_PASSWORD
    jboss.naming.client.ejb.context=true
    jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

       

"SECRET_USERNAME" has role entries in the database (and is defined in application-users.properties).

Since I'm a total beginner with JBoss, I would like to have opinions about all of the above. Is it the correct way to do it, or is it a total mess? I know the JAAS/SASL part in clear text is not secure (I can indeed see the username/password by using Wireshark).

BTW, I tried to use role mapping in the "domain1" security domain with the following configuration (instead of using my custom LoginModule):

    <mapping>
        <mapping-module code="DatabaseRoles" type="role">
            <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
            <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
        </mapping-module>
    </mapping>

       

But if I remove the custom LoginModule, I get a "Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored" exception. I guess this is because no module handled the authentication. I thought of using ClientLoginModule, but if I use it, I get this message:

    17:14:39,578 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] (EJB default - 1) Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other

I don't understand why the domain seems to be changed to "CLIENT_LOGIN_MODULE".
Do I have to create some custom dummy LoginModule that would always return "true" for the login() method?

Thanks in advance for any help and comments!