1 of 1 people found this helpful
so that the password is passed in plain text (for JAAS login module).
That did not help. Password is still coming to my JAAS module as something like a655be3c-dece-4bcf-8480-35d75d890c49. At the same time user name is fine. I want to add that I have not done any changes to the configuration of remoting subsystem.
What does the realm definition currently associated with the Remoting connection currently look that?
The realm needs to be configured to delegate to JAAS.
It is as came with the distribution:
<security-realm name="ApplicationRealm"> <authentication> <local default-user="$local" allowed-users="*"/> <properties path="application-users.properties" relative-to="jboss.server.config.dir"/> </authentication> <authorization> <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/> </authorization> </security-realm> <subsystem xmlns="urn:jboss:domain:remoting:1.1"> <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/> </subsystem>
Thanks to the replies, I got it working. Packaged my login code as JBoss module and configured remoting to use it for the authentication.
SASL_POLICY_NOPLAINTEXToption was required on the client side as Jakirian pointed out.
<security-realm name="ApplicationRealm"> <authentication> <jaas name="MyDomain"/> </authentication> </security-realm>
Just want to confirm, is it the recommended way? The other thing I noticed, is that EJB client fails to connect (times out) if I introduce 5sec sleep in my login module. Is there a way to configure that time out behavior?
Thanks, for your help.
Before we go further with the discussion, I just want to make sure that you are intentionally using remote-naming instead of the EJB client API approach for remote EJB invocations. Take a look at this for the difference https://docs.jboss.org/author/display/AS71/Remote+EJB+invocations+via+JNDI+-+EJB+client+API+or+remote-naming+project
I am using remote naming because of the following requirements:
- Client communicates with multiple servers which all run the same EAR.
- Client gets remote connection info at runtime - no property file with the list of servers (like jboss-ejb-client.properties) on the client side.
- Client needs full control on which remote server to call (all of them run the same EAR with the same JNDI names). There is an application level load balancing and other reasons.
In terms of comparing JNDI vs EJB client i want to confirm that the difference is only on the client side, right? The server deployment is identical, including security, which as I understood from this discussion is server level securing of the remoting subsystem (will apply to all apps).
I read the article you pointed to before, it is really helpful. One question I have about it is the example of how EJB client api improves performance by avoiding remote call at the point of lookup. All apps I have seen cache remote JNDI proxy in some way. So it is not really a factor.
Sergey Zhigunov wrote:
It's not only about performance. The "late" lookup optimization in EJB client API allows users to lookup the EJBs even when the server isn't up. This can't be done with remote-naming. So when using EJB client API, the lookups can be done before hand. Of course it depends on the applications on how good that feature is for them.
Sergey Zhigunov wrote: