6 Replies Latest reply on Nov 22, 2017 6:23 AM by lakshmanan032

    Data source with security domain does not work in 7.1.1.Final

    atulkc

      I am trying to migrate our server from JBoss 5.1 GA to JBoss AS 7.1.1 Final. I have configured the data source to use a custom security domain as I need the password to be encrypted. However, whenever I specify that the data source should use the security domain I get the following exception:


      16:38:02,113 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-2) Exception during createSubject()PB00024: Access Denied:Unauthenticated caller:null: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
                at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1019) [ironjacamar-deployers-common-1.0.9.Final.jar:1.0.9.Final]
                at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1014) [ironjacamar-deployers-common-1.0.9.Final.jar:1.0.9.Final]
                at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_07]
                at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1013) [ironjacamar-deployers-common-1.0.9.Final.jar:1.0.9.Final]
                at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:562) [ironjacamar-deployers-common-1.0.9.Final.jar:1.0.9.Final]
                at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:282) [ironjacamar-deployers-common-1.0.9.Final.jar:1.0.9.Final]
                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:271) [jboss-as-connector-7.1.1.Final.jar:7.1.1.Final]
                at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:111) [jboss-as-connector-7.1.1.Final.jar:7.1.1.Final]
                at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1811) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
                at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1746) [jboss-msc-1.0.2.GA.jar:1.0.2.GA]
                at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110) [rt.jar:1.7.0_07]
                at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603) [rt.jar:1.7.0_07]
                at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_07]

      After googling for the issue I saw that there is already an issue filed (https://issues.jboss.org/browse/AS7-3923) and resolved in 7.1.1 Final. I am using 7.1.1 Final but still seeing this issue.

      (Also, looking at the comments on JIRA it appeared to me that the issue was in test code and the only changes that were done were to SecurityTest.java and DsWithSecurityDomainTestCase.java.)


      In spite of the above exception I see the following entry in server.log indicating that the data source is actually bound:


      16:38:02,144 INFO  [org.jboss.as.connector.subsystems.datasources] (MSC service thread 1-2) JBAS010400: Bound data source [java:jboss/datasources/MyNoTxDS]

      But when I try to use this data source I get the following exception:


      Error while parsing config file, cannot read configuration!: java.lang.SecurityException: PB00024: Access Denied:Unauthenticated caller:null
                at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:89) [picketbox-4.0.7.Final.jar:4.0.7.Final]
                at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.getSubject(AbstractConnectionManager.java:689)
                at org.jboss.jca.core.connectionmanager.AbstractConnectionManager.allocateConnection(AbstractConnectionManager.java:463)
                at org.jboss.jca.adapters.jdbc.WrapperDataSource.getConnection(WrapperDataSource.java:129)
                at com.ibatis.sqlmap.engine.transaction.jdbc.JdbcTransaction.init(Unknown Source) [ibatis-2.jar:]
                at com.ibatis.sqlmap.engine.transaction.jdbc.JdbcTransaction.getConnection(Unknown Source) [ibatis-2.jar:]
                at com.ibatis.sqlmap.engine.mapping.statement.MappedStatement.executeQueryForList(Unknown Source) [ibatis-2.jar:]
                at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(Unknown Source) [ibatis-2.jar:]
                at com.ibatis.sqlmap.engine.impl.SqlMapExecutorDelegate.queryForList(Unknown Source) [ibatis-2.jar:]
                at com.ibatis.sqlmap.engine.impl.SqlMapSessionImpl.queryForList(Unknown Source) [ibatis-2.jar:]
                at com.ibatis.sqlmap.engine.impl.SqlMapClientImpl.queryForList(Unknown Source) [ibatis-2.jar:]
                at com.ibatis.dao.client.template.SqlMapDaoTemplate.queryForList(SqlMapDaoTemplate.java:282) [ibatis-dao-2.jar:]
                at com.brocade.efcm.domain.dao.others.SystemPropertyDAOImpl.selectByExample(SystemPropertyDAOImpl.java:61) [domain.jar:]
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_07]
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_07]
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_07]
                at java.lang.reflect.Method.invoke(Method.java:601) [rt.jar:1.7.0_07]

      Below is my data source configuration:

      <datasources>
          <datasource jta="false" jndi-name="java:jboss/datasources/MyNoTxDS" pool-name="MyNoTxDS" enabled="true" use-java-context="true">
              <connection-url>jdbc:postgresql://localhost:5432/dcmdb</connection-url>
              <driver-class>org.postgresql.Driver</driver-class>
              <connection-property name="char.encoding">
                  UTF-8
              </connection-property>
              <connection-property name="loglevel">
                  0
              </connection-property>
              <connection-property name="logUnclosedConnections">
                  false
              </connection-property>
              <connection-property name="loginTimeout">
                  30
              </connection-property>
              <connection-property name="socketTimeout">
                  0
              </connection-property>
              <driver>postgresql</driver>
              <new-connection-sql>select 1</new-connection-sql>
              <transaction-isolation>TRANSACTION_READ_COMMITTED</transaction-isolation>
              <pool>
                  <min-pool-size>5</min-pool-size>
                  <max-pool-size>30</max-pool-size>
                  <use-strict-min>true</use-strict-min>
              </pool>
              <security>
                  <security-domain>MyDbRealm</security-domain>
              </security>
              <validation>
                  <check-valid-connection-sql>select 1</check-valid-connection-sql>
              </validation>
              <timeout>
                  <blocking-timeout-millis>90000</blocking-timeout-millis>
                  <idle-timeout-minutes>15</idle-timeout-minutes>
              </timeout>
              <statement>
                  <track-statements>false</track-statements>
              </statement>
          </datasource>
          <drivers>
              <driver name="postgresql" module="org.postgresql"/>
          </drivers>
      </datasources>

      Here's my security domain configuration:


      <security-domain name="MyDbRealm">
          <authentication>
              <login-module code="SecureIdentity" flag="required">
                  <module-option name="username" value="dcmadmin"/>
                  <module-option name="password" value="4BzGG0V+s3IAAAN/Jdvwi116NROzqnT/frxR4g=="/>
                  <module-option name="managedConnectionFactoryName" value="jboss.jca:name=MyNoTxDS,service=NoTxCM"/>
              </login-module>
          </authentication>
      </security-domain>

      Can someone point me to what I am doing wrong? Or is the fix for this not yet available?

        • 1. Re: Data source with security domain does not work in 7.1.1.Final
          atulkc

          I debugged this issue further and found that I had two issues:

          1) I was passing the password encrypted using PBE when SecureIdentity was expecting it to be encrypted using blowfish. This was because my eventual goal was to use my own custom login module extending from SecureIdentityLoginModule which was supposed to use PBE encryption. I got carried away and forgot to change the encrypted password. With blowfish encrypted password the login module using "SecureIdentity" works fine.

          2) I then changed it to use my custom login module class that extends SecureIdentityLoginModule to use PBE encryption. The class com.mymodule.MyLoginModule was packaged in the ejb jar within my ear. It continued to fail with the same error as I reported in my original post.

          <security-domain name="MyDbRealm">
              <authentication>
                  <login-module code="com.mymodule.MyLoginModule" flag="required">
                      <module-option name="username" value="dcmadmin"/>
                      <module-option name="password" value="4BzGG0V+s3IAAAN/Jdvwi116NROzqnT/frxR4g=="/>
                      <module-option name="managedConnectionFactoryName" value="jboss.jca:name=MyNoTxDS,service=NoTxCM"/>
                  </login-module>
              </authentication>
          </security-domain>


          Turning on trace-level logs for org.jboss showed me that JBoss was not able to find the class.

          I searched around but didn't see any documentation/posting on what should be done to fix this issue. So finally, I packaged this class in a jar and deployed it as a module and changed the login module as follows:

          <security-domain name="MyDbRealm">
              <authentication>
                  <login-module code="com.mymodule.MyLoginModule" flag="required" module="myModule">
                      <module-option name="username" value="dcmadmin"/>
                      <module-option name="password" value="4BzGG0V+s3IAAAN/Jdvwi116NROzqnT/frxR4g=="/>
                      <module-option name="managedConnectionFactoryName" value="jboss.jca:name=MyNoTxDS,service=NoTxCM"/>
                  </login-module>
              </authentication>
          </security-domain>

          This worked and I was able to use PBE-encrypted passwords for the data source.

          Any idea on what needs to be done to let JBoss pick up the custom login module from the ear?

          1 of 1 people found this helpful
          • 2. Re: Data source with security domain does not work in 7.1.1.Final
            sfcoy

            The security subsystem cannot see the classes in your application.


            You could try implementing a security plugin as described in AS71 Security Plug+Ins.

            • 3. Re: Data source with security domain does not work in 7.1.1.Final
              atulkc

              I will give it a try and see how I can use an authentication plugin to provide the username/password for my datasource. However, even this approach will require me to deploy it as a module. Since the username/password for the datasource will always be constant I am thinking a security-domain will suffice for my needs. Any comments on which approach (security-domain vs security-realm) is better when there will be only one username/password? Basically it will be the db username/password that is used by the JDBC connection.

              • 4. Re: Data source with security domain does not work in 7.1.1.Final
                sfcoy

                For your purpose you may also want to have a look at JBoss AS7 Securing Passwords.

                1 of 1 people found this helpful
                • 5. Re: Data source with security domain does not work in 7.1.1.Final
                  atulkc

                  This looks very interesting and might address our use case of securing the password. Thanks.

                  • 6. Re: Data source with security domain does not work in 7.1.1.Final
                    lakshmanan032

                    Could you share your MyLoginModule.java file? I get the below error while trying to use custom password encryption:

                    2017-11-22 15:17:44,680 ERROR [org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer] (MSC service thread 1-8) Exception during createSubject() for java:/StorageDS_1: PBOX00016: Access denied: authentication failed: java.lang.SecurityException: PBOX00016: Access denied: authentication failed
                              at org.jboss.security.plugins.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:84) [picketbox-4.9.6.Final.jar:4.9.6.Final]
                              at org.jboss.jca.core.security.picketbox.PicketBoxSubjectFactory.createSubject(PicketBoxSubjectFactory.java:66) [ironjacamar-core-impl-1.3.4.Final.jar:1.3.4.Final]
                              at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer$1.createSubject(AbstractDataSourceService.java:444) [wildfly-connector-10.1.0.Final.jar:10.1.0.Final]
                              at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1453) [ironjacamar-deployers-common-1.3.4.Final.jar:1.3.4.Final]
                              at org.jboss.jca.deployers.common.AbstractDsDeployer$1.run(AbstractDsDeployer.java:1448) [ironjacamar-deployers-common-1.3.4.Final.jar:1.3.4.Final]
                              at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.8.0_25]
                              at org.jboss.jca.deployers.common.AbstractDsDeployer.createSubject(AbstractDsDeployer.java:1447) [ironjacamar-deployers-common-1.3.4.Final.jar:1.3.4.Final]
                              at org.jboss.jca.deployers.common.AbstractDsDeployer.deployDataSource(AbstractDsDeployer.java:766) [ironjacamar-deployers-common-1.3.4.Final.jar:1.3.4.Final]
                              at org.jboss.jca.deployers.common.AbstractDsDeployer.createObjectsAndInjectValue(AbstractDsDeployer.java:312) [ironjacamar-deployers-common-1.3.4.Final.jar:1.3.4.Final]
                              at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService$AS7DataSourceDeployer.deploy(AbstractDataSourceService.java:371) [wildfly-connector-10.1.0.Final.jar:10.1.0.Final]
                              at org.jboss.as.connector.subsystems.datasources.AbstractDataSourceService.start(AbstractDataSourceService.java:149) [wildfly-connector-10.1.0.Final.jar:10.1.0.Final]
                              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1948) [jboss-msc-1.2.6.Final.jar:1.2.6.Final]
                              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1881) [jboss-msc-1.2.6.Final.jar:1.2.6.Final]
                              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [rt.jar:1.8.0_25]
                              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [rt.jar:1.8.0_25]
                              at java.lang.Thread.run(Thread.java:745) [rt.jar:1.8.0_25]

                    Below is my security-domain in standalone.xml:

                    <security-domain name="encrypted-ds" cache-type="default">
                        <authentication>
                            <login-module code="com.durr.ecoemos.security.base64encrypt.PrmCryptoSimple" flag="required" module="base64encrypt-common">
                                <module-option name="username" value="user"/>
                                <module-option name="password" value="4D4556424D4555324D454E424D455530"/>
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=ResourcesDS" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=RptngAutmDS" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=ClassicDS" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=AlarmDS" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=StorageDS_1" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=StorageDS_2" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=StorageDS_3" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=StorageDS_4" />
                                <module-option name="managedConnectionFactoryName" value="jboss.jca:service=NoTxCM,name=StorageDS_5" />
                            </login-module>
                        </authentication>
                    </security-domain>