Problems with Security Realm plugin
atulkc Apr 25, 2013 8:02 PM

Hi All,

We are migrating our application from JBoss AS 5.1 to JBoss 7.2.x (actually I am now using the latest nightly build from Jenkins, which says it is JBoss AS 8.0.0 Alpha1-SNAPSHOT). In our application we do not use JAAS for authentication but have our own custom authentication mechanism. So basically our EJB calls are unsecured and can be called without specifying any username/password. Once the authentication is done using our custom authentication mechanism (it could be DB based, LDAP, RADIUS, etc., based on configuration, and is done by making an EJB call), we get back a session ID. We then use this session ID as the userName in SecurityClient so that we can inject SessionContext in subsequent EJB calls and retrieve that sessionId using the SessionContext.getCallerPrincipal method. Here is the code snippet:
import org.jboss.security.client.SecurityClient;
import org.jboss.security.client.SecurityClientFactory;

SecurityClient client = SecurityClientFactory.getSecurityClient();
// Clear any stale security context association by doing a logout
client.logout();
// Perform a VM-wide association of security context
client.setVmwideAssociation(true);
// Use the session ID as the principal; no credential is set
client.setSimple(sessionId, null);
// Login to inject Session ID into the security context
client.login();

EJBs in turn use this session ID to look up the corresponding user data from one of the JBoss services (annotated with @Service) and use it appropriately.

We want to preserve this behavior when we migrate to JBoss 8.0 (the code base is too huge to change all the places to pass sessionId as an argument to all EJB calls). I removed the security-realm attribute in remoting-connector to allow unsecured access and tried to use the above snippet, expecting that the SessionContext that is injected would return sessionId as the caller principal. However, I always got 'Anonymous'. Based on https://docs.jboss.org/author/display/AS71/Security+Realms it looks like this is expected, as for a remoting connection the anonymous mechanism will be used if no security realm is defined. Further in this section there is a subsection on defining plugins for a security realm. Based on the description in this subsection I thought that if I define my custom security realm that just acts as a pass-through then I can achieve this behavior. The idea was that until the authentication EJB is called the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS would be empty or some hardcoded strings, and once we get the session ID we will set Context.SECURITY_PRINCIPAL to this sessionId. But after installing this new plugin and enabling remoting-connector to use this realm I started getting the following exception:
javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://10.24.49.148:4447]
    at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:213)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:144)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:125)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:241)
    at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)
    at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)
    at javax.naming.InitialContext.lookup(InitialContext.java:411)
    at com.brocade.dcm.util.inject.ServiceLocator.lookup(ServiceLocator.java:102)
    ... 25 more

There is no exception/error in the server-side log. Can anyone point out what I am doing wrong here?
standalone-full.xml:
<security-realm name="DCMRealm">
    <plug-ins>
        <plug-in module="com.appclient"/>
    </plug-ins>
    <authentication>
        <plug-in name="Anonymous"/>
    </authentication>
</security-realm>
...
...
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="DCMRealm"/>
</subsystem>
For the com.appclient module following is the module.xml:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.0" name="com.appclient">
    <resources>
        <resource-root path="bna-appclient-module.jar"/>
    </resources>
    <dependencies>
        <module name="org.jboss.as.domain-management"/>
    </dependencies>
</module>

As indicated in the documentation, I created the jar file with a PlugInProvider implementation as well as an AuthenticationPlugin implementation. I added a META-INF/services/org.jboss.as.domain.management.plugin.PlugInProvider file containing the fully qualified class name of the PlugInProvider implementation. Attached are the files used in this module.
Following is the client code that does the lookup:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

Hashtable<String, Object> jndiProperties = new Hashtable<>();
jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
jndiProperties.put("java.naming.factory.initial", "org.jboss.naming.remote.client.InitialContextFactory");
jndiProperties.put("java.naming.provider.url", "remote://10.24.49.148:4447");
jndiProperties.put("jboss.naming.client.ejb.context", true);
// Bootstrap principal/credentials used until the authentication EJB returns a session ID
jndiProperties.put(Context.SECURITY_PRINCIPAL, "abc");
jndiProperties.put(Context.SECURITY_CREDENTIALS, "123");
InitialContext context = new InitialContext(jndiProperties);
// 1) Using the context do the lookup of the Authentication bean
// 2) Call the authenticate user method, which returns sessionId if the authentication is successful
// 3) Now change the SECURITY_PRINCIPAL to sessionId

Note that I get that exception at #1 in the above code.

If I remove the security-realm from remoting-connector then I am able to look up EJBs and make EJB calls. Why am I getting an exception that it failed to connect to the server when I turn on security? My security realm plugin doesn't even get any callbacks.
Any help is highly appreciated.
Thanks,
Atul
- DcmAuthenticationPlugin.java.zip (571 bytes)
- DcmPluginProvider.java.zip (436 bytes)
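Added example, not the poster's attached code or anything from the JBoss project: a security-realm plug-in for the pattern the post describes (a fixed bootstrap principal for the first authenticate() call, then the application-issued session ID as the caller principal). The interface and method names (PlugInProvider, AuthenticationPlugIn, Identity, ValidatePasswordCredential) follow the AS 7.1 Security Realms page linked in the post and are assumptions to check against the org.jboss.as.domain-management jar you compile against; the package, class names, the "abc"/"123" bootstrap values and the SessionRegistry holder are invented for the example.

```java
package com.appclient; // assumed package; the post's module is named com.appclient

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import org.jboss.as.domain.management.plugin.AuthenticationPlugIn;
import org.jboss.as.domain.management.plugin.AuthorizationPlugIn;
import org.jboss.as.domain.management.plugin.Credential;
import org.jboss.as.domain.management.plugin.Identity;
import org.jboss.as.domain.management.plugin.PlugInProvider;
import org.jboss.as.domain.management.plugin.ValidatePasswordCredential;

/*
 * Added example, not the poster's attached code. Interface and method names follow the AS 7.1
 * "Security Realms" documentation and are assumptions to verify against the jar you build against.
 * Register this class in META-INF/services/org.jboss.as.domain.management.plugin.PlugInProvider.
 */
public class SessionIdPlugInProvider implements PlugInProvider {

    /** Name that <authentication><plug-in name="..."/> refers to; the post's realm uses "Anonymous". */
    public static final String PLUGIN_NAME = "Anonymous";

    @Override
    public AuthenticationPlugIn<Credential> loadAuthenticationPlugIn(String name) {
        // Assumption: null tells the realm this provider does not supply a plug-in of that name.
        return PLUGIN_NAME.equals(name) ? new SessionIdAuthenticationPlugIn() : null;
    }

    @Override
    public AuthorizationPlugIn loadAuthorizationPlugIn(String name) {
        return null; // no role mapping in this realm
    }

    /** Accepts the fixed bootstrap principal, then any session ID the application has registered. */
    static final class SessionIdAuthenticationPlugIn implements AuthenticationPlugIn<Credential> {

        // Bootstrap identity used before the client holds a session ID (assumed values matching the
        // post's client code). Take them from the <plug-in> <properties> in a real deployment.
        private static final String BOOTSTRAP_USER = "abc";
        private static final char[] BOOTSTRAP_PASSWORD = "123".toCharArray();

        @Override
        public Identity<Credential> loadIdentity(String userName, String realm) throws IOException {
            if (userName == null || userName.isEmpty()) {
                return null; // assumption: null means "no such identity", so the login fails
            }
            if (BOOTSTRAP_USER.equals(userName)) {
                return new SimpleIdentity(userName, new ValidatingCredential(BOOTSTRAP_PASSWORD));
            }
            // Every other user name is taken to be a session ID issued by the application's own
            // authentication EJB. Only registered IDs are accepted; a guessed or stale ID is
            // rejected instead of being passed through as a caller principal.
            if (SessionRegistry.isActive(userName)) {
                // SecurityClient.setSimple(sessionId, null) sends no password, so the session ID
                // itself is the bearer secret: it must be long, random and revocable.
                return new SimpleIdentity(userName, new ValidatingCredential(null));
            }
            return null;
        }
    }

    /** Checks a presented password itself; a null expected password means none is required. */
    static final class ValidatingCredential implements ValidatePasswordCredential {
        private final char[] expected;

        ValidatingCredential(char[] expected) { this.expected = expected; }

        @Override
        public boolean validatePassword(char[] password) {
            if (expected == null) return true;
            if (password == null) return false;
            byte[] a = new String(expected).getBytes(StandardCharsets.UTF_8);
            byte[] b = new String(password).getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(a, b); // constant-time comparison
        }
    }

    static final class SimpleIdentity implements Identity<Credential> {
        private final String userName;
        private final Credential credential;

        SimpleIdentity(String userName, Credential credential) {
            this.userName = userName;
            this.credential = credential;
        }

        @Override public String getUserName() { return userName; }
        @Override public Credential getCredential() { return credential; }
    }

    /** Constructed stand-in for the session store the authentication EJB would populate on login and
     *  clear on logout or expiry; static so the realm and the EJB share it within one server JVM. */
    public static final class SessionRegistry {
        private static final Map<String, String> ACTIVE = new ConcurrentHashMap<String, String>();

        public static void register(String sessionId, String user) { ACTIVE.put(sessionId, user); }
        public static void invalidate(String sessionId) { ACTIVE.remove(sessionId); }
        public static boolean isActive(String sessionId) { return ACTIVE.containsKey(sessionId); }
    }
}
```

Two points worth keeping in mind with this design. First, a realm that returns a valid Identity for whatever user name is presented is no stronger than the anonymous access the post removed: anyone who can reach port 4447 could name an arbitrary session ID and have it become the caller principal that the EJBs use for user lookup. That is why the example checks the ID against the registry and rejects unknown ones. Second, check against the linked documentation what a plug-in that only validates passwords (rather than returning them) means for the SASL mechanism the remoting connector offers: if it rules out DIGEST-MD5 and leaves PLAIN, the client-side remoting options (the xnio SASL policy settings for the naming and EJB client connections) need to allow PLAIN over the transport in use, or the connection attempt fails before the plug-in ever receives a callback.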