13 Replies Latest reply on May 13, 2013 3:18 AM by sketcha

Jboss 7.2 Custom login module Ejb invocation error

sketcha May 7, 2013 6:36 AM

Hi we are using the Jboss 7.2. when i use prediefined configuration with ApplicationRelm, the ejb invocation goes through without any error.

How ever if i make use of my own custom login module, I get below exception

15:52:37,724 ERROR connection:105 - JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://127.0.0.1:4447]

at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:200)

at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:131)

at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:112)

at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:223)

at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)

at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)

at javax.naming.InitialContext.lookup(Unknown Source)

at Client.main(Client.java:37)

here is my security domain configuration

<security-domain name="ejb-security-domain" cache-type="default">

<login-module code="test.security.auth.spi.ServerLoginModule" flag="required" module="mymodule"/>

</authentication>

</security-domain>

<security-realm name="ApplicationRealm">

<!--local default-user="$local" allowed-users="*"/>

</authentication>

</authorization-->

</authentication>

</security-realm>

if i remove the jaas from ApplicationRealm and retain the commented out part above everything goes fine

Can anybody guide me if i am missing some thing over here

Thanks in advance

1. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 7, 2013 9:08 AM (in response to sketcha)

Can any one please help me over here
Actions
2. Re: Jboss 7.2 Custom login module Ejb invocation error

ctomc May 7, 2013 9:26 AM (in response to sketcha)

enable trace logging for org.jboss.as.security and org.jboss.securtiy

that will show you what is going on.
Actions
3. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 7, 2013 9:37 AM (in response to sketcha)

After i enabled to client side log i see the following exception trace
.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
    at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:180)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:131)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:112)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:223)
    at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)
    at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)
    at javax.naming.InitialContext.lookup(InitialContext.java:411)
    at ClassA.main(ClassA.java:42)
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:382)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:225)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
    at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
    at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
    at org.xnio.nio.NioHandle.run(NioHandle.java:90)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
    at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:105)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:179)
    ... 7 more

javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://10.64.66.191:4447]
    at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:200)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:131)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:112)
    at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:223)
    at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)
    at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://10.64.66.191:4447]

    at javax.naming.InitialContext.lookup(InitialContext.java:411)
    at ClassA.main(ClassA.java:42)
Actions
4. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 7, 2013 11:54 AM (in response to ctomc)

Added the trace level logs for org.jboss.security and org.jboss.as.security but it did not showed any error
further i added trace level for org.jboss.remoting and the following message were displayed. anything wrong going on here?

21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capabilities request
21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capability: version 1
21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"
21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capability: message close protocol supported
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) No EXTERNAL mechanism due to explicit exclusion
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@4edb89c2
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism JBOSS-LOCAL-USER because it is not in the allowed list
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@b1ae4cc
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@11bd1bf7
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Added mechanism PLAIN
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@30c01f1c
21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@7d4e3c21
21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@1fca022
21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list
21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@2488e6c7
21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism GSSAPI because it is not in the allowed list
Actions
5. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 8, 2013 2:02 AM (in response to sketcha)

Hi,
Can anyone help me here. i tried the same in Jboss 7.1.1 aswell and same issue appears there also.
i am stuck in this.
Actions
6. Re: Jboss 7.2 Custom login module Ejb invocation error

jaikiran May 8, 2013 2:07 AM (in response to sketcha)

1) Please be patient
2) When you say you are using 7.2, which exact version is that? Where did you build/download it from? Have you tried the latest available release from the downloads page?
3) When you enable TRACE level logs for org.jboss.security and org.jboss.as.security, please attach those logs to this thread.
Actions
7. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 8, 2013 2:26 AM (in response to jaikiran)
the version i am using is jboss 7.2.0 Final
I tried the same in Jboss 7.1.1 Final aswell and observed the same issue.
i have attached the server log after enabling the TRACE level for org.jboss.security and org.jboss.as.security

server.log.zip 4.6 KB
Actions
8. Re: Jboss 7.2 Custom login module Ejb invocation error

jaikiran May 8, 2013 3:40 AM (in response to sketcha)

k koushik wrote:

.
i have attached the server log after enabling the TRACE level for org.jboss.security and org.jboss.as.security
I see no TRACE logging of those packages, in those logs. How did you enable it?
Actions

9. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 8, 2013 3:47 AM (in response to jaikiran)

this is the log configuration i used.

	<logger category="org.jboss.remoting">
	<level name="TRACE"/>
	</logger>
	<logger category="org.jboss.as.remoting" >
	<level name="TRACE"/>
	</logger>

earlier there was an attribute use-parent-handlers="true" set. i removed it and executed the test again

logs are attached again. But what i observed is while the client tries to obtain the connection there is no security related logs printed.

server.log.zip 4.8 KB

10. Re: Jboss 7.2 Custom login module Ejb invocation error

jaikiran May 8, 2013 4:07 AM (in response to sketcha)

k koushik wrote:

this is the log configuration i used.
<logger category="org.jboss.remoting">
            <level name="TRACE"/>
        </logger>
<logger category="org.jboss.as.remoting" >
            <level name="TRACE"/>
        </logger>

Please read our responses again. That's not the package we are interested in (for now).

11. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 8, 2013 4:16 AM (in response to jaikiran)

Hi,I am very sorry i mentioned wrong packages in my earlier reply.i am already using the Trace level for org.jboss.security and org.jboss.as.security.here is my complete log configuration which i had used in my application

	<logger category="com.arjuna">
	<level name="WARN"/>
	</logger>
	<logger category="org.apache.tomcat.util.modeler">
	<level name="WARN"/>
	</logger>
	<logger category="org.jboss.as.config">
	<level name="DEBUG"/>
	</logger>
	<logger category="sun.rmi">
	<level name="WARN"/>
	</logger>
	<logger category="jacorb">
	<level name="WARN"/>
	</logger>
	<logger category="jacorb.config">
	<level name="ERROR"/>
	</logger>
	<logger category="org.jboss.as.security">
	<level name="TRACE"/>
	</logger>
	<logger category="org.jboss.securtiy">
	<level name="TRACE"/>
	</logger>
	<logger category="org.jboss.remoting">
	<level name="TRACE"/>
	</logger>
			<logger category="org.jboss.as.remoting" >
	<level name="TRACE"/>
	</logger>
	<!--logger category="org.xnio.nio" use-parent-handlers="true">
	<level name="TRACE"/>
	</logger-->
	<logger category="org.jboss.msc.service" use-parent-handlers="true">
	<level name="TRACE"/>
	</logger>
	<logger category="org.jboss.as.domain.management.security">
	<level name="TRACE"/>
	</logger>
	<root-logger>
	<level name="INFO"/>
	<handlers>
	<handler name="CONSOLE"/>
	<handler name="FILE"/>
	</handlers>
	</root-logger>

12. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 9, 2013 8:20 AM (in response to sketcha)

Hi,
I did Further experiments with this issue by introducing different combinations of realms and security domain.
I observed that the above mentioned exceptions (SaslException) doesn't occur if i configure my Realm like
            <security-realm name="MyRealm">
                <authentication>
                <jaas name="mydomain"/>
                    <local default-user="$local" allowed-users="*"/>
                </authentication>
            </security-realm>
can any one please let me know the implication of including <local default-user="$local" allowed-users="*"/> ?

But now i am facing different issue. The custom login module extend the UserNamePasswordLoginModule. while validating the password i observed that the comes in an encoded format something like "db034ebe-8d93-4f4c-8cb4-fbeec9566ecd" and the expected password is in clear text which is returned from getUserPassword method. what is the encoding format we have to use? or is there any way to decrypt the input password which i could use in the validate method.

Thanks in advance.
Actions
13. Re: Jboss 7.2 Custom login module Ejb invocation error

sketcha May 13, 2013 3:18 AM (in response to sketcha)

Hi,
Can anyone provide me hint over here. I am totally clueless.
All i want to achieve is to authenticate remote ejb invocation with a custome relam with my own implementation of loginmodule extending usernamepasswordLoginmodule
Actions

Go to original post