26 Replies. Latest reply on Aug 7, 2013 11:05 AM by massassa

    Custom login module is never called

    massassa

      Hi,

       

      I'm trying to migrate an application from JBoss 6.0.0 to JBoss 7.1.0. Unfortunately I'm encountering one problem after the other. The latest is that my custom login module is never called.

      It's a 3-tier application with an RCP client that uses EJB remote procedure calls. I did all the configuration of the security domain and added my custom login module as described in the documentation. But I don't see that it is called, nor can I see an error message indicating that there's something wrong with my login module. I stripped down this problem to a very simple example which uses a login module that extends UsersRolesLoginModule and just adds some logging to it. The login module is inside my application's EAR file.

       

      Here's my security configuration in the standalone.xml

       

      <security-realm name="MyRealm">
        <authentication>
            <jaas name="MySecurityDomain"/>
        </authentication>
      </security-realm>

      ...

      <security-realm name="MyRealm">
        <authentication>
           <jaas name="MySecurityDomain"/>
        </authentication>
      </security-realm>

      ...

      <security-domain name="MySecurityDomain" cache-type="default">
        <authentication>
          <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
          <login-module code="org.jboss7app.ejb.MyLoginModule" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/my-users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/my-roles.properties"/>
            <module-option name="password-stacking" value="useFirstPass"/>
          </login-module>
        </authentication>
      </security-domain>

       

       

      Login module looks like this:

       

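      import java.util.Map;
      import javax.security.auth.Subject;
      import javax.security.auth.callback.CallbackHandler;
      import javax.security.auth.login.LoginException;
      // Assumption: Log/LogFactory are the commons-logging classes.
      import org.apache.commons.logging.Log;
      import org.apache.commons.logging.LogFactory;
      import org.jboss.security.auth.spi.UsersRolesLoginModule;

      // Thin wrapper around UsersRolesLoginModule that only logs when it is invoked.
      public class MyLoginModule extends UsersRolesLoginModule
      {
          private static final Log LOG = LogFactory.getLog(MyLoginModule.class);

          @Override
          public void initialize(Subject arg0, CallbackHandler arg1, Map<String, ?> arg2, Map<String, ?> arg3)
          {
              // Logged once per authentication attempt, before the parent reads the module options.
              LOG.info("Initializing");
              super.initialize(arg0, arg1, arg2, arg3);
          }

          @Override
          public boolean login() throws LoginException
          {
              // If this line never appears in the server log, the container is not invoking this module.
              LOG.info("Calling Login");
              return super.login();
          }
      }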

       

      Your help is highly appreciated.

        • 1. Re: Custom login module is never called
          jim_b_o

          Did you change the default security domain and/or ensure that you have the correct annotations or config to require your EJBs to use your Realm?

           

          <subsystem xmlns="urn:jboss:domain:ejb3:1.4">
               ...
               <default-security-domain value="other"/>
               <default-missing-method-permissions-deny-access value="true"/>
          </subsystem>

          • 2. Re: Custom login module is never called
            massassa

            I use the @SecurityDomain annotation on my stateless session bean to ensure that communication is secured. I also set the remoting subsystem to be in my realm in general so that each and every remote bean call is authenticated.

             

            <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
            </subsystem>

            • 3. Re: Custom login module is never called
              massassa

              It's weird. I thought this was a common use case. Is nobody using a custom login module for EJB security?

              • 4. Re: Custom login module is never called
                sfcoy

                The package name of the @SecurityDomain annotation changed in AS7. Did you catch this?

                • 5. Re: Custom login module is never called
                  massassa

                  I'm using this annotation: org.jboss.ejb3.annotation.SecurityDomain

                  It doesn't seem to be an issue because it doesn't cause any trouble when I'm using the standard login modules that are shipped with JBoss 7.

                  • 6. Re: Custom login module is never called
                    sfcoy

                    I think that annotation class is OK. There were some other JBoss annotations that had package name changes in AS7, but I don't think this was one of them.

                     

                    How have you indicated to the container that your EJB method calls should be protected?

                     

                    Have you read https://docs.jboss.org/author/display/AS72/Securing+EJBs?

                    • 7. Re: Custom login module is never called
                      massassa

                      Yes. I explicitly annotated my bean with my security domain. Also the EJB-Transport is already secured by my security domain.

                       

                      As I mentioned before, all security mechanisms work exactly as described in the docu iff I use one of the bundled login modules. It all starts to go terribly wrong when I want to use my own login module which is in my application's EAR file.

                      • 8. Re: Custom login module is never called
                        sfcoy

                        The JBoss security system cannot see classes that are deployed with your application.

                         

                        You will need to create a JBoss module containing your login module code and add a "module" attribute to your login-module element with the name of the JBoss module that you added.

                        • 9. Re: Custom login module is never called
                          massassa

                          Yes you're right. This used to work in JBoss 6 but obviously the behaviour was changed. I'm not sure if I'm liking this new behaviour.

                           

                          The problem is that it doesn't even work if I put my login module in its own module. The only way I got my login module to function was by adding it to jboss' EJB module.

                          • 10. Re: Custom login module is never called
                            sfcoy

                            If you're using JBossAS 7.1.1 or newer I believe that using your own module should work.

                             

                            Did you set the "module" attribute to the name of your module?

                             

                            Is the security subsystem configured as version 1.1:

                            <subsystem xmlns="urn:jboss:domain:security:1.1">

                            ?

                            • 11. Re: Custom login module is never called
                              massassa

                              I'm using JBoss AS 7.1.1 and I also used the module attribute... But it didn't work... But I shall try again.

                               

                              I'm having trouble understanding why it's not possible to include the login module in your application. Is it uncommon to use the user object from the application module within the login module? Is that bad design?

                               

                              I understand that the EJB-transport itself is protected by a security domain. So is there a security layer that is more application specific?

                              • 12. Re: Custom login module is never called
                                sfcoy

                                massassa wrote:

                                 

                                ...

                                Is it uncommon to use the user object from the application module within the login module? Is that bad design?

                                ...

                                 

                                Sometimes I think it's a Java EE rite of passage to try and do this (yes - I tried to do it once many years ago too).

                                 

                                The problem is that the code that is supposed to be securing your application can wind up trying to secure itself. Can you say "recursion"?

                                 

                                You would have trouble getting this to work with other vendors' platforms as well.

                                1 of 1 people found this helpful
                                • 13. Re: Custom login module is never called
                                  sfcoy

                                  massassa wrote:

                                   

                                  ...

                                  The problem is that it doesn't even work if I put my login module in its own module. The only way I got my login module to function was by adding it to jboss' EJB module.

                                  ...

                                   

                                  Chances are you need to specify the correct dependencies in your module.xml.
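
The setup suggested in replies 8, 10 and 13, written out as an added example (not posted by anyone in this thread): a JBoss module holding the login module class, with its dependencies declared, and the `module` attribute on the login-module element. The module name `org.jboss7app.loginmodule`, the JAR name `my-login-module.jar` and the directory path are hypothetical; the commons-logging dependency assumes that is the logging API the class uses.

```xml
<!-- File 1 (assumed path):
     $JBOSS_HOME/modules/org/jboss7app/loginmodule/main/module.xml
     Module name and JAR name are hypothetical. -->
<module xmlns="urn:jboss:module:1.1" name="org.jboss7app.loginmodule">
  <resources>
    <!-- JAR that contains org.jboss7app.ejb.MyLoginModule -->
    <resource-root path="my-login-module.jar"/>
  </resources>
  <dependencies>
    <!-- javax.security.auth.* (Subject, CallbackHandler, LoginException) -->
    <module name="javax.api"/>
    <!-- org.jboss.security.auth.spi.UsersRolesLoginModule -->
    <module name="org.picketbox"/>
    <!-- Log / LogFactory, assuming commons-logging -->
    <module name="org.apache.commons.logging"/>
  </dependencies>
</module>

<!-- File 2: standalone.xml, security subsystem (schema version 1.1) -->
<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <security-domain name="MySecurityDomain" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <!-- module="..." tells the security subsystem which JBoss module
             to load the class from, instead of the deployment -->
        <login-module code="org.jboss7app.ejb.MyLoginModule" flag="required"
                      module="org.jboss7app.loginmodule">
          <module-option name="usersProperties"
                         value="${jboss.server.config.dir}/my-users.properties"/>
          <module-option name="rolesProperties"
                         value="${jboss.server.config.dir}/my-roles.properties"/>
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
      </authentication>
    </security-domain>
  </security-domains>
</subsystem>
```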

                                  • 14. Re: Custom login module is never called
                                    jaikiran

                                    Moaffak Assassa wrote:

                                     

                                    I'm using JBoss AS 7.1.1 and I also used the module attribute... But it didn't work... But I shall try again.

                                     

                                    I'm having trouble understanding why it's not possible to include the login module in your application. Is it uncommon to use the user object from the application module within the login module? Is that bad design?

                                    You can package them in the application. The module attribute should be specified something like this https://community.jboss.org/message/739247#739247 (you might want to read some of the posts in that thread).
