AS 7.1.1 remote ejb call with JAAS
bomc Nov 9, 2012 3:48 PM
Hello all,
I'm trying to invoke an ejb from a remote client using JAAS.
I've read the article here https://community.jboss.org/wiki/JBoss7AndEjbRemoteCallWithSecurity and followed the steps, but after invoking the EJB I get the following exception:
javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String RemoteSecure.getSecurityInfo() of bean: SecureEJB is not allowed
For my test I have a .ear with the following structure:
MyEar.ear
+---META-INF
|   +---application.xml
|   +---jboss-app.xml
+---MyEjb.jar
    +---META-INF
    |   +---jboss-ejb3.xml
    +---RemoteSecure.class
    +---SecureEJB
I add a security realm to the standard-full.xml
<security-realm name="BomcRealm">
    <authentication>
        <jaas name="BomcDomain"/>
    </authentication>
</security-realm>
my security domain with a DatabaseServerLoginModule
<security-domain name="BomcDomain" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:jboss/datasources/Bomc-ServerDS"/>
            <module-option name="principalsQuery" value="SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?"/>
            <module-option name="rolesQuery" value="SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
I change the security-realm of the remoting-connector to:
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="BomcRealm"/>
</subsystem>
my EJB:
@Stateless
@Remote(RemoteSecure.class)
public class SecureEJB implements RemoteSecure {

    @Resource
    private SessionContext ctx;

    @RolesAllowed("write")
    public String getSecurityInfo() {
        Principal principal = ctx.getCallerPrincipal();
        return principal.toString();
    }
}
the jboss-ejb3.xml:
<?xml version="1.0" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee"
               xmlns:s="urn:security"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd
                                   http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
               version="3.1"
               impl-version="2.0">
    <assembly-descriptor xmlns="http://java.sun.com/xml/ns/javaee">
        <security:security xmlns:security="urn:security">
            <ejb-name>*</ejb-name>
            <security:security-domain>BomcDomain</security:security-domain>
        </security:security>
    </assembly-descriptor>
</jboss:ejb-jar>
the jboss-app.xml
<jboss-app xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="7.0" >
    <security-domain>BomcDomain</security-domain>
</jboss-app>
my client:
public static void main(String... args) throws Exception {
    final String appName = "Bomc-Server";
    final String moduleName = "Bomc-Server-ejb-1.0.0-SNAPSHOT";
    final String distinctName = "";
    final String beanName = SecureEJB.class.getSimpleName();
    final String viewClassName = RemoteSecure.class.getName();
    String jndiHomeName = "ejb:" + appName + "/" + moduleName + "/" + distinctName + "/" + beanName + "!" + viewClassName;

    Properties p = new Properties();
    p.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
    p.put("remote.connections", "default");
    p.put("remote.connection.default.host", "127.0.0.1");
    p.put("remote.connection.default.port", "4447");
    p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
    p.put("remote.connection.default.username", "bomc_admin");
    p.put("remote.connection.default.password", "bomc");
    p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
    p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

    EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(p);
    ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
    EJBClientContext.setSelector(selector);

    Properties props = new Properties();
    props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
    InitialContext context = new InitialContext(props);
    RemoteSecure r = (RemoteSecure) context.lookup(jndiHomeName);
    System.out.println(r.getSecurityInfo());
}
The logs show the user is authenticated and the roles will be assigned.
21:17:22,500 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "chabomc0-pc" task-4) Begin getAppConfigurationEntry(BomcDomain), size=4
21:17:22,501 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "chabomc0-pc" task-4) End getAppConfigurationEntry(BomcDomain), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
ControlFlag: Anmeldemodul-Steuerflag: optional
Options:
name=password-stacking, value=useFirstPass
[1]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: Anmeldemodul-Steuerflag: required
Options:
name=principalsQuery, value=SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?
name=dsJndiName, value=java:jboss/datasources/Bomc-ServerDS
name=password-stacking, value=useFirstPass
name=rolesQuery, value=SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?
21:17:22,505 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) initialize
21:17:22,506 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) Security domain: BomcDomain
21:17:22,506 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) login
21:17:22,507 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) initialize
21:17:22,507 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Security domain: BomcDomain
21:17:22,508 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) DatabaseServerLoginModule, dsJndiName=java:jboss/datasources/Bomc-ServerDS
21:17:22,509 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) principalsQuery=SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?
21:17:22,510 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) rolesQuery=SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?
21:17:22,511 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) suspendResume=true
21:17:22,513 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) login
21:17:22,514 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) suspendAnyTransaction
21:17:22,515 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Excuting query: SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?, with username: bomc_admin
21:17:22,517 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Obtained user password
21:17:22,518 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) resumeAnyTransaction
21:17:22,518 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) User 'bomc_admin' authenticated, loginOk=true
21:17:22,519 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) commit, loginOk=false
21:17:22,520 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) commit, loginOk=true
21:17:22,520 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) getRoleSets using rolesQuery: SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?, username: bomc_admin
21:17:22,522 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) suspendAnyTransaction
21:17:22,523 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Excuting query: SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?, with username: bomc_admin
21:17:22,526 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role read
21:17:22,526 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role write
21:17:22,527 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role delete
21:17:22,528 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) resumeAnyTransaction
21:17:22,674 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) Begin isValid, principal:bomc_admin, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@2253d4bf
21:17:22,676 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) Begin validateCache, info=org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@2253d4bf;credential.class=java.lang.String@745957924
21:17:22,677 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) End validateCache, isValid=true
21:17:22,678 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) End isValid, true
21:17:22,679 ERROR [org.jboss.ejb3.invocation] (EJB default - 3) JBAS014134: EJB Invocation failed on component SecureEJB for method public abstract java.lang.String de.bomc.server.core.service.security.RemoteSecure.getSecurityInfo(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String de.bomc.server.core.service.security.RemoteSecure.getSecurityInfo() of bean: SecureEJB is not allowed
At the end I get a javax.ejb.EJBAccessException. What is missing or wrong?
Many thanks in advance for any help in this regard.
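
Added example, not part of the original post: a Python triage of TRACE output like the log above. It correlates the login-module lines on the Remoting thread with the JBAS014502 denial on the EJB thread. The sample lines are constructed (shortened) from the post, and the function names and the required-role map (taken from `@RolesAllowed("write")`) are assumptions of this example.

```python
import re

# Constructed sample: shortened copies of the TRACE/ERROR lines quoted in the post.
SAMPLE_LOG = '''\
21:17:22,518 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) User 'bomc_admin' authenticated, loginOk=true
21:17:22,526 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role read
21:17:22,526 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role write
21:17:22,678 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) End isValid, true
21:17:22,679 ERROR [org.jboss.ejb3.invocation] (EJB default - 3) JBAS014134: EJB Invocation failed on component SecureEJB for method public abstract java.lang.String RemoteSecure.getSecurityInfo(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String RemoteSecure.getSecurityInfo() of bean: SecureEJB is not allowed
'''

LINE = re.compile(r'^(?P<ts>\d\d:\d\d:\d\d,\d{3}) (?P<level>\w+)\s+\[(?P<cat>[^\]]+)\] \((?P<thread>[^)]*)\) (?P<msg>.*)$')
AUTH = re.compile(r"User '([^']+)' authenticated, loginOk=true")
ROLE = re.compile(r"Assign user to role (\S+)")
DENY = re.compile(r"JBAS014502: Invocation on method: .*?(\w+)\([^)]*\) of bean: (\w+) is not allowed")

def summarize(log_text):
    """Return {'authenticated': {user: roles}, 'denied': [(bean, method, thread)]}."""
    authenticated, denied, current = {}, [], {}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # continuation lines, e.g. the AppConfigurationEntry dump
        thread, msg = m['thread'], m['msg']
        if (a := AUTH.search(msg)):
            current[thread] = a[1]          # role lines do not repeat the user name
            authenticated.setdefault(a[1], set())
        elif (r := ROLE.search(msg)) and thread in current:
            authenticated[current[thread]].add(r[1])
        elif (d := DENY.search(msg)):
            denied.append((d[2], d[1], thread))
    return {'authenticated': authenticated, 'denied': denied}

def triage(log_text, required_roles):
    """required_roles maps (bean, method) -> role name from @RolesAllowed in the source."""
    s = summarize(log_text)
    findings = []
    for bean, method, thread in s['denied']:
        need = required_roles.get((bean, method))
        holders = sorted(u for u, roles in s['authenticated'].items() if need in roles)
        if holders:
            findings.append(f"{bean}.{method} denied on '{thread}' although login assigned "
                            f"role '{need}' to {holders}: check authorization, not credentials")
        else:
            findings.append(f"{bean}.{method} denied: no login in this log was assigned role '{need}'")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {("SecureEJB", "getSecurityInfo"): "write"}):
        print(finding)
```
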