21 Replies Latest reply on Aug 16, 2013 9:45 AM by philba

    Server2Server remote ejb call: authentication issues

    philba

      Hello,

      currently I'm trying to make a remote ejb call between two JBoss 7.1.1 AS instances.

      I got the connection working, but I am having trouble with the authentication.

      jboss-ejb-client.xml:

       

      <jboss-ejb-client xmlns="urn:jboss:ejb-client:1.0">
          <client-context>
              <ejb-receivers>
                  <remoting-ejb-receiver outbound-connection-ref="remote-ejb-connection"/>
              </ejb-receivers>
          </client-context>
      </jboss-ejb-client>

      client standalone.xml:

      ...
      <security-realm name="SimpleRealm">
          <authentication>
              <properties path="simple.properties" relative-to="jboss.server.config.dir" plain-text="true"/>
          </authentication>
      </security-realm>
      ...
      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting"/>
          <outbound-connections>
              <remote-outbound-connection name="remote-ejb-connection" outbound-socket-binding-ref="remote-ejb" username="ejb" security-realm="SimpleRealm">
                  <properties>
                      <property name="SSL_ENABLED" value="false"/>
                      <property name="SECURE" value="false"/>
                      <property name="SASL_POLICY_NOANONYMOUS" value="true"/>
                      <property name="SASL_POLICY_NOPLAINTEXT" value="false"/>
                      <property name="SASL_DISALLOWED_MECHANISMS" value="JBOSS-LOCAL-USER"/>
                  </properties>
              </remote-outbound-connection>
          </outbound-connections>
      </subsystem>
      ...

      host standalone.xml:

      ...
      <security-realm name="jaasRealm">
          <authentication>
              <jaas name="ps-my-auth"/>
          </authentication>
      </security-realm>
      ...
      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="SimpleRealm"/>
      </subsystem>
      ...
      <security-domain name="ps-my-auth">
          <authentication>
              <login-module code="com.MyLoginModule" flag="required" module="com.my.security">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      ...


      When I try to make the remote ejb call, I get the following output.

      Client's Console:

       

      16:05:29,388 TRACE [org.jboss.remoting.endpoint] (ejb-client-remote-connection-reconnect-3-thread-2) Allocated tick to 3 of endpoint "Client-JBoss" <6029c853> (opened Connection to /127.0.0.1:14447)
      16:05:29,389 TRACE [org.jboss.remoting.remote] (ejb-client-remote-connection-reconnect-3-thread-2) Attempting to connect to "/127.0.0.1:14447" with options {org.xnio.Options.SASL_POLICY_NOPLAINTEXT=>false,org.xnio.Options.SECURE=>false,org.xnio.Options.SASL_DISALLOWED_MECHANISMS=>[JBOSS-LOCAL-USER],org.xnio.Options.SSL_STARTTLS=>true,org.xnio.Options.SSL_ENABLED=>true,org.xnio.Options.SASL_POLICY_NOANONYMOUS=>false}
      16:05:29,393 TRACE [org.jboss.remoting.remote] (Remoting "CL-JBoss" read-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting@27cb6fa9
      16:05:29,393 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Received java.nio.HeapByteBuffer[pos=12 lim=8192 cap=8192]
      16:05:29,394 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client received greeting
      16:05:29,394 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client received server name: 127.0.0.1
      16:05:29,394 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client sending capabilities request
      16:05:29,394 TRACE [org.jboss.remoting.remote] (Remoting "Client-JBoss" read-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities@1d0fd4a8
      16:05:29,394 TRACE [org.jboss.remoting.remote.connection] (Remoting "CL-JBoss" read-1) Sent message java.nio.HeapByteBuffer[pos=14 lim=14 cap=8192] (direct)
      16:05:29,395 TRACE [org.jboss.remoting.remote.connection] (Remoting "CL-JBoss" read-1) Flushed channel (direct)
      16:05:29,400 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client received capabilities response
      16:05:29,400 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client received capability: version 1
      16:05:29,400 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client received capability: remote endpoint name "HOST-JBoss"
      16:05:29,401 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client received capability: SASL mechanism JBOSS-LOCAL-USER
      16:05:29,401 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) Client received capability: SASL mechanism PLAIN
      16:05:29,401 TRACE [org.jboss.remoting.remote.client] (Remoting "CL-JBoss" read-1) SASL mechanism PLAIN added to allowed set
      16:05:29,403 TRACE [org.jboss.remoting.remote.connection] (Remoting "Client-JBoss" read-1) Connection error detail: javax.security.sasl.SaslException: Cannot get userid/password [Caused by javax.security.auth.callback.UnsupportedCallbackException]
          at com.sun.security.sasl.ClientFactoryImpl.getUserInfo(ClientFactoryImpl.java:157) [rt.jar:1.7.0_13]
          at com.sun.security.sasl.ClientFactoryImpl.createSaslClient(ClientFactoryImpl.java:94) [rt.jar:1.7.0_13]

      So the ejb call is failing, and my login module isn't even called. Honestly I think the host's standalone.xml is wrong, since even local ejb calls on the host won't be working.

      If I change the host's standalone like this, my login module gets called, but the credentials I get are hashed (i.e. e2fe909a-e9b3-4f3d-a294-5b3915a874d6) and thus can't be used for the login.

      The local ejb calls on the host are working as expected.

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                  <connector name="remoting-connector" socket-binding="remoting"/> <!-- no security realm-->
      </subsystem>

      I read everything I could about this topic, but I'm out of ideas, so could anyone please help me?

        • 1. Re: Server2Server remote ejb call: authentication issues
          jaikiran

          Phil, welcome to the forums.

          Can you try this against a later released version (like EAP 6.1.0.Alpha1, EAP 6.1.0.Final or WildFly 8.0.0.Alpha3) to see if it works there? I'm not sure if that UnsupportedCallbackException is one of the bugs we had fixed after 7.1.1.Final.

          • 2. Re: Server2Server remote ejb call: authentication issues
            philba

            Hi jaikiran, thanks for your post. You are just the person I was hoping for.

            As I mentioned in my post, I am able to bypass the UnsupportedCallbackException if I configure remoting on the host like this:

            <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                <connector name="remoting-connector" socket-binding="remoting"/> <!-- no security realm -->
            </subsystem>

            But then I get unusable, hashed credentials in my login module, and I don't understand why.

            • 3. Re: Server2Server remote ejb call: authentication issues
              jaikiran

              This is the bug I was referring to https://issues.jboss.org/browse/AS7-4824. I think you are running into it. It's fixed in a later version.

              • 4. Re: Server2Server remote ejb call: authentication issues
                philba

                Thank you, I read the posts referring to this post, and IIRC they were happening on 7.1.2 and not 7.1.1.

                Also, when I use the configuration to get this bug, local ejb calls aren't working either, because then I get unusable, hashed credentials for them.

                I will still try it out with EAP 6.1.

                • 5. Re: Server2Server remote ejb call: authentication issues
                  philba

                  EAP 6.1 yielded the same results.

                  With the security-realm entry on the client host side, I get an error on the client side:

                  15:12:04,116 TRACE [org.jboss.remoting.remote.connection] (Remoting "Client-JBoss" read-1) Connection error detail: javax.security.sasl.SaslException: Cannot get userid/password [Caused by javax.security.auth.callback.UnsupportedCallbackException]
                      at com.sun.security.sasl.ClientFactoryImpl.getUserInfo(ClientFactoryImpl.java:157) [rt.jar:1.7.0_13]

                  Without the security realm, my login module gets called, but the login fails.

                  What I noticed however was that the username this time was unhashed and that an anonymous user was used.

                  • 6. Re: Server2Server remote ejb call: authentication issues
                    jaikiran

                    at com.sun.security.sasl.ClientFactoryImpl.getUserInfo(ClientFactoryImpl.java:157) [rt.jar:1.7.0_13]

                    That looks odd. What does the entire exception stacktrace look like?

                    • 7. Re: Server2Server remote ejb call: authentication issues
                      philba

                      15:12:04,119 ERROR [org.jboss.remoting.remote.connection] (Remoting "Client-JBoss" read-1) JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Cannot get userid/password [Caused by javax.security.auth.callback.UnsupportedCallbackException]
                      15:12:04,119 TRACE [org.jboss.remoting.endpoint] (Remoting "Client-JBoss" read-1) Registered exception result: javax.security.sasl.SaslException: Cannot get userid/password [Caused by javax.security.auth.callback.UnsupportedCallbackException]
                          at com.sun.security.sasl.ClientFactoryImpl.getUserInfo(ClientFactoryImpl.java:157) [rt.jar:1.7.0_13]
                          at com.sun.security.sasl.ClientFactoryImpl.createSaslClient(ClientFactoryImpl.java:94) [rt.jar:1.7.0_13]
                          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities$1.run(ClientConnectionOpenListener.java:381) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities$1.run(ClientConnectionOpenListener.java:379) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                          at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_13]
                          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:379) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:227) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:180) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                          at org.xnio.nio.NioHandle.run(NioHandle.java:90)
                          at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)
                      Caused by: javax.security.auth.callback.UnsupportedCallbackException
                          at org.jboss.as.remoting.AbstractOutboundConnectionService$AnonymousCallbackHandler.handle(AbstractOutboundConnectionService.java:103) [jboss-as-remoting-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
                          at com.sun.security.sasl.ClientFactoryImpl.getUserInfo(ClientFactoryImpl.java:136) [rt.jar:1.7.0_13]
                          ... 16 more

                      • 8. Re: Server2Server remote ejb call: authentication issues
                        jaikiran

                        Have you done any changes to the installation? Like changing the modules or some such thing. Especially the jboss-sasl library?

                        • 9. Re: Server2Server remote ejb call: authentication issues
                          philba

                          Hmm, I did have to add some modules which are being used by the application, and of course I also had to add my login module.

                          I tried to do everything properly, and don't think I copied any of the SASL stuff. Currently this is my org/jboss/sasl/main module: jboss-sasl-1.0.3.Final-redhat-1

                          • 10. Re: Server2Server remote ejb call: authentication issues
                            philba

                            I really don't understand why I'm seeing this on the client/host:

                            10:56:53,151 TRACE [org.jboss.remoting.remote.server] (Remoting "Host-JBoss" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@1083834d
                            10:56:53,151 TRACE [org.jboss.remoting.remote.server] (Remoting "Host-JBoss" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@2a213cb3
                            10:56:53,151 TRACE [org.jboss.remoting.remote.server] (Remoting "Host-JBoss" read-1) Added mechanism ANONYMOUS

                            when I set up my client with this property:

                            <property name="SASL_POLICY_NOANONYMOUS" value="true"/>

                            So why is my client doing an anonymous login?

                            Edit:

                            Probably because in this case I don't have a security realm defined on the host for remoting.

                            • 11. Re: Server2Server remote ejb call: authentication issues
                              philba

                              Hmm, interestingly even with a security realm, which subsequently causes a SASL exception, an anonymous login is being tried:

                              Registered exception result: javax.security.sasl.SaslException: Cannot get userid/password [Caused by javax.security.auth.callback.UnsupportedCallbackException]
                                  at com.sun.security.sasl.ClientFactoryImpl.getUserInfo(ClientFactoryImpl.java:157) [rt.jar:1.7.0_13]
                                  at com.sun.security.sasl.ClientFactoryImpl.createSaslClient(ClientFactoryImpl.java:94) [rt.jar:1.7.0_13]
                                  at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities$1.run(ClientConnectionOpenListener.java:381) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                                  at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities$1.run(ClientConnectionOpenListener.java:379) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                                  at java.security.AccessController.doPrivileged(Native Method) [rt.jar:1.7.0_13]
                                  at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:379) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                                  at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:227) [jboss-remoting-3.2.16.GA-redhat-1.jar:3.2.16.GA-redhat-1]
                                  at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.ssl.JsseConnectedSslStreamChannel.handleReadable(JsseConnectedSslStreamChannel.java:180) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72) [xnio-api-3.0.7.GA-redhat-1.jar:3.0.7.GA-redhat-1]
                                  at org.xnio.nio.NioHandle.run(NioHandle.java:90)
                                  at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)
                              Caused by: javax.security.auth.callback.UnsupportedCallbackException
                                  at org.jboss.as.remoting.AbstractOutboundConnectionService$AnonymousCallbackHandler.handle(AbstractOutboundConnectionService.java:103) [jboss-as-remoting-7.2.0.Final-redhat-8.jar:7.2.0.Final-redhat-8]
                                  at com.sun.security.sasl.ClientFactoryImpl.getUserInfo(ClientFactoryImpl.java:136) [rt.jar:1.7.0_13]

                              EDIT:

                              I'm pretty sure now that the anonymous login is the underlying cause for my problems, since the AnonymousCallbackHandler can't handle a whole lot of callbacks:

                                public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException
                                {
                                  // Only a NameCallback is answered (with "anonymous"); any other callback,
                                  // e.g. a PasswordCallback, ends in UnsupportedCallbackException.
                                  for (Callback current : callbacks)
                                    if ((current instanceof NameCallback)) {
                                      NameCallback ncb = (NameCallback)current;
                                      ncb.setName("anonymous");
                                    } else {
                                      throw RemotingMessages.MESSAGES.unsupportedCallback(current);
                                    }
                                }


                              Really really weird, on the console I see this:

                              15:14:39,617 TRACE [org.jboss.security] (http-/0.0.0.0:8080-2) PBOX000354: Setting security roles ThreadLocal: null
                              15:14:42,693 TRACE [org.jboss.remoting.endpoint] (ejb-client-context-tasks-3-thread-3) Allocated tick to 2 of endpoint "Client-JBoss" <d52c7d0> (opened Connection to /127.0.0.1:14447)
                              15:14:42,693 TRACE [org.jboss.remoting.remote] (ejb-client-context-tasks-3-thread-3) Attempting to connect to "/127.0.0.1:14447" with options {org.xnio.Options.SASL_POLICY_NOPLAINTEXT=>false,org.xnio.Options.SECURE=>false,org.xnio.Options.SSL_STARTTLS=>true,org.xnio.Options.SASL_POLICY_NOANONYMOUS=>false,org.xnio.Options.SSL_ENABLED=>true,org.xnio.Options.SASL_DISALLOWED_MECHANISMS=>[JBOSS-LOCAL-USER]}
                              15:14:42,696 TRACE [org.jboss.remoting.remote] (Remoting "Client-JBoss" read-1) Setting read listener to org.jboss.remoting3.remote.ClientConnectionOpenListener$Greeting@12842756
                              15:14:42,696 TRACE [org.jboss.remoting.remote.client] (Remoting "Client-JBoss" read-1) Received java.nio.HeapByteBuffer[pos=12 lim=8192 cap=8192]
                              15:14:42,696 TRACE [org.jboss.remoting.remote.client] (Remoting "Client-JBoss" read-1) Client received greeting

                              Despite setting the options in my client standalone.xml:

                              <property name="SSL_ENABLED" value="false"/>
                              <property name="SECURE" value="false"/>
                              <property name="SASL_POLICY_NOANONYMOUS" value="true"/>
                              <property name="SASL_POLICY_NOPLAINTEXT" value="false"/>
                              <property name="SASL_DISALLOWED_MECHANISMS" value="JBOSS-LOCAL-USER"/>

                              The plot thickens.

                              • 12. Re: Server2Server remote ejb call: authentication issues
                                philba

                                I also tried setting the options in the jboss-ejb-client.xml like this:

                                <jboss-ejb-client xmlns="urn:jboss:ejb-client:1.2">
                                    <client-context>
                                        <ejb-receivers>
                                            <remoting-ejb-receiver outbound-connection-ref="remote-ejb-connection"/>
                                        </ejb-receivers>
                                        <clusters>
                                            <!-- cluster of remote-ejb-connection-1 -->
                                            <cluster name="ejb" security-realm="SimpleRealm" username="testuser">
                                                <connection-creation-options>
                                                    <property name="org.xnio.Options.SSL_ENABLED" value="false"/>
                                                    <property name="org.xnio.Options.SASL_POLICY_NOANONYMOUS" value="true"/>
                                                </connection-creation-options>
                                            </cluster>
                                        </clusters>
                                    </client-context>
                                </jboss-ejb-client>

                                But at runtime I still get

                                org.xnio.Options.SASL_POLICY_NOANONYMOUS=>false

                                in the console.

                                • 13. Re: Server2Server remote ejb call: authentication issues
                                  jaikiran

                                  I actually have lost a bit of track on the issue. Let's take a step back and not do these many changes. Attach (click on the Use advanced editor link in the message editor window for the attach option) the complete standalone*.xml which is causing this problem.

                                  • 14. Re: Server2Server remote ejb call: authentication issues
                                    philba

                                    Short résumé:

                                    During the remote ejb call, the authentication fails with an UnsupportedCallbackException. I found that the root issue is that an anonymous login is being used, which doesn't support password callbacks (amongst other callbacks).

                                    For why an anonymous login is used, I have two theories:

                                    - It seems like not all options are being used on the client side (i.e. name="org.xnio.Options.SASL_POLICY_NOANONYMOUS" value="true")

                                    - Security isn't configured correctly on the host side (even though the ejb is annotated with @PermitAll and @SecurityDomain)

                                    Here is the standalone.xml of the client (I deleted non-relevant sections).

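Added example, not code from this thread and not part of JBoss, XNIO or the EJB client: a small Python script that does the two checks the thread keeps circling around, in reply 11 (configured options versus the option map in the "Attempting to connect ... with options {...}" TRACE line) and in reply 14's first theory. It pulls the effective option map out of such a TRACE line, compares it with the `<property>` entries configured under the outbound connection, and then applies a simplified model of the SASL policy options (SASL_DISALLOWED_MECHANISMS, SASL_POLICY_NOANONYMOUS, SASL_POLICY_NOPLAINTEXT) to the mechanisms a server advertises. The function names, the constructed sample log line and the trimmed `<properties>` fragment are assumptions made for the example; the mechanism filter is an assumed approximation of what those policy options mean, not XNIO's actual selection code.

```python
"""Compare the XNIO options JBoss Remoting logs for an outbound connection
with the options configured in standalone.xml, then model which SASL
mechanisms the effective policy leaves usable.

Added example: helper names and sample inputs are assumptions, and the
mechanism filter is a simplified model rather than XNIO's own selection code.
"""
import re
import xml.etree.ElementTree as ET

OPTION_PREFIX = "org.xnio.Options."

# Constructed sample: a TRACE line in the shape the thread's console output shows.
TRACE_LINE = (
    '15:14:42,693 TRACE [org.jboss.remoting.remote] (ejb-client-context-tasks-3-thread-3) '
    'Attempting to connect to "/127.0.0.1:14447" with options '
    '{org.xnio.Options.SASL_POLICY_NOPLAINTEXT=>false,org.xnio.Options.SECURE=>false,'
    'org.xnio.Options.SSL_STARTTLS=>true,org.xnio.Options.SASL_POLICY_NOANONYMOUS=>false,'
    'org.xnio.Options.SSL_ENABLED=>true,org.xnio.Options.SASL_DISALLOWED_MECHANISMS=>[JBOSS-LOCAL-USER]}'
)

# Constructed sample: the <properties> block of the client's remote-outbound-connection.
CONFIG_XML = """<properties>
    <property name="SSL_ENABLED" value="false"/>
    <property name="SECURE" value="false"/>
    <property name="SASL_POLICY_NOANONYMOUS" value="true"/>
    <property name="SASL_POLICY_NOPLAINTEXT" value="false"/>
    <property name="SASL_DISALLOWED_MECHANISMS" value="JBOSS-LOCAL-USER"/>
</properties>"""


def _strip_prefix(name):
    """Normalise 'org.xnio.Options.X' and plain 'X' to the same key."""
    return name[len(OPTION_PREFIX):] if name.startswith(OPTION_PREFIX) else name


def _coerce(raw):
    """Turn a logged or configured option value into a Python value."""
    raw = raw.strip()
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    if raw.startswith("[") and raw.endswith("]"):
        return [m.strip() for m in raw[1:-1].split(",") if m.strip()]
    return raw


def _split_top_level(body):
    """Split 'k=>v,k=>[a,b]' on commas that are not inside [...]."""
    parts, depth, current = [], 0, []
    for ch in body:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current))
    return parts


def parse_effective_options(trace_line):
    """Extract the option map JBoss Remoting logs at connect time."""
    m = re.search(r"with options \{(.*)\}\s*$", trace_line)
    if not m:
        raise ValueError("no option map in trace line")
    options = {}
    for item in _split_top_level(m.group(1)):
        key, _, value = item.partition("=>")
        options[_strip_prefix(key.strip())] = _coerce(value)
    return options


def parse_configured_options(xml_text):
    """Read the <property name=... value=.../> entries of a <properties> block."""
    options = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = _strip_prefix(prop.get("name", ""))
        value = prop.get("value", "")
        if name == "SASL_DISALLOWED_MECHANISMS":   # configured as a comma list, logged as [..]
            value = "[" + value + "]"
        options[name] = _coerce(value)
    return options


def option_mismatches(configured, effective):
    """Configured options that did not make it into the effective option map."""
    return {name: (want, effective.get(name))
            for name, want in configured.items() if effective.get(name) != want}


def allowed_mechanisms(offered, options):
    """Simplified policy filter (assumption, not XNIO's code): drop disallowed
    mechanisms, drop ANONYMOUS under NOANONYMOUS, drop PLAIN under NOPLAINTEXT."""
    allowed = []
    for mech in offered:
        if mech in options.get("SASL_DISALLOWED_MECHANISMS", []):
            continue
        if mech == "ANONYMOUS" and options.get("SASL_POLICY_NOANONYMOUS", False):
            continue
        if mech == "PLAIN" and options.get("SASL_POLICY_NOPLAINTEXT", False):
            continue
        allowed.append(mech)
    return allowed


if __name__ == "__main__":
    configured = parse_configured_options(CONFIG_XML)
    effective = parse_effective_options(TRACE_LINE)
    for name, (want, got) in option_mismatches(configured, effective).items():
        print(f"{name}: configured {want!r}, effective {got!r}")
    offered = ["JBOSS-LOCAL-USER", "PLAIN", "ANONYMOUS"]   # as advertised in replies 10 and 11
    print("usable under effective options:", allowed_mechanisms(offered, effective))
    print("usable under configured options:", allowed_mechanisms(offered, configured))
```

Run against the sample inputs, the mismatch report names SSL_ENABLED and SASL_POLICY_NOANONYMOUS as configured but not effective, and the policy model keeps ANONYMOUS in the usable set under the effective options while dropping it under the configured ones. That is the quickest way to tell "the option never reached the connection" from "the option was applied and the mechanism was still chosen" when reading TRACE output like the one in this thread.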