9 Replies Latest reply on Aug 17, 2015 10:17 AM by ymajoros

    SASL - how to propagate custom Principal and Credential?

    henrikdeluxe

      Hello,

      I got another problem migrating my application from AS 5.1.0 to AS 7.2.0.

      My architecture looks like this:

      • some standalone client apps calling secured remote EJBs
      • client apps passing a custom principal and a plain password for authentication
      • server uses its own LoginModule (extends org.jboss.security.auth.spi.LdapExtLoginModule)

      --> using AS 5.1.0 everything works fine

      --> using AS 7.2.0 my custom LoginModule doesn't get the correct principal and password from the calling client

      I have tried to find solutions in the quickstart projects and in other discussions here and in other forums, but nothing works for me.

      If I disable security in my EJB everything works fine (but with an unauthenticated identity).

      I suspect my fault is either in the standalone configuration or in the client-side security implementation, but I've tried everything that came to my mind and I'm close to giving up.

      Could anyone please give me some advice?

      I have attached my standalone.xml and my Maven projects to offer the full implementation.

      The server consists of an EJB project, an API project and a JAR project for security. All is packaged in an EAR project.

      The client consists only of a JAR project that also uses the server's API and security projects.

       

       

      I have tried the following server configurations:

      1. own SecurityDomain with custom LoginModule for EJB + securing the remoting-connector with the default "ApplicationRealm" (local authentication)
        • remote EJB lookup works fine
        • remote EJB method call invokes the custom LoginModule on the server side, but sends the wrong Principal & Password ($local & random password)
        • --> raises EJBAccessException: JBAS013323: invalid user

      2. own SecurityDomain with custom LoginModule for EJB + securing the remoting-connector with my own Realm (JAAS authentication with my own LoginModule)
        • causes an exception during EJB lookup and the custom LoginModule is never called (javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://localhost:4447])

      3. own SecurityDomain with custom LoginModule for EJB + remoting-connector without security
        • remote EJB lookup works fine
        • remote EJB method call invokes the custom LoginModule on the server side, but sends the wrong Principal & Password (anonymous & random password)
        • --> raises EJBAccessException: JBAS013323: invalid user

       

       

      In JBoss AS 5.1 I pass my principal object and password credential on the client side as follows:

      import org.jboss.security.client.JBossSecurityClient;
      import org.jboss.security.client.SecurityClient;
      import org.jboss.security.client.SecurityClientFactory;

      // customPrincipal implements java.security.Principal, plainPass is the clear-text password
      final SecurityClient client = SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
      client.setVmwideAssociation(true);            // associate the identity with the whole client VM
      client.setSimple(customPrincipal, plainPass);  // principal + credential ("simple") authentication
      client.login();                               // throws javax.security.auth.login.LoginException on failure

      This works fine for AS 5.1 but seems to be ignored in AS 7.1.

      So my question is: how do I propagate the principal object and the (plain) password correctly, so that I can use these values in my LoginModule?

        • 1. Re: SASL not working with custom LoginModule - how to propagate custom Principal and Credential?
          jaikiran
          • remote ejb method call invoke custom LoginModule on serverside, but send wrong Principal & Password ($local & random-password)
          • --> raises EJBAccessException: JBAS013323: invalid user

          You should disable the "local client authentication". See this thread for details: https://community.jboss.org/thread/176963?start=0&tstart=0

          • 2. Re: Re: SASL not working with custom LoginModule - how to propagate custom Principal and Credential?
            henrikdeluxe

            Hi Jaikiran,

            as mentioned, I have already tried to use my own Realm with my LoginModule as JAAS authentication, without local authentication.

            Additionally I added jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER"); before processing the EJB lookup.

            "2. own SecurityDomain with custom LoginModule for EJB + securing remoting-connector with own Realm (jaas-authentication with own LoginModule) causes exception during ejb lookup and custom LoginModule is never called (javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://localhost:4447])"

            If I try to process the lookup I get an exception on the client side - my LoginModule is never called - and on the server side there are no errors or warnings :-/

            client-side:

            do remote lookup for name RemoteCalculator
            Error on lookup RemoteBean: RemoteCalculator
            javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://localhost:4447]
                at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:200)
                at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:131)
                at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:112)
                at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:223)
                at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)
                at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)
                at javax.naming.InitialContext.lookup(InitialContext.java:411)
                at de.ejb.remote.client.MyRemoteClient.lookupRemoteBean(MyRemoteClient.java:151)
                at de.ejb.remote.client.MyRemoteClient.main(MyRemoteClient.java:46)
            RemoteCalculator not found

             

             

             

            server-side:

            15:52:47,605 TRACE [org.jboss.remoting.remote] (Remoting "csepchh" read-1) Accepted connection from /127.0.0.1:51340 to 127.0.0.1/127.0.0.1:4447
            15:52:47,605 TRACE [org.jboss.remoting.remote] (Remoting "csepchh" read-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@2e45d01e
            15:52:47,606 TRACE [org.jboss.remoting.remote.connection] (Remoting "csepchh" read-1) Sent message java.nio.HeapByteBuffer[pos=12 lim=12 cap=8192] (direct)
            15:52:47,606 TRACE [org.jboss.remoting.remote.connection] (Remoting "csepchh" read-1) Flushed channel (direct)
            15:52:47,618 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Server received capabilities request
            15:52:47,618 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Server received capability: version 1
            15:52:47,619 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"
            15:52:47,619 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Server received capability: message close protocol supported
            15:52:47,621 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) No EXTERNAL mechanism due to explicit exclusion
            15:52:47,621 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@4c99e353
            15:52:47,621 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Excluding mechanism JBOSS-LOCAL-USER because it is not in the allowed list
            15:52:47,621 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@b1b856f
            15:52:47,621 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
            15:52:47,621 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@3bd5401b
            15:52:47,622 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Added mechanism PLAIN
            15:52:47,622 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@2d63cb4d
            15:52:47,622 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory com.sun.security.sasl.ntlm.FactoryImpl@1f5846a5
            15:52:47,622 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Excluding mechanism NTLM because it is not in the allowed list
            15:52:47,622 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@5c860ab6
            15:52:47,622 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
            15:52:47,623 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@6429622e
            15:52:47,623 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list
            15:52:47,623 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@58eced61
            15:52:47,623 TRACE [org.jboss.remoting.remote.server] (Remoting "csepchh" read-1) Excluding mechanism GSSAPI because it is not in the allowed list
            15:52:47,623 TRACE [org.jboss.remoting.remote.connection] (Remoting "csepchh" read-1) Sent message java.nio.HeapByteBuffer[pos=42 lim=42 cap=8192] (direct)
            15:52:47,623 TRACE [org.jboss.remoting.remote.connection] (Remoting "csepchh" read-1) Flushed channel (direct)
            15:52:47,697 TRACE [org.jboss.remoting.remote] (Remoting "csepchh" read-1) Received connection end-of-stream

             

             

            Additionally, there are also no startup/deployment errors.
            I tried this authentication with my custom LoginModule deployed within the EAR and globally deployed as an additional jar within the org.jboss.as.remoting module.

            Unfortunately it does not work.
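Reading the server TRACE above line by line is tedious, so here is an added example (mine, not from the thread or from JBoss) that extracts the mechanism decisions from those lines and turns them into operator-facing findings. The sample lines are the message parts of the trace quoted above with timestamps and thread names removed; the class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Summarises the SASL mechanism negotiation of one AS 7 remoting handshake from TRACE log lines. */
public final class SaslOfferAudit {

    // Constructed sample: message parts of the org.jboss.remoting.remote.* TRACE lines quoted above,
    // with timestamps and thread names removed.
    static final String[] SAMPLE_TRACE = {
        "No EXTERNAL mechanism due to explicit exclusion",
        "Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@4c99e353",
        "Excluding mechanism JBOSS-LOCAL-USER because it is not in the allowed list",
        "Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@b1b856f",
        "Excluding mechanism DIGEST-MD5 because it is not in the allowed list",
        "Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@3bd5401b",
        "Added mechanism PLAIN",
        "Excluding mechanism GSSAPI because it is not in the allowed list",
        "Sent message java.nio.HeapByteBuffer[pos=42 lim=42 cap=8192] (direct)",
        "Received connection end-of-stream",
    };

    private static final Pattern ADDED = Pattern.compile("Added mechanism (\\S+)");
    private static final Pattern EXCLUDED = Pattern.compile("Excluding mechanism (\\S+) because (.+)");

    final Set<String> offered = new LinkedHashSet<>();          // mechanisms the server will advertise
    final Map<String, String> excluded = new LinkedHashMap<>(); // mechanism -> reason it was dropped
    boolean peerClosed;                                         // client hung up after the offer

    static SaslOfferAudit parse(String[] lines) {
        SaslOfferAudit audit = new SaslOfferAudit();
        for (String line : lines) {
            Matcher m = ADDED.matcher(line);
            if (m.find()) {
                audit.offered.add(m.group(1));
            } else if ((m = EXCLUDED.matcher(line)).find()) {
                audit.excluded.put(m.group(1), m.group(2).trim());
            } else if (line.contains("Received connection end-of-stream")) {
                audit.peerClosed = true;
            }
        }
        return audit;
    }

    /** Turns the parsed negotiation into findings an operator can act on. */
    List<String> findings() {
        List<String> out = new ArrayList<>();
        if (offered.isEmpty()) {
            out.add("the realm lets no SASL mechanism through; no client can authenticate");
        } else if (offered.equals(Collections.singleton("PLAIN"))) {
            out.add("only PLAIN is offered: a client that has not set SASL_POLICY_NOPLAINTEXT=false refuses it, "
                    + "and with NOPLAINTEXT=false the password crosses the wire in clear unless the connector uses TLS");
        }
        if (peerClosed) {
            out.add("client closed the connection right after the mechanism list, consistent with it rejecting every offered mechanism");
        }
        for (Map.Entry<String, String> e : excluded.entrySet()) {
            out.add("excluded " + e.getKey() + ": " + e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        for (String finding : parse(SAMPLE_TRACE).findings()) {
            System.out.println(finding);
        }
    }
}
```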

            • 3. Re: Re: Re: SASL not working with custom LoginModule - how to propagate custom Principal and Credential?
              henrikdeluxe

              In addition to the logs, here are the relevant parts of my standalone configuration that belong to the logs of my previous posting:

              What am I doing wrong?? I guess it shouldn't be that difficult.

               

              <management>
                  <security-realms>
                      <security-realm name="ManagementRealm">
                          <authentication>
                              <local default-user="$local"/>
                              <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                          </authentication>
                      </security-realm>
                      <security-realm name="ApplicationRealm">
                          <authentication>
                              <local default-user="$local" allowed-users="*"/>
                              <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                          </authentication>
                          <authorization>
                              <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                          </authorization>
                      </security-realm>

                      <!-- my security realm with custom LoginModule -->
                      <security-realm name="MyAppRealm">
                          <authentication>
                              <jaas name="myDomain"/>
                          </authentication>
                      </security-realm>
                  </security-realms>
                  <management-interfaces>
                      <native-interface security-realm="ManagementRealm">
                          <socket-binding native="management-native"/>
                      </native-interface>
                      <http-interface security-realm="ManagementRealm">
                          <socket-binding http="management-http"/>
                      </http-interface>
                  </management-interfaces>
              </management>

               

              <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                  <!-- securing the remote connector with custom realm & LoginModule
                       result: causes exception during ejb lookup but custom LoginModule is never called
                       (javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://localhost:4447]) -->
                  <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>
              </subsystem>

               

              <subsystem xmlns="urn:jboss:domain:security:1.2">
                  <security-domains>
                  <!-- my security domain with custom LoginModule -->
                      <security-domain name="myDomain" cache-type="default">
                          <authentication>
                              <login-module code="de.ejb.remote.server.security.MyLDAPLogin" flag="required">
                                  <module-option name="principalClass" value="de.ejb.remote.server.security.MyAppPrincipal"/> <!-- custom principal -->
                                  <module-option name="java.naming.security.authentication" value="simple"/>
                                  <module-option name="unauthenticatedIdentity" value="jboss"/>
                                  <module-option name="password-stacking" value="useFirstPass"/>
                                          
                                  <!-- some LDAP specifics --> 
                                  <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                  <module-option name="java.naming.provider.url" value="ldap://ldaphost:389"/>
                                  <module-option name="bindDN" value="MyDomain\ldap"/>
                                  <module-option name="bindCredential" value="myCredential4ldap"/>
                                  <module-option name="baseCtxDN" value="cn=Users,dc=mydomain,dc=de"/>
                                  <module-option name="baseFilter" value="(sAMAccountName={0})"/>
                                  <module-option name="rolesCtxDN" value="CN=Users,DC=mydoamin,DC=de"/>
                                  <module-option name="roleFilter" value="(member={1})"/>
                                  <module-option name="roleAttributeID" value="cn"/>
                                  <module-option name="roleAttributeIsDN" value="false"/>
                                  <module-option name="roleRecursion" value="2"/>
                                  <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
                                  <module-option name="allowEmptyPasswords" value="false"/>
                                  <module-option name="java.naming.referral" value="follow"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmDirect" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="jboss-web-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                      <security-domain name="jboss-ejb-policy" cache-type="default">
                          <authorization>
                              <policy-module code="Delegating" flag="required"/>
                          </authorization>
                      </security-domain>
                  </security-domains>
              </subsystem>
              
              • 4. Re: SASL not working with custom LoginModule - how to propagate custom Principal and Credential?
                seeberger

                Hi there,

                1.

                When I secured the remoting-connector with my custom realm it wasn't sufficient to just put the jar with the LoginModule into the org.jboss.as.remoting module. I also had to put all jars that were needed during the login process of the LoginModule into the org.jboss.as.remoting module.

                The reason was that in my LoginModule I load the User entity and fill it with all relevant data from the database, so for example I had to put the User.class and all needed DTOs and DAOs into the org.jboss.as.remoting module. Maybe that helps.

                2.

                I've got exactly the same problem. I secure the remoting subsystem with the ApplicationRealm and the beans with a custom LoginModule.

                In the class "SimpleSecurityManager" (located in jboss-as-security-7.1.1.Final.jar), in the method "push(final String securityDomain, final String runAs, final String runAsPrincipal, final Set<String> extraRoles)", the call RemotingContext.getConnection().getUserInfo() returns the following:

                Subject:

                    Principal: org.jboss.remoting3.security.UserPrincipal@586034f

                    Principal: InetAddressPrincipal <127.0.0.1/127.0.0.1>

                    Principal: admin@ApplicationRealm

                I've set the option SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER so the principal is not $local, but when I look into the subject object I can see that there are no credentials set (neither privCredentials nor pubCredentials), so it seems that the credentials don't get passed and because of that the principal and credential are set like this:

                // from SimpleSecurityManager.push(): without a usable remoting identity a random one is substituted
                if (p == null || credential == null) {
                    p = new SimplePrincipal(UUID.randomUUID().toString());
                    credential = UUID.randomUUID().toString();
                }

                In the class org.xnio.Options I found the option "SASL_POLICY_PASS_CREDENTIALS", but when I set it to "true" the code isn't working, because in the class "ClientConnectionOpenListener$Capabilities", in the method handleEvent(final ConnectedMessageChannel channel), no mechanism is found when this option is set to true.

                My question is: what is this option good for, and how can I pass my credentials so that I can use them in my custom LoginModule?

                • 5. Re: Re: SASL not working with custom LoginModule - how to propagate custom Principal and Credential?
                  henrikdeluxe

                  Oh my goodness, it seems I missed the forest for the trees.

                  The entire time I used the following properties:

                  jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
                  jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

                  but correct is:

                  jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
                  jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

                  Using these properties I could solve my first problem: getting the plain password in the server LoginModule.

                  Now I'm only guessing how to propagate my custom principal (sometimes also named caller principal).

                  Does anyone have an idea?
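The fix above comes down to which property prefix the client library actually reads. As an added example (mine, not from the thread or from JBoss), the following builds the remote-naming properties with the options under the prefix the remote-naming client reads, and includes a check that flags the earlier mix-up where the same options sat under the EJB-client prefix. Host, port, user and password are constructed values; the class and method names are assumptions.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/** Client-side JNDI properties for a remote-naming lookup against AS 7, plus a check for the prefix mix-up above. */
public final class RemoteNamingClientProps {

    static final String REMOTE_NAMING_FACTORY = "org.jboss.naming.remote.client.InitialContextFactory";
    // Prefix the remote-naming client reads for its connection options.
    static final String NAMING_PREFIX = "jboss.naming.client.connect.options.";
    // Prefix the EJB client library reads for its own connections; a remote-naming lookup never sees it.
    static final String EJB_CLIENT_PREFIX = "remote.connection.default.connect.options.";

    static final String NOPLAINTEXT = "org.xnio.Options.SASL_POLICY_NOPLAINTEXT";
    static final String DISALLOWED = "org.xnio.Options.SASL_DISALLOWED_MECHANISMS";

    static Properties forRemoteNaming(String host, int port, String user, String password) {
        Properties p = new Properties();
        p.put("java.naming.factory.initial", REMOTE_NAMING_FACTORY);
        p.put("java.naming.provider.url", "remote://" + host + ":" + port);
        p.put("java.naming.security.principal", user);
        p.put("java.naming.security.credentials", password);
        // Refuse JBOSS-LOCAL-USER so the server authenticates the real user instead of $local ...
        p.put(NAMING_PREFIX + DISALLOWED, "JBOSS-LOCAL-USER");
        // ... and accept PLAIN, the only mechanism the JAAS-backed realm in this thread offered. PLAIN
        // carries the password in clear text inside the remoting stream, so pair it with a TLS-enabled connector.
        p.put(NAMING_PREFIX + NOPLAINTEXT, "false");
        return p;
    }

    /** Lists SASL options placed under the EJB-client prefix although the lookup goes through remote-naming. */
    static List<String> misplacedSaslOptions(Properties p) {
        List<String> problems = new ArrayList<>();
        if (!REMOTE_NAMING_FACTORY.equals(p.getProperty("java.naming.factory.initial"))) {
            return problems; // not a remote-naming context; the EJB-client prefix may be legitimate there
        }
        for (String key : p.stringPropertyNames()) {
            if (key.startsWith(EJB_CLIENT_PREFIX) && key.contains("SASL_")) {
                String expected = NAMING_PREFIX + key.substring(EJB_CLIENT_PREFIX.length());
                problems.add(key + " is ignored by the remote-naming client; use " + expected);
            }
        }
        return problems;
    }

    public static void main(String[] args) {
        // Constructed values; the credentials would normally come from a prompt or a secret store.
        Properties fixed = forRemoteNaming("localhost", 4447, "username", "plainPassword");

        // Reproduce the configuration from earlier in the thread: the same options under the EJB-client prefix.
        Properties wrong = new Properties();
        wrong.putAll(fixed);
        wrong.remove(NAMING_PREFIX + DISALLOWED);
        wrong.remove(NAMING_PREFIX + NOPLAINTEXT);
        wrong.put(EJB_CLIENT_PREFIX + DISALLOWED, "JBOSS-LOCAL-USER");
        wrong.put(EJB_CLIENT_PREFIX + NOPLAINTEXT, "false");

        for (String problem : misplacedSaslOptions(wrong)) {
            System.out.println(problem);
        }
        System.out.println("misplaced options in the corrected properties: " + misplacedSaslOptions(fixed).size());
    }
}
```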

                  • 6. Re: SASL not working with custom LoginModule - how to propagate custom Principal and Credential?
                    seeberger

                    It seems like the reason why the credentials don't get propagated is somehow connected to the use of the predefined ApplicationRealm. Because of that I tried a DatabaseLoginModule and .... surprise .... the credentials are there.

                    • 7. Re: Re: SASL not working with custom LoginModule - how to propagate custom Principal and Credential?
                      henrikdeluxe

                      OK - so the last remaining question is: what is the correct way to propagate a custom principal for JAAS authentication?

                      In older versions it was possible to propagate the principal on the client side as follows:

                      // MyAppPrincipal implements java.security.Principal; plainPassword is the clear-text credential
                      final MyAppPrincipal customPrincipal = new MyAppPrincipal("username", "myLocale");
                      final SecurityClient client = SecurityClientFactory.getSecurityClient(JBossSecurityClient.class);
                      client.setVmwideAssociation(true);
                      client.setSimple(customPrincipal, plainPassword);
                      client.login();

                      Then in my LoginModule I could get this principal on the server side:

                      import java.io.IOException;
                      import java.security.Principal;

                      import javax.security.auth.callback.Callback;
                      import javax.security.auth.callback.UnsupportedCallbackException;

                      import org.jboss.security.auth.callback.SecurityAssociationCallback;

                      // callbackHandler is the CallbackHandler handed to the LoginModule in initialize()
                      private MyAppPrincipal getClientPrincipal()
                      {
                          final SecurityAssociationCallback callback = new SecurityAssociationCallback();
                          final Callback[] callbacks = { callback };
                          try
                          {
                              callbackHandler.handle(callbacks);
                              final Principal principal = callback.getPrincipal();
                              if (principal instanceof MyAppPrincipal)
                              {
                                  return (MyAppPrincipal) principal;
                              }
                          }
                          catch (final IOException e)
                          {
                              LOGGER.error("couldn't get custom principal", e);
                          }
                          catch (final UnsupportedCallbackException e)
                          {
                              LOGGER.error("couldn't get custom principal", e);
                          }
                          // any other principal type (e.g. SimplePrincipal) is treated as "no custom principal"
                          return null;
                      }

                      With AS 7.2 I only get a SimplePrincipal on the server side.

                      • 8. Re: SASL - how to propagate custom Principal and Credential?
                        henrikdeluxe

                        Could anyone please help with passing my custom Principal from client to server?

                        • 9. Re: SASL - how to propagate custom Principal and Credential?
                          ymajoros

                          It's been a while, but anyway, if it's helpful...

                          I had a similar problem.

                          See http://stackoverflow.com/questions/30033105/jaspic-module-not-propagating-principal-to-local-ejb-in-jboss-7-4/30122902#30122902 and https://github.com/javaeekickoff/jboss-as-jaspic-patch/tree/master/src/main/java/patch/jboss

                          It did "solve" it for me. I'll still ask Red Hat to correct this, anyway.