1 Reply Latest reply on Oct 24, 2013 9:49 AM by sergiu_pienar

    Remote EJB + Custom Login Module + Hibernate

    sergiu_pienar

      Using JBoss 7.1.1 Final with Hibernate 3.6.9 (packed in my EAR file).

      I'm also using a custom login module defined in standalone.xml as:

       

      <security-domain name="myRealm" cache-type="default">
          <authentication>
              <login-module code="com.login.LoginModule" flag="required">
                  <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>
                  <module-option name="hashAlgorithm" value="SHA"/>
                  <module-option name="hashEncoding" value="BASE64"/>
                  <module-option name="principalsQuery" value="SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname = ? AND (u.status = 'active' OR u.status = 'system')  AND u.clientid = c.clientid AND (c.status = 'active' OR c.status = 'system') AND (u.passwordExpireDate is null OR u.passwordExpireDate > now())  AND u.userId = ur.userId  AND u.lockedStatus != 1 AND ur.roleId=20"/>
                  <module-option name="rolesQuery" value="SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname = ? AND u.userId = ur.userId   AND u.clientId = ur.clientId AND ur.roleId = r.roleId  AND r.roleId = rp.roleId AND rp.privilegeId = p.privilegeId"/>
              </login-module>
          </authentication>
      </security-domain>

       

      The login module works fine both for remote invocations and local ones. The login module is deployed as a jar inside the remoting module with the remoting module pointing to it:

       

      <module xmlns="urn:jboss:module:1.1" name="org.jboss.as.remoting">
          <properties>
              <property name="jboss.api" value="private"/>
          </properties>

          <resources>
              <resource-root path="jboss-as-remoting-7.1.1.Final.jar"/>
              <resource-root path="login-module.jar"/>
              <!-- Insert resources here -->
          </resources>

      ....

       

      My problem is that the custom login class is using Hibernate to track user activity as below:

       

      @Override
      public boolean login() throws LoginException {
          String[] info = this.getUsernameAndPassword();
          String logname = info[0];
          boolean login = false;

          try {
              login = super.login();

              if (login) {
                  Session session = null;
                  try {
                      session = BeanUtil.getSessionFactory().openSession();
                      User user = UserHelper.loadUser(session, logname);

      ....

      where getSessionFactory does:

       

      Context ctx = new InitialContext();

      return (SessionFactory)ctx.lookup("java:jboss/HibernateFactory");

       

      This login works fine (manages to get the Session and do the proper calls) when used from within the application.

       

      The problem occurs when I try to call a remote EJB that is under the security-domain that the customLogin module is mapped to.

      I've added a dependency to hibernate in the remoting's module.xml (for the remoting module to be able to do Hibernate related operations).

       

      I get the following error:

       

      10:57:34,056 TRACE [org.jboss.remoting.remote] (Remoting "myApp" read-1) Accepted connection from /127.0.0.1:63577 to 127.0.0.1/127.0.0.1:4447

      10:57:34,058 TRACE [org.jboss.remoting.remote] (Remoting "myApp" read-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@c84e90

      10:57:34,059 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Sent message java.nio.HeapByteBuffer[pos=12 lim=12 cap=8192] (direct)

      10:57:34,061 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Flushed channel (direct)

      10:57:34,067 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capabilities request

      10:57:34,068 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: version 1

      10:57:34,069 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"

      10:57:34,071 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) No EXTERNAL mechanism due to explicit exclusion

      10:57:34,072 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@5e6cf7

      10:57:34,074 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Added mechanism JBOSS-LOCAL-USER

      10:57:34,075 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@14405c3

      10:57:34,076 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list

      10:57:34,078 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@d669c2

      10:57:34,079 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Added mechanism PLAIN

      10:57:34,080 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@b961d6

      10:57:34,081 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@c62e1a

      10:57:34,083 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list

      10:57:34,084 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@fcb590

      10:57:34,085 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list

      10:57:34,087 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@f4234b

      10:57:34,088 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism GSSAPI because it is not in the allowed list

      10:57:34,090 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Sent message java.nio.HeapByteBuffer[pos=37 lim=37 cap=8192] (direct)

      10:57:34,091 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Flushed channel (direct)

      10:57:34,139 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received authentication request

      10:57:34,168 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "myApp" task-4) Begin getAppConfigurationEntry(myAppRealm), size=6

      10:57:34,169 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "myApp" task-4) End getAppConfigurationEntry(myAppRealm), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: com.login.LoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=hashAlgorithm, value=SHA

      name=principalsQuery, value=SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname = ? AND (u.status = 'active' OR u.status = 'system')  AND u.clientid = c.clientid AND (c.status = 'active' OR c.status = 'system') AND (u.passwordExpireDate is null OR u.passwordExpireDate > now())  AND u.userId = ur.userId  AND u.lockedStatus != 1 AND ur.roleId=20

      name=hashEncoding, value=BASE64

      name=dsJndiName, value=java:jboss/datasources/myAppDS

      name=rolesQuery, value=SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname = ? AND u.userId = ur.userId   AND u.clientId = ur.clientId AND ur.roleId = r.roleId  AND r.roleId = rp.roleId AND rp.privilegeId = p.privilegeId

       

       

      10:57:34,180 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" task-4) Server sending authentication rejected (javax.security.sasl.SaslException: PLAIN password not verified by CallbackHandler)

      10:57:34,197 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" task-4) Sent message java.nio.HeapByteBuffer[pos=1 lim=1 cap=8192] (direct)

      10:57:34,199 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" task-4) Flushed channel (direct)

      10:57:34,200 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capabilities request

      10:57:34,201 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: version 1

      10:57:34,202 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"

      10:57:34,203 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Sent message java.nio.HeapByteBuffer[pos=37 lim=37 cap=8192] (direct)

       

      Debugging on the server side shows a ClassNotFoundException - possibly the Session.java but I'm unsure, for I could not find the sources for the ModulesClassLoader so I can move the debug in that area.

       

      Any ideas are welcome.

        • 1. Re: Remote EJB + Custom Login Module + Hibernate
          sergiu_pienar

          I've also tried a different approach in which, instead of getting the user directly with the Hibernate Session, I'm using an EJB I have deployed for this.

          Now I'm getting that the UserEJBLocal$$$view can not be cast to UserEJBLocal.

           

          This is most likely because I have the UserEJBLocal in both the EAR and the login-module.jar.

          My EJBs are packed in a jar and deployed within the EAR.

          I wonder if making the EJBs' jar a module in JBoss would solve my problem... If so, how could I declare that my EAR is dependent on that module?
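
The cast failure described in the reply above can be reproduced outside the server: this added example (not the poster's code) loads a second copy of an interface through a separate class loader and shows that the two copies share a name but are distinct types. All names (DuplicateClassDemo, SecondCopyLoader, UserEJBView, and this UserEJBLocal) are constructed stand-ins; it assumes Java 9+ and that the file is compiled with javac in the default package so the class files are on the classpath.

```java
import java.io.IOException;
import java.io.InputStream;
// Constructed demo: every name here is a stand-in, not one of the poster's classes.
public class DuplicateClassDemo {
    // Plays the business interface that is packaged twice (EAR and login-module.jar).
    public interface UserEJBLocal { String loadUser(String logname); }

    // Plays the container-generated view that implements the interface.
    public static class UserEJBView implements UserEJBLocal {
        public String loadUser(String logname) { return "user:" + logname; }
    }

    // Defines its own copy of the two types above instead of delegating to its parent,
    // as a second module does when it carries the same class file in its own jar.
    static class SecondCopyLoader extends ClassLoader {
        SecondCopyLoader(ClassLoader parent) { super(parent); }
        @Override
        protected Class<?> loadClass(String name, boolean resolve) throws ClassNotFoundException {
            if (!name.startsWith("DuplicateClassDemo$User")) return super.loadClass(name, resolve);
            synchronized (getClassLoadingLock(name)) {
                Class<?> c = findLoadedClass(name);
                if (c != null) return c;
                String path = name.replace('.', '/') + ".class";
                try (InputStream in = getParent().getResourceAsStream(path)) {
                    if (in == null) throw new ClassNotFoundException(name);
                    byte[] bytes = in.readAllBytes();
                    return defineClass(name, bytes, 0, bytes.length);
                } catch (IOException e) {
                    throw new ClassNotFoundException(name, e);
                }
            }
        }
    }

    public static void main(String[] args) throws Exception {
        ClassLoader other = new SecondCopyLoader(DuplicateClassDemo.class.getClassLoader());
        Object view = other.loadClass("DuplicateClassDemo$UserEJBView")
                .getDeclaredConstructor().newInstance();
        Class<?> theirs = view.getClass().getInterfaces()[0];
        System.out.println("same name:  " + theirs.getName().equals(UserEJBLocal.class.getName()));
        System.out.println("same class: " + (theirs == UserEJBLocal.class));
        try {
            UserEJBLocal local = (UserEJBLocal) view; // fails: the two copies are distinct types
            System.out.println(local.loadUser("demo"));
        } catch (ClassCastException e) {
            System.out.println("ClassCastException: " + e.getMessage());
        }
    }
}
```

The cast only succeeds when both sides resolve the interface through the same defining class loader, which is why a single shared copy of the interface is needed rather than one per archive.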