Remoting login module does not work if authentication is JAAS-based
pref Mar 29, 2013 12:23 AM

Hello,

I'm using JBoss EAP 6.1.0-Alpha. As the documentation says:
- Remoting
The Remoting login module is used to check if the request currently being authenticated is a request received over a Remoting connection, if so the identity that was created during the authentication process is used and associated with the current request.
If the request did not arrive over a Remoting connection this module does nothing and allows the JAAS based login to continue to the next module.
However, if you use a JAAS-based security realm to authenticate remoting calls, this module does not work as expected. Remoting uses "RemotingRealm" (which uses JAAS authentication via the "remoting-domain" security domain), while my application uses "application-domain". There is a user "ejb" in both domains; however, the passwords are different.
Here is the configuration (standalone.xml)
<management>
    ...
    <security-realms>
        <security-realm name="RemotingRealm">
            <authentication>
                <jaas name="remoting-domain"/>
            </authentication>
        </security-realm>
    </security-realms>
</management>
...
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        ...
        <security-domain name="remoting-domain" cache-type="default">
            <authentication>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                    <module-option name="usersProperties" value="${jboss.server.config.dir}/x-users.properties"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/x-roles.properties"/>
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
        <security-domain name="application-domain" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                    <module-option name="usersProperties" value="${jboss.server.config.dir}/y-users.properties"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/y-roles.properties"/>
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
If I invoke a remote call, first it authenticates the user via "remoting-domain", then it tries to authenticate the user one more time using "application-domain". The Remoting login module does not get the already authenticated identity from the "remoting-domain" domain.
However, if you use a non-JAAS-based security realm for "RemotingRealm" (for example, if you switch it to "ApplicationRealm" and create a user in application-users.properties), the "Remoting" login module works as expected: UsersRolesLoginModule in "application-domain" receives an already authenticated identity and does not try to authenticate the user. I debugged it a bit and found that the problem arises because org.jboss.as.security.service.SimpleSecurityManager.push clears the RemotingContext if the current subject contains private password credentials, and this is the case only if JAAS authentication was used (see org.jboss.as.domain.management.security.JaasCallbackHandler.handle).
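The working variant described above, a properties-backed (non-JAAS) realm on the Remoting connector with the unchanged "application-domain" behind it, written out as an added example; it is not part of the original post. The realm definition follows the stock EAP 6 ApplicationRealm layout, and the file names are the defaults the server ships with; the "application-domain" block is assumed to stay exactly as posted, so it is elided here.

```xml
<management>
    ...
    <security-realms>
        <!-- Properties-backed realm: authentication does not go through JAAS,
             so the subject carries no private password credential and the
             RemotingContext survives into the application security domain. -->
        <security-realm name="ApplicationRealm">
            <authentication>
                <local default-user="$local" allowed-users="*"/>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization>
                <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>
    </security-realms>
</management>
...
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <!-- Connector now points at the properties-backed realm instead of RemotingRealm. -->
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        ...
        <!-- "application-domain" is unchanged from the post: the optional Remoting
             login module picks up the identity established by the connector and,
             with password-stacking=useFirstPass, the following UsersRolesLoginModule
             reuses it rather than re-authenticating. -->
        <security-domain name="application-domain" cache-type="default">
            <authentication>
                <login-module code="Remoting" flag="optional">
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                    <module-option name="usersProperties" value="${jboss.server.config.dir}/y-users.properties"/>
                    <module-option name="rolesProperties" value="${jboss.server.config.dir}/y-roles.properties"/>
                    <module-option name="password-stacking" value="useFirstPass"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
```

The user "ejb" must then exist in application-users.properties (the bin/add-user script writes it there when the application realm is chosen), and the ejb caller still needs a matching entry in y-users.properties, since UsersRolesLoginModule still has to find the principal to assign its roles even when it does not re-check the password.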