-
1. Re: 'login-modules=[{' is not a valid operation name.
ctomc Feb 17, 2014 6:26 AM (in response to morellik)
Hi,
It looks like the problem is extra line breaks where you should not have any.
You could also simplify your script a bit by using a slightly different syntax for adding modules.
/subsystem=security/security-domain=app:add(cache-type="default")
/subsystem=security/security-domain=app/authentication=classic:add()
cd ./subsystem=security/security-domain=app/authentication=classic
./login-module=database:add(code="Database",flag="required", module-options={
dsJndiName="java:/jdbc/idpbynmr",
principalsQuery="select password from participant where email=?",
rolesQuery="select groupname, 'Roles'
from users_groups ug inner join participant a on ug.email = a.email
where a.email = ?", hashAlgorithm="SHA-256",
hashEncoding="BASE64",
unauthenticatedIdentity="guest"
}
)
./login-module=RoleMapping:add(code="RoleMapping", flag="required",module-options={ rolesProperties="file:${jboss.server.config.dir}/app.properties",replaceRole="false"})
--
tomaz
-
2. Re: Re: 'login-modules=[{' is not a valid operation name.
brian.stansberry Feb 17, 2014 12:57 PM (in response to ctomc)
If you want to break a single operation over multiple lines, use the '\' character. So, starting from Tomaz's variation on the script, a backslash is added to lines 4-12:
/subsystem=security/security-domain=app:add(cache-type="default")
/subsystem=security/security-domain=app/authentication=classic:add()
cd ./subsystem=security/security-domain=app/authentication=classic
./login-module=database:add(code="Database",flag="required", module-options={ \
dsJndiName="java:/jdbc/idpbynmr", \
principalsQuery="select password from participant where email=?", \
rolesQuery="select groupname, 'Roles' \
from users_groups ug inner join participant a on ug.email = a.email \
where a.email = ?", hashAlgorithm="SHA-256", \
hashEncoding="BASE64", \
unauthenticatedIdentity="guest" \
} \
)
./login-module=RoleMapping:add(code="RoleMapping", flag="required",module-options={ rolesProperties="file:${jboss.server.config.dir}/app.properties",replaceRole="false"})
There's another weakness in your original script though. Notice that your script had two separate responses from the server:
{"outcome" => "success"}
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
'login-modules=[{' is not a valid operation name.
That's because your script told the server to execute two write operations. (Tomaz's variant has four.) The problem is that the first one succeeded while the second one failed. That leaves your server config in a half-way state. You can't just go fix a typo in your script or something and try again, since the first step has modified the config.
Better is to have your changes execute as an atomic operation. To do this, you would include the 'batch' command as the line before the first of the atomic steps, and then the 'run-batch' command as the line after the atomic steps.
Simply doing that with your original script or Tomaz's though doesn't work. You get this:
$ bin/jboss-cli.sh -c --file=/Users/bstansberry/tmp/trash/tomaz-batch.txt
JBAS014808: Child resource '"security-domain" => "app"' not found
This happens because of the "cd" on line 3. That "cd" is a client side operation, an instruction to change the client side context to a new location. But the CLI validates the validity of that location against the server, and since nothing will happen server-side until 'run-batch' is called, line 1 and 2 will not have executed yet. So when the CLI tries to validate that "/subsystem=security/security-domain=app/authentication=classic" exists, it fails with the "JBAS014808: Child resource '"security-domain" => "app"' not found" message.
Solution is to not use the "cd" in a script and just use full addresses:
batch
/subsystem=security/security-domain=app:add(cache-type="default")
/subsystem=security/security-domain=app/authentication=classic:add()
/subsystem=security/security-domain=app/authentication=classic/login-module=database:add(code="Database",flag="required", module-options={ \
dsJndiName="java:/jdbc/idpbynmr", \
principalsQuery="select password from participant where email=?", \
rolesQuery="select groupname, 'Roles' \
from users_groups ug inner join participant a on ug.email = a.email \
where a.email = ?", hashAlgorithm="SHA-256", \
hashEncoding="BASE64", \
unauthenticatedIdentity="guest" \
} \
)
/subsystem=security/security-domain=app/authentication=classic/login-module=RoleMapping:add(code="RoleMapping", flag="required",module-options={ rolesProperties="file:${jboss.server.config.dir}/app.properties",replaceRole="false"})
run-batch
That succeeds:
$ bin/jboss-cli.sh -c --file=/Users/bstansberry/tmp/trash/absolute-batch.txt
The batch executed successfully
It's best to avoid 'cd' in scripts. The 'cd' saves some typing when creating the script, but makes it more fragile. Generally you only bother with a script if you want to use it multiple times, so the fragility concern should outweigh the extra typing.
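The three failure modes discussed in this thread (an operation broken across lines without '\', 'cd' in a script, and several write operations outside batch/run-batch) can be checked before a script is run against a server. This is an added example, not code from the posters or the WildFly project; the function names, finding codes and the list of write operations are assumptions, and the two sample scripts are shortened, constructed versions of the ones above.

```python
import re

WRITE_OP = re.compile(r":(add|remove|write-attribute|undefine-attribute)\(")  # assumed, non-exhaustive

def logical_lines(script):
    """Yield (first_line_no, text), joining lines that end in a backslash."""
    buf, start = "", None
    for no, raw in enumerate(script.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        yield start, buf + line
        buf, start = "", None

def lint(script):
    """Return sorted (line_no, code) findings for the failure modes in this thread."""
    findings, in_batch, loose_writes = [], False, []
    for no, op in logical_lines(script):
        bare = re.sub(r'"[^"]*"', '""', op)   # ignore brackets inside quoted strings
        if op in ("batch", "run-batch"):
            in_batch = op == "batch"
        elif op.split()[0] == "cd":           # client-side, validated against the server
            findings.append((no, "cd-in-script"))
        elif bare.count("(") > bare.count(")") or bare.count("{") > bare.count("}"):
            findings.append((no, "missing-continuation"))
        elif WRITE_OP.search(bare) and not in_batch:
            loose_writes.append(no)
    if len(loose_writes) > 1:                 # a later failure leaves a half-applied config
        findings.append((loose_writes[0], "write-outside-batch"))
    return sorted(findings)

# Constructed samples: shortened forms of the scripts discussed in the thread.
BROKEN = """/subsystem=security/security-domain=app:add(cache-type="default")
/subsystem=security/security-domain=app/authentication=classic:add()
cd ./subsystem=security/security-domain=app/authentication=classic
./login-module=database:add(code="Database", module-options={
dsJndiName="java:/jdbc/idpbynmr"})
"""
FIXED = """batch
/subsystem=security/security-domain=app:add(cache-type="default")
/subsystem=security/security-domain=app/authentication=classic:add()
/subsystem=security/security-domain=app/authentication=classic/login-module=database:add(code="Database", module-options={ \\
dsJndiName="java:/jdbc/idpbynmr"})
run-batch
"""
```

`lint(BROKEN)` reports all three problems with their line numbers, while `lint(FIXED)` returns an empty list.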
-
3. Re: Re: 'login-modules=[{' is not a valid operation name.
brian.stansberry Feb 17, 2014 1:03 PM (in response to brian.stansberry)
I opened https://issues.jboss.org/browse/WFLY-2946 to look into improving the 'cd' behavior in the CLI's batch mode.
-
4. Re: 'login-modules=[{' is not a valid operation name.
morellik Feb 19, 2014 3:44 AM (in response to brian.stansberry)
Thanks to all. It works fine.