-
1. Re: LoginModule#login() called twice in case of login failure
dmlloyd Mar 4, 2014 4:57 PM (in response to pmm)This is in fact a Remoting issue, but it's OK to ask it here!
The reason this happens is, the Remoting client cannot know whether the failure was due to a failure in the SASL mechanism or due to a genuine authentication problem, so it will try out all the agreed-upon mechanisms before giving up (not unlike SSH in fact). The solution is to specify a single supported SASL mechanism on the server side.
-
2. Re: Re: LoginModule#login() called twice in case of login failure
pmm Mar 6, 2014 1:42 AM (in response to dmlloyd)David Lloyd wrote:
This is in fact a Remoting issue, but it's OK to ask it here!
The reason this happens is, the Remoting client cannot know whether the failure was due to a failure in the SASL mechanism or due to a genuine authentication problem, so it will try out all the agreed-upon mechanisms before giving up (not unlike SSH in fact). The solution is to specify a single supported SASL mechanism on the server side.
We tried this and it does not seem to help
<subsystem xmlns="urn:jboss:domain:remoting:1.1"> <connector name="remoting-connector" socket-binding="remoting" security-realm="AcmeRealm"> <sasl> <include-mechanisms value="PLAIN"/> </sasl> </connector> </subsystem>
ClientConnectionOpenListener.Authentication
always issues a capabilities request even if there is just one SASL mechanism or we just tried the last SASL mechanism. We changed the code and to doconnection.handleException(allMechanismsFailed());
instead of
sendCapRequest(serverName);
when we just tried the last SASL mechanism (
saslMechs.size() <= 1
). This worked in the debugger but failed outside of the debugger. It seems that outside of the debugger somebody quickly creates a new channel andClientConnectionOpenListener
.Edit: while CCOL.Authentication issues a second capabilties request it does not issue a second login request. That has to come from somewhere else.
-
3. Re: LoginModule#login() called twice in case of login failure
pmm Mar 6, 2014 4:37 AM (in response to pmm)It seems not to be JBoss Remoting related but rather EJB client related. When configured with just one SASL mechanism the JBoss Remoting works fine. However we're using ConfigBasedEJBClientContextSelector to configure the EJB client. This does the first login with the wrong credentials but swallows the exception. The second login happens by the EJB client when we do the first remoting call. We get the exception and stop there.