-
1. Re: How to secure remote ejb communnication by user name and password only.
wdfink Mar 9, 2014 11:01 AM (in response to samwun9988)Which password did you set differently?
If you change the password with add-user at the client side, this will have no effect, as the password is set by the security-realm as base64.
-
2. Re: How to secure remote ejb communnication by user name and password only.
samwun9988 Mar 9, 2014 6:54 PM (in response to wdfink)Hi, thank you for your suggestion.
I didn't change the password by add-user script on the client side.
At server side, I changed the password by hand, by adding arbitrary characters to the end of the Base64 SASL generated password, to deliberately make it different to the client side.
Thanks & Best regards
sam
-
3. Re: How to secure remote ejb communnication by user name and password only.
samwun9988 Mar 9, 2014 8:52 PM (in response to wdfink)Even with RolesAccess() on the server ejb service method, the client is still able to access the server ejb without any problem:
Server entity:
import javax.annotation.security.RolesAllowed;
import javax.persistence.EntityManager;

public abstract class AbstractFacade<T> {
    private Class<T> entityClass;
    // Role name checked by the @RolesAllowed annotations below
    protected final String ROLES_NAME = "myrole";

    public AbstractFacade(Class<T> entityClass) {
        this.entityClass = entityClass;
    }

    // Supplied by the concrete (stateless session bean) subclass
    protected abstract EntityManager getEntityManager();

    @RolesAllowed(ROLES_NAME)
    public void create(T entity) {
        getEntityManager().persist(entity);
    }

    @RolesAllowed(ROLES_NAME)
    public void edit(T entity) {
        getEntityManager().merge(entity);
    }

    @RolesAllowed(ROLES_NAME)
    public void remove(T entity) {
        getEntityManager().remove(getEntityManager().merge(entity));
    }

    @RolesAllowed(ROLES_NAME)
    public T find(Object id) {
        return getEntityManager().find(entityClass, id);
    }
}
Server configuration:
[jbossserv@portal ~/jboss711Final/standalone/configuration]$ cat application-users.properties
#
# Properties declaration of users for the realm 'ApplicationRealm' which is the default realm
# for application services on a new AS 7.1 installation.
#
# This includes the following protocols: remote ejb, remote jndi, web, remote jms
#
# Users can be added to this properties file at any time, updates after the server has started
# will be automatically detected.
#
# The format of this realm is as follows: -
# username=HEX( MD5( username ':' realm ':' password))
#
# A utility script is provided which can be executed from the bin folder to add the users: -
# - Linux
# bin/add-user.sh
#
# - Windows
# bin\add-user.bat
#
# The following illustrates how an admin user could be defined, this
# is for illustration only and does not correspond to a usable password.
#
#admin=2a0923285184943425d1f53ddd58ec7a
mytest=fb466192463d57497a8d7aa6b739d515
[jbossserv@portal ~/jboss711Final/standalone/configuration]$ cat application-roles.properties
#
# Properties declaration of users roles for the realm 'ApplicationRealm'.
#
# This includes the following protocols: remote ejb, remote jndi, web, remote jms
#
# Users can be added to this properties file at any time, updates after the server has started
# will be automatically detected.
#
# The format of this file is as follows: -
# username=role1,role2,role3
#
# A utility script is provided which can be executed from the bin folder to add the users: -
# - Linux
# bin/add-user.sh
#
# - Windows
# bin\add-user.bat
#
# The following illustrates how an admin user could be defined.
#
#admin=PowerUser,BillingAdmin,
#guest=guest
mytest=myrole
[jbossserv@portal ~/jboss711Final/standalone/configuration]$
Client configuration:
<security-realm name="ejb-security-realm">
    <server-identities>
        <secret value="XXXXXUUUUUUUUUUUUUUUUfb466192463d57497a8d7aa6b739d515"/>
    </server-identities>
</security-realm>
As shown above, the password in the client configuration is deliberately written to be different from the password in the server configuration.
But the client is still able to communicate with the server without any problem.
Thank you for reading.
Thanks
Sam
-
4. Re: How to secure remote ejb communnication by user name and password only.
wdfink Mar 10, 2014 4:36 AM (in response to samwun9988)Hmm, as far as I remember, that might end in illegal base64; the characters at the end get cut off and you end up with a correct passwd.
What if you change the password at the server side?
Maybe enable TRACE for org.jboss.security to see more about that.
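As an added example (not code from this thread or from JBoss), a small Python check relating the two values compared in posts 3 and 4: application-users.properties stores HEX(MD5(username ':' realm ':' password)), while the client security-realm <secret> carries the Base64 of the plaintext password. The user name, password and digest below are constructed, not the thread's real credentials.

```python
import base64
import binascii
import hashlib

REALM = "ApplicationRealm"  # default realm name from the properties file header


def users_properties_digest(username: str, password: str, realm: str = REALM) -> str:
    """Value stored in application-users.properties: HEX(MD5(username ':' realm ':' password))."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


def client_secret(password: str) -> str:
    """Value for <secret value="..."/> in the client security-realm: Base64 of the plaintext password."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_client_secret(secret: str):
    """Password the client would present, or None if the secret is not valid Base64 text.

    validate=True rejects non-alphabet characters instead of silently dropping them,
    so a hand-edited secret fails loudly here rather than decoding to something unexpected.
    """
    try:
        return base64.b64decode(secret, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def secret_matches_realm(username: str, secret: str, stored_digest: str, realm: str = REALM) -> bool:
    """True only if the client secret decodes to the password behind the stored digest."""
    password = decode_client_secret(secret)
    return password is not None and users_properties_digest(username, password, realm) == stored_digest


if __name__ == "__main__":
    # Constructed sample values (hypothetical user), not the thread's real credentials.
    user, password = "demouser", "demoPass1"
    digest = users_properties_digest(user, password)
    print(f"{user}={digest}")                                # line for application-users.properties
    print(f'<secret value="{client_secret(password)}"/>')    # matching client-side secret
    print(secret_matches_realm(user, client_secret(password), digest))     # True
    print(secret_matches_realm(user, client_secret("otherPass"), digest))  # False
    # Pasting the server-side hex digest into the client secret does not match either:
    print(secret_matches_realm(user, digest, digest))                      # False
```

Because the server stores only the digest and the client ships only the Base64 password, the two files must be generated from the same plaintext; a pair that passes this check but still lets a wrong secret through points at the client not using that security-realm at all.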
-
5. Re: How to secure remote ejb communnication by user name and password only.
samwun9988 Mar 10, 2014 7:38 AM (in response to wdfink)Thank you for your suggestion.
I tried manually changing its password to something completely different (e.g. I copied the password of the admin user over the password of mytest), to make sure the password is completely different from the client's password and is a valid base64 password, but the client still communicates with the server without error.
I'm really stuck.
Best regards
sam
-
6. Re: How to secure remote ejb communnication by user name and password only.
wdfink Mar 10, 2014 3:27 PM (in response to samwun9988)Did you restart the server after changing the password?
-
7. Re: How to secure remote ejb communnication by user name and password only.
samwun9988 Mar 10, 2014 10:29 PM (in response to wdfink)Yes
-
8. Re: How to secure remote ejb communnication by user name and password only.
samwun9988 Mar 10, 2014 10:30 PM (in response to samwun9988)Just wondering if anybody from the JBoss team has written a programming guide.