-
1. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 2, 2014 10:21 AM (in response to sae_stahlgruber)
I assume it's too early to use WildFly. I couldn't get the jboss-as-ejb-security-interceptors quickstart to work either:
Caused by: java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:, moduleName:jboss-as-ejb-security-interceptors, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@38de2e8f
-
2. Re: DatabaseServerLoginModule broken?
jaikiran Apr 3, 2014 7:53 AM (in response to sae_stahlgruber)
I just posted a reply to the thread "Re: Cannot get password in custom LoginModule". Can you give it a try?
-
3. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 4, 2014 2:21 AM (in response to jaikiran)
My problem seems rather to be caused by this new local user thing.
When debugging SimpleSecurityManager.authenticate I see Principal: $local@ApplicationRealm
So I commented out the local tag in the standalone.xml:
<security-realm name="ApplicationRealm">
    <authentication>
        <!-- <local default-user="$local" allowed-users="*"/> -->
        <properties path="application-users.properties" relative-to="jboss.server.config.dir" />
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir" />
    </authorization>
</security-realm>
But then I get:
javax.security.sasl.SaslException: Authentication failed: the server presented no authentication mechanisms
-
4. Re: DatabaseServerLoginModule broken?
jaikiran Apr 4, 2014 2:38 AM (in response to sae_stahlgruber)
You should be disabling the JBOSS-LOCAL-USER auth mechanism in your client configuration, like I suggested here: "Re: Cannot get password in custom LoginModule"
-
5. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 4, 2014 3:21 AM (in response to jaikiran)
I have had that before
-
6. Re: DatabaseServerLoginModule broken?
jaikiran Apr 4, 2014 3:29 AM (in response to sae_stahlgruber)
Can you attach an application which reproduces this against WildFly 8 Final?
-
7. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 4, 2014 8:40 AM (in response to jaikiran)
All I can give you for now is my login context.
// EJB client connection settings
Properties clientProperties = new Properties();
clientProperties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
clientProperties.put("remote.connections", "default");
clientProperties.put("remote.connection.default.port", "8080");
clientProperties.put("remote.connection.default.host", "localhost");
clientProperties.put("remote.connection.default.username", "root");
clientProperties.put("remote.connection.default.password", "pw4root");
clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
// Disallow the local-user mechanism so the username/password above is used
clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
EJBClientConfiguration ejbClientConfiguration = new PropertiesBasedEJBClientConfiguration(clientProperties);
ContextSelector<EJBClientContext> contextSelector = new ConfigBasedEJBClientContextSelector(ejbClientConfiguration);
EJBClientContext.setSelector(contextSelector);
// JNDI context for the remote lookup
Properties properties = new Properties();
properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
properties.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");
properties.put("jboss.naming.client.ejb.context", true);
Context context = new InitialContext(properties);
I have read a lot of documentation - which unfortunately is not up-to-date for WildFly.
With all my efforts all I can get is the $local principal on the server side.
-
8. Re: DatabaseServerLoginModule broken?
jaikiran Apr 24, 2014 6:08 AM (in response to sae_stahlgruber)
Please give it a try against the latest released 8.1.0.CR1 (Downloads · WildFly). If it still fails there, please file a JIRA (Browse Projects - JBoss Issue Tracker) with an application to reproduce it so that someone can take a look. I have seen 2-3 threads with a similar issue on WildFly, so it might either be a configuration issue or some real bug. Give it a try soon, before 8.1.0.Final gets released.
-
9. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 25, 2014 7:51 AM (in response to jaikiran)
With 8.1.0.CR1, although the JNDI-lookup works, a call to any remote method results in:
Exception in thread "main" java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:Universalkatalog, moduleName:UniversalkatalogEJB, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@3aa3db4b
at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:749)
at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:116)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183)
at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198)
at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144)
at com.sun.proxy.$Proxy0.log(Unknown Source)
at de.stahlgruber.universal.client.EjbTryoutTestNoAuto.main(EjbTryoutTestNoAuto.java:87)
-
10. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 25, 2014 9:12 AM (in response to jaikiran)
Ok. Forget the previous. That was temporary. After restarting the application server it works now - still without authentication.
The trouble - as I understand it - seems to be that the http-remoting-connector uses the ApplicationRealm. That way all that arrives within the DatabaseServerLoginModule is a "$local" user.
If I configure the http-remoting-connector with my own UnisecRealm like that:
<security-realm name="UnisecRealm">
    <authentication>
        <jaas name="unisec"/>
    </authentication>
</security-realm>
.. and configure the http-remoting-connector using the UnisecRealm then I get "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed". The DatabaseServerLoginModule is not called then.
If I configure the http-remoting-connector without a realm the user id that arrives in the DatabaseServerLoginModule is an "anonymous" user.
As the DatabaseServerLoginModule won't find the user with user ids "$local" or "anonymous" this will result in " javax.ejb.EJBAccessException: JBAS013323: Invalid User".
How would I configure the http-remoting-connector in a way that would pass through the correct user and password information to the DatabaseServerLoginModule as it used to work with JBoss AS 6.1?
The security domain is defined like that:
<security-domain name="unisec" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:/DB2DS"/>
        </login-module>
    </authentication>
</security-domain>
-
11. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 28, 2014 9:04 AM (in response to sae_stahlgruber)
I noticed that now there is a wildfly-ejb-remote quickstart project which works with WildFly 8.0, compiled and ran it successfully.
Then I added @SecurityDomain("unisec") to the wildfly-ejb-remote-server-side/src/main/java/org/jboss/as/quickstarts/ejb/remote/stateless/CalculatorBean.java, and added ..
remote.connection.default.username=myusername
remote.connection.default.password=pw4myusername
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
and changed remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
in wildfly-ejb-remote-client/src/main/resources/jboss-ejb-client.properties
The org.jboss.security.auth.spi.DatabaseServerLoginModule is called, which I can see by debugging into the method org.jboss.security.auth.spi.UsernamePasswordLoginModule.login() of its base class.
And - debugging -
this.loginOk = false;
String[] info = getUsernameAndPassword();
String username = info[0];
String password = info[1];
I can see the values of username and password.
That's great, though I have no idea what was wrong before!
-
12. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 29, 2014 3:16 AM (in response to sae_stahlgruber)
But for some reason the programmatic way to supply the client settings does not work:
final Properties properties = new Properties();
properties.setProperty("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
properties.setProperty("remote.connections", "default");
properties.setProperty("remote.connection.default.host", "localhost");
properties.setProperty("remote.connection.default.username", "root");
properties.setProperty("remote.connection.default.password", getMD5("pw4root"));
properties.setProperty("remote.connection.default.port", "8080");
properties.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
properties.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
EJBClientContext.setSelector(
new ConfigBasedEJBClientContextSelector(
new PropertiesBasedEJBClientConfiguration(properties)));
-
13. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 29, 2014 3:27 AM (in response to sae_stahlgruber)
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login() returns true, so why does it throw this?
INFO: EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@14cbd69, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@55273929,channel=jboss.ejb,nodename=zorglt246]} on channel Channel ID fd76a138 (outbound) of Remoting connection 0167db34 to localhost/127.0.0.1:8080
Exception in thread "main" javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract int org.jboss.as.quickstarts.ejb.remote.stateless.RemoteCalculator.add(int,int) of bean: CalculatorBean is not allowed
at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:135)
-
14. Re: DatabaseServerLoginModule broken?
sae_stahlgruber Apr 29, 2014 4:49 AM (in response to sae_stahlgruber)
The DatabaseServerLoginModule included in JBoss 6.1.0 Final has had a default rolesQuery.
The DatabaseServerLoginModule in newer Picketbox releases has no default rolesQuery!
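
The missing default described in the last post can be supplied explicitly in the "unisec" security domain from post 10. This is an added example, not part of the thread or of the WildFly project; the table and column names (Principals, Roles, PrincipalID, Password, Role, RoleGroup) are assumptions and must be replaced with the schema actually behind java:/DB2DS.

```xml
<!-- Added example: "unisec" domain from post 10 with both queries set explicitly.
     Table and column names are assumptions; adapt them to the real schema. -->
<security-domain name="unisec" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="dsJndiName" value="java:/DB2DS"/>
            <!-- Authentication: must return the stored password for the given user id. -->
            <module-option name="principalsQuery"
                           value="select Password from Principals where PrincipalID=?"/>
            <!-- Authorization: column 1 is the role name, column 2 the role group.
                 Rows count as caller roles only when the group is 'Roles'.
                 Without this option the subject is authenticated but carries no roles. -->
            <module-option name="rolesQuery"
                           value="select Role, RoleGroup from Roles where PrincipalID=?"/>
        </login-module>
    </authentication>
</security-domain>
```

A login that succeeds with an empty role set is consistent with post 13, where login() returns true and the call is then rejected by AuthorizationInterceptor; the role names the query returns also have to match the method permissions declared on the bean.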