-
1. Re: EJB invocation denied on Wildfly 8.0 & 8.1
jaikiran May 23, 2014 12:20 AM (in response to fuzao)
Take a look at the section "Access to methods without explicit security metadata, on a secured bean" in this documentation: Securing EJBs - WildFly 8 - Project Documentation Editor. It explains what's going on and how to fix it.
-
2. Re: EJB invocation denied on Wildfly 8.0 & 8.1
wdfink May 23, 2014 12:21 PM (in response to fuzao)
You might set the global configuration missing-method-permission-deny-access of the server's ejb subsystem to false.
-
3. Re: EJB invocation denied on Wildfly 8.0 & 8.1
fuzao May 29, 2014 4:48 AM (in response to fuzao)
Hi guys, thanks for the help.
That works pretty well with a simple EJB 3 example project.
It doesn't work with an EJB2 project with method permissions defined in ejb-jar.xml. Any help?
But the problem here is that we open the security for bean invocation.
In my real project, on JBoss 6 for now, we have a property file where we set the username and password to access the bean; the authentication and authorization are then the responsibility of JBoss itself, based on LDAP or property-file authentication models.
I can't figure out how to set up this model in WildFly.
-
4. Re: EJB invocation denied on Wildfly 8.0 & 8.1
fuzao May 7, 2015 6:50 AM (in response to fuzao)
I found a way to do this in the WildFly series a few months ago, after a couple of weeks investigating.
I followed some examples, and the strategy is to use a ClientLoginModule and use the LoginContext helper.
<security-domain name="clm" cache-type="default">
    <authentication>
        <login-module code="Client" flag="required">
            <module-option name="multi-threaded" value="true"/>
            <module-option name="restore-login-identity" value="true"/>
        </login-module>
    </authentication>
</security-domain>
<security-domain name="appdomain" cache-type="default">
    <authentication>
        <login-module code="UsersRoles" flag="required">
            <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
            <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
EJBs are secured by a domain (appdomain in the example), but to access them from a thread we need a manual authentication as follows:
new LoginContext("clm", new Subject(), new UsernamePasswordCallbackHandler(username, password))
That works like a charm, BUT I don't understand the link between the ClientLoginModule and the application security domain.
Could anyone be so kind as to tell me how this works? Appreciated.
-
5. Re: EJB invocation denied on Wildfly 8.0 & 8.1
wdfink Nov 14, 2014 3:32 PM (in response to fuzao)
If security is enabled for the remoting connector, the client needs to have a user/passwd to establish the connection. This can be done with the properties file jboss-ejb-client.properties or, as you did, with the JAAS CallbackHandler.