7 Replies Latest reply on Aug 5, 2014 4:29 PM by wolfgangknauf

JAAS login in application client does not work

wolfgangknauf Jun 3, 2014 3:34 PM

Hi all,

I struggle with a small sample that uses an application client module to access a secured stateless session bean. So I configured a security domain (using "jboss-app.xml" and also by using the "@SecurityDomain" annotation). All is fine when I perform a login in a web module and access the EJB.

But in my application client module, I see that a login is performed, by it seems that the password is not sent to the server.

After activating the log of the security layer, I see this output on the server side:

21:23:32,868 TRACE [org.jboss.security] (EJB default - 6) PBOX000263: Executing query SELECT PASSWORT FROM BENUTZER WHERE LOGIN=? with username kunde

21:23:32,868 DEBUG [org.jboss.security] (EJB default - 6) PBOX000283: Bad password for username kunde

So the "Database" login module is kicking in, and the username "kunde" is the one that's provided in the client. But the password is declared "bad", so I assume it must be null.

And the client sees this exception for every ejb method call:

21:23:33,009 INFO [stdout] (Thread-39) Failed (javax.ejb.EJBAccessException): JBAS013323: Invalid User

On the client side, I did this for logging in:

LoginContext loginContext = new LoginContext ("knaufsecurity", callbackHandler);

loginContext.login();

The callback handler just provides a hard coded username and password for the corresponding callbacks - name and password callback are called.

I also declare a "auth.conf" in the client (don't know whether it is required, the sample is migrated from JBoss 5).

knaufsecurity {

org.jboss.security.ClientLoginModule required;

};

And in "%WILDFLY_HOME%\appclient\configuration\appclient.xml", I added this:

<security-domain name="knaufsecurity" cache-type="default">

<login-module code="Client" flag="required"/>

</authentication>

</security-domain>

Attached is my EAR file (contains sources). To reproduce:

1) add this to "standalone.xml":

<security-domain name="knaufsecurity" cache-type="default">

<login-module code="Database" flag="required">

<module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>

<module-option name="principalsQuery" value="SELECT PASSWORT FROM BENUTZER WHERE LOGIN=?"/>

<module-option name="rolesQuery" value="SELECT R.ROLLE, 'Roles' FROM ROLLE AS R, BENUTZER_ROLLE AS BR, BENUTZER AS B WHERE B.LOGIN=? AND BR.ROLLEN_ID = R.ID AND BR.BENUTZER_ID = B.ID"/>

</login-module>

</authentication>

</security-domain>

2) deploy EAR file to server

3) make my changes to "appclient.xml" (if this is necessary at all?)

4) run app client: %WILDFLY_HOME%\bin\appclient.bat c:\path\to\Security.ear#SecurityClient.jar

Hope that someone can shed some light on this. Either I have a misunderstanding in my client side JAAS config, or there is something broken in WildFly...

Best regards

Wolfgang

1. Re: JAAS login in application client does not work

wolfgangknauf Jun 4, 2014 1:41 PM (in response to wolfgangknauf)
Sorry, I forgot the attachment.

Security.ear 16.4 KB
Actions
2. Re: JAAS login in application client does not work

wolfgangknauf Jul 22, 2014 3:52 PM (in response to wolfgangknauf)

Just wanted to bring this back to your attention. Could someone take a look at it and point to a (maybe) configuration error on my side? If it is a bug, I assume there is not much chance that it get's fixed, as WildFly 9 uses Elytron.

Best regards

Wolfgang
Actions
3. Re: JAAS login in application client does not work

pmm Jul 28, 2014 3:19 AM (in response to wolfgangknauf)

To my knowledge JAAS login for the EJB client is no longer supported.
Actions
4. Re: JAAS login in application client does not work

wolfgangknauf Jul 31, 2014 4:10 PM (in response to pmm)

What would be the alternative then?

Best regards

Wolfgang
Actions
5. Re: JAAS login in application client does not work

wolfgangknauf Aug 4, 2014 3:58 PM (in response to wolfgangknauf)

Philippe, I found your reply here: https://community.jboss.org/thread/234591 Using your snippets, I made it working by declaring a custom security realm which delegates to a JAAS login module, and let the remoting connector point to this security realm.
Is this the correct way to go? I assume for WildFly 9, this will be completely different again :-(?

Wolfgang
Actions
6. Re: JAAS login in application client does not work

pmm Aug 5, 2014 3:07 AM (in response to wolfgangknauf)

Wolfgang Knauf wrote:

Philippe, I found your reply here: https://community.jboss.org/thread/234591 Using your snippets, I made it working by declaring a custom security realm which delegates to a JAAS login module, and let the remoting connector point to this security realm.

Is this the correct way to go? I assume for WildFly 9, this will be completely different again :-(?

Wolfgang

We use EJBClientContext.setSelector. We assume this will work until JBoss Remoting gets refactored the next time.
Actions
7. Re: JAAS login in application client does not work

wolfgangknauf Aug 5, 2014 4:29 PM (in response to pmm)

Thanks! Is your workaround based on this sample: https://github.com/wildfly/quickstart/tree/master/ejb-security-interceptors

As your suggestion with the SecurityRealm works for me, I think I am done. Just want to understand the correct way to achieve this all ;-)
Best regards

Wolfgang
Actions

Go to original post