6 Replies Latest reply on Jul 13, 2015 10:05 AM by b1102

    Jboss ejb remote call with JAAS login module

    b1102

      Hello, I have a standalone application that calls an EJB remotely on JBOSS 7.4. When I am using the security realm ApplicationRealm, everything works fine. But when I am trying to use the realm with the JAAS login module I get the java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling. Any ideas why, and is it possible to do this in JBOSS?

       

      The realm configuration:

       

      <security-realm name="DoComUeRealm">
         <authentication>
            <jaas name="DoComUeDomain" />
         </authentication>
      </security-realm>
      
      
      
      

      ...

      <security-domain name="DoComUeDomain" cache-type="default">
         <authentication>
            <login-module code="Remoting" flag="optional">
               <module-option name="password-stacking" value="useFirstPass" />
            </login-module>
            <login-module code="Identity" flag="required">
               <module-option name="password-stacking" value="useFirstPass" />
               <module-option name="principal" value="skobiako@T-SYSTEMS.COM" />
            </login-module>
         </authentication>
         <mapping>
            <mapping-module code="DatabaseRoles" type="role">
               <module-option name="dsJndiName" value="java:/jdbc/DoCoMueDS" />
               <module-option name="rolesQuery" value="WITH T_BENUTZER AS( SELECT BEN_ID FROM BENUTZER WHERE BEN_KRB_PRINCIPAL=? AND BEN_ISTGEPERRT=0 ) SELECT 'Authenticated' ROLE_NAME FROM T_BENUTZER UNION ALL SELECT DISTINCT GESCHAEFTSOBJEKT.GEOB_NAME||'.'||RECHT.RECHT_RECHTEART FROM T_BENUTZER, Z_BEN_ROLLE, GESCHAEFTSOBJEKT, RECHT WHERE T_BENUTZER.BEN_ID=Z_BEN_ROLLE.BEN_ID AND Z_BEN_ROLLE.ROLLE_ID=GESCHAEFTSOBJEKT.ROLLE_ID AND GESCHAEFTSOBJEKT.GEOB_ID=RECHT.GEOB_ID" />
            </mapping-module>
         </mapping>
      </security-domain>
      
      
      
      

      ...

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
         <connector name="remoting-connector" socket-binding="remoting" security-realm="DoComUeRealm" />
      </subsystem>
      
      
      
      
        • 1. Re: Jboss ejb remote call with login-module: Identity
          jaikiran

          Please post the client side code and configs you use to invoke on the bean.

           

          Secondly, I think there was a bug in AS 7.x which would cause JAAS backed realms to fail when used against remote invocations. I'll have to find that JIRA.

           

          Any reason why you aren't using the latest released WildFly 9.0.0.Final (JBoss AS has been renamed to WildFly)?

          • 2. Re: Jboss ejb remote call with login-module: Identity
            b1102

            The client ejb code:

             

            static {
              Properties properties = getContextProperties();
              try {
                context = (Context) new InitialContext(properties).lookup("ejb:");
              } catch (NamingException e) {
                throw new IllegalArgumentException("Couldn't instantiate initial context", e);
              }
            }
            
            private static Properties getContextProperties() {
              Properties properties = new Properties();
              properties.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
              properties.setProperty("endpoint.name", "client-endpoint");
              properties.setProperty("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
              properties.setProperty("remote.connections", "default");
              properties.setProperty("remote.connection.default.port", System.getProperty("remote.connection.default.port"));
              properties.setProperty("remote.connection.default.host", System.getProperty("remote.connection.default.host"));
              properties.setProperty("remote.connection.default.username", Authenticator.getPrincipalName());
              properties.setProperty("remote.connection.default.password", Authenticator.getPrincipalSecret());
              properties.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
              properties.setProperty("connect.options.org.jboss.remoting3.RemotingOptions.HEARTBEAT_INTERVAL", HEARTBEAT_INTERVAL_VALUE);
              properties.setProperty("org.jboss.ejb.client.scoped.context", "true");
              return properties;
            }
            
            public Object lookUpBean(String serviceName, Class serviceClass) {
              LOG.debug("getEJBHome(" + serviceName + ")");
              Object docomueBean;
              LOG.debug("Look up the remote bean for the service: " + serviceName);
              StringBuilder beanLookUpPath = new StringBuilder();
              beanLookUpPath.append(APPLICATION_NAME);
              beanLookUpPath.append("/");
              beanLookUpPath.append(SERVICES_JAR_NAME);
              beanLookUpPath.append("/");
              beanLookUpPath.append(serviceName);
              beanLookUpPath.append(BEAN_POSTFIX);
              beanLookUpPath.append(serviceClass.getName());
            
            
              if (STATEFUL_SERVICES_NAMES.contains(serviceName)) {
              beanLookUpPath.append("?stateful");
              }
              try {
              docomueBean = context.lookup(beanLookUpPath.toString());
              } catch (Exception ex) {
              String errmsg = "Failed to return the EJBHome for " + serviceName + " object: ";
              errmsg += ex;
              LOG.error(errmsg);
              throw new BusinessException(BusinessException.CREATE_SESSIONBEAN_FEHLGESCHLAGEN, errmsg, ex);
              }
              return docomueBean;
            }
            

             

            We are actually using EAP 6.3, so I was slightly mistaken, because inside is the 7.4.0 Final. We are using it because it is the last version of EAP supported by our internal production provider.

            • 3. Re: Jboss ejb remote call with login-module: Identity
              jaikiran

              Add the following to the properties that you are passing to the context:

               

              properties.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

              • 4. Re: Jboss ejb remote call with JAAS login module
                b1102

                Thank you, actually this was mentioned in the JBoss AS 7 : Remote EJB Authentication Howto

                Unfortunately I read it only now(

                Now, everything works!!!

                If you have time and it is possible, could you explain in short words why this property is so important here? The only explanation of it I found is that this property "specifies that no clear text communication will take place in the client-server communication"

                Looks like for JAAS module it is important, but for the ApplicationRealm not.

                • 5. Re: Jboss ejb remote call with JAAS login module
                  jaikiran

                  Kobiako Sergei wrote:


                  If you have time and it is possible, could you explain in short words why this property is so important here? The only explanation of it I found is that this property "specifies that no clear text communication will take place in the client-server communication"

                  Looks like for JAAS module it is important, but for the ApplicationRealm not.

                   

                  JAAS login modules require the plain text password to carry out the authentication. So this property needs to be set only if JAAS is involved in your authentication flow for remote invocations.

                  • 6. Re: Jboss ejb remote call with JAAS login module
                    b1102

                    Thank you very much, once again!
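
The explanation in reply 5, as an added example that is not part of the original thread: a standalone Java sketch of how the standard SASL `noplaintext` policy removes PLAIN from the client's mechanism list, leaving nothing in common with a realm that can only authenticate with the clear-text password. It uses the JDK's built-in SASL client factories as a stand-in for JBoss Remoting's own providers, and the server-side mechanism sets (PLAIN for the JAAS-backed realm, DIGEST-MD5 for ApplicationRealm) are assumptions of this example, as are the class and method names.

```java
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClientFactory;

public class SaslPolicyDemo {

    // Mechanisms the JDK's SASL client factories will use under the given policy.
    static Set<String> clientMechanisms(boolean noPlainText) {
        Map<String, String> policy =
                Collections.singletonMap(Sasl.POLICY_NOPLAINTEXT, Boolean.toString(noPlainText));
        Set<String> names = new LinkedHashSet<>();
        Enumeration<SaslClientFactory> factories = Sasl.getSaslClientFactories();
        while (factories.hasMoreElements()) {
            for (String mech : factories.nextElement().getMechanismNames(policy)) {
                names.add(mech);
            }
        }
        return names;
    }

    // First server-offered mechanism the client also accepts, or null if there is none.
    static String negotiate(Set<String> serverOffers, Set<String> clientAccepts) {
        for (String mech : serverOffers) {
            if (clientAccepts.contains(mech)) {
                return mech;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Assumed server offers (constructed for this example, not read from a server).
        Set<String> jaasRealm = Collections.singleton("PLAIN");
        Set<String> applicationRealm = Collections.singleton("DIGEST-MD5");

        for (boolean noPlainText : new boolean[] {true, false}) {
            Set<String> client = clientMechanisms(noPlainText);
            System.out.println("NOPLAINTEXT=" + noPlainText
                    + "  JAAS realm -> " + negotiate(jaasRealm, client)
                    + "  ApplicationRealm -> " + negotiate(applicationRealm, client));
        }
    }
}
```

With `SSL_ENABLED` set to `false`, as in the client properties posted in reply 2, allowing PLAIN means the password crosses the network unencrypted, so a JAAS-backed realm is best paired with TLS on the remoting connector.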