Skip navigation

This project is read only now. Read more.

8 Replies Latest reply on Nov 22, 2015 4:49 PM by fpezzati

EJB jndi lookup with a custom login module

fpezzati Nov 8, 2015 7:18 AM

Hello,

I'm using Wildfly-9.0.1.Final and I'm facing a strange problem, when I try to invoke an EJB using jndilookup I got this error on Wildfly's log:

19:42:22,640 INFO [it.bytebear.jaas.mongo.module.MongoLoginModule] (EJB default - 4) Initializing MongoLoginModule.

19:42:22,640 INFO [it.bytebear.jaas.mongo.module.MongoLoginModule] (EJB default - 4) login requested.

19:42:27,347 INFO [it.bytebear.jaas.mongo.module.MongoLoginModule] (EJB default - 4) check credentials for: jim with passwd: org.jboss.as.security.remoting.RemotingConnectionCredential@1f6a2a8c

19:42:27,347 INFO [it.bytebear.jaas.mongo.module.MongoLoginModule] (EJB default - 4) abort!

19:42:27,349 ERROR [org.jboss.as.ejb3.invocation] (EJB default - 4) WFLYEJB0034: EJB Invocation failed on component UserServices for method public abstract java.lan

g.String it.bytebear.web.mongo.UserServiceRemote.postUserA(): javax.ejb.EJBAccessException: WFLYSEC0027: Invalid User

at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:69)

at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)

at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:53)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:66)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:64)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)

at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:634)

at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:61)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:356)

at org.jboss.invocation.PrivilegedWithCombinerInterceptor.processInvocation(PrivilegedWithCombinerInterceptor.java:80)

at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:340)

at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)

at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:195)

at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.invokeMethod(MethodInvocationMessageHandler.java:331)

at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler.access$100(MethodInvocationMessageHandler.java:69)

at org.jboss.as.ejb3.remote.protocol.versionone.MethodInvocationMessageHandler$1.run(MethodInvocationMessageHandler.java:202)

at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)

at java.util.concurrent.FutureTask.run(FutureTask.java:262)

at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)

at java.lang.Thread.run(Thread.java:744)

at org.jboss.threads.JBossThread.run(JBossThread.java:320)

As you can see password callback is returning this weird String value: org.jboss.as.security.remoting.RemotingConnectionCredential@1f6a2a8c. The EJB and the custom login works well. The EJB is exposed as a RESTful web service and I can access it as expected. This is my client, maybe there is something wrong in it:

public class EjbClientTest {

private Context jndiContext;

private Properties jndiProperties;

@Before

public void init() {

jndiProperties = new Properties();

jndiProperties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");

jndiProperties.put("remote.connections", "default");

jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY,

org.jboss.naming.remote.client.InitialContextFactory.class

.getName());

jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");

jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

jndiProperties.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");

jndiProperties.put(Context.SECURITY_PRINCIPAL, "gino");

jndiProperties.put(Context.SECURITY_CREDENTIALS, "strada");

jndiProperties.put("jboss.naming.client.ejb.context", true);

}

@Test

public void test() {

try {

jndiContext = new InitialContext(jndiProperties);

UserServiceRemote usrv = (UserServiceRemote) jndiContext

.lookup("/MongoWebTest/UserServices!it.bytebear.web.mongo.UserServiceRemote");

System.out.println("Risultato: " + usrv.postUserA());

Assert.assertTrue(true);

} catch (NamingException e) {

e.printStackTrace();

Assert.fail();

} catch (Exception e) {

e.printStackTrace();

Assert.fail();

}

}

}

1. Re: EJB jndi lookup with a custom login module

jaysensharma Nov 8, 2015 12:03 PM (in response to fpezzati)

Looks like you are mixing the EJB Client API based lookup and the Remoting Based EJB Lookup code.

Can you try with any of the following approach:

1). remote-naming project based approach

https://docs.jboss.org/author/display/WFLY8/Remote+EJB+invocations+via+JNDI+-+EJB+client+API+or+remote-naming+project

Example:

          Context context=null;
          try {
                Properties props = new Properties();
                props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                props.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");   // NOTICE: "http-remoting" and port "8080"
                props.put(Context.SECURITY_PRINCIPAL, "ejbuser");
                props.put(Context.SECURITY_CREDENTIALS, "ejbuser@1");
                props.put("jboss.naming.client.ejb.context", true);
                context = new InitialContext(props);
             System.out.println("\n\tGot initial Context: "+context);
           } catch (Exception e) {
                e.printStackTrace();
           }

See the complete code at: MiddlewareMagicDemos/Client.java at master · jaysensharma/MiddlewareMagicDemos · GitHub

2). remote ejb client api based approach

EJB invocations from a remote client using JNDI - WildFly 8 - Project Documentation Editor

Example: Can be seen in the following discussion : Re: EJB Remote Client - reconnect - how to

and

http://middlewaremagic.com/jboss/?p=2744

Regards

Jay SenSharma

2. Re: EJB jndi lookup with a custom login module

jaysensharma Nov 8, 2015 12:05 PM (in response to fpezzati)

Even after changing the client code if you still face the same issue then can you please share more details about the custom login module which you created ?

Also can you tell us from where the Output of your client execution is saying "check credentials for: jim with passwd: ", I do not see that anywhere in your code you used the username as "jim" ? (you seems to be trying to pass the username as "gino")
Actions
3. Re: EJB jndi lookup with a custom login module

fpezzati Nov 8, 2015 3:31 PM (in response to jaysensharma)

Hello Jay,

"jim" or "gino" is simply a cut and paste problem. I did a couple of tests but the client'source is the same (except for "jim" ). I change the code as you suggest in your example (remote-naming approach) but I still get the same error, user is invalid and password looks like this:

org.jboss.as.security.remoting.RemotingConnectionCredential@2fc53c91

This is the client:

public class EjbClientTest {

private Context jndiContext;
private Properties jndiProperties;

@Before
public void init() {
jndiProperties = new Properties();
jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY,
"org.jboss.naming.remote.client.InitialContextFactory");
jndiProperties.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");
jndiProperties.put(Context.SECURITY_PRINCIPAL, "gino");
jndiProperties.put(Context.SECURITY_CREDENTIALS, "strada");
jndiProperties.put("jboss.naming.client.ejb.context", true);
}

@Test
public void test() {
try {
jndiContext = new InitialContext(jndiProperties);
UserServiceRemote usrv = (UserServiceRemote) jndiContext
.lookup("/MongoWebTest/UserServices!it.bytebear.web.mongo.UserServiceRemote");
System.out.println("Risultato: " + usrv.postUserA());
Assert.assertTrue(true);
} catch (NamingException e) {
e.printStackTrace();
Assert.fail();
} catch (Exception e) {
e.printStackTrace();
Assert.fail();
}
}
}

This is my custom login module:

public class MongoLoginModule implements LoginModule {

@Inject
protected MongoDB mongoDb;
protected Subject subject;
protected Principal identity;
protected boolean loginOk;

private CallbackHandler callbackHandler;
@SuppressWarnings({ "rawtypes", "unused" })
private Map sharedState;
@SuppressWarnings({ "rawtypes", "unused" })
private Map options;

private Logger log = LoggerFactory.getLogger(MongoLoginModule.class);

public boolean abort() throws LoginException {
log.info("abort!");
subject = null;
return true;
}

public boolean commit() throws LoginException {
try {
if (loginOk) {
UserGroup userGroup = new UserGroup("Roles");
userGroup.addMember(new RolePrincipal("userA"));
subject.getPrincipals().add(userGroup);
subject.getPublicCredentials().add(userGroup);
log.info("commit!");
return true;
}
log.info("login was not successful");
} catch (Throwable e) {
log.error("Error while committing.", e);
}
return false;
}

public void initialize(Subject subject, CallbackHandler callbackHandler,
Map<String, ?> sharedState, Map<String, ?> options) {
log.info("Initializing MongoLoginModule.");
this.subject = subject;
this.callbackHandler = callbackHandler;
this.sharedState = sharedState;
this.options = options;
}

public boolean login() throws LoginException {
log.info("login requested.");
NameCallback nameCallback = new NameCallback("username:");
PasswordCallback passwordCallback = new PasswordCallback("password:", false);
try {
callbackHandler.handle(new Callback[]{nameCallback, passwordCallback});
String username = nameCallback.getName();
String password = new String(passwordCallback.getPassword());
log.info("check credentials for: "+username+" with passwd: "+password);
if(username.equals("gino") && password.equals("strada")) {
loginOk = true;
identity = new UserPrincipal(username);
subject.getPrincipals().add(identity);
subject.getPublicCredentials().add(identity);
return true;
}
} catch (IOException e) {
e.printStackTrace();
} catch (UnsupportedCallbackException e) {
e.printStackTrace();
}
return false;
}

public boolean logout() throws LoginException {
if(subject != null && identity != null) {
subject.getPrincipals().remove(identity);
return true;
}
return false;
}

public Document getUserByName(String userName) {
FindIterable<Document> results = mongoDb.getCollection().find(new Document("username", userName));
return results.iterator().next();
}

public void getRoles() {
// FindIterable<Document> results = mongoDb.getCollection().find(new Document("username", userName));
// results.iterator().next().get
}
}

Thanks for your reply.
Actions
4. Re: EJB jndi lookup with a custom login module

jaysensharma Nov 8, 2015 10:23 PM (in response to fpezzati)

How are you deploying your custom module in WildFly ? Also may be sharing the "urn:jboss:domain:security" subsystem configuration will also be good.

Looks like there is a very good article on which explains how to create MongoDB loging module by extending the "UsernamePasswordLoginModule" it might give you a good idea.
Configuring a MongoDB Login Module
Actions
5. Re: EJB jndi lookup with a custom login module

fpezzati Nov 9, 2015 8:30 AM (in response to jaysensharma)

This is my security-domain:

<security-domain name="MongoLoginRealm" cache-type="default">
<authentication>
<login-module code="it.bytebear.jaas.mongo.module.MongoLoginModule" flag="required">
<module-option name="mongodb.uri" value="mongodb://localhost:21017/test?collection"/>
</login-module>
</authentication>
</security-domain>

My custom login module extends javax.security.auth.spi.LoginModule. There is something strange about this error. My EJB is also exposed as a RESTFul web service and I can correctly interact with it by http. By http everything works as expected, methods are protected by annotations which I can access when I login with correct credentials, "gino" and "strada". But, when I try to invoke methods by EJB client I got an "invalid user" and this strange password.
Actions
6. Re: EJB jndi lookup with a custom login module

jaysensharma Nov 9, 2015 10:26 AM (in response to fpezzati)

Just wanted to quickly check if you have also changed the "ApplicationRealm" to point to your own realm? As your EJB Client is going to access the EJB over "http-remoting://localhost:8080"

        <subsystem xmlns="urn:jboss:domain:remoting:2.0">
            <endpoint worker="default"/>
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        </subsystem>
Actions
7. Re: EJB jndi lookup with a custom login module

fpezzati Nov 9, 2015 4:47 PM (in response to jaysensharma)

No I did not. I don't add any security-realm, just one security-domain the "MongoLoginRealm".
Actions
8. Re: EJB jndi lookup with a custom login module

fpezzati Nov 22, 2015 4:49 PM (in response to jaysensharma)

Hello Jay. Finally I'm back again on this issue. I tried to change the ApplicationRealm this way:

<security-realm name="ApplicationRealm">
<authentication>
<jaas name="MongoLoginRealm"/>
</authentication>
</security-realm>

I'm not sure about this configuration, I didn't found some docs about it. MongoLoginRealm is my security-domain, is that configuration correct? Now, when I try to do the lookup I got back this exception instead:

javax.naming.AuthenticationException: Failed to connect to any server. Servers tried: [http-remoting://localhost:8080 (Authentication failed: all available authentication mechanisms failed:)] [Root exception is javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:]
at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:238)
at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:149)
at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:130)
at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:272)
at org.jboss.naming.remote.client.RemoteContext.lookupInternal(RemoteContext.java:104)
at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:93)
at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:146)
at javax.naming.InitialContext.lookup(InitialContext.java:411)
at it.bytebear.mongo.ejb.EjbClientTest.test(EjbClientTest.java:40)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:50)
at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:47)
at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:325)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:78)
at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:57)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:290)
at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:71)
at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:288)
at org.junit.runners.ParentRunner.access$000(ParentRunner.java:58)
at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:268)
at org.junit.runners.ParentRunner.run(ParentRunner.java:363)
at org.eclipse.jdt.internal.junit4.runner.JUnit4TestReference.run(JUnit4TestReference.java:50)
at org.eclipse.jdt.internal.junit.runner.TestExecution.run(TestExecution.java:38)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:467)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.runTests(RemoteTestRunner.java:683)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.run(RemoteTestRunner.java:390)
at org.eclipse.jdt.internal.junit.runner.RemoteTestRunner.main(RemoteTestRunner.java:197)
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:113)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:433)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:240)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:196)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:110)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.ChannelListeners$DelegatingChannelListener.handleEvent(ChannelListeners.java:1092)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:88)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:539)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:272)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:253)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:351)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:335)
at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:111)
at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:197)
... 32 more
Actions

Go to original post