0 Replies Latest reply on Dec 2, 2016 5:44 AM by psychollek

    Setting security-domain for JCA connector in rar

    psychollek

      Hi,
      I'm creating a JCA connector for LDAP that needs to call LDAP over GSSAPI - due to some clashes in JAAS I need my connector to work in a specific security-domain (where I can specify only a limited number of security modules so the whole thing works). I tried to set this up in ironjacamar.xml:

      <ironjacamar xmlns="http://www.ironjacamar.org/doc/schema"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://www.ironjacamar.org/doc/schema
                   http://www.ironjacamar.org/doc/schema/ironjacamar_1_1.xsd">
        <config-property name="authVersion"></config-property>

        <transaction-support>NoTransaction</transaction-support>

        <connection-definitions>
          <!-- class-name must match the managedconnectionfactory-class declared in ra.xml -->
          <connection-definition class-name="org.example.auth.ldap.LdapManagedConnectionFactory" jndi-name="java:/eis/LdapConnectionFactory" pool-name="LdapConnectionFactory">
              <security>
                  <security-domain>my-ldap</security-domain>
              </security>
          </connection-definition>
        </connection-definitions>

      </ironjacamar>

      This doesn't seem to have any effect (when I tried to deploy this on standalone IronJacamar it failed due to the lack of a "my-ldap" security domain - and when I deploy it on WildFly it doesn't fail even when the security-domain is commented out).


      Then I tried to use the ra.xml authentication mechanism to force WildFly to load only the krbv5 module (I would not use it, but if it is the only module loaded then the whole thing works), with no effect:

      <connector
          xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
          xmlns='http://xmlns.jcp.org/xml/ns/javaee'
          xsi:schemaLocation='http://xmlns.jcp.org/xml/ns/javaee 
          http://www.oracle.com/webfolder/technetwork/jsc/xml/ns/javaee/connector_1_7.xsd'
          version="1.7">
         <vendor-name>Red Hat Inc</vendor-name>
         <eis-type>LDAP</eis-type>
         <resourceadapter-version>0.1</resourceadapter-version>
         <resourceadapter>
            <resourceadapter-class>org.example.auth.ldap.LdapRa</resourceadapter-class>
            <outbound-resourceadapter>
               <connection-definition>
                  <managedconnectionfactory-class>org.example.auth.ldap.LdapManagedConnectionFactory</managedconnectionfactory-class>
                  <connectionfactory-interface>sample.ldap.ra.api.LdapConnectionFactory</connectionfactory-interface>
                  <connectionfactory-impl-class>org.example.auth.ldap.LdapConnectionFactoryImpl</connectionfactory-impl-class>
                  <connection-interface>sample.ldap.ra.api.LdapConnection</connection-interface>
                  <connection-impl-class>org.example.auth.ldap.LdapConnectionImpl</connection-impl-class>
               </connection-definition>
               <transaction-support>NoTransaction</transaction-support>
               <reauthentication-support>true</reauthentication-support>
               <authentication-mechanism>
                   <credential-interface>javax.resource.spi.security.GenericCredential</credential-interface>
                   <authentication-mechanism-type>Kerbv5</authentication-mechanism-type>
               </authentication-mechanism>
            </outbound-resourceadapter>
         </resourceadapter>
      </connector>

      My security domain:

      <security-domain name="my-ldap" cache-type="default">
          <authentication>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="RealmDirect" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="com.sun.security.auth.module.Krb5LoginModule" flag="optional"/>
          </authentication>
      </security-domain>
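The post above cannot tell from the outside whether the container actually applied the security-domain to the connection definition. The following helper is an added example, not the poster's code: it inspects the Subject that container-managed sign-on hands to ManagedConnectionFactory.createManagedConnection(Subject, ConnectionRequestInfo) and reports whether a Kerberos principal and a KerberosTicket (the TGT that Krb5LoginModule stores in the private credentials) are present. The package and class names, the log format and the sample principal ldapclient@EXAMPLE.ORG are assumptions; the javax.security.auth types are standard Java SE, so the main method runs without any KDC or application server.

```java
// Added diagnostic helper (not the original poster's code). Package and class
// names are assumptions; only the javax.security.auth.* types are real.
package org.example.auth.ldap;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public final class SubjectReport {

    public final boolean subjectPresent;
    public final List<String> principalNames;
    public final boolean kerberosPrincipalPresent;
    public final boolean kerberosTicketPresent;

    private SubjectReport(boolean present, List<String> names,
                          boolean krbPrincipal, boolean krbTicket) {
        this.subjectPresent = present;
        this.principalNames = Collections.unmodifiableList(names);
        this.kerberosPrincipalPresent = krbPrincipal;
        this.kerberosTicketPresent = krbTicket;
    }

    /**
     * Inspect the Subject the container passes to
     * ManagedConnectionFactory.createManagedConnection(Subject, ConnectionRequestInfo).
     * Call this at the top of that method and log the result: if subjectPresent
     * is false, the security-domain is not being applied to this connection
     * definition at all; if it is true but no KerberosTicket is present, the
     * login modules ran but Krb5LoginModule did not obtain a TGT.
     */
    public static SubjectReport inspect(Subject subject) {
        if (subject == null) {
            // Typically what the adapter sees when no security-domain applies
            // to the connection definition (application-managed sign-on).
            return new SubjectReport(false, new ArrayList<String>(), false, false);
        }
        List<String> names = new ArrayList<String>();
        boolean krbPrincipal = false;
        for (Principal p : subject.getPrincipals()) {
            names.add(p.getClass().getSimpleName() + ":" + p.getName());
            if (p instanceof KerberosPrincipal) {
                krbPrincipal = true;
            }
        }
        // Krb5LoginModule stores the TGT here on a successful login; without
        // it a later GSSAPI bind to LDAP cannot obtain a service ticket.
        boolean krbTicket = !subject.getPrivateCredentials(KerberosTicket.class).isEmpty();
        return new SubjectReport(true, names, krbPrincipal, krbTicket);
    }

    @Override
    public String toString() {
        return "subjectPresent=" + subjectPresent
                + " principals=" + principalNames
                + " kerberosPrincipal=" + kerberosPrincipalPresent
                + " kerberosTicket=" + kerberosTicketPresent;
    }

    // Stand-alone demonstration with a constructed Subject (no KDC involved):
    // first the "security-domain not applied" case, then a Subject that
    // carries a Kerberos principal but no ticket.
    public static void main(String[] args) {
        System.out.println(inspect(null));
        Subject s = new Subject();
        s.getPrincipals().add(new KerberosPrincipal("ldapclient@EXAMPLE.ORG"));
        System.out.println(inspect(s));
    }
}
```

Logging the report from createManagedConnection distinguishes the two failure modes the post describes: a null Subject means the connection definition is not wired to the security-domain (so commenting it out changing nothing is expected), while a Subject with principals from Remoting or RealmDirect but no KerberosTicket means the domain is applied but the optional Krb5LoginModule never produced credentials.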