5 Replies Latest reply on Jan 15, 2017 10:58 AM by boa_ig001

    Migrate Jboss AS 6 to WildFly 10 (UsersRolesLoginModule, CallerIdentityLoginModule, <security-domain>IG_CallerDS</security-domain>)?

    boa-ig

      Please tell me how to migrate an application from the Jboss AS 6 in WildFly 10?

      (sorry my english).

       

      really want to read an example of realizing the possibilities of Jboss AS 6, if it is possible to implement in WildFly

       

      Configuration Jboss AS 6:

        <application-policy name = "IGRoles">

            <authentication>
                <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag = "required">
                  <module-option name="usersProperties">IG_users.properties</module-option>
                  <module-option name="rolesProperties">IG_roles.properties</module-option>
                </login-module>
            </authentication>
          </application-policy>
      

       

                  <application-policy name = "IG_CallerDS">
            <authentication>
                <login-module code = "org.jboss.resource.security.CallerIdentityLoginModule"
                  flag = "required">
                  <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=OraDSIG</module-option>
                </login-module>
            </authentication>
          </application-policy>
      

       

      <datasources>
        <local-tx-datasource>
          <jndi-name>OraDSIG</jndi-name>
      <connection-url>jdbc:oracle:thin:@localhost:1521:olg1</connection-url>
      <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      <security-domain>IG_CallerDS</security-domain>
      <exception-sorter-class-name>org.jboss.resource.adapter.jdbc.vendor.OracleExceptionSorter</exception-sorter-class-name>
      </local-tx-datasource>
      </datasources>
      

       

      Configuration WildFly 10:

      test did the following:

      • standalone.xml

       

                     <security-domain name="ejb-security-domain33" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="UsersRoles" flag="required">
                                  <module-option name="defaultUsersProperties" value="${jboss.server.config.dir}/ejb-users.properties"/>
                                  <module-option name="defaultRolesProperties" value="${jboss.server.config.dir}/ejb-roles.properties"/>
                                  <module-option name="usersProperties" value="${jboss.server.config.dir}/ejb-users.properties"/>
                                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/ejb-roles.properties"/>
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      

      does not transmit the password but the file ejb-users.propertis requires

       

                      <security-domain name="ejb-security-domain" cache-type="default">
                          <authentication>
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="RealmDirect" flag="required">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="DatabaseUsers" flag="required">
                                  <module-option name="dsJndiName" value="java:jboss/OraDSIG"/>
                                  <module-option name="principalsQuery" value="select passwd AS PASSWORD from IG.USERS where login=?"/>
                                  <module-option name="rolesQuery" value="select role 'Roles', RoleGroup from IG.USER_ROLES where login=?"/>
                              </login-module>
                          </authentication>
                      </security-domain>
      

      I checked a lot of variants, but the error is always this:

       

      2016-12-01 10:46:14,472 TRACE [org.jboss.security] (default task-2) PBOX00236: Begin initialize method

      2016-12-01 10:46:14,472 TRACE [org.jboss.security] (default task-2) PBOX00240: Begin login method

      2016-12-01 10:46:14,472 DEBUG [org.jboss.security.auth.spi.AbstractServerLoginModule] (default task-2) Storing username 'ejbUser'

      2016-12-01 10:46:14,472 TRACE [org.jboss.security] (default task-2) PBOX00236: Begin initialize method

      2016-12-01 10:46:14,472 TRACE [org.jboss.security] (default task-2) PBOX00240: Begin login method

      2016-12-01 10:46:14,473 TRACE [org.jboss.security] (default task-2) PBOX00236: Begin initialize method

      2016-12-01 10:46:14,473 TRACE [org.jboss.security] (default task-2) PBOX00262: Module options [dsJndiName: java:jboss/OraDSIG, principalsQuery: select passwd AS PASSWORD from IG.USERS where login=?, rolesQuery: select role 'Roles', RoleGroup from IG.USER_ROLES where login=?, suspendResume: true]

      2016-12-01 10:46:14,474 TRACE [org.jboss.security] (default task-2) PBOX00240: Begin login method

      2016-12-01 10:46:15,283 TRACE [org.jboss.security] (default task-2) PBOX00263: Executing query select passwd AS PASSWORD from IG.USERS where login=? with username ejbUser

      2016-12-01 10:46:15,618 DEBUG [org.jboss.security] (default task-2) PBOX00283: Bad password for username ejbUser

      2016-12-01 10:46:15,619 TRACE [org.jboss.security] (default task-2) PBOX00244: Begin abort method, overall result: true

      2016-12-01 10:46:15,619 TRACE [org.jboss.security] (default task-2) PBOX00244: Begin abort method, overall result: true

      2016-12-01 10:46:15,619 TRACE [org.jboss.security] (default task-2) PBOX00244: Begin abort method, overall result: false

      2016-12-01 10:46:15,619 DEBUG [org.jboss.security] (default task-2) PBOX00206: Login failure: javax.security.auth.login.FailedLoginException: PBOX00070: Password invalid/Password required

       

                      <datasource jta="false" jndi-name="java:jboss/OraDSIG" pool-name="OraDSIG" enabled="true" use-ccm="false">
       <connection-url>jdbc:oracle:thin:@localhost:1521:olg1</connection-url>
       <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
       <driver>oracle</driver>
                          <security>
                                <user-name>ig</user-name>
                              <password>abcd</password>
                          </security>
                          <validation>
       <valid-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleValidConnectionChecker"/>
       <background-validation>true</background-validation>
       <stale-connection-checker class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleStaleConnectionChecker"/>
                              <exception-sorter class-name="org.jboss.jca.adapters.jdbc.extensions.oracle.OracleExceptionSorter"/>
                          </validation>
                      </datasource>
      

                        

      <driver name="oracle" module="com.oracle.jdbc">
       <driver-class>oracle.jdbc.driver.OracleDriver</driver-class>
      </driver>
      

       

      Client WildFly 10

       

      CallerRemote remote=IGGetEJB.getEJBAccess3("ejbUser","1","127.0.0.1","8080");
      

      …..

        public static CallerRemote getEJBAccess3(String uName, String uPass,String serverHost, String serverPort) {
      
      
           String serverUrl = "http-remoting://" + serverHost + ":" + serverPort; // serverPort обычно 4447
           Hashtable<String, Object> params = new Hashtable<String, Object>();
           params.put(Context.PROVIDER_URL, serverUrl);
           params.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
           params.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory"); 
           params.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "true"); 
      //    params.put(Context.SECURITY_PRINCIPAL, uName);  //java.naming.security.principal
      //    params.put(Context.SECURITY_CREDENTIALS, uPass);//java.naming.security.credentials
      
      
           Properties clientProp = new Properties();
           clientProp.put("remote.connections", "default");
           clientProp.put("remote.connection.default.host", serverHost);
           clientProp.put("remote.connection.default.port", serverPort);
           clientProp.put("remote.connection.default.username", uName);
      //    clientProp.put("remote.connection.default.password",uPass);
           
          /* try {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] passwordBytes = uPass.getBytes();
        byte[] hash = md.digest(passwordBytes);
        String passwordHash = Base64.getEncoder().encodeToString(hash);
        System.out.println("password hash: "+passwordHash);    
        clientProp.put("remote.connection.default.password", "a4ayc/80/OGda4BO/1o/V0etpOqiLx1JwB5S3beHW0s=");
        } catch (NoSuchAlgorithmException e1) {
        // TODO Auto-generated catch block
        e1.printStackTrace();
        }*/
           
           
           clientProp.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "true");
      //    clientProp.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS","JBOSS-LOCAL-USER");
           clientProp.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
           
           EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(clientProp);
           ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
           EJBClientContext.setSelector(selector);
      //    EJBClientContext.getCurrent().registerInterceptor(0, new ClientInterceptor());
      
           try {
        InitialContext context = new InitialContext(params);  
        
        final String jndiName = "/TestRemoteEJBEAR/CallerBean!remote.CallerRemote";
        CallerRemote remote = (CallerRemote) context.lookup(jndiName);
      // CallerRemote remote = connectEjb(context, jndiName);
        return remote;
        } catch (NamingException e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
        }
        return null;
        }
      
        • 1. Re: Migrate Jboss AS 6 to WildFly 10 (UsersRolesLoginModule, CallerIdentityLoginModule, <security-domain>IG_CallerDS</security-domain>)?
          boa-ig

          Good day!

          My EJB authenticates to the database using the user name and password.

          Username and password entered in the Java client.

          Please tell me, how do I pass the password from the client to the EJB Java. Using WildFly.

           

          Or is there only option is to pass in the EJB parameters?

           

          If you use CustomModule extends UsernamePasswordLoginModule {,

          I do not understand where I can get the password.

           

          for previously grateful for the answer.

          • 2. Re: Migrate Jboss AS 6 to WildFly 10 (UsersRolesLoginModule, CallerIdentityLoginModule, <security-domain>IG_CallerDS</security-domain>)?
            boa-ig

            I changed -

            public abstract class UsernamePasswordLoginModule extends AbstractServerLoginModule

             

             

                  public boolean login() throws LoginException

                  {

                  System.out.println("1______________super.login()="+super.login());

                      // See if shared credentials exist

                      if( super.login() == true )

                      {

             

             

            to receive a password from the client, should work **if( super.login() == true )**, but he always false

             

             

                2016-12-05 15:26:21,640 TRACE [org.jboss.security] (default task-10) PBOX00240: Begin login method

                2016-12-05 15:26:21,641 INFO  [stdout] (default task-10) 1______________super.login()=false

                2016-12-05 15:26:21,641 TRACE [org.jboss.security] (default task-10) PBOX00240: Begin login method

             

             

            if( super.login() == false ) then password always =  org.jboss.as.security.remoting.RemotingConnectionCredential@b986e1 and not equal password from DataBase

             

             

                2016-12-05 15:26:22,080 INFO  [stdout] (default task-10) 11______________expectedPassword=Pass_BD

                2016-12-05 15:26:22,081 INFO  [stdout] (default task-10) 12______________password=org.jboss.as.security.remoting.RemotingConnectionCredential@b986e1

             

                      super.loginOk = false;

                      String[] info = getUsernameAndPassword();

                ...

                  protected String[] getUsernameAndPassword() throws LoginException

                  {

                      String[] info = {null, null};

                      // prompt for a username and password

                      if( callbackHandler == null )

                      {

                        throw PicketBoxMessages.MESSAGES.noCallbackHandlerAvailable();

                      }

                    

                      NameCallback nc = new NameCallback(PicketBoxMessages.MESSAGES.enterUsernameMessage(), "guest");

                      PasswordCallback pc = new PasswordCallback(PicketBoxMessages.MESSAGES.enterPasswordMessage(), false);

             

             

            I like the client to transfer your password?

            as I call login() from the EJB client?

             

             

            Tell me please.

            • 3. Re: Migrate Jboss AS 6 to WildFly 10 (UsersRolesLoginModule, CallerIdentityLoginModule, <security-domain>IG_CallerDS</security-domain>)?
              jaikiran

              The org.xnio.Options.SASL_POLICY_NOPLAINTEXT option that you are setting is incorrect. You are setting it to true whereas it should be set to false if you want the password to be transmitted in plain text to the remote side. When using JAAS, that's needed. More details here Overview of Client properties - EJB Client Library (AS7+) - Project Documentation Editor

              • 4. Re: Migrate Jboss AS 6 to WildFly 10 (UsersRolesLoginModule, CallerIdentityLoginModule, <security-domain>IG_CallerDS</security-domain>)?
                boa-ig

                Client:

                public static CallerRemote getEJBAccess44(String uName, String uPass, String serverHost, String serverPort) {
                
                  String provider_url = "http-remoting://localhost:8080";
                  Hashtable<String, Object> params = new Hashtable<String, Object>();
                  params.put("java.naming.provider.url", provider_url);
                  params.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
                  params.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                  params.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false"); // !!!!
                
                  Properties clientProp = new Properties();
                  clientProp.put("remote.connections", "default");
                  clientProp.put("remote.connection.default.port", "8080");
                  clientProp.put("remote.connection.default.host", "localhost");
                  clientProp.put("remote.connection.default.Protocol", "http-remoting");
                  clientProp.put("remote.connection.default.username", uName);
                  clientProp.put("remote.connection.default.password", uPass);
                
                  clientProp.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
                  clientProp.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
                
                  EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(clientProp);
                  ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
                  EJBClientContext.setSelector(selector);
                  try {
                  InitialContext context = new InitialContext(params);
                  final String rcal = "/TestRemoteEJBEAR/CallerBean!remote.CallerRemote";
                  CallerRemote remote = (CallerRemote) context.lookup(rcal);
                  return remote;
                  } catch (NamingException e) {
                  // TODO Auto-generated catch block
                  e.printStackTrace();
                  }
                  return null;
                }
                

                 

                Server:

                public abstract class AbstractServerLoginModule implements LoginModule
                ...
                   public void initialize(Subject subject, CallbackHandler callbackHandler,
                      Map<String,?> sharedState, Map<String,?> options)
                   {
                      this.subject = subject;
                      this.callbackHandler = callbackHandler;
                      this.sharedState = sharedState;
                      this.options = options;
                
                      PicketBoxLogger.LOGGER.traceBeginInitialize();
                   
                      System.out.println("________sharedState______________ = " + sharedState);
                      System.out.println("________options______________ = " + options);
                ...
                      loginOk = false;
                ...
                            Object identity = sharedState.get("javax.security.auth.login.name");
                            Object credential = sharedState.get("javax.security.auth.login.password");
                   System.out.println("_1_______________identity ==="+identity);
                   System.out.println("_1_______________credential ==="+credential);
                            if( identity != null && credential != null )
                            {
                               loginOk = true;
                               return true;
                            }
                            // Else, fall through and perform the login
                

                 

                Output:

                [0]
                LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
                ControlFlag: LoginModuleControlFlag: required
                Options:
                name=dsJndiName, value=java:jboss/OraDSIG
                name=principalsQuery, value=select passwd AS PASSWORD from IG.USERS where login=?
                name=rolesQuery, value=select role 'Roles', RoleGroup from IG.USER_ROLES where login=?
                name=password-stacking, value=useFirstPass
                
                2016-12-06 04:22:10,712 INFO  [stdout] (default task-16) 22________sharedState______________ = {}
                2016-12-06 04:22:10,713 INFO  [stdout] (default task-16) 22________options______________ = {dsJndiName=java:jboss/OraDSIG, principalsQuery=select passwd AS PASSWORD from IG.USERS where login=?, rolesQuery=select role 'Roles', RoleGroup from IG.USER_ROLES where login=?, jboss.security.security_domain=ejb-security-domain, password-stacking=useFirstPass}
                ...
                2016-12-06 04:22:10,721 INFO  [stdout] (default task-16) _1_______________identity ===null
                2016-12-06 04:22:10,721 INFO  [stdout] (default task-16) _1_______________credential ===null
                

                 

                Standalone.xml

                 

                                <security-domain name="ejb-security-domain" cache-type="default">
                                    <authentication>
                                        <login-module code="DatabaseUsers" flag="required">
                                            <module-option name="dsJndiName" value="java:jboss/OraDSIG"/>
                                            <module-option name="principalsQuery" value="select passwd AS PASSWORD from IG.USERS where login=?"/>
                                            <module-option name="rolesQuery" value="select role 'Roles', RoleGroup from IG.USER_ROLES where login=?"/>
                                            <module-option name="password-stacking" value="useFirstPass"/>
                                        </login-module>
                                    </authentication>
                                </security-domain>
                .....
                            <security-realm name="EJBRealm">
                                <authentication>
                                    <jaas name="ejb-security-domain"/>
                                </authentication>
                            </security-realm>
                

                 

                client settings are not passed.

                I set different parameters, but does not work

                 

                I can not find a source code jboss-client.jar,  please tell me where I can download the source code

                (org.jboss.remotingjmx.RemotingConnector)

                • 5. Re: Migrate Jboss AS 6 to WildFly 10 (UsersRolesLoginModule, CallerIdentityLoginModule, <security-domain>IG_CallerDS</security-domain>)?
                  boa_ig001

                  jaikiran pai thank you, remoute Java client works with this code

                   

                    public static CallerRemote getEJBAccessOK(String uName, String uPass,String serverHost, String serverPort) {
                  
                  
                       String serverUrl = "http-remoting://" + serverHost + ":" + serverPort; // serverPort обычно 4447
                     
                       Hashtable<String, Object> params = new Hashtable<String, Object>();
                       params.put(Context.PROVIDER_URL, serverUrl);
                       params.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
                       params.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory"); 
                       params.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false"); 
                       params.put(Context.SECURITY_PRINCIPAL, uName); 
                       params.put(Context.SECURITY_CREDENTIALS, uPass);
                  
                  
                       Properties clientProp = new Properties();
                       clientProp.put("remote.connections", "default");
                       clientProp.put("remote.connection.default.host", serverHost);
                       clientProp.put("remote.connection.default.port", serverPort);
                       clientProp.put("remote.connection.default.username", uName);
                       clientProp.put("remote.connection.default.password",uPass);
                       clientProp.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
                       
                       EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(clientProp);
                       ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
                       EJBClientContext.setSelector(selector);
                       try {
                    InitialContext context = new InitialContext(params);  
                    final String jndiName = "/TestRemoteEJBEAR/CallerBean!remote.CallerRemote";
                    CallerRemote remote = (CallerRemote) context.lookup(jndiName);
                    return remote;
                    } catch (NamingException e) {
                    // TODO Auto-generated catch block
                    e.printStackTrace();
                    }
                    return null;
                  }
                  

                   

                   

                  CREATE TABLE "IG"."USER_ROLES"
                    (    "LOGIN" VARCHAR2(64 BYTE),
                      "ROLE" VARCHAR2(32 BYTE),
                      "ROLEGROUP" VARCHAR2(80 BYTE)
                    )
                  
                  Insert into USER_ROLES (LOGIN,ROLE,ROLEGROUP) values ('ejbUser','ejbRole','Roles');