4 Replies Latest reply on Jul 9, 2018 3:48 AM by milad.jafary

Migrate Wildfly 10 to 12 - RMI custom login module not working

milad.jafary Jun 22, 2018 6:17 PM

Hi.

We are migrating from wilfly 10 to 12. In wildfly 10 we developed custom LoginModule(for making http basic authentication) which make a RMI call to a remote EJB located in another sever and remote EJB on that server find subject through making a query on database. After migrating to wildfly 12 it dose not work and throw this exception:

javax.ejb.NoSuchEJBException: EJBCLIENT000079: Unable to discover destination for request for EJB StatelessEJBLocator for "....", view is interface ..., affinity is None
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:567)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
at org.jboss.ejb.protocol.remote.RemotingEJBClientInterceptor.handleInvocationResult(RemotingEJBClientInterceptor.java:56)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
at org.jboss.ejb.client.TransactionPostDiscoveryInterceptor.handleInvocationResult(TransactionPostDiscoveryInterceptor.java:133)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
at org.jboss.ejb.client.DiscoveryEJBClientInterceptor.handleInvocationResult(DiscoveryEJBClientInterceptor.java:118)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
at org.jboss.ejb.client.NamingEJBClientInterceptor.handleInvocationResult(NamingEJBClientInterceptor.java:78)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
at org.jboss.ejb.client.TransactionInterceptor.handleInvocationResult(TransactionInterceptor.java:172)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
at org.jboss.ejb.client.EJBClientInvocationContext.awaitResponse(EJBClientInvocationContext.java:907)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:165)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:100)
at com.sun.proxy.$Proxy120.findSubjectBy(Unknown Source)
at com.common.security.jaas.remote.CustomeRemoteLoginModule.initializeLoginRemote(CustomeRemoteLoginModule.java:85)
at com.common.security.jaas.remote.CustomeRemoteLoginModule.initialize(CustomeRemoteLoginModule.java:54)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)

The remote EJB was deployed and we can found it in log

java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
java:app/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
java:module/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
java:jboss/exported/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth

The login module configuration in wildfly 12 is :

<security-domain name="test-sec-domain">

<login-module code="com.common.security.jaas.remote.CustomeRemoteLoginModule" flag="required">

<module-option name="hashEncoding" value="base64"/>

<module-option name="hashAlgorithm" value="SHA-256"/>

<module-option name="remoteImplClassName" value="TestSecurityFacade"/>

<module-option name="ignorePasswordCase" value="true"/>

</login-module>

</authentication>

</security-domain>

</subsystem>

The code which is making JNDI lookup for find remote EJB is :

Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
env.put(Context.URL_PKG_PREFIXES, "org.wildfly.naming.client.NamingProvider");
try {
     InitialContext context = new InitialContext(env);
     RemoteAuth remoteAuth = ((remoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth"));
     String username = remoteAuth.findSubject("test");
} catch (NamingException e) {
     logger.error("Error in initialise context", e);
}

Is there any idea about this problem? Is there any built-in login module for this purpose? How can I migrate this configuration to elytron?

1. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working

pmm Jun 24, 2018 1:26 PM (in response to milad.jafary)

Have you migrated to the new EJB client:
quickstart/RemoteEJBClient.java at master · wildfly/quickstart · GitHub
Actions
2. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working

milad.jafary Jun 25, 2018 8:33 AM (in response to pmm)

Hi Philippe.

Thank you for reply.

As I mentioned, we migrate to new EJB Client, but the lookup in "ejb:" name space dose not found any thing, but if you lookup the ejb in "java:global/" ejb "java:jboss/exported" it can found the EJB.

It is not work:
RemoteAuth remoteAuth = ((remoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth"));

It is work:
RemoteAuth remoteAuth = ((remoteAuth) context.lookup("java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth"));

And also it is work too
RemoteAuth remoteAuth = ((remoteAuth) context.lookup("java:jboss/exported/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth"));

Any Idea?
Actions
3. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working

mchoma Jul 2, 2018 3:15 AM (in response to milad.jafary)

Please add logging if it shows something strange
Security TRACE logging
/subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
/subsystem=logging/logger=org.jboss.security:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
/subsystem=logging/logger=org.picketbox:add(level=ALL)
/subsystem=logging/logger=org.apache.catalina.authenticator:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.web.security:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.security:add(level=ALL)
/subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)
# With Remoting
/subsystem=logging/logger=org.jboss.sasl:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.ejb3:add(level=ALL)
/subsystem=logging/logger=org.jboss.as.remoting:add(level=ALL)
/subsystem=logging/logger=org.jboss.remoting3:add(level=ALL)
/subsystem=logging/logger=org.jboss.remoting:add(level=ALL)
/subsystem=logging/logger=org.jboss.naming.remote:add(level=ALL)

What exactly does your custom CustomeRemoteLoginModule do? How do you mean http basic authentication in conjuction with EJB over remoting? In Elytron you can secure EJB with some of standard SASL mechanisms (PLAIN, DIGEST-MD5, SCRAM-SHA-256 ...) Or you can still write custom Elytron security realm to fulfill your needs.

[1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients
Actions
4. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working

milad.jafary Jul 9, 2018 3:48 AM (in response to mchoma)
Hi Martin Choma.

Thank you for replay.
The customeRemoteLoginModule make an RMI call to an other machine which is connected to DB and user is found by logic which is located in our "core module".

The problem has been solved by this solution :
RemoteAuth remoteAuth = ((remoteAuth) context.lookup("java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth"));

also if the Context.PROVIDER_URL set by remote machine ip and port then the "ejb:" namespace will be work, otherwise it dose not work. see below code:

Properties properties = new Properties(); properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory"); properties.put(Context.PROVIDER_URL, "http-remoting://host:port"); InitialContext context = new InitialContext(properties); RemoteAuth remoteAuth = ((remoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth"));
Actions

Go to original post

Please add logging if it shows something strange

Security TRACE logging

# With Remoting