4 Replies Latest reply on Jul 9, 2018 3:48 AM by milad.jafary

    Migrate Wildfly 10 to 12 - RMI custom login module not working

    milad.jafary

      Hi.

       

      We are migrating from WildFly 10 to 12. In WildFly 10 we developed a custom LoginModule (for HTTP basic authentication) which makes an RMI call to a remote EJB located on another server, and the remote EJB on that server finds the subject by querying the database. After migrating to WildFly 12 it does not work and throws this exception:

       

      javax.ejb.NoSuchEJBException: EJBCLIENT000079: Unable to discover destination for request for EJB StatelessEJBLocator for "....", view is interface ..., affinity is None
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:567)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.protocol.remote.RemotingEJBClientInterceptor.handleInvocationResult(RemotingEJBClientInterceptor.java:56)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.TransactionPostDiscoveryInterceptor.handleInvocationResult(TransactionPostDiscoveryInterceptor.java:133)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.DiscoveryEJBClientInterceptor.handleInvocationResult(DiscoveryEJBClientInterceptor.java:118)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.NamingEJBClientInterceptor.handleInvocationResult(NamingEJBClientInterceptor.java:78)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.TransactionInterceptor.handleInvocationResult(TransactionInterceptor.java:172)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.EJBClientInvocationContext.awaitResponse(EJBClientInvocationContext.java:907)
      at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:165)
      at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:100)
      at com.sun.proxy.$Proxy120.findSubjectBy(Unknown Source)
      at com.common.security.jaas.remote.CustomeRemoteLoginModule.initializeLoginRemote(CustomeRemoteLoginModule.java:85)
      at com.common.security.jaas.remote.CustomeRemoteLoginModule.initialize(CustomeRemoteLoginModule.java:54)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)

       

      The remote EJB was deployed and we can find it in the log:

      java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
      java:app/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
      java:module/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
      java:jboss/exported/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth

       

      The login module configuration in wildfly 12 is :

      <subsystem xmlns="urn:jboss:domain:security:2.0">
          <security-domain name="test-sec-domain">
              <authentication>
                  <login-module code="com.common.security.jaas.remote.CustomeRemoteLoginModule" flag="required">
                      <module-option name="hashEncoding" value="base64"/>
                      <module-option name="hashAlgorithm" value="SHA-256"/>
                      <module-option name="remoteImplClassName" value="TestSecurityFacade"/>
                      <module-option name="ignorePasswordCase" value="true"/>
                  </login-module>
              </authentication>
          </security-domain>
      </subsystem>

       

       

      The code which makes the JNDI lookup to find the remote EJB is:

      Hashtable<String, Object> env = new Hashtable<>();
      env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
      env.put(Context.URL_PKG_PREFIXES, "org.wildfly.naming.client.NamingProvider");
      try {
           InitialContext context = new InitialContext(env);
           // Look up the remote EJB through the "ejb:" namespace
           RemoteAuth remoteAuth = (RemoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");
           String username = remoteAuth.findSubject("test");
      } catch (NamingException e) {
           logger.error("Error in initialise context", e);
      }

       

      Does anyone have an idea about this problem? Is there a built-in login module for this purpose? How can I migrate this configuration to Elytron?

        • 1. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working
          pmm
          • 2. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working
            milad.jafary

            Hi Philippe.

             

            Thank you for reply.

             

            As I mentioned, we migrated to the new EJB client, but the lookup in the "ejb:" namespace does not find anything, whereas if you look up the EJB in "java:global/" or "java:jboss/exported" it can find the EJB.

            This does not work:

            RemoteAuth remoteAuth = (RemoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

            This works:

            RemoteAuth remoteAuth = (RemoteAuth) context.lookup("java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

            And this also works:

            RemoteAuth remoteAuth = (RemoteAuth) context.lookup("java:jboss/exported/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

            Any idea?

             

            • 3. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working
              mchoma

              Please add logging to see if it shows something strange.

              Security TRACE logging

              /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
              /subsystem=logging/logger=org.jboss.security:add(level=ALL)
              /subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
              /subsystem=logging/logger=org.picketbox:add(level=ALL)
              /subsystem=logging/logger=org.apache.catalina.authenticator:add(level=ALL)
              /subsystem=logging/logger=org.jboss.as.web.security:add(level=ALL)
              /subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
              /subsystem=logging/logger=org.wildfly.security:add(level=ALL)
              /subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)

              # With Remoting

              /subsystem=logging/logger=org.jboss.sasl:add(level=ALL)
              /subsystem=logging/logger=org.jboss.as.ejb3:add(level=ALL)
              /subsystem=logging/logger=org.jboss.as.remoting:add(level=ALL)
              /subsystem=logging/logger=org.jboss.remoting3:add(level=ALL)
              /subsystem=logging/logger=org.jboss.remoting:add(level=ALL)
              /subsystem=logging/logger=org.jboss.naming.remote:add(level=ALL)

               

               

              What exactly does your custom CustomeRemoteLoginModule do? What do you mean by HTTP basic authentication in conjunction with EJB over remoting? In Elytron you can secure EJBs with some of the standard SASL mechanisms (PLAIN, DIGEST-MD5, SCRAM-SHA-256 ...). Or you can still write a custom Elytron security realm to fulfill your needs.

               

              [1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients

              • 4. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working
                milad.jafary

                Hi Martin Choma.

                 

                Thank you for the reply.

                The CustomeRemoteLoginModule makes an RMI call to another machine which is connected to the DB, and the user is found by logic which is located in our "core module".

                 

                The problem has been solved by this solution:

                RemoteAuth remoteAuth = (RemoteAuth) context.lookup("java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

                Also, if Context.PROVIDER_URL is set to the remote machine's IP and port, then the "ejb:" namespace will work; otherwise it does not work. See the code below:

                 

                 

                Properties properties = new Properties();
                properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
                // Point the naming client at the remote server that hosts the EJB
                properties.put(Context.PROVIDER_URL, "http-remoting://host:port");
                InitialContext context = new InitialContext(properties);
                RemoteAuth remoteAuth = (RemoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");
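
The fix from the last reply, as an added example that is not part of the original thread: a lookup helper for a login module that sets Context.PROVIDER_URL from configuration and fails closed when the remote EJB cannot be reached, instead of only logging the error. The `providerUrl` module option, the `RemoteSubjectLookup` class and the stand-in `RemoteAuth` declaration are assumptions; the JNDI name and `findSubject` come from the posts.

```java
import java.util.Map;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.LoginException;

// Stand-in so this file compiles on its own; a real deployment uses the
// com.common.security.jaas.remote.RemoteAuth interface named in the thread.
interface RemoteAuth {
    String findSubject(String username);
}

public class RemoteSubjectLookup {
    private static final String EJB_NAME =
        "ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth";

    // options: the login module's <module-option> map. "providerUrl" is a
    // hypothetical option holding a value such as http-remoting://host:port.
    public static String findSubject(Map<String, ?> options, String username)
            throws LoginException {
        Object url = options.get("providerUrl");
        if (!(url instanceof String) || ((String) url).trim().isEmpty()) {
            throw new LoginException("providerUrl module option is not set");
        }
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "org.wildfly.naming.client.WildFlyInitialContextFactory");
        env.put(Context.PROVIDER_URL, ((String) url).trim());
        Context context = null;
        try {
            context = new InitialContext(env);
            RemoteAuth remoteAuth = (RemoteAuth) context.lookup(EJB_NAME);
            String subject = remoteAuth.findSubject(username);
            if (subject == null || subject.isEmpty()) {
                throw new LoginException("No subject returned for user");
            }
            return subject;
        } catch (NamingException | RuntimeException e) {
            // NoSuchEJBException (EJBCLIENT000079) is a RuntimeException:
            // treat any lookup or invocation failure as a failed login.
            LoginException failure = new LoginException("Remote subject lookup failed");
            failure.initCause(e);
            throw failure;
        } finally {
            if (context != null) {
                try { context.close(); } catch (NamingException ignored) { }
            }
        }
    }
}
```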