-
1. Re: Username & password get mysteriously encoded in custom server login module AS7.1
lsantha Mar 5, 2012 11:28 AM (in response to snelders)I have the exact same problem with an extended UsernamePasswordLoginModule. It worked under JBoss 4 and it gets an encrypted username under JBoss 7.1 final. Why is the username encrypted?
-
2. Re: Username & password get mysteriously encoded in custom server login module AS7.1
dlofthouse Mar 5, 2012 11:29 AM (in response to lsantha)It is not encrypted - the value is not getting passed from the SASL authentication tier to the login module so a unique id is being generated.
Can you please show the configuration of both the security realm and your security domain.
-
3. Re: Username & password get mysteriously encoded in custom server login module AS7.1
lsantha Mar 6, 2012 2:28 AM (in response to dlofthouse)On the client side in .java.login.config I have:
MyDomain {
    org.jboss.security.ClientLoginModule requisite;
};
I added this to the JBoss AS configuration file:
<security-domain name="MyDomain" cache-type="default">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.RunAsLoginModule" flag="required">
            <module-option name="roleName" value="administrator"/>
        </login-module>
        <login-module code="my.custom.login.module.ClassName" flag="required">
            <module-option name="hashUserPassword" value="false"/>
        </login-module>
    </authentication>
</security-domain>
-
4. Re: Username & password get mysteriously encoded in custom server login module AS7.1
sebbay Mar 8, 2012 4:08 AM (in response to lsantha)I'm facing the same problem. Does somebody have an idea?
-
5. Re: Username & password get mysteriously encoded in custom server login module AS7.1
snelders Mar 12, 2012 5:15 PM (in response to snelders)As Darran mentions, the username & password I see aren't encoded or encrypted but just anonymous ids generated by the server, since no credentials are passed to the server at all. I think I now understand why and got closer to a solution.
Darran and Anil explain things in much more detail in this thread: https://community.jboss.org/thread/195501?start=0&tstart=0 .
Disable Local User Authentication when developing on one machine
The reason why there weren't any credentials passed to the server in my case was that my setup was on one computer: the 'remote' client and server both run on the same machine. In this case the remote client will perform a 'local user' authentication, which authenticates by proving it is running on the same machine: it reads a file generated by the JBoss server and tells the server the content of that file. That's nice in some cases, but not if your custom login module isn't aware of this and needs real-world credentials to succeed.
I prevented this from happening by setting the option "remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER" in the jboss-ejb-client.properties file for my EJB connection.
I shouldn't have removed the security-realm on the remoting-connector
I removed the security-realm="ApplicationRealm" parameter from the remoting-connector in my standalone.xml file and left this connector unsecured. I just secured my EJB by annotating it with @SecurityDomain("MySecurityDomain"). That caused things not to work; I needed a valid security-realm there.
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
</subsystem>
If I understand Darran correctly in the earlier mentioned thread, this is because credentials will not be sent to the server when negotiating a connection if the remoting-connector is not secured. The security domain securing your EJB will not receive any credentials in that case.
Make my custom login module findable for JBoss
At the time your remote client authenticates on the remoting-connector, JBoss doesn't know which deployment/application you are about to access on the server. So if your custom login module is, for example, within a specific EAR, JBoss doesn't know about it and authentication will fail with an error looking something like this:
19:20:46,277 TRACE [org.jboss.modules] (Remoting "hattori-hanzo" task-2) Class com.my.CustomSecurityLoginModule not found from Module "org.jboss.as.remoting:main" from local module loader @3d32e42f (roots: C:\jboss\jboss-as-7\modules)
Daniel Jipa mentions a workaround https://community.jboss.org/message/719096#719096 which isn't elegant but worked for me:
I finally got it to work. The issue was the loading of custom security jar. It seems that putting it in the ear is not a solution (or at least not sufficient)
I added it on the jboss_install_dir/modules/org/jboss/as/remoting/main and modified the module.xml file at the same path to also use that resource.
I worked with or without the
jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
Darran Lofthouse mentioned that there is a more elegant solution here https://community.jboss.org/message/722362#722362
This has been implemented, and will be in the 7.1.1 release that will go out this week.
Basically you can now refer to a deployment in the "module=" attribute on a login module. The format is deployment.name. So for example, foo.jar would be "deployment.foo.jar". You can also refer to static modules as before.
I didn't manage to get that working however.
The relevant parts of my config
standalone.xml file:
<security-realms>
    ...
    <security-realm name="MyRealm">
        <authentication>
            <jaas name="MySecurityDomain"/>
        </authentication>
    </security-realm>
</security-realms>
....
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
</subsystem>
....
<security-domain name="MySecurityDomain" cache-type="default">
    <authentication>
        <login-module code="com.my.CustomLoginModule" flag="required" module="deployment.MyEAR.ear.MyLoginModule.jar">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
Please note that the part 'module="deployment.MyEAR.ear.MyLoginModule.jar"' didn't work for me, but I just left it for reference.
jboss-ejb-client.properties file:
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port = 4447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
# remote.connection.default.callback.handler.class=com.my.MyLoginCallbackHandler
remote.connection.default.username=username
remote.connection.default.password=password
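An added check (my own example code, not from this thread or from JBoss) that turns the three findings of the post above into a lint: it follows connector -> security-realm and security-domain -> login-module in a standalone.xml fragment, flags a same-machine client file that still allows JBOSS-LOCAL-USER, and recognises the UUID-shaped placeholder principal. The XML and properties samples are constructed, and the "class outside org.jboss.* needs a module= attribute" rule is a heuristic of mine, not something the server enforces.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: a cut-down standalone.xml with an unsecured connector and a custom
# login-module class without module=, plus a client file that targets localhost.
BROKEN_XML = """<server><management><security-realms>
  <security-realm name="MyRealm"><authentication><jaas name="MySecurityDomain"/></authentication></security-realm>
</security-realms></management><profile>
  <subsystem xmlns="urn:jboss:domain:remoting:1.1"><connector name="remoting-connector" socket-binding="remoting"/></subsystem>
  <subsystem xmlns="urn:jboss:domain:security:1.1"><security-domains><security-domain name="MySecurityDomain">
    <authentication><login-module code="com.my.CustomLoginModule" flag="required"/></authentication>
  </security-domain></security-domains></subsystem></profile></server>"""
BROKEN_PROPS = "remote.connections=default\nremote.connection.default.host = localhost\n"
UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def looks_generated(principal):
    """True for the UUID-shaped id the SASL tier substitutes when no credentials reached it."""
    return bool(UUID_RE.match(principal))

def _named(root, local_tag, ns_prefix=""):
    # Match on the local tag name (and optionally the namespace prefix) across all subsystems.
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == local_tag and e.tag.startswith(ns_prefix)]

def check_server(xml_text):
    """Report remoting connectors without a valid realm and custom login-module classes without module=."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name") for r in _named(root, "security-realm")}
    findings = []
    for c in _named(root, "connector", "{urn:jboss:domain:remoting:"):
        if c.get("security-realm") not in realms:
            findings.append("connector %s: no valid security-realm, so clients send no credentials" % c.get("name"))
    for d in _named(root, "security-domain"):
        for lm in _named(d, "login-module"):
            code = lm.get("code", "")
            # Heuristic (assumption): a fully qualified class outside org.jboss.* lives in a deployment or custom module.
            if "." in code and not code.startswith("org.jboss.") and not lm.get("module"):
                findings.append("login-module %s in %s: no module= attribute, the remoting module loader cannot see it" % (code, d.get("name")))
    return findings

def check_client(props_text):
    """Flag a same-machine client that still lets SASL pick JBOSS-LOCAL-USER."""
    pairs = (line.split("=", 1) for line in props_text.splitlines() if "=" in line and not line.lstrip().startswith("#"))
    props = {k.strip(): v.strip() for k, v in pairs}
    findings = []
    for conn in props.get("remote.connections", "").split(","):
        prefix = "remote.connection.%s." % conn.strip()
        disallowed = props.get(prefix + "connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "")
        if props.get(prefix + "host") in ("localhost", "127.0.0.1") and "JBOSS-LOCAL-USER" not in disallowed:
            findings.append("connection %s: local user auth will be used, no username/password reaches the login module" % conn.strip())
    return findings
```

Running check_server and check_client over a real standalone.xml and jboss-ejb-client.properties reproduces the three symptoms of this post as explicit findings; an empty list means the chain is wired the way the post's final config shows.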
-
6. Re: Username & password get mysteriously encoded in custom server login module AS7.1
clichybi Jan 17, 2013 10:14 AM (in response to snelders)Hi,
I'm trying to configure something similar and am struggling on AS7.1.3:
If I change the security-realm to "MyRealm", the client can't connect any more because of "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed".
If the security-realm is set to "ApplicationRealm", I experience the following:
Using as custom login module:
<login-module code="Remoting" flag="optional">
    <module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
    <module-option name="unauthenticatedIdentity" value="anonymous"/>
    <module-option name="defaultUsersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
    <module-option name="defaultRolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
    <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
    <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
    <module-option name="password-stacking" value="useFirstPass"/>
</login-module>
it works fine, like documented in many blogs.
Switching the login-module to
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <module-option name="java.naming.provider.url" value="ldap://ldap.acme.com:389"/>
    <module-option name="java.naming.security.authentication" value="simple"/>
    <module-option name="principalDNPrefix" value="cn="/>
    <module-option name="principalDNSuffix" value=",ou=People,dc=acme,dc=com"/>
    <module-option name="searchTimeLimit" value="5000"/>
    <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
</login-module>
always causes a "PBOX000283: Bad password for username dummy".
At the client I tried the same set of properties and a lot of variants to get it working. As far as my investigation goes, the credential gets sent encrypted to the server.
In the case of the properties-based login-module it can be compared directly with the file content, while the LDAP authentication would require a decryption. So how do I send the credential in plain text to the server? I'm aware of the security impact :-)
-
7. Re: Username & password get mysteriously encoded in custom server login module AS7.1
jpnovais Oct 7, 2013 2:26 PM (in response to clichybi)Hi,
I'm also trying to get username/password credentials in my custom login module, which extends org.jboss.security.auth.spi.UsernamePasswordLoginModule.
My LoginModule is correctly initialized, but I always get a kind of hash instead in the login() method. This seems to be because the username/password credentials are not properly propagated from the remote EJB client to the server.
I always get the following (in the log):
18:41:51,253 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 1) defaultLogin, principal=80e88281-66ed-42d9-acd0-61a13c5880fb
18:41:51,254 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) Begin getAppConfigurationEntry(testLoginModule), size=3
18:41:51,254 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) End getAppConfigurationEntry(testLoginModule), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: testLoginModule.loginModule.UserPassTestLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:
name=realm, value=ApplicationRealm
name=debug, value=true
name=password-stacking, value=useFirstPass
18:41:51,256 INFO [stdout] (EJB default - 1) UserPassTestLoginModule.login()
18:41:51,256 INFO [stdout] (EJB default - 1) username 80e88281-66ed-42d9-acd0-61a13c5880fb, password 846496d7-8155-41e9-bfef-12d329ba21c4
18:41:51,257 INFO [stdout] (EJB default - 1) username '80e88281-66ed-42d9-acd0-61a13c5880fb', password '846496d7-8155-41e9-bfef-12d329ba21c4'
18:41:51,257 INFO [stdout] (EJB default - 1) Returning result = false
My security configuration in standalone-full.xml in JBoss 7.1.1.FINAL:
<security-domain name="testLoginModule" cache-type="default">
    <authentication>
        <login-module code="testLoginModule.loginModule.UserPassTestLoginModule" flag="required" module="deployment.server-login-module-test.jar">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="debug" value="true"/>
            <module-option name="realm" value="ApplicationRealm"/>
        </login-module>
    </authentication>
</security-domain>
My EJB client:
public static void test_protectedBean_approach_1()
{
    ProtectedGreeter protectedGreeterBean;
    final Properties jndiProperties = new Properties();
    jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
    jndiProperties.put(Context.PROVIDER_URL, "127.0.0.1:4447");
    jndiProperties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
    jndiProperties.put("remote.connections", "default");
    jndiProperties.put("remote.connection.default.port", "4447");
    jndiProperties.put("remote.connection.default.host", "127.0.0.1");
    //jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
    //jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
    jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
    jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
    // This tells the JBoss ejb-client to not use remoting instead of bypassing
    jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
    jndiProperties.put("remote.connection.default.username", "appuser1");
    jndiProperties.put("remote.connection.default.password", "appuser");
    // This configures the JBoss EJB client API by code instead of via the jboss-ejb-client.properties file
    EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(jndiProperties);
    ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
    EJBClientContext.setSelector(selector);
    try
    {
        final Context context = new InitialContext(jndiProperties);
        String result_message = "";
        ProtectedGreeter unprotectedGreeterBean = (ProtectedGreeter) context.lookup(UnprotectedGreeterBean_url);
        result_message = unprotectedGreeterBean.tell_me_hello(" Alice");
        System.out.println(result_message);
        protectedGreeterBean = (ProtectedGreeter) context.lookup(ProtectedGreeter_url);
        result_message = protectedGreeterBean.tell_me_hello(" Bob");
        System.out.println(result_message);
    }
    catch (Exception e)
    {
        e.printStackTrace();
    }
}
The call to the unprotectedGreeterBean works just fine. The call to protectedGreeterBean instantiates my login module as expected, but the username/password credentials are not passed to the server.
Could someone please tell me what's wrong/missing?
Please check out my attached code (just with the login module, an EJB client and the standalone configuration file).
- server application with login module:
> mvn clean install && mvn jboss-as:deploy to deploy the server-login-module-test
- to run EJB Client Test
> mvn clean compile assembly:single
> java -jar target/client-login-module-test-jar-with-dependencies.jar
-
testLoginModule.zip 16.1 KB