-
1. Re: Custom jdbc login module for remoting
danjee Feb 20, 2012 4:48 AM (in response to danjee) Here are bits of my standalone.xml configuration:
[...]
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            <authentication>
                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="ApplicationRealm">
            <authentication>
                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
        <security-realm name="MyAppRealm">
            <authentication>
                <properties path="myapp-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
        </security-realm>
    </security-realms>
    <management-interfaces>
        <native-interface security-realm="ManagementRealm">
            <socket-binding native="management-native"/>
        </native-interface>
        <http-interface security-realm="ManagementRealm">
            <socket-binding http="management-http"/>
        </http-interface>
    </management-interfaces>
</management>
[...]
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/>
<subsystem xmlns="urn:jboss:domain:sar:1.0"/>
<subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
        <security-domain name="asf-jaas" cache-type="default">
            <authentication>
                <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                    <module-option name="debug" value="true"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
[...]
What should I modify so that remote JNDI uses my custom login module?
-
2. Re: Custom jdbc login module for remoting
dlofthouse Feb 20, 2012 6:54 AM (in response to danjee) Looking at your configuration, your inbound communications over Remoting are making use of the MyAppRealm. This realm needs to be updated to reference the JAAS domain that you have defined; here is an example of how to reference a JAAS domain from a realm:
<security-realm name="ManagementRealm">
    <authentication>
        <jaas name="darrans-domain"/>
    </authentication>
</security-realm>
-
3. Re: Custom jdbc login module for remoting
danjee Feb 20, 2012 7:47 AM (in response to dlofthouse) I've managed to make my login module usable.
I've removed the realm restriction for remoting, so now the line in standalone.xml looks like this:
<connector name="remoting-connector" socket-binding="remoting" />
In the security domain the configuration is like this:
<security-domains>
    <security-domain name="asf-jaas" cache-type="default">
        <authentication-jaspi>
            <login-module-stack name="asf-jaas-stack">
                <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                    <module-option name="debug" value="true"/>
                </login-module>
            </login-module-stack>
            <auth-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" login-module-stack-ref="asf-jaas-stack"/>
        </authentication-jaspi>
    </security-domain>
</security-domains>
And I think the biggest mistake I made was the jboss.xml file name, which I renamed to jboss-app.xml to store my security-domain.
Now the validateUser method is getting called. I am now facing a new challenge with the usernames and passwords, because they are encrypted by JBoss.
Are they reversible? Or should I alter my login module?
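On the question of whether the stored passwords are reversible, an added example that is not part of the original thread (the code below is mine, not danjee's or JBoss's): in JBoss AS 7 the add-user.sh script writes each entry of mgmt-users.properties and application-users.properties as username=HEX(MD5("username:realm:password")). That value is exactly the HA1 of RFC 2831 DIGEST-MD5, which is why a properties-backed realm can authenticate a DIGEST-MD5 client without ever seeing the plaintext, while a login module behind a JAAS-backed realm only receives a plaintext password when the client uses the PLAIN mechanism (whether the XNIO client allows plaintext mechanisms is governed by org.xnio.Options.SASL_POLICY_NOPLAINTEXT). The digest is an unsalted MD5 and cannot be inverted, but it can be recomputed for verification, or guessed offline; the sample properties content and the user "capone" with password "1234564" are constructed here from the client code in this thread.

```python
"""Added example: how JBoss AS 7 add-user.sh stores passwords and what a login
module can do with the stored value.  Format written by add-user.sh:
    username=HEX(MD5("username:realm:password"))
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def realm_digest(username: str, realm: str, password: str) -> str:
    """HEX(MD5(username ':' realm ':' password)), the value add-user.sh stores.
    It is also the RFC 2831 DIGEST-MD5 HA1 for that user/realm/password."""
    data = "{}:{}:{}".format(username, realm, password).encode("utf-8")
    return hashlib.md5(data).hexdigest()


def parse_users_properties(text: str) -> Dict[str, str]:
    """Parse a *-users.properties file into {username: hex_digest}."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # comments, blank lines and junk are ignored
        name, digest = line.split("=", 1)
        users[name.strip()] = digest.strip().lower()
    return users


def verify_password(users: Dict[str, str], username: str, realm: str, password: str) -> bool:
    """What a login module must do with a plaintext password: recompute the
    digest and compare it in constant time.  The digest cannot be reversed."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, realm_digest(username, realm, password))


def guess_password(users: Dict[str, str], username: str, realm: str,
                   candidates: Iterable[str]) -> Optional[str]:
    """Not reversible, but an unsalted MD5 of a short secret is cheap to guess
    offline: anyone holding the properties file can run this loop."""
    for candidate in candidates:
        if verify_password(users, username, realm, candidate):
            return candidate
    return None


# Constructed sample file: the "capone" user from the client code in this thread,
# as add-user.sh would write it for ApplicationRealm (digest computed here).
SAMPLE_PROPERTIES = "\n".join([
    "# users in realm ApplicationRealm",
    "capone=" + realm_digest("capone", "ApplicationRealm", "1234564"),
    "",
])

if __name__ == "__main__":
    users = parse_users_properties(SAMPLE_PROPERTIES)
    print(verify_password(users, "capone", "ApplicationRealm", "1234564"))  # True
    # The realm name is part of the hash: the same user and password in
    # MyAppRealm give a different digest, so digests cannot be copied between realms.
    print(verify_password(users, "capone", "MyAppRealm", "1234564"))  # False
    print(guess_password(users, "capone", "ApplicationRealm", ["password", "1234564"]))  # 1234564
```

The practical consequence for a custom JDBC login module is that it either needs the plaintext password (so it must be reached through PLAIN, and that connection should be protected by TLS) or it must store and compare the same username:realm:password digest that add-user.sh produces.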
-
4. Re: Custom jdbc login module for remoting
dlofthouse Feb 20, 2012 7:43 AM (in response to danjee) By removing the realm from the connector, there is now no security applied to that connector, so all attempts to connect will be allowed in without authentication.
-
5. Re: Custom jdbc login module for remoting
danjee Feb 20, 2012 7:47 AM (in response to danjee) I got the same result when using a simpler configuration (without authentication-jaspi):
<security-domains>
    <security-domain name="asf-jaas" cache-type="default">
        <authentication>
            <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                <module-option name="debug" value="true"/>
            </login-module>
        </authentication>
    </security-domain>
</security-domains>
-
6. Re: Custom jdbc login module for remoting
danjee Feb 20, 2012 7:50 AM (in response to dlofthouse) Darran Lofthouse wrote:
By removing the realm from the connector, there is now no security applied to that connector, so all attempts to connect will be allowed in without authentication.
My login module is getting called, and so I get javax.ejb.EJBAccessException: JBAS013323: Invalid User and I cannot use the EJB.
-
7. Re: Custom jdbc login module for remoting
dlofthouse Feb 20, 2012 7:52 AM (in response to danjee) Yes, your module is getting called, but you just have a random username and password, as you have disabled any security checks on the incoming connection.
-
8. Re: Custom jdbc login module for remoting
danjee Feb 21, 2012 2:14 AM (in response to dlofthouse) Darran Lofthouse wrote:
Yes, your module is getting called, but you just have a random username and password, as you have disabled any security checks on the incoming connection.
Indeed, this seems very logical.
I've updated the standalone.xml file to use a realm for remoting, like this:
[...]
<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
    </security-realm>
    <security-realm name="ApplicationRealm">
        <authentication>
            <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
    </security-realm>
    <security-realm name="MyAppRealm">
        <authentication>
            <jaas name="asf-jaas"/>
        </authentication>
    </security-realm>
</security-realms>
[...]
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>
</subsystem>
[...]
<security-domains>
    <security-domain name="asf-jaas" cache-type="default">
        <authentication>
            <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                <module-option name="debug" value="true"/>
            </login-module>
        </authentication>
    </security-domain>
</security-domains>
but now the login module is not getting called.
Am I missing any other configuration?
-
9. Re: Custom jdbc login module for remoting
dlofthouse Feb 20, 2012 8:32 AM (in response to danjee) When you say your module is not getting called, what is actually happening? Are you saying the call is reaching all the way to the EJB without any further checks, or is some other error being reported?
-
10. Re: Custom jdbc login module for remoting
danjee Feb 20, 2012 8:48 AM (in response to dlofthouse) If I set
<connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>
I only get a client exception:
javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
and nothing in the logs.
When using
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
the user in application-users.properties is validated, but I still get the random passwords in my login module.
-
11. Re: Custom jdbc login module for remoting
dlofthouse Feb 20, 2012 8:51 AM (in response to danjee) Ok, forget the second config, that is not relevant and your domain configuration is not compatible with that realm. For the first option, how have you set the username and password for the client?
-
12. Re: Custom jdbc login module for remoting
danjee Feb 20, 2012 8:53 AM (in response to dlofthouse) This is the way I call the test method from the EJB:
import java.rmi.RemoteException;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

// AppException, TestController and TestControllerRemote are the application's own
// types and are not shown in this thread.
public class Jndi {
    public static void main(String[] args) throws NamingException, AppException, RemoteException {
        final Hashtable<String, Object> jndiProperties = new Hashtable<String, Object>();
        jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY,
                "org.jboss.naming.remote.client.InitialContextFactory");
        // The remoting connector on port 4447; it is secured by whatever
        // security-realm is set on remoting-connector in standalone.xml
        jndiProperties.put(Context.PROVIDER_URL, "remote://localhost:4447");
        jndiProperties.put(Context.SECURITY_PRINCIPAL, "capone");
        jndiProperties.put(Context.SECURITY_CREDENTIALS, "1234564");
        jndiProperties.put("jboss.naming.client.ejb.context", true);
        // The remoting connection (and SASL authentication) is opened here
        final Context context = new InitialContext(jndiProperties);
        final String appName = "capone";
        final String moduleName = "capone-EJB";
        final String distinctName = "";
        final String beanName = "TestControllerBean";
        final String viewClassName = TestControllerRemote.class.getName();
        // ejb:<app>/<module>/<distinct-name>/<bean>!<view-interface>
        String lookup = "ejb:" + appName + "/" + moduleName + "/"
                + distinctName + "/" + beanName + "!" + viewClassName;
        System.out.println("lookup name: " + lookup);
        TestController facade = (TestController) context.lookup(lookup);
        System.out.println(facade);
        System.out.println("test: " + facade.testMessage("hello"));
    }
}
-
13. Re: Custom jdbc login module for remoting
dlofthouse Feb 20, 2012 9:01 AM (in response to danjee) Thanks for the code; I am just checking something locally myself, but could you please confirm which line actually fails? Is it the lookup failing or the call to the EJB?
-
14. Re: Custom jdbc login module for remoting
danjee Feb 20, 2012 9:06 AM (in response to dlofthouse) The lookup is failing. Here is the full stack trace:
Feb 20, 2012 4:05:20 PM org.xnio.Xnio <clinit>
INFO: XNIO Version 3.0.3.GA
Feb 20, 2012 4:05:20 PM org.xnio.nio.NioXnio <clinit>
INFO: XNIO NIO Implementation Version 3.0.3.GA
Feb 20, 2012 4:05:20 PM org.jboss.remoting3.EndpointImpl <clinit>
INFO: JBoss Remoting version 3.2.2.GA
Feb 20, 2012 4:05:20 PM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Exception in thread "main" javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:117)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at com.asf.jndi.jboss7.Jndi.main(Jndi.java:31)
Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
at org.jboss.naming.remote.client.cache.ConnectionCache.get(ConnectionCache.java:42)
at org.jboss.naming.remote.client.InitialContextFactory.createConnection(InitialContextFactory.java:153)
at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateConnection(InitialContextFactory.java:126)
at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:106)
... 5 more
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
at org.jboss.naming.remote.client.cache.EndpointCache$EndpointWrapper.connect(EndpointCache.java:110)
at org.jboss.naming.remote.client.cache.ConnectionCache.get(ConnectionCache.java:41)
... 8 more