JBoss AS 7 remote standalone client auth
fpu May 5, 2012 2:38 AM
Hi, I have a problem with JAAS auth on JBoss 7.
I have an EAR deployed on JBoss AS7 with this jboss-app.xml:

    <jboss-app xmlns="http://www.jboss.com/xml/ns/javaee"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               version="7.0"
               xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee ">
        <security-domain>FooDomain</security-domain>
    </jboss-app>
In standalone.xml I have:

    <security-realm name="ApplicationRealm">
        <authentication>
            <jaas name="FooDomain"/>
        </authentication>
    </security-realm>
    ...
    <security-domain name="FooDomain" cache-type="default">
        <authentication>
            <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="Database" flag="required">
                <module-option name="dsJndiName" value="java:/MyDS"/>
                <module-option name="principalsQuery" value="select password from users where user_id=?"/>
                <module-option name="rolesQuery" value="select role, 'Roles' from roles where user_id=?"/>
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
        </authentication>
    </security-domain>
I can look up an EJB from a standalone client, and authentication succeeds when I use code like this:

    final Hashtable<Object, Object> p = new Hashtable<Object, Object>();
    p.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
    p.put(Context.SECURITY_PRINCIPAL, username);
    p.put(Context.SECURITY_CREDENTIALS, password);
    p.put("jboss.naming.client.ejb.context", true);
    p.put(Context.PROVIDER_URL, "remote://10.10.1.18:4447");
    // false = do not exclude plaintext SASL mechanisms such as PLAIN
    p.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
    p.put(Context.INITIAL_CONTEXT_FACTORY,
          org.jboss.naming.remote.client.InitialContextFactory.class.getName());
    context = new InitialContext(p);
The problem is that if I provide wrong credentials, I see this in the debug console:

    javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

but I can't catch it.
Server logs (unimportant parts cut):

    TRACE [DatabaseServerLoginModule] initialize
    TRACE [DatabaseServerLoginModule] Security domain: FooDomain
    TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MyDS
    TRACE [DatabaseServerLoginModule] principalsQuery=select password from users where user_id=?
    TRACE [DatabaseServerLoginModule] rolesQuery=select role, 'Roles' from roles where user_id=?
    TRACE [DatabaseServerLoginModule] suspendResume=true
    TRACE [DatabaseServerLoginModule] login
    TRACE [DatabaseServerLoginModule] suspendAnyTransaction
    TRACE [DatabaseServerLoginModule] Excuting query: select password from users where user_id=?, with username: test
    TRACE [DatabaseServerLoginModule] Obtained user password
    TRACE [DatabaseServerLoginModule] resumeAnyTransaction
    DEBUG [DatabaseServerLoginModule] Bad password for username=test
    TRACE [DatabaseServerLoginModule] abort
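When I try to use LoginContext, nothing happens on the server. Configuration:

    import java.util.HashMap;
    import java.util.Map;
    import javax.security.auth.login.AppConfigurationEntry;
    import javax.security.auth.login.Configuration;

    public class DefaultJassConfiguration extends Configuration {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
            Map<String, Object> options = new HashMap<String, Object>();
            options.put("debug", true);
            // The same single entry is returned for every application name.
            AppConfigurationEntry[] entries = {
                new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
            };
            return entries;
        }
    }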
Test:

    Configuration.setConfiguration(new DefaultJassConfiguration());
    try {
        LoginContext lc = new LoginContext("FooDomain",
                new UsernamePasswordHandler("test", "test".toCharArray()));
        lc.login();
        System.out.println(lc.getSubject());
    } catch (LoginException e) {
        e.printStackTrace();
    }
Perhaps LoginContext doesn't know the server address? I tried adding

    System.setProperty("java.naming.provider.url", "remote://10.10.1.18:4447");

but it had no effect.
How can I make LoginContext work? Or how can I catch the SaslException? I am considering making a dummy bean with a method that always returns true and calling it after login, but it looks ugly.
P.S. I'm sorry for my English (It makes me a bit shy)
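
On the server side, the log excerpt in the post records the rejected login as a DEBUG line from DatabaseServerLoginModule. The following is an added example, not part of the original post: it counts those bad-password lines per username and flags repeated failures. The line shape is assumed to match the excerpt, and the threshold and sample lines are constructed.

```python
import re
from collections import Counter

# Line shape taken from the excerpt in the post: "LEVEL [Logger] message".
# Assumption: a full server log adds timestamps and package names, so the
# pattern would need adjusting to the deployed log format.
LINE_RE = re.compile(r"^\s*(?P<level>[A-Z]+)\s+\[(?P<logger>[^\]]+)\]\s+(?P<msg>.*?)\s*$")
BAD_PW_RE = re.compile(r"^Bad password for username=(?P<user>.+)$")
LOGIN_MODULE = "DatabaseServerLoginModule"


def bad_password_events(lines):
    """Yield the username of every bad-password line logged by the login module."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("logger") != LOGIN_MODULE:
            continue  # other loggers, stack-trace lines, unparseable text
        hit = BAD_PW_RE.match(m.group("msg"))
        if hit:
            yield hit.group("user")


def flag_repeated_failures(lines, threshold=3):
    """Return {username: count} for users with at least `threshold` failures."""
    counts = Counter(bad_password_events(lines))
    return {user: n for user, n in counts.items() if n >= threshold}


# Constructed sample input modelled on the excerpt; not real server output.
SAMPLE_LOG = """\
TRACE [DatabaseServerLoginModule] login
TRACE [DatabaseServerLoginModule] Excuting query: select password from users where user_id=?, with username: test
DEBUG [DatabaseServerLoginModule] Bad password for username=test
TRACE [DatabaseServerLoginModule] abort
DEBUG [DatabaseServerLoginModule] Bad password for username=test
DEBUG [DatabaseServerLoginModule] Bad password for username=admin
DEBUG [SomeOtherLogger] Bad password for username=test
DEBUG [DatabaseServerLoginModule] Bad password for username=test
""".splitlines()

if __name__ == "__main__":
    print(flag_repeated_failures(SAMPLE_LOG))
```

Because the event is logged at DEBUG, it only reaches the log when that level is enabled for the login module's logger.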