1 Reply Latest reply on Jul 31, 2012 5:14 PM by tmanning

    Security Realms, Security Domains, and remote EJB invocation

    tmanning Newbie

      Hi there - I've gone through a lot of documentation and forum posts but I'm still unclear on some things and I'm hoping someone can shed some light. This is JBoss AS7.1.1Final.

      I want to invoke a remote EJB, and from this part of standalone.xml I understand that it will use the ApplicationRealm to authenticate:

      {code:xml}
      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
      </subsystem>
      {code}

      However, I don't want to use the ApplicationRealm's usual application-users.properties and application-roles.properties files, with the associated add-user.sh script and hashed passwords. Instead, I've defined my own security domain with my own plaintext users.properties and roles.properties files:

      {code:xml}
      <security-domain name="myDomain" cache-type="default">
          <authentication>
              <login-module code="UsersRoles" flag="required">
                  <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                  <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
              </login-module>
              <login-module code="Remoting" flag="optional">
                  <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
          </authentication>
      </security-domain>
      {code}

      My realms are set up as follows:

      {code:xml}
      <security-realms>
          <security-realm name="ManagementRealm">
              <authentication>
                  <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
              </authentication>
          </security-realm>
          <security-realm name="ApplicationRealm">
              <authentication>
                  <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
              </authentication>
          </security-realm>
      </security-realms>
      {code}

      This works quite well for logging into my web application (ported from JBoss 5.1) - users added to my own users.properties file can log in.

      Unfortunately, when invoking a remote EJB the users/passwords in my users.properties file are NOT used. Instead, only the application-users.properties file is consulted.

      Here's how I'm creating an initial context:

      {code:java}
      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;

      Properties properties = new Properties();
      // Credentials presented to the remoting connector's security realm
      properties.setProperty(Context.SECURITY_PRINCIPAL, "user20");
      properties.setProperty(Context.SECURITY_CREDENTIALS, "password");
      properties.setProperty("java.naming.factory.initial", "org.jboss.naming.remote.client.InitialContextFactory");
      properties.setProperty("java.naming.provider.url", "remote://localhost:4447");
      properties.setProperty("jboss.naming.client.ejb.context", "true");
      properties.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

      Context context = new InitialContext(properties);
      {code}

      Do I also need to set the Context.SECURITY_PROTOCOL to something?

      users.properties contains the line "user20=password" - but I get the following exception:

      javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
                at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
                at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)

      I then used the add-user.sh script to add user20 to application-users.properties with a hashed password, and was able to create an initial context no problem.

      The bean lookup then succeeds using the ejb-client method, but on the server side all I see is the anonymous user.

      So the questions are:

      1) What's the correct way to get ApplicationRealm to use the myDomain security domain to authenticate? Or should I be creating a separate Realm?

      2) Once I've succeeded in obtaining an InitialContext and invoking my bean, how can I propagate the security credentials to the server?

      Thanks for any help!
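The SASL failure above comes down to the entry format the realm expects: add-user.sh stores each user as the realm-bound digest HEX(MD5("username:realm:password")), not a plaintext password, so a UsersRoles-style line like "user20=password" can never match. The following added example (not code from the thread or from JBoss) reproduces that entry format and checks a candidate password against a properties line; the helper names are my own.

```python
"""Reproduce the entry format JBoss AS7's add-user.sh writes to
application-users.properties and verify a password against a line.

Assumption (from the file header add-user.sh writes): each line is
    username=HEX(MD5("username:realm:password"))
The realm name is part of the hashed material, so a hash made for one
realm is useless in another, and a plaintext value never matches.
"""
import hashlib
import hmac


def realm_hash(username: str, realm: str, password: str) -> str:
    """Lowercase hex MD5 of 'username:realm:password'."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def properties_line(username: str, realm: str, password: str) -> str:
    """The line add-user.sh would append for this user in this realm."""
    return f"{username}={realm_hash(username, realm, password)}"


def parse_line(line: str):
    """Split a 'username=value' properties line into its two parts."""
    name, sep, value = line.strip().partition("=")
    if not sep or not name:
        raise ValueError("not a username=value line")
    return name.strip(), value.strip()


def verify(line: str, realm: str, password: str) -> bool:
    """True only if the stored value is the realm-bound hash of password.

    A plaintext value (as in a UsersRoles users.properties file) or a
    hash generated for a different realm name both fail here.
    """
    username, stored = parse_line(line)
    expected = realm_hash(username, realm, password)
    return hmac.compare_digest(stored, expected)


if __name__ == "__main__":
    # Constructed sample: the user from the thread, in the ApplicationRealm.
    line = properties_line("user20", "ApplicationRealm", "password")
    print(line)
    print(verify(line, "ApplicationRealm", "password"))      # True
    print(verify("user20=password", "ApplicationRealm", "password"))  # False
```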

        • 1. Re: Security Realms, Security Domains, and remote EJB invocation
          tmanning Newbie

          Ok, I've learned enough to answer my own question.

          In order to have remoting use the same authentication as my EJBs, I created a new realm, pointed it at my domain, and configured remoting to use my new realm.

          {code:xml}
          <security-realm name="myDomainRealm">
              <authentication>
                  <jaas name="myDomain"/>
              </authentication>
          </security-realm>
          {code}

          {code:xml}
          <security-domain name="myDomain" cache-type="default">
              <authentication>
                  <login-module code="UsersRoles" flag="required">
                      <module-option name="usersProperties" value="${jboss.server.config.dir}/users.properties"/>
                      <module-option name="rolesProperties" value="${jboss.server.config.dir}/roles.properties"/>
                  </login-module>
                  <login-module code="Remoting" flag="optional">
                      <module-option name="password-stacking" value="useFirstPass"/>
                  </login-module>
              </authentication>
          </security-domain>
          {code}

          {code:xml}
          <subsystem xmlns="urn:jboss:domain:remoting:1.1">
              <connector name="remoting-connector" socket-binding="remoting" security-realm="myDomainRealm"/>
          </subsystem>
          {code}