
    AS 7.1.1 remote ejb call with JAAS

    bomc Newbie

      Hello all,

      I'm trying to invoke an ejb from a remote client using JAAS.
      I've read the article here https://community.jboss.org/wiki/JBoss7AndEjbRemoteCallWithSecurity and followed its steps, but after invoking the EJB I get the following exception:

       

      javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String RemoteSecure.getSecurityInfo() of bean: SecureEJB is not allowed

       

      For my test I have a .ear with following structure

       

      MyEar.ear
        +---META-INF
              +---application.xml
              +---jboss-app.xml
        +---MyEjb.jar
              +---META-INF
                    +---jboss-ejb3.xml
              +---RemoteSecure.class
              +---SecureEJB

       

      I added a security realm to the standard-full.xml

       

      <security-realm name="BomcRealm">
              <!-- Authentication for this realm is delegated to the JAAS security domain "BomcDomain". -->
              <authentication>
                  <jaas name="BomcDomain"/>
              </authentication>
      </security-realm>

      my security domain with a DatabaseServerLoginModule

       

      <security-domain name="BomcDomain" cache-type="default">
            <authentication>

       

                  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                         <!-- Users and roles are read through the datasource below; each query takes the username as its single parameter. -->
                         <module-option name="dsJndiName" value="java:jboss/datasources/Bomc-ServerDS"/>
                         <!-- NOTE(review): no hashAlgorithm module-option is set, so C_PASSWORD is presumably compared as a clear-text value. Confirm how the column is stored and prefer a hashed password together with hashAlgorithm/hashEncoding. -->
                         <module-option name="principalsQuery" value="SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?"/>
                         <!-- NOTE(review): the second column returned here is the literal 'Role'. The JBoss login modules normally expect the role-group name 'Roles' for roles that authorization checks such as @RolesAllowed evaluate; verify this value against the login-module documentation. -->
                         <module-option name="rolesQuery" value="SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?"/>
                          <module-option name="password-stacking" value="useFirstPass"/>
                   </login-module>
            </authentication>
      </security-domain>

       

      I changed the security-realm of the remoting-connector to:

       

          <subsystem xmlns="urn:jboss:domain:remoting:1.1">
              connector name="remoting-connector" socket-binding="remoting" security-realm="BomcRealm"/>
          </subsystem>

      my EJB:

       

      /**
       * Stateless session bean exposed to remote clients through {@link RemoteSecure}.
       */
      @Stateless
      @Remote(RemoteSecure.class)
      public class SecureEJB implements RemoteSecure {

          // Injected session context; the only use here is reading the caller principal.
          @Resource
          private SessionContext ctx;

          /**
           * Reports the identity the container associated with the current call.
           * The method is annotated so that only callers in the "write" role may invoke it.
           *
           * @return the {@code toString()} form of the caller principal
           */
          @RolesAllowed("write")
          public String getSecurityInfo() {
              return ctx.getCallerPrincipal().toString();
          }
      }

       

      the jboss-ejb3.xml:

       

      <?xml version="1.0" encoding="UTF-8"?> 
      <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
                xmlns="http://java.sun.com/xml/ns/javaee"
                xmlns:s="urn:security"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd
                http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
               version="3.1"
               impl-version="2.0">
            

             <assembly-descriptor xmlns="http://java.sun.com/xml/ns/javaee">
                <!-- Binds every EJB matched by the wildcard ejb-name "*" to the security domain BomcDomain. -->
                <security:security xmlns:security="urn:security">
                    <ejb-name>*</ejb-name>
                    <security:security-domain>BomcDomain</security:security-domain>
                 </security:security>
             </assembly-descriptor>
      </jboss:ejb-jar>

       

       

      the jboss-app.xml

       

      <jboss-app xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="7.0" >
            <!-- Names BomcDomain as the security domain in the application-level descriptor. -->
            <security-domain>BomcDomain</security-domain>
      </jboss-app>


      my client:

       

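      /**
       * Looks up the remote {@code RemoteSecure} view of {@code SecureEJB} and prints the
       * caller principal that the server reports for this connection.
       *
       * <p>The EJB client context is configured programmatically from a {@link Properties}
       * object instead of a {@code jboss-ejb-client.properties} file.
       *
       * @param args unused
       * @throws Exception if the client configuration, the JNDI lookup or the remote call fails
       */
      public static void main(String... args) throws Exception {
          final String appName = "Bomc-Server";
          final String moduleName = "Bomc-Server-ejb-1.0.0-SNAPSHOT";
          final String distinctName = "";
          final String beanName = SecureEJB.class.getSimpleName();
          final String viewClassName = RemoteSecure.class.getName();

          // ejb:<app>/<module>/<distinct>/<bean>!<fully qualified view class>
          final String jndiHomeName =
                  "ejb:" + appName + "/" + moduleName + "/" + distinctName + "/" + beanName + "!" + viewClassName;

          Properties p = new Properties();
          // NOTE(review): TLS is switched off for the remoting channel. Together with
          // SASL_POLICY_NOPLAINTEXT=false below, the password may be sent in a recoverable form;
          // that is tolerable only for a loopback test like this one (host 127.0.0.1).
          p.setProperty("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
          p.setProperty("remote.connections", "default");
          p.setProperty("remote.connection.default.host", "127.0.0.1");
          p.setProperty("remote.connection.default.port", "4447");
          // Anonymous SASL authentication is refused.
          p.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
          // NOTE(review): sample credentials are hard-coded; a real client should read them from
          // configuration kept outside the source tree.
          p.setProperty("remote.connection.default.username", "bomc_admin");
          p.setProperty("remote.connection.default.password", "bomc");
          // Rule out the local-user mechanism so the username/password above is what gets verified.
          p.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
          // Plain-text SASL mechanisms stay permitted (presumably required by the JAAS-backed realm).
          p.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

          // Install the configuration as the process-wide EJB client context.
          EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(p);
          ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
          EJBClientContext.setSelector(selector);

          Properties props = new Properties();
          props.setProperty(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
          InitialContext context = new InitialContext(props);
          try {
              RemoteSecure r = (RemoteSecure) context.lookup(jndiHomeName);
              System.out.println(r.getSecurityInfo());
          } finally {
              // Release the naming context even when the lookup or the invocation throws.
              context.close();
          }
      }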


      The log shows that the user is authenticated and the roles are assigned.

       

      21:17:22,500 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "chabomc0-pc" task-4) Begin getAppConfigurationEntry(BomcDomain), size=4
      21:17:22,501 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "chabomc0-pc" task-4) End getAppConfigurationEntry(BomcDomain), authInfo=AppConfigurationEntry[]:
      [0]
      LoginModule Class: org.jboss.as.security.remoting.RemotingLoginModule
      ControlFlag: Anmeldemodul-Steuerflag: optional
      Options:
      name=password-stacking, value=useFirstPass
      [1]
      LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
      ControlFlag: Anmeldemodul-Steuerflag: required
      Options:
      name=principalsQuery, value=SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?
      name=dsJndiName, value=java:jboss/datasources/Bomc-ServerDS
      name=password-stacking, value=useFirstPass
      name=rolesQuery, value=SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?

      21:17:22,505 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) initialize
      21:17:22,506 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) Security domain: BomcDomain
      21:17:22,506 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) login
      21:17:22,507 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) initialize
      21:17:22,507 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Security domain: BomcDomain
      21:17:22,508 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) DatabaseServerLoginModule, dsJndiName=java:jboss/datasources/Bomc-ServerDS
      21:17:22,509 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) principalsQuery=SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?
      21:17:22,510 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) rolesQuery=SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?
      21:17:22,511 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) suspendResume=true
      21:17:22,513 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) login
      21:17:22,514 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) suspendAnyTransaction
      21:17:22,515 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Excuting query: SELECT C_PASSWORD FROM COR_USER WHERE C_USERNAME=?, with username: bomc_admin
      21:17:22,517 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Obtained user password
      21:17:22,518 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) resumeAnyTransaction
      21:17:22,518 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) User 'bomc_admin' authenticated, loginOk=true
      21:17:22,519 TRACE [org.jboss.as.security.remoting.RemotingLoginModule] (Remoting "c-pc" task-4) commit, loginOk=false
      21:17:22,520 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) commit, loginOk=true
      21:17:22,520 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) getRoleSets using rolesQuery: SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?, username: bomc_admin
      21:17:22,522 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) suspendAnyTransaction
      21:17:22,523 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Excuting query: SELECT C_ROLE_NAME COR_ROLE, 'Role' FROM ... WHERE u.C_USERNAME=?, with username: bomc_admin
      21:17:22,526 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role read
      21:17:22,526 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role write
      21:17:22,527 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) Assign user to role delete
      21:17:22,528 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (Remoting "c-pc" task-4) resumeAnyTransaction
      21:17:22,674 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) Begin isValid, principal:bomc_admin, cache entry: org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@2253d4bf
      21:17:22,676 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) Begin validateCache, info=org.jboss.security.authentication.JBossCachedAuthenticationManager$DomainInfo@2253d4bf;credential.class=java.lang.String@745957924
      21:17:22,677 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) End validateCache, isValid=true
      21:17:22,678 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 3) End isValid, true
      21:17:22,679 ERROR [org.jboss.ejb3.invocation] (EJB default - 3) JBAS014134: EJB Invocation failed on component SecureEJB for method public abstract java.lang.String de.bomc.server.core.service.security.RemoteSecure.getSecurityInfo(): javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String de.bomc.server.core.service.security.RemoteSecure.getSecurityInfo() of bean: SecureEJB is not allowed

       

       

      In the end I get a javax.ejb.EJBAccessException. What is missing or wrong?


      Many thanks in advance for any help in this regard.