2 Replies Latest reply on Nov 14, 2012 8:53 AM by Craig Giordano

    Authentication working for EJBs but not for JNDI look up.

    Craig Giordano Newbie

      After much searching I cannot find the configuration piece I am missing to be able to look up a remote connection factory via JNDI when security is in place.  Oddly enough, I am able to access EJBs which are secured.  I am using JBoss AS 7.1.1.Final.  Here are the details:

       

      In my standalone.xml file I have my own security realm

       

      <management>

              <security-realms> . . .

                 

                  <security-realm name="Paragon2Realm">

                      <authentication>

                          <jaas name="Paragon2Domain"/>

                      </authentication>

                  </security-realm>

              </security-realms>

            

      </management>

       

      Pointing to my security domain

       

      <security-domain name="Paragon2Domain" cache-type="default">

          <authentication>

              <login-module code="Database" flag="required">

                  <module-option name="dsJndiName" value="java:jboss/datasources/Paragon2DS"/>

                  <module-option name="principalsQuery" value="select PASSWORD from PARAGON2_USER where USER_NAME = ?"/>

                  <module-option name="password-stacking" value="useFirstPass"/>

                  <module-option name="realm" value="Paragon2Realm"/>

                  <module-option name="hashAlgorithm" value="SHA-256"/>

              </login-module>

              <login-module code="Remoting" flag="optional">

                  <module-option name="password-stacking" value="useFirstPass"/>

              </login-module>

          </authentication>

      </security-domain>

       

      and the security realm is referenced in the remote configuration

       

      <subsystem xmlns="urn:jboss:domain:remoting:1.1">

          <connector name="remoting-connector" socket-binding="remoting" security-realm="Paragon2Realm"/>

      </subsystem>

       

      I am able to successfully call an EJB using the following settings in jboss-ejb-client.properties

      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

      remote.connections=default

      remote.connection.default.host=localhost

      remote.connection.default.port=4447

      remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

      remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

      remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

      remote.connection.default.username=aeinstein

      remote.connection.default.password=e=mc2

      java.naming.factory.url.pkgs=org.jboss.ejb.client.naming

       

      When I try to do a JNDI look up like this:

       

      Properties props = new Properties();

      props.setProperty("java.naming.factory.initial", "org.jboss.naming.remote.client.InitialContextFactory");

      props.setProperty("java.naming.provider.url", "remote://localhost:4447");

      props.setProperty("java.naming.security.principal", "aeinstein");

      props.setProperty("java.naming.security.credentials", "e=mc2");

       

      Context ctx = new InitialContext(props);

      Object object = ctx.lookup("jms/RemoteConnectionFactory");

      System.out.println("Object = " + object);

       

      I get the following error:

       

      Exception in thread "main" javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]

          at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)

          at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)

          at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)

          at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)

          at javax.naming.InitialContext.init(InitialContext.java:242)

          at javax.naming.InitialContext.<init>(InitialContext.java:216)

          at com.ierin.paragon2.client.JmsTest.main(JmsTest.java:29)

          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

          at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

          at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

          at java.lang.reflect.Method.invoke(Method.java:601)

          at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)

      Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

          at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)

          at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:56)

          at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:166)

          at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:139)

          at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:104)

          ... 10 more

      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)

          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)

          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)

          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)

          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

          at org.xnio.nio.NioHandle.run(NioHandle.java:90)

          at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)

          at ...asynchronous invocation...(Unknown Source)

          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)

          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)

          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)

          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)

          at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:105)

          at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:55)

          ... 13 more

       

      Nothing appears in the JBoss log, even when set to TRACE.  I see plenty of log entries from the DatabaseServerLoginModule when accessing the EJBs, however.

       

      What am I missing?

        • 1. Re: Authentication working for EJBs but not for JNDI look up.
          Heinz Wilming Newbie

          Using JAAS requires the transmission of the password at transport level in plain text. The deafult is a MD5 hash.

           

          You need to set the following XNIO property for client-side transport:

           

          "jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false"
          

           

          As example:

           

           

          Properties props = new Properties();

          props.setProperty("java.naming.factory.initial", "org.jboss.naming.remote.client.InitialContextFactory");

          props.setProperty("java.naming.provider.url", "remote://localhost:4447");

          props.setProperty("java.naming.security.principal", "aeinstein");

          props.setProperty("java.naming.security.credentials", "e=mc2");



          props.setProperty("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");


           

          Context ctx = new InitialContext(props);

          Object object = ctx.lookup("jms/RemoteConnectionFactory");

          System.out.println("Object = " + object);