0 Replies Latest reply on Nov 16, 2012 12:42 PM by Christophe Fillot

    Remoting and security domains (Jboss 7.1.1)

    Christophe Fillot Newbie

Hello,

I've an application with EJBs that need to check users and roles. The EJBs are called in two ways:

- By web servlets;
- By a remote standalone client, using remoting on port 4447;

The authentication methods are different for the remote part and the servlets (Jasig CAS, with CASLoginModule).

The domain used by the web part is called "cas-auth" (specified in jboss-web.xml) and is defined like this:

    <security-domain name="cas-auth" cache-type="default">
        <authentication>
            <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required" module="cas">
                <module-option name="ticketValidatorClass" value="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"/>
                <module-option name="casServerUrlPrefix" value="https://cas-server.internal/cas"/>
                <module-option name="principalGroupName" value="CallerPrincipal"/>
                <module-option name="roleGroupName" value="Roles"/>
                <module-option name="defaultRoles" value="cas-user"/>
            </login-module>
        </authentication>
    </security-domain>

The domain used by EJBs is called "domain1" (specified in jboss-ejb3.xml), and is defined as follows:

    <security-domain name="domain1" cache-type="default">
        <authentication>
            <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
            </login-module>
            <login-module code="fr.utc.dsi.jboss.DatabaseRoleLoginModule" flag="required" module="fr.utc.dsi.jboss">
                <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
                <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
            </login-module>
        </authentication>
    </security-domain>

The DatabaseRoleLoginModule is a custom module I wrote, by extending DatabaseServerLoginModule, but which doesn't check usernames (to sum up, the login method always returns true). It simply fetches additional roles from a database. I can provide the code for it if needed.

The servlet -> EJB part works. I wanted to add support for remoting, and after a lot of trial and error, I could get something working with the following configuration:

    <security-realm name="RemotingRealm">
        <authentication>
            <jaas name="other"/>
        </authentication>
    </security-realm>

    <subsystem xmlns="urn:jboss:domain:remoting:1.1">
        <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
    </subsystem>

(If I kept the "default" configuration, I got UUIDs as usernames.)

At the client level, I use the following for jboss-client-ejb.properties (I found the xnio options by browsing the forums):

    endpoint.name=my-remote-client
    remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

    remote.connections=default

    remote.connection.default.host=127.0.0.1
    remote.connection.default.port=4447
    remote.connection.default.username=SECRET_USERNAME
    remote.connection.default.password=SECRET_PASSWORD
    remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
    remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

And for jndi.properties:

    java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
    java.naming.provider.url=remote://127.0.0.1:4447
    java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
    java.naming.security.principal=SECRET_USERNAME
    java.naming.security.credentials=SECRET_PASSWORD
    jboss.naming.client.ejb.context=true
    jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

"SECRET_USERNAME" has role entries in the database (and is defined in application-users.properties).

Since I'm a total beginner with JBoss, I would like to have opinions about all of the above. Is it the correct way to do it, or is it a total mess? I know the JAAS/SASL part in clear text is not secure (I can indeed see the username/password by using Wireshark).

BTW, I tried to use role mapping in the "domain1" security domain with the following configuration (instead of using my custom LoginModule):

    <mapping>
        <mapping-module code="DatabaseRoles" type="role">
            <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
            <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
        </mapping-module>
    </mapping>

But if I remove the custom LoginModule, I get a "Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored" exception. I guess this is because no module handled the authentication. I thought of using ClientLoginModule, but if I use it, I get this message:

    17:14:39,578 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] (EJB default - 1) Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other

I don't understand why the domain seems to be changed to "CLIENT_LOGIN_MODULE".

Do I have to create some custom dummy LoginModule that would always return "true" for the login() method?

Thanks in advance for any help and comments!
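As an added illustration (not the poster's DatabaseRoleLoginModule and not JBoss project code) of the password-stacking contract the "domain1" stack relies on: a roles-only login module built on PicketBox's AbstractServerLoginModule that accepts the identity the optional "Remoting" module left in the JAAS shared state, falls back to the caller name the container propagates on the servlet -> EJB path, and fails instead of silently succeeding when neither yields a name. The class name is hypothetical; it reads the same dsJndiName and rolesQuery options as the post's configuration and assumes column 1 of the query is the role name.

```java
import java.security.Principal;
import java.security.acl.Group;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.naming.InitialContext;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.sql.DataSource;
import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

// Hypothetical module: attaches database roles to an identity established earlier; it never validates a password itself.
public class RoleFetchingLoginModule extends AbstractServerLoginModule {
    private Principal identity;
    @Override public boolean login() throws LoginException {
        // With password-stacking=useFirstPass, super.login() is true only when a previous
        // module (the "Remoting" one here) stored name and credential in sharedState.
        if (super.login()) {
            Object n = sharedState.get("javax.security.auth.login.name");
            identity = (n instanceof Principal) ? (Principal) n : new SimplePrincipal(String.valueOf(n));
            return true;
        }
        // Otherwise (servlet -> EJB call) take the caller name the container propagated.
        NameCallback nc = new NameCallback("User name: ");
        try { callbackHandler.handle(new Callback[] { nc }); }
        catch (Exception e) { throw new LoginException("callback failed: " + e.getMessage()); }
        if (nc.getName() == null || nc.getName().isEmpty())
            throw new FailedLoginException("no caller identity to attach roles to");
        identity = new SimplePrincipal(nc.getName());
        loginOk = true;                       // lets commit() add the identity and roles
        return true;
    }
    @Override protected Principal getIdentity() { return identity; }
    @Override protected Group[] getRoleSets() throws LoginException {
        String ds = (String) options.get("dsJndiName"), query = (String) options.get("rolesQuery");
        SimpleGroup roles = new SimpleGroup("Roles");         // group name JBoss reads roles from
        try (Connection c = ((DataSource) new InitialContext().lookup(ds)).getConnection();
             PreparedStatement ps = c.prepareStatement(query)) {
            ps.setString(1, identity.getName());
            try (ResultSet rs = ps.executeQuery()) {
                while (rs.next()) roles.addMember(new SimplePrincipal(rs.getString(1)));
            }
        } catch (Exception e) { throw new LoginException("role query failed: " + e.getMessage()); }
        return new Group[] { roles };
    }
}
```

Deployed in place of the custom module with the same module-option names, the "all modules ignored" failure still surfaces whenever no upstream identity exists, which is the behaviour you want rather than a login() that unconditionally returns true.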