0 Replies Latest reply on Nov 16, 2012 12:42 PM by Christophe Fillot

    Remoting and security domains (Jboss 7.1.1)

    Christophe Fillot Newbie



      I've an application with EJBs that need to check users and roles. The EJBs are called in two ways:


      - By web servlets;

      - By a remote standalone client, using remoting on port 4447;


      The authentication methods are different for the remote part and the servlets (Jasig CAS, with CASLoginModule).


      The domain used by the web part is called "cas-auth" (specified in jboss-web.xml) and is defined like this:


                      <security-domain name="cas-auth" cache-type="default">
                              <login-module code="org.jasig.cas.client.jaas.CasLoginModule" flag="required" module="cas">
                                  <module-option name="ticketValidatorClass" value="org.jasig.cas.client.validation.Cas20ServiceTicketValidator"/>
                                  <module-option name="casServerUrlPrefix" value="https://cas-server.internal/cas"/>
                                  <module-option name="principalGroupName" value="CallerPrincipal"/>
                                  <module-option name="roleGroupName" value="Roles"/>
                                  <module-option name="defaultRoles" value="cas-user"/>
                              </login-module>
                      </security-domain>





      The domain used by EJBs is called "domain1" (specified in jboss-ejb3.xml), and is defined as follows:


                      <security-domain name="domain1" cache-type="default">
                              <login-module code="Remoting" flag="optional">
                                  <module-option name="password-stacking" value="useFirstPass"/>
                              </login-module>
                              <login-module code="fr.utc.dsi.jboss.DatabaseRoleLoginModule" flag="required" module="fr.utc.dsi.jboss">
                                  <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
                                  <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
                              </login-module>
                      </security-domain>





      The DatabaseRoleLoginModule is a custom module I wrote, by extending DatabaseServerLoginModule, but which doesn't check usernames (to sum up, the login method always returns true). It simply fetches additional roles from a database. I can provide the code for it if needed.


      The servlet -> EJB part works. I wanted to add support for remoting, and after a lot of trial and error, I could get something working with the following configuration:


                  <security-realm name="RemotingRealm">
                          <jaas name="other"/>
                  </security-realm>

              <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                  <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
              </subsystem>



      (If I kept the "default" configuration, I got UUID as usernames).


      At the client level, I use the following for jboss-client-ejb.properties (I found xnio options by browsing the forums):














      And for jndi.properties:










      "SECRET_USERNAME" has role entries in the database (and is defined in application-users.properties).


      Since I'm a total beginner with Jboss, I would like to have opinions about all of the above. Is it the correct way to do it, or is it a total mess? I know the JAAS/SASL part in clear-text is not secure (I can indeed see the username/password by using wireshark).


      BTW, I tried to use role mapping in "domain1" security domain with the following configuration (instead of using my custom LoginModule):



                              <mapping-module code="DatabaseRoles" type="role">
                                  <module-option name="dsJndiName" value="java:jboss/datasources/accounts"/>
                                  <module-option name="rolesQuery" value="select groupname,'Roles' from accounts_groups where username=?"/>
                              </mapping-module>




      But if I remove the custom LoginModule, I get a "Login failure: javax.security.auth.login.LoginException: Login Failure: all modules ignored" exception. I guess this is because no module handled the authentication. I thought of using ClientLoginModule, but if I use it, I get this message:


      17:14:39,578 TRACE [org.jboss.security.plugins.mapping.JBossMappingManager] (EJB default - 1) Application Policy not found for domain=CLIENT_LOGIN_MODULE.Mapping framework will use the default domain:other

      I don't understand why the domain seems to be changed to "CLIENT_LOGIN_MODULE".

      Do I have to create some custom dummy LoginModule that would always return "true" for the login() method?


      Thanks in advance for any help and comments!