2 Replies Latest reply on Jan 15, 2013 11:19 AM by enavit

    Custom Login Module: Problems with remote Non-EJB JNDI lookup

    vatpet

      I am using JBoss AS 7.1.1.Final.

      For authentication I have a custom login module placed in the JBoss static module structure.

      The remote connector on port 4447 is pointing to my own security realm, pointing to my own security domain, pointing to my custom login module.

      For remote EJB lookup the custom login module is called correctly and the lookup (and EJB call) works fine.

      For remote Non-EJB lookup (in my case I want to look up jms/RemoteConnectionFactory) the custom login module is not called for any reason.

       

      The remote EJB lookup and the remote Non-EJB lookup are implemented completely differently.

      This is also documented in https://docs.jboss.org/author/display/AS71/Remote+EJB+invocations+via+JNDI+-+EJB+client+API+or+remote-naming+project.

      Unfortunately it seems that the calling of a custom login module is also implemented differently in these two cases.

       

      For remote EJB lookup, I use the following settings for InitialContext creation / lookup / EJB-call:

         java.naming.factory.url.pkgs=org.jboss.ejb.client.naming

         jboss.naming.client.ejb.context=true

         remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

         remote.connections=default

         remote.connection.default.host=localhost

         remote.connection.default.port=4447

         remote.connection.default.username=myuser

         remote.connection.default.password=mypass

         remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

         remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

         remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

      The lookup works fine (no authentication). The authentication is done when the EJB method is called. The custom login module is called at this time. This works as expected. So far so good.

       

      For remote Non-EJB lookup (looking up jms/RemoteConnectionFactory) the settings posted above do not work. Some 'java.naming.*' settings are requested. The 'remote.connection.*' settings seem to be ignored (whether they are set or not does not make any difference).

      Here I use the following settings for InitialContext creation and lookup:

         java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory

         java.naming.provider.url=remote://localhost:4447

         java.naming.security.principal=myuser

         java.naming.security.credentials=mypass

      The authentication is done at the lookup (as expected). But the custom login module is never called and the 'javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed' exception is thrown.

      When I use the default ApplicationRealm with the default authentication (JBoss application users) and I create an application user the lookup works.

       

      Do custom login modules for remote Non-EJB lookup work at all?

      If yes, what are the differences? What do I have to change?

        • 1. Re: Custom Login Module: Problems with remote Non-EJB JNDI lookup
          vatpet

          Can it be that the problem occurs because there is no security-domain assigned for non-EJB JNDI lookups (like JMS queue factory)?

          Is it possible to assign a security-domain for general JNDI lookups?

           

          For non-EJB JNDI remote lookups it seems that the security-realm defined in the remoting connector is used for authorization. This works as expected.

          I have tried to link this security-realm with the 'other' security-domain as well as my own custom security-domain but neither of these seems to work.

          I assume this does not work, because the security-domain here is not available at all or set to an (internal) unknown value.

          Which security-domain name should I use instead of 'other' to make it work?

          • 2. Re: Custom Login Module: Problems with remote Non-EJB JNDI lookup
            enavit

            I have the same problem, please let me know if you found a solution for it. Thank you.