2 Replies Latest reply on Jan 15, 2013 11:19 AM by enavit

    Custom Login Module: Problems with remote Non-EJB JNDI lookup

    vatpet Newbie

      I am using JBoss AS 7.1.1.Final.

      For authentication I have a custom login module placed in the JBoss static module structure.

      The remote connector on port 4447 is pointing to my own security realm, pointing to my own security domain, poiting to my custom login module.

      For remote EJB lookup the custom login module is called correctly and the lookup (and EJB call) works fine.

      For remote Non-EJB lookup (in my case I want to look up jms/RemoteConnectionFactory) the custom login module is not called for any reason.

       

      The remote EJB lookup and the remote Non-EJB lookup is implemented completely different.

      This is also documented in https://docs.jboss.org/author/display/AS71/Remote+EJB+invocations+via+JNDI+-+EJB+client+API+or+remote-naming+project.

      Unfortunately it seems that the calling of a custom login module is also implemented differently in these two cases.

       

      For remote EJB lookup, I use the following settings for InitialContext creation / lookup / EJB-call:

         java.naming.factory.url.pkgs=org.jboss.ejb.client.naming

         jboss.naming.client.ejb.context=true

         remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

         remote.connections=default

         remote.connection.default.host=localhost

         remote.connection.default.port=4447

         remote.connection.default.username=myuser

         remote.connection.default.password=mypass

         remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

         remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

         remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

      The lookup works fine (no authentication). The autentication is done when the EJB method is called. The custom login module is called at this time. This works as expected. So far so good.

       

      For remote Non-EJB lookup (looking up jms/RemoteConnectionFactory) the settings posted above does not work. Some 'java.naming.*' settings are requested. The 'remote.connection.*' settings seems to be ignored (if they are set or not does not make any difference).

      Here I use the following settings for InitialContext creation and lookup:

         java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory

         java.naming.provider.url=remote://localhost:4447

         java.naming.security.principal=myuser

         java.naming.security.credentials=mypass

      The authentication is done at the lookup (as expected). But the custom login module is never called and the 'javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed' exception is thrown.

      When I use the default ApplicationRealm with the default authentication (Jboss application users) and I create an application user the lookup works.

       

      Does custom login modules for remote Non-EJB lookup work at all ?

      If yes, what are the differencies ? What do I have to change ?

        • 1. Re: Custom Login Module: Problems with remote Non-EJB JNDI lookup
          vatpet Newbie

          Can it be that the problem occurs because there is no security-domain assigned for non-Ejb JNDI lookups (like JMS queue factoy) ?

          Is it possible to assign a security-domain for general JNDI lookups ?

           

          For non-EJB JNDI remote lookups it seems that the security-realm defined in the remoting connector is used for authorization. This works as expected.

          I have tried to link this security-realm with the 'other' security-domain as well as my own custom security-domain but neither of these seems to work.

          I assume this does not work, because the security-domain here is not available at all or set to an (internal) unknown value.

          Witch security-domain name should I use insetad of 'other' to make it work ?

          • 2. Re: Custom Login Module: Problems with remote Non-EJB JNDI lookup
            enavit Newbie

            I have the same problem, please let me know, if you found a solution for it. Thank you.