0 Replies Latest reply on Jan 6, 2013 7:57 AM by Joseph Neubauer

    Migration JBoss 6.0.0 --> 7.1.1 EJB invokation and EJB security

    Joseph Neubauer Newbie

      Hello Community,

       

      for a couple of days now I'm trying to migrate our application from 6.0.0 Final to 7.1.1 Final and encounter some problems.

      All problems deal with EJB invokation and EJB security.

       

      A brief description of our application:

       

      • The core is build of EJBs and deployed in an EAR.
      • All EJBs are annotated with @SecurityDomain. The security domain is configured in standalone.xml (on my developer machine). In the simpliest case it is configured with a database login module.
      • There exists different types of clients:
        • A Vaadin Web-Application deployed in a WAR on the same machine and in the same JBoss instance (normally)
        • A Eclipse RCP client

       

      I got the RCP client connected by now, but have still some issues.

       

      1. Connecting my client as described in https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+client+using+JNDI

      using jboss-ejb-client.properties (I assume, this is the prefered way) is not useful for me, because it seems that the security principal is not propagated to the EJBs in the EAR application.

       

      Question 1: Is there any way to achieve the propagation of the principal?

       

      2. Then I connected my client as described in https://docs.jboss.org/author/display/AS71/Remote+EJB+invocations+via+JNDI+-+EJB+client+API+or+remote-naming+project.

      Also the Context.SECURITY_PRINCIPAL is not propagated to the EJBs, although the security domain is active and does a login (Tested with a wrong password ;-)).

      The only way I found to get the principal propagated is the way described in https://community.jboss.org/wiki/JBossAS7RemoteEJBAuthenticationHowto. Thanks to Yann Le Moigne.

        

      Question 2: Is this a proper way to do EJB authentication in JBoss? Formerly I used SecurityClient and SecurityClientFactory (with JBoss 6.0.0).

       

      3. So I was happy (at first ;-)) until I tried to connect the Vaadin application in the same way. I get java.lang.SecurityException: EJB client context selector may not be changed.

      OK, his is server to server communication. So I tried the way described in https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+server+instance. (It is not completely clear to me, why the Vaadin application could not be treated as a normal EJB client).

      This works, but the login module in my security domain is not used and all I get with SessionContext.getCallerPrincipal().getName() is "anonymous".

      Sure, I defined a "special" user "ejb" to connect to the server, didn't I?

      New test: Instead of this line in standalone.xml

      ...

      <remote-outbound-connection name="remote-ejb-connection" outbound-socket-binding-ref="remote-ejb" security-realm="ejb-security-realm" username="ejb">

      ...

        

      I tried:

      ...

      <remote-outbound-connection name="remote-ejb-connection" outbound-socket-binding-ref="remote-ejb" security-realm="mali-security-realm">

      ...

        

      This has no effect. The "mali-security-realm" is the realm used in my application.     

        

      Question 3: Is there (or will be) any way to

      a) use the security domain and its login module AND propagate the security principal?

      b) OR to perform a login like a "normal" remote client?

       

      Maybe I'm completely on the wrong way ... But especially top 3. (Connecting the Vaadin application) prevents the migration to JBoss AS 7.

       

      BTW, this is the code to connect the RCP client:

           

      ...

      final Properties props = new Properties();

      props.put(Context.INITIAL_CONTEXT_FACTORY, org.jboss.naming.remote.client.InitialContextFactory.class.getName());

      props.put(Context.PROVIDER_URL, "remote://localhost:4447");

      props.put("jboss.naming.client.ejb.context", true);

      props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

      props.put("jboss.naming.client.security.callback.handler.class","de.mali.client.security.MyJAASCallbackHandler");

      props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

      MyJAASCallbackHandler.setCredential(user, password);

      ctx = new InitialContext(props);

      ...

       

      MyJAASCallbackHandler is exactly the callback from Yann in https://community.jboss.org/wiki/JBossAS7RemoteEJBAuthenticationHowto.

       

      Any help would be really appreciated!!

       

      Thanks

      Joseph