2 Replies Latest reply on Jan 6, 2014 10:24 AM by Julien Kronegg

    Remoting login module does not work if authentication is JAAS-based

    Vlad Arkhipov Newbie

      Hello,

      I'm using JBoss EAP 6.1.0-Alpha. As the documentation says:

      • Remoting

      The Remoting login module is used to check if the request currently being authenticated is a request received over a Remoting connection; if so, the identity that was created during the authentication process is used and associated with the current request.

      If the request did not arrive over a Remoting connection this module does nothing and allows the JAAS based login to continue to the next module.

      However, if you use a JAAS-based security realm to authenticate remoting calls, this module does not work as expected. Remoting uses "RemotingRealm" (which uses JAAS authentication via the "remoting-domain" security domain); my application uses "application-domain". There is a user "ejb" in both domains, but the passwords are different.

      Here is the configuration (standalone.xml):

      <management>
        ...
        <security-realms>
          <security-realm name="RemotingRealm">
            <authentication>
              <jaas name="remoting-domain"/>
            </authentication>
          </security-realm>
        </security-realms>
      </management>
      ...
      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
        <connector name="remoting-connector" socket-binding="remoting" security-realm="RemotingRealm"/>
      </subsystem>
      ...
      <subsystem xmlns="urn:jboss:domain:security:1.2">
        <security-domains>
          ...
          
          <security-domain name="remoting-domain" cache-type="default">
            <authentication>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="usersProperties" value="${jboss.server.config.dir}/x-users.properties"/>
                <module-option name="rolesProperties" value="${jboss.server.config.dir}/x-roles.properties"/>
                <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
            </authentication>
          </security-domain>
      
          <security-domain name="application-domain" cache-type="default">
            <authentication>
              <login-module code="Remoting" flag="optional">
                <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                <module-option name="usersProperties" value="${jboss.server.config.dir}/y-users.properties"/>
                <module-option name="rolesProperties" value="${jboss.server.config.dir}/y-roles.properties"/>
                <module-option name="password-stacking" value="useFirstPass"/>
              </login-module>
            </authentication>
          </security-domain>
        </security-domains>
      </subsystem>

      If I invoke a remote call, it first authenticates the user via "remoting-domain", then tries to authenticate the user one more time using "application-domain". The Remoting login module does not get the already authenticated identity from the "remoting-domain" domain.

      However, if you use a non-JAAS-based security realm for "RemotingRealm" (for example, if you switch it to "ApplicationRealm" and create a user in application-users.properties), the "Remoting" login module works as expected: UsersRolesLoginModule in "application-domain" receives an already authenticated identity and does not try to authenticate the user. I debugged it a bit and found that the problem arises because org.jboss.as.security.service.SimpleSecurityManager.push clears the RemotingContext if the current subject contains private password credentials, and this is the case only if JAAS authentication was used (see org.jboss.as.domain.management.security.JaasCallbackHandler.handle).
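As an added illustration (my own model, not JBoss code or the poster's), here is a small Python model of the two login-module chains from the post. It reproduces the reported behaviour under the assumption, taken from the last paragraph above, that only the JAAS-backed realm leaves private password credentials on the subject, which then causes the remoting context to be cleared before the application-domain chain runs. The user maps and passwords are constructed.

```python
# Added example, not JBoss code: a model of the two login-module chains described in the post.
# Constructed stand-ins for x-users.properties (remoting-domain) and y-users.properties
# (application-domain); the user "ejb" exists in both with different passwords, as in the post.
REMOTING_USERS = {"ejb": "remoting-secret"}
APP_USERS = {"ejb": "app-secret"}


def remoting_realm_login(user, password, jaas_realm):
    """RemotingRealm check. Returns a subject dict, or None if the password is wrong.
    Assumption from the post: only the JAAS-backed realm leaves the password on the
    subject as a private credential; the properties-backed realm does not."""
    if REMOTING_USERS.get(user) != password:
        return None
    return {"principal": user, "private_password": password if jaas_realm else None}


def push_remoting_context(subject):
    """Model of the reported SimpleSecurityManager.push behaviour: the remoting
    identity is dropped when the subject carries private password credentials."""
    return None if subject["private_password"] is not None else subject["principal"]


def application_domain_login(remoting_ctx, user, password):
    """application-domain chain: Remoting (optional) then UsersRolesLoginModule (required),
    both with password-stacking=useFirstPass sharing a name/password map."""
    shared = {}
    # Remoting module: if the request came over a remoting connection whose identity is
    # still in the context, publish that identity; otherwise do nothing (flag=optional).
    if remoting_ctx is not None:
        shared["javax.security.auth.login.name"] = remoting_ctx
        shared["javax.security.auth.login.password"] = None
    # UsersRolesLoginModule with useFirstPass: a name already in the shared map is
    # accepted as authenticated; otherwise the caller's credentials are checked again.
    if "javax.security.auth.login.name" in shared:
        return shared["javax.security.auth.login.name"]
    return user if APP_USERS.get(user) == password else None


def invoke_remote_ejb(user, password, jaas_realm):
    """Full path of one remote EJB call. Returns (remoting context, application
    principal); None in the second slot is the failed second authentication."""
    subject = remoting_realm_login(user, password, jaas_realm)
    if subject is None:
        return None
    ctx = push_remoting_context(subject)
    return ctx, application_domain_login(ctx, user, password)


if __name__ == "__main__":
    print("ApplicationRealm:", invoke_remote_ejb("ejb", "remoting-secret", jaas_realm=False))
    print("RemotingRealm (JAAS):", invoke_remote_ejb("ejb", "remoting-secret", jaas_realm=True))
```

With the properties-backed realm the second chain reuses the identity; with the JAAS-backed realm the context is gone and UsersRolesLoginModule re-checks the remoting password against the application users, which fails.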

        • 1. Re: Remoting login module does not work if authentication is JAAS-based
          Arun Varadharajan Newbie

          Facing a similar issue. Did you find any solution?

          -Arun

          • 2. Re: Remoting login module does not work if authentication is JAAS-based
            Julien Kronegg Novice

            I got similar issues with a system where the user can have multiple passwords (typically a standard one and a generated one-time password used for SSO between applications). Typically, the user is logged in with the standard password (let's say "P1") on the main web application and a one-time-password token (let's say "P2") is used to allow access to another application. When both applications are hosted by the same server, I guess the behavior is the following:

            1. the user session contains the cached credentials P1 once logged on
            2. then P2 is "stacked" when the user logs in to the second application (as far as I understood, passwords are stacked, but I'm not sure about that), so we get P1>P2 in the stack
            3. when the user makes EJB calls on the first application, P1 is stacked, so we get P1>P2>P1 in the stack
            4. when the user makes EJB calls on the second application, P2 would be stacked (i.e. P1>P2>P1>P2 in the stack), but the authentication fails since P2 is a one-time password that has already been used during step 2.

            The configuration is described more extensively in another post.

            I ended up removing the EJB security and it suits my expectations (I guess the credentials are not stacked anymore). Of course this is only a quick workaround...