Passing a custom Principal object from a standalone client to JBoss AS 7.1.1
ecimon Apr 19, 2013 8:26 AM

I'm migrating a JBoss 5.1.0.GA setup to 7.1.1.Final and I'm struggling with some authentication issues that I could really use some guidance with, since I'm running out of ideas at the moment. What I'm trying to achieve is to pass a custom principal object ("com.example.SomePrincipal") to a server login module ("com.example.MyLoginModule") in an application-specific security domain ("MyDomain").
What I've tried so far on the client side:
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.InitialContext;
    import org.junit.Test;
    import com.example.MySecurityClient;
    import com.example.services.EchoRemote;

    class StandaloneClientTest {

        @Test
        public void testConnection() throws Exception {
            Hashtable<String, Object> params = new Hashtable<String, Object>();
            params.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
            params.put(Context.PROVIDER_URL, "remote://127.0.0.1:4447/");
            // params.put(Context.SECURITY_PRINCIPAL, "user"); // Implies org.jboss.security.SimplePrincipal
            // params.put(Context.SECURITY_CREDENTIALS, "qwerty");
            params.put("jboss.naming.client.ejb.context", true);
            InitialContext ctx = new InitialContext(params);
            EchoRemote service = (EchoRemote) ctx.lookup("MyApp/SecureServiceBean!com.example.services.EchoRemote");

            // This used to work on JBoss 5.1 and seems to be ignored on 7.1.1.Final
            MySecurityClient cl = (MySecurityClient) org.jboss.security.client.SecurityClientFactory
                    .getSecurityClient("com.example.MySecurityClient");
            cl.setSomeClientSpecificAttributes(...);
            cl.login();
            service.doSomething();
            cl.logout();
        }
    }
EJB:
    import javax.ejb.Remote;
    import javax.ejb.Stateless;
    import org.jboss.ejb3.annotation.SecurityDomain;
    import com.example.services.EchoRemote;

    @Stateless
    @Remote(EchoRemote.class)
    @SecurityDomain("MyDomain") // Configured in standalone.xml ("authentication" contains "Remoting" and a custom "Database" login-module that's aware of the principal in question)
    public class SecureServiceBean implements EchoRemote {

        @Override
        public String doSomething() {
            String msg = "Secure test...";
            System.out.println(msg);
            return msg;
        }
    }
Client output:
Apr 19, 2013 11:33:27 AM org.jboss.remoting3.remote.RemoteConnection handleException
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Server output (setting SECURITY_PRINCIPAL/SECURITY_CREDENTIALS will imply an authentication attempt to my MyDomain):
11:33:27,049 TRACE [org.jboss.remoting.remote] Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@2193be98
11:33:27,050 TRACE [org.jboss.remoting.remote.server] No EXTERNAL mechanism due to explicit exclusion
11:33:27,050 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@1251ac5c
11:33:27,050 TRACE [org.jboss.remoting.remote.server] Added mechanism JBOSS-LOCAL-USER
11:33:27,050 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@300ad569
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Added mechanism DIGEST-MD5
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@1740f923
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Excluding mechanism PLAIN because it is not in the allowed list
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@2aa474c2
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.ntlm.FactoryImpl@12ed826d
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism NTLM because it is not in the allowed list
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@270dcbd0
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding repeated occurrence of mechanism DIGEST-MD5
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@7abfd8b7
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism CRAM-MD5 because it is not in the allowed list
11:33:27,053 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@492d1556
11:33:27,053 TRACE [org.jboss.remoting.remote.server] Excluding mechanism GSSAPI because it is not in the allowed list
11:33:27,053 TRACE [org.jboss.remoting.remote.connection] Sent message java.nio.HeapByteBuffer[pos=42 lim=42 cap=8192] (direct)
Any input on this would be greatly appreciated.
Thanks,
Simon
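The server TRACE output above is the most useful diagnostic in the post: it lists which SASL mechanisms the remoting endpoint offered the client and which it refused. The following is an added example, not code from the post or from JBoss, that parses that log format and reports the offered and excluded mechanisms, then applies two assumed prerequisites (JBOSS-LOCAL-USER needs a client on the server host that can read the server's local auth directory; DIGEST-MD5 needs a username and password) to say which offered mechanisms a given client could satisfy. The sample log is constructed from the lines quoted above; the prerequisite rules are the author's assumptions, not something the post states.

```python
import re
from typing import Dict, List

# Constructed sample input: a subset of the server TRACE output quoted in the post above.
SAMPLE_LOG = """\
11:33:27,050 TRACE [org.jboss.remoting.remote.server] No EXTERNAL mechanism due to explicit exclusion
11:33:27,050 TRACE [org.jboss.remoting.remote.server] Added mechanism JBOSS-LOCAL-USER
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Added mechanism DIGEST-MD5
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Excluding mechanism PLAIN because it is not in the allowed list
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism NTLM because it is not in the allowed list
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding repeated occurrence of mechanism DIGEST-MD5
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism CRAM-MD5 because it is not in the allowed list
11:33:27,053 TRACE [org.jboss.remoting.remote.server] Excluding mechanism GSSAPI because it is not in the allowed list
11:33:27,053 TRACE [org.jboss.remoting.remote.connection] Sent message java.nio.HeapByteBuffer[pos=42 lim=42 cap=8192] (direct)
"""

# Patterns for the four message shapes that appear in the negotiation trace.
ADDED = re.compile(r"\] Added mechanism (\S+)\s*$")
EXCLUDED = re.compile(r"\] Excluding mechanism (\S+) because (.+?)\s*$")
NOT_REGISTERED = re.compile(r"\] No (\S+) mechanism due to (.+?)\s*$")
REPEATED = re.compile(r"\] Excluding repeated occurrence of mechanism (\S+)\s*$")


def parse_sasl_negotiation(log_text: str) -> Dict[str, object]:
    """Return the mechanisms the server offered, the ones it rejected (with the
    server's stated reason) and duplicate factory registrations it skipped."""
    offered: List[str] = []
    excluded: Dict[str, str] = {}
    repeated: List[str] = []
    for line in log_text.splitlines():
        if m := ADDED.search(line):
            offered.append(m.group(1))
        elif m := EXCLUDED.search(line):
            excluded[m.group(1)] = m.group(2)
        elif m := NOT_REGISTERED.search(line):
            excluded[m.group(1)] = m.group(2)
        elif m := REPEATED.search(line):
            # A second SASL factory for a mechanism already offered; nothing new for the client.
            repeated.append(m.group(1))
    return {"offered": offered, "excluded": excluded, "repeated": repeated}


# Assumed prerequisites (general JBoss AS 7 / SASL knowledge, not stated in the post):
#   JBOSS-LOCAL-USER: the server writes a challenge file that the client must read back,
#                     so the client must run on the server host with access to that directory.
#   DIGEST-MD5 / PLAIN / CRAM-MD5: the client must present a username and password that
#                     the realm behind the remoting connector knows.
PASSWORD_MECHANISMS = {"DIGEST-MD5", "PLAIN", "CRAM-MD5"}


def usable_mechanisms(offered: List[str], has_credentials: bool,
                      client_on_server_host: bool) -> List[str]:
    """Filter the server's offered list down to what this client could complete."""
    usable: List[str] = []
    for mech in offered:
        if mech == "JBOSS-LOCAL-USER" and client_on_server_host:
            usable.append(mech)
        elif mech in PASSWORD_MECHANISMS and has_credentials:
            usable.append(mech)
    return usable


if __name__ == "__main__":
    result = parse_sasl_negotiation(SAMPLE_LOG)
    print("offered :", result["offered"])
    print("excluded:", result["excluded"])
    # Mirror the posted client: SECURITY_PRINCIPAL/SECURITY_CREDENTIALS commented out.
    print("usable without credentials, remote client:",
          usable_mechanisms(result["offered"], has_credentials=False, client_on_server_host=False))
```

Run against the trace quoted above, the offered set is JBOSS-LOCAL-USER and DIGEST-MD5 only; every password-less or external option (EXTERNAL, PLAIN, NTLM, CRAM-MD5, GSSAPI) was excluded by the server's allowed list. A client that sets neither SECURITY_PRINCIPAL nor SECURITY_CREDENTIALS gives DIGEST-MD5 nothing to work with, and JBOSS-LOCAL-USER only helps if the client process can read the server's local auth directory, which is consistent with the "all available authentication mechanisms failed" message on the client side. Whatever principal the application's security domain ("MyDomain") later sees, this remoting-level SASL step has to succeed first.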