1 Reply Latest reply on Apr 27, 2013 11:02 AM by pref

    Passing a custom Principal object from a standalone client to JBoss AS 7.1.1

    ecimon

      I'm migrating a JBoss 5.1.0.GA setup to 7.1.1.Final and I'm struggling with some authentication issues that I could really use some guidance with, since I'm running out of ideas at the moment. What I'm trying to achieve is to pass a custom principal object ("com.example.SomePrincipal") to a server login module ("com.example.MyLoginModule") in an application-specific security domain ("MyDomain").

       

      What I've tried so far on the client side:

      import java.util.Hashtable;

      import javax.naming.Context;
      import javax.naming.InitialContext;

      import org.junit.Test;

      import com.example.MySecurityClient;
      import com.example.services.EchoRemote;

      class StandaloneClientTest {

          @Test
          public void testConnection() throws Exception {
              Hashtable<String, Object> params = new Hashtable<String, Object>();
              params.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
              params.put(Context.PROVIDER_URL, "remote://127.0.0.1:4447/");
              // params.put(Context.SECURITY_PRINCIPAL, "user"); // Implies org.jboss.security.SimplePrincipal
              // params.put(Context.SECURITY_CREDENTIALS, "qwerty");
              params.put("jboss.naming.client.ejb.context", true);

              InitialContext ctx = new InitialContext(params);
              EchoRemote service = (EchoRemote) ctx.lookup("MyApp/SecureServiceBean!com.example.services.EchoRemote");

              // This used to work on JBoss 5.1 and seems to be ignored on 7.1.1.Final
              MySecurityClient cl = (MySecurityClient) org.jboss.security.client.SecurityClientFactory.getSecurityClient("com.example.MySecurityClient");
              cl.setSomeClientSpecificAttributes(...);
              cl.login();

              service.doSomething();

              cl.logout();
          }
      }
      

       

      EJB:

      import javax.ejb.Remote;
      import javax.ejb.Stateless;

      import org.jboss.ejb3.annotation.SecurityDomain;

      import com.example.services.EchoRemote;

      @Stateless
      @Remote(EchoRemote.class)
      @SecurityDomain("MyDomain") // Configured in standalone.xml ("authentication" contains "Remoting" and a custom "Database" login-module that's aware of the principal in question)
      public class SecureServiceBean implements EchoRemote {

          @Override
          public String doSomething() {
              String msg = "Secure test...";
              System.out.println(msg);
              return msg;
          }
      }
      

       

       

      Client output:

      Apr 19, 2013 11:33:27 AM org.jboss.remoting3.remote.RemoteConnection handleException
      ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      Server output (setting SECURITY_PRINCIPAL/SECURITY_CREDENTIALS will imply an authentication attempt to my MyDomain):

      11:33:27,049 TRACE [org.jboss.remoting.remote] Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@2193be98
      11:33:27,050 TRACE [org.jboss.remoting.remote.server] No EXTERNAL mechanism due to explicit exclusion
      11:33:27,050 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@1251ac5c
      11:33:27,050 TRACE [org.jboss.remoting.remote.server] Added mechanism JBOSS-LOCAL-USER
      11:33:27,050 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@300ad569
      11:33:27,051 TRACE [org.jboss.remoting.remote.server] Added mechanism DIGEST-MD5
      11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@1740f923
      11:33:27,051 TRACE [org.jboss.remoting.remote.server] Excluding mechanism PLAIN because it is not in the allowed list
      11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@2aa474c2
      11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.ntlm.FactoryImpl@12ed826d
      11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism NTLM because it is not in the allowed list
      11:33:27,052 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@270dcbd0
      11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding repeated occurrence of mechanism DIGEST-MD5
      11:33:27,052 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@7abfd8b7
      11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism CRAM-MD5 because it is not in the allowed list
      11:33:27,053 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@492d1556
      11:33:27,053 TRACE [org.jboss.remoting.remote.server] Excluding mechanism GSSAPI because it is not in the allowed list
      11:33:27,053 TRACE [org.jboss.remoting.remote.connection] Sent message java.nio.HeapByteBuffer[pos=42 lim=42 cap=8192] (direct)

       

      Any input on this would be greatly appreciated.

       

      Thanks,

      Simon
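
Added example, not part of the original post: a Python parser over the server TRACE lines quoted above that reports which SASL mechanisms the Remoting connector offered, which it excluded and why, and which factories logged no outcome at all. The names `summarize` and `TRACE` and the regexes are this example's own, and it assumes the message wording shown in the post's log.

```python
import re

# Server TRACE lines copied from the post (mechanism negotiation only).
TRACE = """\
11:33:27,050 TRACE [org.jboss.remoting.remote.server] No EXTERNAL mechanism due to explicit exclusion
11:33:27,050 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@1251ac5c
11:33:27,050 TRACE [org.jboss.remoting.remote.server] Added mechanism JBOSS-LOCAL-USER
11:33:27,050 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@300ad569
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Added mechanism DIGEST-MD5
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@1740f923
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Excluding mechanism PLAIN because it is not in the allowed list
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@2aa474c2
11:33:27,051 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.ntlm.FactoryImpl@12ed826d
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism NTLM because it is not in the allowed list
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@270dcbd0
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding repeated occurrence of mechanism DIGEST-MD5
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@7abfd8b7
11:33:27,052 TRACE [org.jboss.remoting.remote.server] Excluding mechanism CRAM-MD5 because it is not in the allowed list
11:33:27,053 TRACE [org.jboss.remoting.remote.server] Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@492d1556
11:33:27,053 TRACE [org.jboss.remoting.remote.server] Excluding mechanism GSSAPI because it is not in the allowed list
"""

TRYING = re.compile(r"Trying SASL server factory ([\w.$]+)@")
ADDED = re.compile(r"Added mechanism (\S+)")
EXCLUDED = re.compile(r"Excluding mechanism (\S+) because (.+)$")
REPEAT = re.compile(r"Excluding repeated occurrence of mechanism (\S+)")
NO_MECH = re.compile(r"\bNo (\S+) mechanism due to (.+)$")

def summarize(trace):
    """Return (offered, excluded, silent) for one connection's negotiation."""
    offered, excluded, silent, pending = [], {}, [], None
    for line in trace.splitlines():
        if m := TRYING.search(line):
            if pending:  # previous factory logged neither "Added" nor "Excluding"
                silent.append(pending)
            pending = m.group(1)
        elif m := ADDED.search(line):
            offered.append(m.group(1))
            pending = None
        elif m := EXCLUDED.search(line):
            excluded[m.group(1)] = m.group(2)
            pending = None
        elif REPEAT.search(line):  # duplicate of an already-offered mechanism
            pending = None
        elif m := NO_MECH.search(line):
            excluded[m.group(1)] = m.group(2)
    if pending:
        silent.append(pending)
    return offered, excluded, silent
```

On the post's log, `summarize(TRACE)` returns JBOSS-LOCAL-USER and DIGEST-MD5 as the only offered mechanisms, and lists the anonymous factory as having produced no mechanism.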