13 Replies Latest reply on May 13, 2013 3:18 AM by k koushik

    Jboss 7.2 Custom login module Ejb invocation error

    k koushik Newbie

      Hi we are using the Jboss 7.2. when i use prediefined configuration with ApplicationRelm, the ejb invocation goes through without any error.

      How ever if i make use of my own custom login module, I get below exception

      15:52:37,724 ERROR connection:105 - JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

      javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://127.0.0.1:4447]

      javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://127.0.0.1:4447]

          at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:200)

          at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:131)

          at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:112)

          at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:223)

          at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)

          at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)

          at javax.naming.InitialContext.lookup(Unknown Source)

          at Client.main(Client.java:37)

       

      here is my security domain configuration

        <security-domain name="ejb-security-domain" cache-type="default">

                          <authentication>

                              <login-module code="test.security.auth.spi.ServerLoginModule" flag="required" module="mymodule"/>                       

                         </authentication>

                      </security-domain>

      <security-realm name="ApplicationRealm">

                      <authentication>

                      <jaas name="ejb-security-domain"/>

                          <!--local default-user="$local" allowed-users="*"/>

                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                      </authentication>

                      <authorization>

                          <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

                      </authorization-->

                      </authentication>

                  </security-realm>

      if i remove the jaas from ApplicationRealm and retain the commented out part above everything goes fine

      Can anybody guide me if i am missing some thing over here

       

      Thanks in advance

        • 1. Re: Jboss 7.2 Custom login module Ejb invocation error
          k koushik Newbie

          Can any one please help me over here

          • 2. Re: Jboss 7.2 Custom login module Ejb invocation error
            Tomaz Cerar Master

            enable trace logging for org.jboss.as.security and org.jboss.securtiy

             

            that will show you what is going on.

            • 3. Re: Jboss 7.2 Custom login module Ejb invocation error
              k koushik Newbie

              After i enabled to client side log i see the following exception trace

              .RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

                  at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:180)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:131)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:112)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:223)

                  at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)

                  at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)

                  at javax.naming.InitialContext.lookup(InitialContext.java:411)

                  at ClassA.main(ClassA.java:42)

              Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

                  at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:382)

                  at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:225)

                  at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

                  at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)

                  at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)

                  at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)

                  at org.xnio.nio.NioHandle.run(NioHandle.java:90)

                  at org.xnio.nio.WorkerThread.run(WorkerThread.java:187)

                  at ...asynchronous invocation...(Unknown Source)

                  at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)

                  at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)

                  at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)

                  at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)

                  at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:105)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:179)

                  ... 7 more

               

              javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://10.64.66.191:4447]

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.failOverSequence(HaRemoteNamingStore.java:200)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.namingStore(HaRemoteNamingStore.java:131)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.namingOperation(HaRemoteNamingStore.java:112)

                  at org.jboss.naming.remote.client.HaRemoteNamingStore.lookup(HaRemoteNamingStore.java:223)

                  at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:79)

                  at org.jboss.naming.remote.client.RemoteContext.lookup(RemoteContext.java:83)javax.naming.NamingException: Failed to connect to any server. Servers tried: [remote://10.64.66.191:4447]

               

                  at javax.naming.InitialContext.lookup(InitialContext.java:411)

                  at ClassA.main(ClassA.java:42)

              • 4. Re: Jboss 7.2 Custom login module Ejb invocation error
                k koushik Newbie

                Added the trace level logs for org.jboss.security and org.jboss.as.security but it did not showed any error

                further i added trace level for org.jboss.remoting and the following message were displayed. anything wrong going on here?

                 

                21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capabilities request

                21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capability: version 1

                21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"

                21:19:27,363 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Server received capability: message close protocol supported

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) No EXTERNAL mechanism due to explicit exclusion

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@4edb89c2

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism JBOSS-LOCAL-USER because it is not in the allowed list

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@b1ae4cc

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@11bd1bf7

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Added mechanism PLAIN

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@30c01f1c

                21:19:27,441 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@7d4e3c21

                21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list

                21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@1fca022

                21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list

                21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@2488e6c7

                21:19:27,442 TRACE [org.jboss.remoting.remote.server] (Remoting "kekoushi-ws01" read-1) Excluding mechanism GSSAPI because it is not in the allowed list

                • 5. Re: Jboss 7.2 Custom login module Ejb invocation error
                  k koushik Newbie

                  Hi,

                  Can anyone help me here. i tried the same in Jboss 7.1.1 aswell and same issue appears there also.

                  i am stuck in this.

                  • 6. Re: Jboss 7.2 Custom login module Ejb invocation error
                    jaikiran pai Master

                    1) Please be patient

                    2) When you say you are using 7.2, which exact version is that? Where did you build/download it from? Have you tried the latest available release from the downloads page?

                    3) When you enable TRACE level logs for org.jboss.security and org.jboss.as.security, please attach those logs to this thread.

                    • 7. Re: Jboss 7.2 Custom login module Ejb invocation error
                      k koushik Newbie

                      the version i am using is jboss 7.2.0 Final

                      I tried the same in Jboss 7.1.1 Final aswell and observed the same issue.

                      i have attached the server log after enabling the TRACE level for org.jboss.security and org.jboss.as.security

                      • 8. Re: Jboss 7.2 Custom login module Ejb invocation error
                        jaikiran pai Master

                        k koushik wrote:

                         

                        .

                        i have attached the server log after enabling the TRACE level for org.jboss.security and org.jboss.as.security

                        I see no TRACE logging of those packages, in those logs. How did you enable it?

                        • 9. Re: Jboss 7.2 Custom login module Ejb invocation error
                          k koushik Newbie

                          this is the log configuration i used.

                          <logger category="org.jboss.remoting">
                                      <level name="TRACE"/>
                                  </logger>
                          <logger category="org.jboss.as.remoting" >
                                      <level name="TRACE"/>
                                  </logger>

                          earlier there was an attribute use-parent-handlers="true" set. i removed it and executed the test again

                          logs are attached again. But what i observed is while the client tries to obtain the connection there is no security related logs printed.

                          • 10. Re: Jboss 7.2 Custom login module Ejb invocation error
                            jaikiran pai Master

                            k koushik wrote:

                             

                            this is the log configuration i used.

                            <logger category="org.jboss.remoting">
                                        <level name="TRACE"/>
                                    </logger>
                            <logger category="org.jboss.as.remoting" >
                                        <level name="TRACE"/>
                                    </logger>

                            Please read our responses again. That's not the package we are interested in (for now).

                            • 11. Re: Jboss 7.2 Custom login module Ejb invocation error
                              k koushik Newbie

                              Hi,I am very sorry i mentioned wrong packages in my earlier reply.i am already using the  Trace level for org.jboss.security and org.jboss.as.security.here is my complete log configuration which i had used in my application


                              <logger category="com.arjuna">

                              <level name="WARN"/>

                              </logger>

                              <logger category="org.apache.tomcat.util.modeler">

                              <level name="WARN"/>

                              </logger>

                              <logger category="org.jboss.as.config">

                              <level name="DEBUG"/>

                              </logger>

                              <logger category="sun.rmi">

                              <level name="WARN"/>

                              </logger>

                              <logger category="jacorb">

                              <level name="WARN"/>

                              </logger>

                              <logger category="jacorb.config">

                              <level name="ERROR"/>

                              </logger>

                              <logger category="org.jboss.as.security">

                              <level name="TRACE"/>

                              </logger>

                              <logger category="org.jboss.securtiy">

                              <level name="TRACE"/>

                              </logger>

                              <logger category="org.jboss.remoting">

                              <level name="TRACE"/>

                              </logger>



                              <logger category="org.jboss.as.remoting" >

                              <level name="TRACE"/>

                              </logger>

                              <!--logger category="org.xnio.nio" use-parent-handlers="true">

                              <level name="TRACE"/>

                              </logger-->

                              <logger category="org.jboss.msc.service" use-parent-handlers="true">

                              <level name="TRACE"/>

                              </logger>

                              <logger category="org.jboss.as.domain.management.security">

                              <level name="TRACE"/>

                              </logger>

                              <root-logger>

                              <level name="INFO"/>

                              <handlers>

                              <handler name="CONSOLE"/>

                              <handler name="FILE"/>

                              </handlers>

                              </root-logger>
                              • 12. Re: Jboss 7.2 Custom login module Ejb invocation error
                                k koushik Newbie

                                Hi,

                                I did Further experiments with this issue by introducing different combinations of realms and security domain.

                                I observed that the above mentioned exceptions (SaslException) doesn't occur if i configure my Realm like

                                            <security-realm name="MyRealm">

                                                <authentication>

                                                <jaas name="mydomain"/>

                                                    <local default-user="$local" allowed-users="*"/>                   

                                                </authentication>

                                            </security-realm>

                                can any one please let me know the implication of including  <local default-user="$local" allowed-users="*"/>  ?

                                 

                                But now i am facing different issue. The custom login module extend the UserNamePasswordLoginModule. while validating the password i observed that the comes in an encoded format something like "db034ebe-8d93-4f4c-8cb4-fbeec9566ecd" and the expected password is in clear text which is returned from getUserPassword method. what is the encoding format we have to use? or is there any way to decrypt the input password which i could use in the validate method.

                                 

                                Thanks in advance.

                                • 13. Re: Jboss 7.2 Custom login module Ejb invocation error
                                  k koushik Newbie

                                  Hi,

                                  Can anyone provide me hint over here. I am totally clueless.

                                  All i want to achieve is to authenticate remote ejb invocation with a  custome relam with my own implementation of loginmodule extending usernamepasswordLoginmodule