5 Replies Latest reply on Oct 4, 2013 7:14 AM by Alexander Hartner

    JBAS013323: Invalid User on JBoss 7.2

    Alexander Hartner Expert

      For some time I have been struggling against the "Invalid User" error.

       

      application.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <application version="6" xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/application_6.xsd">
        <display-name>SimpleBean</display-name>
        <module>
          <ejb>SimpleBean-ejb.jar</ejb>
        </module>
        <security-role>
          <description>ABCAdmin</description>
          <role-name>ABCAdmin</role-name>
        </security-role>   
      </application>
      
      

      jboss-app.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <jboss-app>
        <security-domain>ABCAdmin</security-domain>
      </jboss-app>
      
      

      ejb-jar.xml

      <?xml version="1.0" encoding="UTF-8"?>
      <ejb-jar xmlns = "http://java.sun.com/xml/ns/javaee" 
               version = "3.1"
               xmlns:xsi = "http://www.w3.org/2001/XMLSchema-instance" 
               xsi:schemaLocation = "http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd">
        <description>ABC EJB</description>
        <display-name>ABCEJB</display-name>
        <enterprise-beans>     
          <message-driven>
            <ejb-name>TransactionJobListener</ejb-name>
            <ejb-class>com.abc.messagebean.TransactionJobListener</ejb-class>
            <message-destination-link>TransactionJobs</message-destination-link>
            <resource-ref>
              <res-ref-name>ConnectionFactory</res-ref-name>
              <res-type>javax.jms.ConnectionFactory</res-type>
              <res-auth>Container</res-auth>
            </resource-ref>    
            <message-destination-ref>
              <message-destination-ref-name>queue/abc/TransactionJobs</message-destination-ref-name>
              <message-destination-type>javax.jms.Queue</message-destination-type>
              <message-destination-usage>Produces</message-destination-usage>
              <message-destination-link>TransactionJobs</message-destination-link>
            </message-destination-ref>
          </message-driven>
        </enterprise-beans>         
      </ejb-jar>
      
      

      jboss-ejb3.xml

      <?xml version="1.1" encoding="UTF-8"?>
      <jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
                     xmlns="http://java.sun.com/xml/ns/javaee"
                     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                     xmlns:c="urn:clustering:1.0"
                     xmlns:s="urn:security"
                     xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-ejb3-2_0.xsd http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/ejb-jar_3_1.xsd"
                     version="3.1"
                     impl-version="2.0">
        <assembly-descriptor>
          <s:security>
            <ejb-name>*</ejb-name>
            <s:security-domain>ABCAdmin</s:security-domain>
          </s:security>
        </assembly-descriptor>   
        <enterprise-beans>
          <message-driven>
            <ejb-name>TransactionJobListener</ejb-name>
            <activation-config>
              <activation-config-property>
                <activation-config-property-name>destination</activation-config-property-name>
                <activation-config-property-value>java:/queue/abc/TransactionJobs</activation-config-property-value>
              </activation-config-property>
            </activation-config>     
            <resource-ref>
              <res-ref-name>ConnectionFactory</res-ref-name>
              <jndi-name>java:/jms/ABCJMSConnectionFactory</jndi-name>
            </resource-ref>
            <message-destination-ref>
              <message-destination-ref-name>queue/abc/TransactionJobs</message-destination-ref-name>
              <message-destination-type>javax.jms.Topic</message-destination-type>
              <message-destination-usage>Produces</message-destination-usage>
              <message-destination-link>TransactionJobs</message-destination-link>
              <jndi-name>java:/queue/abc/TransactionJobs</jndi-name>
            </message-destination-ref>
          </message-driven>
        </enterprise-beans>
      </jboss:ejb-jar>
      
      
      

      Bean Implementation

      ...
      @Stateless
      @RolesAllowed("ABCAdmin")
      @PermitAll
      @RunAs("ABCAdmin")
      public class CalculatorBean implements CalculatorRemote, CalculatorLocal
      {
        private transient Logger logger = Logger.getLogger(CalculatorBean.class.getName());
      
        @PermitAll     
        public double add(double a, double b)
        {
          logger.info("ADDING");
          return a+b;
        }
      ...
      
      

      Client

      Properties properties = new Properties();
      properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
      properties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
      properties.put("java.naming.provider.url", "remote://localhost:4447");
      properties.put(Context.SECURITY_PRINCIPAL, "user");
      properties.put(Context.SECURITY_CREDENTIALS, "password");
      properties.put("jboss.naming.client.ejb.context", true);
      InitialContext ctx = new InitialContext(properties);
      System.out.println("Got Naming Service");
      
      CalculatorServices calculator = (CalculatorServices) ctx.lookup("SimpleBean/SimpleBean-ejb/CalculatorBean!com.abc.sessionbean.CalculatorRemote");
      System.out.println("Got Calculator : "+calculator);
      System.out.println("ADD      : " + calculator.add(5, 4));
      
      

       

      Since adding the security-domain to the application the client stopped working and I am now getting : javax.ejb.EJBAccessException: JBAS013323: Invalid User


      • I can't understand what part I missed or where my mistake is without this security domain being specified the client is working.

       

      Beside this issue I also have some other questions:

      • When I remove jboss.naming.client.ejb.context from the JNDI properties the client also does not work. Why is this required and what does this do?
      • Is there a simple way to disabled security on JBoss 7.2?
      • I tried using the ejb-client method as well but couldn't get this working either. Using ejb:SimpleBean/SimpleBean-ejb//CalculatorBean!com.abc.sessionbean.CalculatorRemote as the JNDI name resulted in other errors.

       

      Thanks for all your help and support.

        • 1. Re: JBAS013323: Invalid User on JBoss 7.2
          Wolf-Dieter Fink Master

          To answer your questions:

          • The property jboss.naming.client.ejb.context force the creation of the ejb-client context to invoke EJB's with remote-naming.
          • you can remove the security-realm attribute from the remoting connector, in that case you will run complete without security
          • if you use the ejb-client approach you need to set the correct environment, see this documentation

           

          Could you show what you change for "adding the security-domain"?

          • 2. Re: Re: JBAS013323: Invalid User on JBoss 7.2
            Alexander Hartner Expert

            I added the security-domain to the jboss-app.xml file.

             

            <?xml version="1.0" encoding="UTF-8"?>  
            <jboss-app>  
              <security-domain>ABCAdmin</security-domain>  
            </jboss-app> 
            
            

             

            I will try to disable security as you suggested and see if I can get the application working in this configuration.

            • 3. Re: Re: JBAS013323: Invalid User on JBoss 7.2
              Wolf-Dieter Fink Master

              How do you add this security-domain in the configuration?

              • 4. Re: Re: Re: JBAS013323: Invalid User on JBoss 7.2
                Alexander Hartner Expert

                In my standalone.xml file I specify it using:

                 

                ...
                <management>
                    <security-realms>
                        <security-realm name="ManagementRealm">
                            <authentication>
                                <local default-user="$local"/>
                                <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                            </authentication>
                        </security-realm>
                        <security-realm name="ApplicationRealm">
                            <authentication>
                                <local default-user="$local" allowed-users="*"/>
                                <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                            </authentication>
                            <authorization>
                                <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
                            </authorization>
                        </security-realm>
                        <security-realm name="ABCAdmin">
                            <authentication>
                                <local default-user="$local" allowed-users="*"/>
                                <properties path="abczone-users.properties" relative-to="jboss.server.config.dir"/>
                            </authentication>
                            <authorization>
                                <properties path="abczone-roles.properties" relative-to="jboss.server.config.dir"/>
                            </authorization>
                        </security-realm>
                    </security-realms>
                    <management-interfaces>
                        <native-interface security-realm="ManagementRealm">
                            <socket-binding native="management-native"/>
                        </native-interface>
                        <http-interface security-realm="ManagementRealm">
                            <socket-binding http="management-http"/>
                        </http-interface>
                    </management-interfaces>
                </management>
                ...
                <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                    <connector name="remoting-connector" socket-binding="remoting" security-realm="ABCAdmin"/>
                </subsystem>
                ....
                <security-domain name="ABCAdmin">
                    <authentication>
                        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="requisite">
                            <module-option name="password-stacking" value="useFirstPass"/>
                            <module-option name="usersProperties" value="file:${jboss.server.config.dir}/abczone-users.properties"/>
                            <module-option name="rolesProperties" value="file:${jboss.server.config.dir}/abczone-roles.properties"/>
                        </login-module>
                    </authentication>
                </security-domain>
                

                 

                I also tried specifying different realms on the remoting-connector, this however did not resolve the issue.

                • 5. Re: JBAS013323: Invalid User on JBoss 7.2
                  Alexander Hartner Expert

                  Updating the standalone-full-ha.xml file as shown below allow the application to run without any need for security realms / domains.

                   

                  Changes are :

                  Comment out : <default-security-domain value="other"/>

                  Set default-missing-method-permissions-deny-access to false

                   

                  <subsystem xmlns="urn:jboss:domain:ejb3:1.4">
                      <session-bean>
                          <stateless>
                              <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>
                          </stateless>
                          <stateful default-access-timeout="5000" cache-ref="simple" clustered-cache-ref="clustered"/>
                          <singleton default-access-timeout="5000"/>
                      </session-bean>
                      <mdb>
                          <resource-adapter-ref resource-adapter-name="hornetq-ra"/>
                          <bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
                      </mdb>
                      <pools>
                          <bean-instance-pools>
                              <strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
                              <strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>
                          </bean-instance-pools>
                      </pools>
                      <caches>
                          <cache name="simple" aliases="NoPassivationCache"/>
                          <cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/>
                          <cache name="clustered" passivation-store-ref="infinispan" aliases="StatefulTreeCache"/>
                      </caches>
                      <passivation-stores>
                          <file-passivation-store name="file"/>
                          <cluster-passivation-store name="infinispan" cache-container="ejb"/>
                      </passivation-stores>
                      <async thread-pool-name="default"/>
                      <timer-service thread-pool-name="default">
                          <data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>
                      </timer-service>
                      <remote connector-ref="remoting-connector" thread-pool-name="default"/>
                      <thread-pools>
                          <thread-pool name="default">
                              <max-threads count="10"/>
                              <keepalive-time time="100" unit="milliseconds"/>
                          </thread-pool>
                      </thread-pools>
                      <iiop enable-by-default="false" use-qualified-name="false"/>
                  <!--            <default-security-domain value="other"/>-->
                      <default-missing-method-permissions-deny-access value="false"/>
                  </subsystem>