1 Reply Latest reply on Oct 24, 2013 9:49 AM by Sergiu Pienar

    Remote EJB + Custom Login Module + Hibernate

    Sergiu Pienar Apprentice

      Using JBoss 7.1.1 Final with Hibernate 3.6.9 (packed in my EAR file).

      I'm also using a custom login module define in standalone.xml as:

       

      <security-domain name="myRealm" cache-type="default">

                          <authentication>

                              <login-module code="com.login.LoginModule" flag="required">

                                  <module-option name="dsJndiName" value="java:jboss/datasources/myDS"/>

                                  <module-option name="hashAlgorithm" value="SHA"/>

                                  <module-option name="hashEncoding" value="BASE64"/>

                                  <module-option name="principalsQuery" value="SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname = ? AND (u.status = 'active' OR u.status = 'system')  AND u.clientid = c.clientid AND (c.status = 'active' OR c.status = 'system') AND (u.passwordExpireDate is null OR u.passwordExpireDate > now())  AND u.userId = ur.userId  AND u.lockedStatus != 1 AND ur.roleId=20"/>

                                  <module-option name="rolesQuery" value="SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname = ? AND u.userId = ur.userId   AND u.clientId = ur.clientId AND ur.roleId = r.roleId  AND r.roleId = rp.roleId AND rp.privilegeId = p.privilegeId"/>

                              </login-module>

                          </authentication>

                      </security-domain>

       

      The login module works fine both for remote invocations and local ones. The login module is deployed as a jar inside the remoting module with the remoting module pointing to it:

       

      <module xmlns="urn:jboss:module:1.1" name="org.jboss.as.remoting">

          <properties>

              <property name="jboss.api" value="private"/>

          </properties>

         

         <resources>

              <resource-root path="jboss-as-remoting-7.1.1.Final.jar"/>

        <resource-root path="login-module.jar"/>

        <!-- Insert resources here -->

          </resources>

      ....

       

      My problem is that the custom login class is using Hibernate to track user activity as below:

       

      @Override

        public boolean login()

        throws LoginException {


        String[] info = this.getUsernameAndPassword();

        String logname = info[0];

        boolean login = false;


      try {

        login = super.login();

       

        if (login) {

        Session session = null;

        try {

             session = BeanUtil.getSessionFactory().openSession();

             User user = UserHelper.loadUser(session, logname);

       

      ....

      where getSessionFactory does:

       

      Context ctx = new InitialContext();

      return (SessionFactory)ctx.lookup("java:jboss/HibernateFactory");

       

      This login works fine (manages get the Session and do the proper calls) when used from within the application.

       

      The problem occurs when I try to call a remote EJB that is under the security-domain that the customLogin module is mapped to.

      I've added a dependency to hibernate in the remoting's module.xml (for the remoting module to be able to do Hibernate related operations).

       

      I get the following error:

       

      10:57:34,056 TRACE [org.jboss.remoting.remote] (Remoting "myApp" read-1) Accepted connection from /127.0.0.1:63577 to 127.0.0.1/127.0.0.1:4447

      10:57:34,058 TRACE [org.jboss.remoting.remote] (Remoting "myApp" read-1) Setting read listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@c84e90

      10:57:34,059 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Sent message java.nio.HeapByteBuffer[pos=12 lim=12 cap=8192] (direct)

      10:57:34,061 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Flushed channel (direct)

      10:57:34,067 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capabilities request

      10:57:34,068 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: version 1

      10:57:34,069 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"

      10:57:34,071 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) No EXTERNAL mechanism due to explicit exclusion

      10:57:34,072 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@5e6cf7

      10:57:34,074 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Added mechanism JBOSS-LOCAL-USER

      10:57:34,075 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@14405c3

      10:57:34,076 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list

      10:57:34,078 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@d669c2

      10:57:34,079 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Added mechanism PLAIN

      10:57:34,080 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@b961d6

      10:57:34,081 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@c62e1a

      10:57:34,083 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list

      10:57:34,084 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@fcb590

      10:57:34,085 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list

      10:57:34,087 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@f4234b

      10:57:34,088 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Excluding mechanism GSSAPI because it is not in the allowed list

      10:57:34,090 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Sent message java.nio.HeapByteBuffer[pos=37 lim=37 cap=8192] (direct)

      10:57:34,091 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Flushed channel (direct)

      10:57:34,139 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received authentication request

      10:57:34,168 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "myApp" task-4) Begin getAppConfigurationEntry(myAppRealm), size=6

      10:57:34,169 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (Remoting "myApp" task-4) End getAppConfigurationEntry(myAppRealm), authInfo=AppConfigurationEntry[]:

      [0]

      LoginModule Class: com.login.LoginModule

      ControlFlag: LoginModuleControlFlag: required

      Options:

      name=hashAlgorithm, value=SHA

      name=principalsQuery, value=SELECT u.password FROM Usr u, Client c, UserRole ur WHERE u.logname = ? AND (u.status = 'active' OR u.status = 'system')  AND u.clientid = c.clientid AND (c.status = 'active' OR c.status = 'system') AND (u.passwordExpireDate is null OR u.passwordExpireDate > now())  AND u.userId = ur.userId  AND u.lockedStatus != 1 AND ur.roleId=20

      name=hashEncoding, value=BASE64

      name=dsJndiName, value=java:jboss/datasources/myAppDS

      name=rolesQuery, value=SELECT p.label, 'Roles' FROM Usr u, Role r, Privilege p, RolePrivilege rp, UserRole ur WHERE u.logname = ? AND u.userId = ur.userId   AND u.clientId = ur.clientId AND ur.roleId = r.roleId  AND r.roleId = rp.roleId AND rp.privilegeId = p.privilegeId

       

       

      10:57:34,180 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" task-4) Server sending authentication rejected (javax.security.sasl.SaslException: PLAIN password not verified by CallbackHandler)

      10:57:34,197 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" task-4) Sent message java.nio.HeapByteBuffer[pos=1 lim=1 cap=8192] (direct)

      10:57:34,199 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" task-4) Flushed channel (direct)

      10:57:34,200 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capabilities request

      10:57:34,201 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: version 1

      10:57:34,202 TRACE [org.jboss.remoting.remote.server] (Remoting "myApp" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"

      10:57:34,203 TRACE [org.jboss.remoting.remote.connection] (Remoting "myApp" read-1) Sent message java.nio.HeapByteBuffer[pos=37 lim=37 cap=8192] (direct)

       

      Debugging on server-sider shows a ClassNotFoundException - possibly the Session.java but I`m unsure for I could not find the sources for the ModulesClassLoader so I can move the debug in that area.

       

      Any ideas are welcome.

        • 1. Re: Remote EJB + Custom Login Module + Hibernate
          Sergiu Pienar Apprentice

          I've also tried a different approach in which instead of getting the user directly with the hibernate Session I`m using a EJB a have deployed for this.

          Now I'm getting that the UserEJBLocal$$$view can not be cast to UserEJBLocal.

           

          This is most likely that I have the UserEJBLocal in both the EAR and the login-module.jar.

          My EJB's are packed in a jar and deployed within the EAR.

          I wonder if making the EJB's jar a module in jboss would solve my problem ... if so, how could I declare that my EAR is dependent on that module ?