4 Replies Latest reply on Feb 19, 2014 3:44 AM by Enrico Morelli

    'login-modules=[{' is not a valid operation name.

    Enrico Morelli Newbie

      I'm trying to port my application from Glassfish to WildFly following your documentation, but I receive an error when I try to configure the Realm part. My groups are an Enumerate entity and I have two tables: participant and users_groups (where I have email (the FK to participant) and groupname fields). The user has to enter his email and password to enter the application.

       

      I created a file like this:

       

      ./subsystem=security/security-domain=app:add(cache-type="default")

        cd ./subsystem=security/security-domain=app   

          ./authentication=classic:add(       

            login-modules=[{         

                    code="Database",        

                    flag="required",

                module-options={           

                 dsJndiName="java:/jdbc/idpbynmr",

                 principalsQuery="select password from participant where email=?",

                  rolesQuery="select groupname, 'Roles'

                              from users_groups ug inner join participant a on ug.email = a.email

                              where a.email = ?", hashAlgorithm="SHA-256",

                         hashEncoding="BASE64",

                 unauthenticatedIdentity="guest"

                }

              }, {

                code="RoleMapping",

                flag="required",

                module-options={

                  rolesProperties="file:${jboss.server.config.dir}/app.properties",

                  replaceRole="false"

                }

              }

           ])

       

      But when I try to execute: ./jboss_cli.sh --connect --file=myfile

       

      I receive the following output:

      {"outcome" => "success"} {

           "outcome" => "success",

           "response-headers" => {

               "operation-requires-reload" => true,

               "process-state" => "reload-required"

           } }

       

      'login-modules=[{' is not a valid operation name.


      How can I solve the problem?

      Thanks

        • 1. Re: 'login-modules=[{' is not a valid operation name.
          Tomaz Cerar Master

          Hi,

           

          It looks like the problem is extra line breaks where you should not have any.

           

          You could also modify your script to be a bit simpler by using a slightly different syntax for adding modules.

           

          /subsystem=security/security-domain=app:add(cache-type="default")

          /subsystem=security/security-domain=app/authentication=classic:add()

          cd ./subsystem=security/security-domain=app/authentication=classic

          ./login-module=database:add(code="Database",flag="required", module-options={

                     dsJndiName="java:/jdbc/idpbynmr",

                     principalsQuery="select password from participant where email=?",

                      rolesQuery="select groupname, 'Roles'

                                  from users_groups ug inner join participant a on ug.email = a.email

                                  where a.email = ?", hashAlgorithm="SHA-256",

                             hashEncoding="BASE64",

                     unauthenticatedIdentity="guest"

                    }

                  )

          ./login-module=RoleMapping:add(code="RoleMapping", flag="required",module-options={ rolesProperties="file:${jboss.server.config.dir}/app.properties",replaceRole="false"})

          --

          tomaz

          • 2. Re: Re: 'login-modules=[{' is not a valid operation name.
            Brian Stansberry Master

            If you want to break a single operation over multiple lines, use the '\' character. So, starting from Tomaz's variation on the script, a backslash is added to lines 4-12:

             

            /subsystem=security/security-domain=app:add(cache-type="default")
            /subsystem=security/security-domain=app/authentication=classic:add()
            cd ./subsystem=security/security-domain=app/authentication=classic
            ./login-module=database:add(code="Database",flag="required", module-options={ \
                       dsJndiName="java:/jdbc/idpbynmr", \
                       principalsQuery="select password from participant where email=?", \
                        rolesQuery="select groupname, 'Roles' \
                                    from users_groups ug inner join participant a on ug.email = a.email \
                                    where a.email = ?", hashAlgorithm="SHA-256", \
                               hashEncoding="BASE64", \
                       unauthenticatedIdentity="guest" \
                      } \
                    )
            ./login-module=RoleMapping:add(code="RoleMapping", flag="required",module-options={ rolesProperties="file:${jboss.server.config.dir}/app.properties",replaceRole="false"})
            

             

            There's another weakness in your original script though. Notice that your script had two separate responses from the server:

             

            {"outcome" => "success"} {

                 "outcome" => "success",

                 "response-headers" => {

                     "operation-requires-reload" => true,

                     "process-state" => "reload-required"

                 } }

             

            'login-modules=[{' is not a valid operation name.

             

            That's because your script told the server to execute two write operations. (Tomaz's variant has four.) The problem is that the first one succeeded while the second one failed. That leaves your server config in a half-way state. You can't just go fix a typo in your script or something and try again, since the first step has modified the config.

             

            Better is to have your changes execute as an atomic operation. To do this, you would include the 'batch' command as the line before the first of the atomic steps, and then the 'run-batch' command as the line after the atomic steps.

             

            Simply doing that with your original script or Tomaz's though doesn't work. You get this:

             

            $ bin/jboss-cli.sh -c --file=/Users/bstansberry/tmp/trash/tomaz-batch.txt

            JBAS014808: Child resource '"security-domain" => "app"' not found

             

            This happens because of the "cd" on line 3. That "cd" is a client-side operation, an instruction to change the client-side context to a new location. But the CLI validates the validity of that location against the server, and since nothing will happen server-side until 'run-batch' is called, lines 1 and 2 will not have executed yet. So when the CLI tries to validate that "/subsystem=security/security-domain=app/authentication=classic" exists, it fails with the "JBAS014808: Child resource '"security-domain" => "app"' not found" message.

             

            The solution is to not use the "cd" in a script and just use full addresses:

             

            batch
            /subsystem=security/security-domain=app:add(cache-type="default")
            /subsystem=security/security-domain=app/authentication=classic:add()
            /subsystem=security/security-domain=app/authentication=classic/login-module=database:add(code="Database",flag="required", module-options={ \
                       dsJndiName="java:/jdbc/idpbynmr", \
                       principalsQuery="select password from participant where email=?", \
                        rolesQuery="select groupname, 'Roles' \
                                    from users_groups ug inner join participant a on ug.email = a.email \
                                    where a.email = ?", hashAlgorithm="SHA-256", \
                               hashEncoding="BASE64", \
                       unauthenticatedIdentity="guest" \
                      } \
                    )
            /subsystem=security/security-domain=app/authentication=classic/login-module=RoleMapping:add(code="RoleMapping", flag="required",module-options={ rolesProperties="file:${jboss.server.config.dir}/app.properties",replaceRole="false"})
            run-batch
            

             

            That succeeds:

             

            $ bin/jboss-cli.sh -c --file=/Users/bstansberry/tmp/trash/absolute-batch.txt

            The batch executed successfully

             

            It's best to avoid 'cd' in scripts. The 'cd' saves some typing when creating the script, but makes it more fragile. Generally you only bother with a script if you want to use it multiple times, so the fragility concern should outweigh the extra typing.
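
A pre-flight check for the script pitfalls described in this thread, as an added example that is not code from the thread or from WildFly: it flags operations left open at end of line without a trailing `\`, `cd` commands, write operations outside `batch`/`run-batch`, and a `batch` that is never closed. The function name, finding codes and sample script are constructed for illustration, and the parsing is a simplified assumption about CLI syntax (double-quoted strings, no escaped quotes).

```python
import re

WRITE_OP = re.compile(r":(add|remove|write-attribute|undefine-attribute)\b")

def lint_cli_script(text):
    """Return sorted (line_no, code) findings for a jboss-cli script file."""
    findings, depth, in_quote, batch_line = [], 0, False, None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        continued = line.endswith("\\")
        body = line[:-1] if continued else line
        if depth == 0 and not in_quote:  # this line starts a new command
            word = (body.split() or [""])[0]
            if word == "batch":
                batch_line = no
            elif word == "run-batch":
                batch_line = None
            elif word == "cd":  # validated against the server immediately
                in_batch = batch_line is not None
                findings.append((no, "cd-in-batch" if in_batch else "cd-fragile"))
            elif WRITE_OP.search(body) and batch_line is None:
                findings.append((no, "write-outside-batch"))  # not atomic
        for ch in body:  # track quotes and open ( [ { across physical lines
            if ch == '"':
                in_quote = not in_quote
            elif not in_quote and ch in "([{":
                depth += 1
            elif not in_quote and ch in ")]}":
                depth -= 1
        if (depth > 0 or in_quote) and not continued:
            findings.append((no, "missing-backslash"))  # next line parsed as a new command
    if batch_line is not None:
        findings.append((batch_line, "unclosed-batch"))
    return sorted(findings)

# Constructed input combining the failure modes discussed in the thread.
SAMPLE_BAD = r'''/subsystem=security/security-domain=app:add(cache-type="default")
batch
cd ./subsystem=security/security-domain=app
./authentication=classic:add(
  login-modules=[{ code="Database", flag="required" }])
'''

if __name__ == "__main__":
    for line_no, code in lint_cli_script(SAMPLE_BAD):
        print(f"line {line_no}: {code}")
```

A script in the final form shown above (full addresses, backslash continuations, wrapped in `batch`/`run-batch`) produces no findings.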



            • 3. Re: Re: 'login-modules=[{' is not a valid operation name.
              Brian Stansberry Master

              I opened https://issues.jboss.org/browse/WFLY-2946 to look into improving the 'cd' behavior in the CLI's batch mode.

              • 4. Re: 'login-modules=[{' is not a valid operation name.
                Enrico Morelli Newbie

                Thanks to all. It works fine.