3 Replies Latest reply on Mar 6, 2014 4:37 AM by pmm

    LoginModule#login() called twice in case of login failure

    pmm

      I'm not sure whether this is the right forum or whether it should go to the remoting3 (4?) forum.


      We are seeing that our login module gets called twice when an EJB remoting client tries to log in with the wrong credentials. The same credentials are used for both login attempts. The issue seems to be that a capability request is sent in case of a rejected authorization, which triggers a second login. This is a bit of an issue for us as we have a security requirement to track the number of failed login attempts. At the moment the reported number is twice the actual number.

        • 1. Re: LoginModule#login() called twice in case of login failure
          dmlloyd

          This is in fact a Remoting issue, but it's OK to ask it here!


          The reason this happens is, the Remoting client cannot know whether the failure was due to a failure in the SASL mechanism or due to a genuine authentication problem, so it will try out all the agreed-upon mechanisms before giving up (not unlike SSH in fact).  The solution is to specify a single supported SASL mechanism on the server side.
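
          The fallback behaviour described in this reply, as an added toy model (constructed for this thread, not JBoss Remoting or EJB client code): the client computes the mechanisms it has in common with the server, tries each one in turn because a rejection does not tell it whether the mechanism or the credentials failed, and every attempt reaches the realm's login module once. The `Realm` class, the `connect` helper and the credentials are all assumptions of the model; what it shows is that a single wrong-password connect is counted once per agreed mechanism, and once when the server advertises only one.

```python
from dataclasses import dataclass

# Constructed model of the negotiation described in the reply above: this is
# not JBoss Remoting code, only a toy that reproduces the observed counting.


@dataclass
class Realm:
    """Stands in for the server-side security realm behind the Remoting connector."""
    mechanisms: list[str]          # what <include-mechanisms> leaves enabled
    credentials: dict[str, str]    # constructed user -> password table
    login_calls: int = 0           # every call that would reach LoginModule#login()
    failed_logins: int = 0         # what a naive failure counter would report

    def capabilities(self) -> list[str]:
        return list(self.mechanisms)

    def authenticate(self, mech: str, user: str, password: str) -> bool:
        # Each SASL exchange that reaches the realm invokes the login module once,
        # regardless of which mechanism carried the credentials.
        self.login_calls += 1
        ok = self.credentials.get(user) == password
        if not ok:
            self.failed_logins += 1
        # The client only sees success or failure, not whether the mechanism or
        # the credentials were at fault, which is why it moves on to the next one.
        return ok


def connect(realm: Realm, client_mechs: list[str], user: str, password: str) -> str:
    """Client-side fallback: try every agreed mechanism before giving up.

    Returns the mechanism that succeeded, or raises if all of them failed.
    """
    agreed = [m for m in client_mechs if m in realm.capabilities()]
    if not agreed:
        raise RuntimeError("no SASL mechanism in common")
    for mech in agreed:
        if realm.authenticate(mech, user, password):
            return mech
    raise RuntimeError("all mechanisms failed: " + ", ".join(agreed))


def failed_login_calls(server_mechs: list[str], client_mechs: list[str]) -> int:
    """How many LoginModule#login() calls one wrong-password connect produces."""
    realm = Realm(mechanisms=server_mechs, credentials={"alice": "correct-horse"})
    try:
        connect(realm, client_mechs, "alice", "wrong-password")
    except RuntimeError:
        pass
    return realm.login_calls


if __name__ == "__main__":
    client = ["DIGEST-MD5", "PLAIN"]
    # Two agreed mechanisms: one failed attempt is reported as two failures.
    print("DIGEST-MD5 + PLAIN :", failed_login_calls(["DIGEST-MD5", "PLAIN"], client))
    # Server restricted to PLAIN via <include-mechanisms value="PLAIN"/>: one call.
    print("PLAIN only         :", failed_login_calls(["PLAIN"], client))
```

          The model counts at the realm, so it doubles exactly as the original post reports; a counter that wants the number of client-side attempts rather than the number of mechanism exchanges has to be keyed on something coarser than a single login() call.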

          • 2. Re: Re: LoginModule#login() called twice in case of login failure
            pmm

            David Lloyd wrote:


            This is in fact a Remoting issue, but it's OK to ask it here!


            The reason this happens is, the Remoting client cannot know whether the failure was due to a failure in the SASL mechanism or due to a genuine authentication problem, so it will try out all the agreed-upon mechanisms before giving up (not unlike SSH in fact).  The solution is to specify a single supported SASL mechanism on the server side.

            We tried this and it does not seem to help

            <subsystem xmlns="urn:jboss:domain:remoting:1.1">
              <connector name="remoting-connector" socket-binding="remoting" security-realm="AcmeRealm">
                <sasl>
                  <include-mechanisms value="PLAIN"/>
                </sasl>
              </connector>
            </subsystem>

            ClientConnectionOpenListener.Authentication always issues a capabilities request even if there is just one SASL mechanism or we just tried the last SASL mechanism. We changed the code to do

            connection.handleException(allMechanismsFailed());

            instead of

            sendCapRequest(serverName);

            when we just tried the last SASL mechanism (saslMechs.size() <= 1). This worked in the debugger but failed outside of the debugger. It seems that outside of the debugger somebody quickly creates a new channel and ClientConnectionOpenListener.


            Edit: while CCOL.Authentication issues a second capabilities request, it does not issue a second login request. That has to come from somewhere else.

            • 3. Re: LoginModule#login() called twice in case of login failure
              pmm

              It seems not to be JBoss Remoting related but rather EJB client related. When configured with just one SASL mechanism the JBoss Remoting works fine. However we're using ConfigBasedEJBClientContextSelector to configure the EJB client. This does the first login with the wrong credentials but swallows the exception. The second login happens by the EJB client when we do the first remoting call. We get the exception and stop there.