8 Replies Latest reply on Mar 10, 2014 10:30 PM by Sam W

    How to secure remote EJB communication by user name and password only.

    Sam W Expert

      Hi,

       

      I have set up two JBoss 7.1.1 Final systems, one acting as the server and the other as the client, on different machines.

      The server side is configured using the add-user.sh script to add the user credentials to the standalone/configuration/application-users.properties file.

      The client side is configured using the instructions on the website below:

       

      http://www.mastertheboss.com/jboss-as-7/how-to-call-ejbs-from-another-jboss-as-7-instance

       

      I restarted both systems, and the client communicated successfully with the server.

      However, after I deliberately made the password different between the server and client JBoss, and restarted both systems (server and client), the client is still able to communicate with the server without any error.

      I think that if different passwords are set up on the server and client JBoss systems, the client should not be able to communicate with the JBoss EJB services, regardless of whether the EJB service interfaces have the @RoleAccess() annotations applied to the method name. I could be wrong.

      I think my configuration of the server and client systems is wrong.

      I am wondering what the correct procedure is to configure the JBoss server and JBoss client so that they must use a username and password to communicate with the EJB service.

       

      I would very much appreciate anybody's help.

       

      Best regards

      Sam

        • 1. Re: How to secure remote EJB communication by user name and password only.
          Wolf-Dieter Fink Master

          Which password did you set differently?

          If you change the password with add-user on the client side, this will have no effect, as the password is set in the security-realm as base64.

          • 2. Re: How to secure remote EJB communication by user name and password only.
            Sam W Expert

            Hi, thank you for your suggestion.

            I didn't change the password with the add-user script on the client side.

            On the server side, I changed the password by hand, by adding arbitrary characters to the end of the Base64 SASL-generated password, to deliberately make it different from the client side.

             

            Thanks & Best regards

            sam

            • 3. Re: How to secure remote EJB communication by user name and password only.
              Sam W Expert

              Even with RolesAccess() on the server EJB service method, the client is still able to access the server EJB without any problem:

               

              Server entity:

              import javax.annotation.security.RolesAllowed;
              import javax.persistence.EntityManager;

              public abstract class AbstractFacade<T> {

                  private Class<T> entityClass;

                  // Annotation values must be compile-time constants, so the role name
                  // has to be a static final field rather than an instance field.
                  protected static final String ROLES_NAME = "myrole";

                  public AbstractFacade(Class<T> entityClass) {
                      this.entityClass = entityClass;
                  }

                  // Supplied by the concrete facade (typically an injected EntityManager).
                  protected abstract EntityManager getEntityManager();

                  @RolesAllowed(ROLES_NAME)
                  public void create(T entity) {
                      getEntityManager().persist(entity);
                  }

                  @RolesAllowed(ROLES_NAME)
                  public void edit(T entity) {
                      getEntityManager().merge(entity);
                  }

                  @RolesAllowed(ROLES_NAME)
                  public void remove(T entity) {
                      getEntityManager().remove(getEntityManager().merge(entity));
                  }

                  @RolesAllowed(ROLES_NAME)
                  public T find(Object id) {
                      return getEntityManager().find(entityClass, id);
                  }
              }


              Server configuration:

              [jbossserv@portal ~/jboss711Final/standalone/configuration]$ cat application-users.properties
              #
              # Properties declaration of users for the realm 'ApplicationRealm' which is the default realm
              # for application services on a new AS 7.1 installation.
              #
              # This includes the following protocols: remote ejb, remote jndi, web, remote jms
              #
              # Users can be added to this properties file at any time, updates after the server has started
              # will be automatically detected.
              #
              # The format of this realm is as follows: -
              # username=HEX( MD5( username ':' realm ':' password))
              #
              # A utility script is provided which can be executed from the bin folder to add the users: -
              # - Linux
              #  bin/add-user.sh
              #
              # - Windows
              #  bin\add-user.bat
              #
              # The following illustrates how an admin user could be defined, this
              # is for illustration only and does not correspond to a usable password.
              #
              #admin=2a0923285184943425d1f53ddd58ec7a
              mytest=fb466192463d57497a8d7aa6b739d515
              [jbossserv@portal ~/jboss711Final/standalone/configuration]$ cat application-roles.properties
              #
              # Properties declaration of users roles for the realm 'ApplicationRealm'.
              #
              # This includes the following protocols: remote ejb, remote jndi, web, remote jms
              #
              # Users can be added to this properties file at any time, updates after the server has started
              # will be automatically detected.
              #
              # The format of this file is as follows: -
              # username=role1,role2,role3
              #
              # A utility script is provided which can be executed from the bin folder to add the users: -
              # - Linux
              #  bin/add-user.sh
              #
              # - Windows
              #  bin\add-user.bat
              #
              # The following illustrates how an admin user could be defined.
              #
              #admin=PowerUser,BillingAdmin,
              #guest=guest
              mytest=myrole
              [jbossserv@portal ~/jboss711Final/standalone/configuration]$

              Client configuration:

              <security-realm name="ejb-security-realm">
                  <server-identities>
                      <secret value="XXXXXUUUUUUUUUUUUUUUUfb466192463d57497a8d7aa6b739d515"/>
                  </server-identities>
              </security-realm>

               

               

              As shown above, the password in the client configuration is deliberately written differently from the password in the server configuration.

              But the client is still able to communicate with the server without any problem.

               

              Thank you for reading.

              Thanks

              Sam

              • 4. Re: How to secure remote EJB communication by user name and password only.
                Wolf-Dieter Fink Master

                Hmm, as far as I remember, that might end up as illegal base64; the characters at the end get cut off and you end up with a correct password.

                What if you change the password on the server side?

                Maybe enable TRACE for org.jboss.security to see more about that.
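The two credential encodings this thread juggles, written out as an added consistency check (example code, not from the thread or from JBoss): the server-side entry follows the HEX(MD5(username ':' realm ':' password)) format from the properties-file header quoted above, and the client-side <secret> is the base64 of the plaintext password, as Wolf-Dieter describes. The username and realm are the ones on the page; the password is a constructed sample, and the helper names are this example's own.

```python
import base64
import binascii
import hashlib

# Sample values: username and realm as in the thread, password constructed here.
REALM = "ApplicationRealm"
SAMPLE_USER = "mytest"
SAMPLE_PASSWORD = "s3cret-ejbpw"  # constructed, not the thread's password


def server_hash(username, realm, password):
    """HEX(MD5(username ':' realm ':' password)), the format documented in
    the application-users.properties header (MD5 is what that file format
    specifies, not a recommendation)."""
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def client_secret(password):
    """Base64 of the plaintext password, the form the outbound
    security-realm <secret value="..."/> carries on the client."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_client_secret(secret):
    """Strictly decode the client secret; None when it is not valid base64
    (for example when characters were appended by hand)."""
    try:
        return base64.b64decode(secret, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def credentials_match(users_line, realm, secret):
    """Given one 'username=hash' line from application-users.properties and
    the client's <secret> value, report whether the two sides agree."""
    username, _, stored_hash = users_line.strip().partition("=")
    password = decode_client_secret(secret)
    if password is None:
        return False
    return server_hash(username, realm, password) == stored_hash.lower()


def make_pair(username, realm, password):
    """Produce the matching server line and client secret for one password."""
    return f"{username}={server_hash(username, realm, password)}", client_secret(password)


if __name__ == "__main__":
    line, secret = make_pair(SAMPLE_USER, REALM, SAMPLE_PASSWORD)
    print(line, secret, credentials_match(line, REALM, secret))
    # Pasting the server-side hex hash into the client secret can never match.
    print(credentials_match(line, REALM, line.split("=")[1]))
```

A mismatch reported here means the two files were never describing the same password, so any successful call is worth tracing with the org.jboss.security TRACE logging suggested above.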

                • 5. Re: How to secure remote EJB communication by user name and password only.
                  Sam W Expert

                  Thank you for your suggestion.

                  I tried manually changing its password to something completely different (e.g. I copied the password of the admin user over the password of mytest), to make sure the password is completely different from the client's password and is a valid base64 password, but the client still communicates with the server without error.

                   

                  I am really stuck.

                   

                  Best regards

                  sam

                  • 6. Re: How to secure remote EJB communication by user name and password only.
                    Wolf-Dieter Fink Master

                    Did you restart the server after changing the password?

                    • 8. Re: How to secure remote EJB communication by user name and password only.
                      Sam W Expert

                      Just wondering if anybody from the JBoss team has written a programming guide