1 2 Previous Next 15 Replies Latest reply on Apr 30, 2014 10:39 AM by sae_stahlgruber

    DatabaseServerLoginModule broken?

    sae_stahlgruber Newbie

      I am trying to migrate an application to WildFly (from AS6.1). The migration went pretty smooth except for using the security domain.

      The application uses a the ClientLoginModule on the client side and the DatabaseserverLoginModule on the server side.

       

      Though the DatabaseServerLoginModule is called the validation of the password fails. I debugged it and the reason seems to be that in org.jboss.security.auth.callback.JBossCallbackHandler.getPassword() a org.jboss.as.security.remoting.RemotingConnectionCredential@22341334 is not handled and hence instead of a password the String org.jboss.as.security.remoting.RemotingConnectionCredential@22341334 is passed through to the DatabaseLoginModule.

       

      This could be connected to this posts:

      Re: Cannot get password in custom LoginModule

      Problem using DatabaseServerLoginModule - Password ist not validated correctly

        • 1. Re: DatabaseServerLoginModule broken?
          sae_stahlgruber Newbie

          I assume its to early to use WildFly. I could'nt get the jboss-as-ejb-security-interceptors quickstart to work either: Caused by: java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:, moduleName:jboss-as-ejb-security-interceptors, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@38de2e8f

          • 2. Re: DatabaseServerLoginModule broken?
            jaikiran pai Master

            I just posted a reply to the thread Re: Cannot get password in custom LoginModule. Can you give it a try?

            • 3. Re: DatabaseServerLoginModule broken?
              sae_stahlgruber Newbie

              My problem seems rather to be caused by this new local user thing.

              When debugging SimpleSecurityManager.authenticate I see Principal: $local@ApplicationRealm

               

              So I commented out the local tag in the standalone.xml:

              <security-realm name="ApplicationRealm">
                
              <authentication>
                
              <!-- <local default-user="$local" allowed-users="*"/> -->
                
              <properties path="application-users.properties" relative-to="jboss.server.config.dir" />
                
              </authentication>
                
              <authorization>
                
              <properties path="application-roles.properties" relative-to="jboss.server.config.dir" />
                
              </authorization>
              </security-realm>


              But then I get:

              javax.security.sasl.SaslException: Authentication failed: the server presented no authentication mechanisms

              • 4. Re: DatabaseServerLoginModule broken?
                jaikiran pai Master

                You should be disabling the JBOSS-LOCAL-USER auth mechanism in your client configuration, like I suggested hereRe: Cannot get password in custom LoginModule

                • 5. Re: DatabaseServerLoginModule broken?
                  sae_stahlgruber Newbie


                  I have had that before

                  • 6. Re: DatabaseServerLoginModule broken?
                    jaikiran pai Master

                    Can you attach an application which reproduces this against WildFly 8 Final?

                    • 7. Re: DatabaseServerLoginModule broken?
                      sae_stahlgruber Newbie

                      All I can give You for now ist my login context.

                       

                          Properties clientProperties = new Properties();
                          clientProperties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
                          clientProperties.put("remote.connections", "default");
                          clientProperties.put("remote.connection.default.port", "8080");
                          clientProperties.put("remote.connection.default.host", "localhost");
                          clientProperties.put("remote.connection.default.username", "root");
                          clientProperties.put("remote.connection.default.password", "pw4root");
                          clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
                          clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
                          clientProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
                          EJBClientConfiguration ejbClientConfiguration = new PropertiesBasedEJBClientConfiguration(clientProperties);
                          ContextSelector<EJBClientContext> contextSelector = new ConfigBasedEJBClientContextSelector(ejbClientConfiguration);
                          EJBClientContext.setSelector(contextSelector);
                          Properties properties = new Properties();
                          properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                          properties.put(Context.PROVIDER_URL, "http-remoting://localhost:8080");
                          properties.put("jboss.naming.client.ejb.context", true);
                          Context context = new InitialContext(properties);

                       

                      I have read a lot of documentation - which unfortunately is not up-to-date for WildFly.

                      With all my efforts all I can get is the $local principal on the server side.

                      • 8. Re: DatabaseServerLoginModule broken?
                        jaikiran pai Master

                        Please give it a try against the latest released 8.1.0.CR1 Downloads · WildFly. If it still fails there, please file a JIRA Browse Projects - JBoss Issue Tracker with an application to reproduce it so that someone can take a look. I have seen 2-3 threads with similar issue on WildFly so it might either be a configuration issue or some real bug. Give it a try soon before the 8.1.0.Final gets released

                        • 9. Re: DatabaseServerLoginModule broken?
                          sae_stahlgruber Newbie

                          With 8.1.0.CR1, although the JNDI-lookup works, a call to any remote method results in:

                          Exception in thread "main" java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:Universalkatalog, moduleName:UniversalkatalogEJB, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@3aa3db4b

                            at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:749)

                            at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:116)

                            at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183)

                            at org.jboss.ejb.client.EJBInvocationHandler.sendRequestWithPossibleRetries(EJBInvocationHandler.java:253)

                            at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:198)

                            at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:181)

                            at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:144)

                            at com.sun.proxy.$Proxy0.log(Unknown Source)

                            at de.stahlgruber.universal.client.EjbTryoutTestNoAuto.main(EjbTryoutTestNoAuto.java:87)

                          • 10. Re: DatabaseServerLoginModule broken?
                            sae_stahlgruber Newbie

                            Ok. Forget the previous. That was temporary. After restarting the application server it works now - still without authentication.

                             

                            The trouble - as I unterstand it - seems to be that the http-remoting-connector uses the ApplicationRealm. That way all that arrives within the DatabaseServerLoginModule is a "$local" user.

                             

                            If I configure the http-remoting-connector with my own UnisecRealm like that:

                            <security-realm name="UnisecRealm">

                                            <authentication>

                                                <jaas name="unisec"/>

                                            </authentication>

                                        </security-realm>

                             

                            .. and configure the http-remoting-connector using the UnisecRealm then I get "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed". The DatabaseServerLoginModule is not called then.

                             

                            If I I configure the http-remoting-connector without a realm the user id that arrives in the DatabaseServerLoginModule is a "anonymous" user.

                             

                            As the DatabaseServerLoginModule won't find the user with user ids "$local" or "anonymous" this will result in " javax.ejb.EJBAccessException: JBAS013323: Invalid User".

                             

                            How would I configure the http-remoting-connector in a way that would pass through the correct user and password information to the DatabaseServerLoginModule as it used to work with JBoss AS 6.1?

                             

                            The security domain is defined like that:

                            <security-domain name="unisec" cache-type="default">

                                                <authentication>

                                                    <login-module code="Remoting" flag="optional">

                                                        <module-option name="password-stacking" value="useFirstPass"/>

                                                    </login-module>

                                                    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">

                                                        <module-option name="dsJndiName" value="java:/DB2DS"/>

                                                    </login-module>

                                                </authentication>

                                            </security-domain>

                            • 11. Re: DatabaseServerLoginModule broken?
                              sae_stahlgruber Newbie

                              I noticed that now there is a wildfly-ejb-remote quickstart project which works with WildFly 8.0, compiled an ran it successfully.

                               

                              Then I added @SecurityDomain("unisec") to the wildfly-ejb-remote-server-side/src/main/java/org/jboss/as/quickstarts/ejb/remote/stateless/CalculatorBean.java, and added ..

                              remote.connection.default.username=myusername

                              remote.connection.default.password=pw4myusername

                              remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

                              and changed remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true

                              in wildfly-ejb-remote-client/src/main/resources/jboss-ejb-client.properties

                               

                              The org.jboss.security.auth.spi.DatabaseServerLoginModule ist called which I can see by debugging into the method org.jboss.security.auth.spi.UsernamePasswordLoginModule.login() of its base class.

                              And - debugging -

                              /* 222 */  this.loginOk = false;

                              /* 223 */  String[] info = getUsernameAndPassword();

                              /* 224 */  String username = info[0];

                              /* 225 */  String password = info[1];

                              I can see the values of username and password.

                               

                              That's great, though I have no idea what was wrong before!

                              • 12. Re: DatabaseServerLoginModule broken?
                                sae_stahlgruber Newbie

                                But for some reason the programmatic way to supply the client settings does not work:

                                final Properties properties = new Properties();

                                  properties.setProperty("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");

                                  properties.setProperty("remote.connections", "default");

                                  properties.setProperty("remote.connection.default.host", "localhost");

                                  properties.setProperty("remote.connection.default.username", "root");

                                  properties.setProperty("remote.connection.default.password", getMD5("pw4root"));

                                  properties.setProperty("remote.connection.default.port", "8080");

                                  properties.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");

                                  properties.setProperty("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

                                  EJBClientContext.setSelector(

                                   new ConfigBasedEJBClientContextSelector(

                                   new PropertiesBasedEJBClientConfiguration(properties)));

                                • 13. Re: DatabaseServerLoginModule broken?
                                  sae_stahlgruber Newbie

                                  org.jboss.security.auth.spi.UsernamePasswordLoginModule.login() returns true, so why does it throw this this?

                                   

                                  INFO: EJBCLIENT000013: Successful version handshake completed for receiver context EJBReceiverContext{clientContext=org.jboss.ejb.client.EJBClientContext@14cbd69, receiver=Remoting connection EJB receiver [connection=org.jboss.ejb.client.remoting.ConnectionPool$PooledConnection@55273929,channel=jboss.ejb,nodename=zorglt246]} on channel Channel ID fd76a138 (outbound) of Remoting connection 0167db34 to localhost/127.0.0.1:8080

                                  Exception in thread "main" javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract int org.jboss.as.quickstarts.ejb.remote.stateless.RemoteCalculator.add(int,int) of bean: CalculatorBean is not allowed

                                  at org.jboss.as.ejb3.security.AuthorizationInterceptor.processInvocation(AuthorizationInterceptor.java:135)

                                  • 14. Re: DatabaseServerLoginModule broken?
                                    sae_stahlgruber Newbie

                                    The DatabaseServerLoginModule included in JBoss 6.1.0 Final has had a default rolesQuery.

                                    The DatabaseServerLoginModule in newer Picketbox releases has no default rolesQuery!

                                    1 2 Previous Next