6 Replies Latest reply on Apr 8, 2014 4:43 AM by Darran Lofthouse

    Security porpogation issue when EJB server to server bean look up

    sudhananthan B Newbie

      Hi,

       

      I'm using jboss EAP 6.1.0. I looked up remote bean through obtaining context as below:

       

      jndiProps.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
      haJNDIContext = new InitialContext(jndiProps);
      

       

      On the remote machine when i get context information via javax.interceptor.InvocationContext of my EjbInterceptor class, it always return user name as 'anonymous'

       

      @AroundInvoke
          public Object aroundInvoke(final InvocationContext invocationContext) throws Exception {
              try
              {
                  Connection con = RemotingContext.getConnection();
                  if (con != null)
                  {
                      UserPrincipal up = null;
                      for (Principal current : con.getPrincipals()) {
                          if (current instanceof UserPrincipal) {
                              up = (UserPrincipal) current;
                          }
                          //break;
                      }
                  }
                  .....
                 ......
         }
      

      Any one give me solution to propagate the context information when doing server to server ejb  lookup.

       

      Thanks in advance,

      Sudhananthan B.

        • 1. Re: Security porpogation issue when EJB server to server bean look up
          Wolf-Dieter Fink Master

          Did you enable the security for your application?

          Also you should show how you have configured the outbound connection

          • 2. Re: Re: Security porpogation issue when EJB server to server bean look up
            sudhananthan B Newbie

            Yes i've enabled security policy in jboss-app.xml

             

            <jboss-app>
            
                <security-domain>SecurityPolicy</security-domain>
                ....
            
            

             

            And also in standalone.xml remoting configuration is as below:

             

                      <security-realm name="ejb-security-realm">
                            <server-identities>
                                <secret value="ZGVmYXVsdHVzZXI="/>
                            </server-identities>
                      </security-realm>
                      ....
                      ....
            
                      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                        <connector name="remoting-connector" socket-binding="remoting"/>
                        <outbound-connections>
                            <remote-outbound-connection name="remote-ejb-connection" outbound-socket-binding-ref="remote-ejb" username="ejb" security-realm="ejb-security-realm">
                                <properties>
                                    <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
                                    <property name="SSL_ENABLED" value="false"/>
                                </properties>
                            </remote-outbound-connection>
                        </outbound-connections>
                    </subsystem>
            
                    .....
                          <security-domain name="SecurityPolicy" cache-type="default">
                                <authentication>
                                    <login-module code="Remoting" flag="optional">
                                        <module-option name="password-stacking" value="useFirstPass"/>
                                    </login-module>
                                    <login-module code="org.jboss.security.ClientLoginModule" flag="required">
                                        <module-option name="restore-login-identity" value="true"/>
                                    </login-module>
                                    <login-module code="xxx.xxx.xxx.CustomLoginCheck" flag="required">
                                        <module-option name="unauthenticatedIdentity" value="defaultuser"/>
                                    </login-module>
                                </authentication>
                            </security-domain>
            
            

             

             

            jboss-ejb-client.xml

             

            <jboss-ejb-client xmlns:xsi="urn:jboss:ejb-client:1.0" xsi:noNamespaceSchemaLocation="jboss-ejb-client_1_2.xsd">
                <client-context>
                    <!-- By default LocalEJBReceiverPreferringDeploymentNodeSelector.class is used Node Selector-->
                        <ejb-receivers>
                             <remoting-ejb-receiver outbound-connection-ref="remote-ejb-connection"/>
                        </ejb-receivers>
            
                         <clusters>
                                 <cluster name="ejb" username="ejb" security-realm="ejb-security-realm">
                                      <connection-creation-options>
                                            <property name="org.xnio.Options.SSL_ENABLED" value="false"/>
                                            <property name="org.xnio.Options.SASL_POLICY_NOANONYMOUS" value="false"/>
                                        </connection-creation-options>
                                  </cluster>
                        </clusters>
                    </client-context>
            </jboss-ejb-client>
            
            

             

             

            Do i need any additional configuration in order to propagate the security credentials.

             

            Thanks,

            Sudhananthan B

            • 3. Re: Security porpogation issue when EJB server to server bean look up
              sudhananthan B Newbie
              Wolf-Dieter Fink

               

              I'm using custom login module. Is there any thing i'm missing. I stuck in there for a while.

               

              Thanks in advance,

              Sudhananthan B.

              • 4. Re: Security porpogation issue when EJB server to server bean look up
                Darran Lofthouse Master

                Despite what you may have read elsewhere never ever ever ever use the ClientLoginModule in a security domain that is used to secure access to an application.  In short it leaks security contexts in certain circumstances.

                 

                To propagate an identity from one server to another you should have a look at the ejb-security-interceptors quickstart, this quick start demonstrates how interceptors can be used to pass the name of the user from the client side to the server side of the call along with the EJB invocation and how login modules can verify this user and switch the identity for the call.

                1 of 1 people found this helpful
                • 5. Re: Security porpogation issue when EJB server to server bean look up
                  sudhananthan B Newbie

                  Thanks darranl for your reply,

                   

                  I looked into the ejb-security-interceptors quickstart.

                  I've following questions related to the example,

                   

                  1. In the example @ DelegationLoginModule, No password validation happens for delegation request (the delegation credentials checks against the user@realm in property and it returns the status).

                  2. The security information along with realm gets propagated when i do remote invocation and it is fine. But the mater is the password gets encrypted. For eg: My Password is 'defaultuser' gets encrypted as 'bb5331d1-5630-4687-8137-3fd8f7b8e74a'. It changes often. What's the algorithm behind this, so that i can decrypt it and validate.

                  3. In the thread  https://community.jboss.org/thread/200905 Jaikiran Pai said that there is no way to dynamically configured user for remote invoking from server to server. Now I'm hard-coring the values in standalone.xml. Is there any other work around to do that programatically.

                   

                  Thanks in advance,

                  Sudhananthan B.

                  • 6. Re: Security porpogation issue when EJB server to server bean look up
                    Darran Lofthouse Master

                    1 - Yes that is correct, the client server has already authenticated against the second server so the quick start is demonstrating trust i.e. the first server is trusted to ask for requests to be executed as a different user

                    2 - That is not a password, that is just a place holder we use to work around a JAAS / realm integration issue.  You will need the realm that secures the incoming connection to be configured to delegate to JAAS.

                    3 - The solution is to use the quickstart approach with the interceptors and login module to switch the identity for the call.

                    1 of 1 people found this helpful