7 Replies Latest reply on Aug 5, 2014 4:29 PM by Wolfgang Knauf

    JAAS login in application client does not work

    Wolfgang Knauf Master

      Hi all,


      I struggle with a small sample that uses an application client module to access a secured stateless session bean. So I configured a security domain (using "jboss-app.xml" and also by using the "@SecurityDomain" annotation). All is fine when I perform a login in a web module and access the EJB.


      But in my application client module, I see that a login is performed, by it seems that the password is not sent to the server.


      After activating the log of the security layer, I see this output on the server side:

      21:23:32,868 TRACE [org.jboss.security] (EJB default - 6) PBOX000263: Executing query SELECT PASSWORT FROM BENUTZER WHERE LOGIN=? with username kunde

      21:23:32,868 DEBUG [org.jboss.security] (EJB default - 6) PBOX000283: Bad password for username kunde

      So the "Database" login module is kicking in, and the username "kunde" is the one that's provided in the client. But the password is declared "bad", so I assume it must be null.


      And the client sees this exception for every ejb method call:

      21:23:33,009 INFO  [stdout] (Thread-39) Failed (javax.ejb.EJBAccessException): JBAS013323: Invalid User


      On the client side, I did this for logging in:


            LoginContext loginContext = new LoginContext ("knaufsecurity", callbackHandler);



      The callback handler just provides a hard coded username and password for the corresponding callbacks - name and password callback are called.


      I also declare a "auth.conf" in the client (don't know whether it is required, the sample is migrated from JBoss 5).

      knaufsecurity {

         org.jboss.security.ClientLoginModule  required;



      And in "%WILDFLY_HOME%\appclient\configuration\appclient.xml", I added this:

      <security-domain name="knaufsecurity" cache-type="default">


          <login-module code="Client" flag="required"/>




      Attached is my EAR file (contains sources). To reproduce:

      1) add this to "standalone.xml":

      <security-domain name="knaufsecurity" cache-type="default">


          <login-module code="Database" flag="required">

            <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS"/>

            <module-option name="principalsQuery" value="SELECT PASSWORT FROM BENUTZER WHERE LOGIN=?"/>

            <module-option name="rolesQuery" value="SELECT R.ROLLE, 'Roles' FROM ROLLE AS R, BENUTZER_ROLLE AS BR, BENUTZER AS B        WHERE B.LOGIN=? AND BR.ROLLEN_ID = R.ID AND BR.BENUTZER_ID = B.ID"/>




      2) deploy EAR file to server

      3) make my changes to "appclient.xml" (if this is necessary at all?)

      4) run app client: %WILDFLY_HOME%\bin\appclient.bat c:\path\to\Security.ear#SecurityClient.jar


      Hope that someone can shed some light on this. Either I have a misunderstanding in my client side JAAS config, or there is something broken in WildFly...


      Best regards