1 Reply Latest reply on Jan 29, 2015 6:10 PM by Stanley Tom

    Jaas credentials propagation in remote EJB call between multiple Wildfly instances

    mjv Newbie

      I have two instance of wildfly (WfA and WfB), each one with a different application deployed (AppA and AppB). Each application has its own security-domain (well configured on standalone-full.xml). Authentication on each application works well (I've my custom login module and authentication/autorization/identity services), and the jaas security subject is filled with the right principals.

      The problem occurs when in AppA I call a remote SECURED ejb of AppB using http-remoting protocol: when i do this call the user is already authenticated in security-domain of AppA and has principals and roles well managed. As expected in WfB a new authentication is required (because called ejb is protected) and the caller is not authenticated in security-domain of AppB. Security interceptors trigger a new Jaas authentication in WfB but, for some reason, the callback passed to the login module has username ANONYMOUS and password NULL.

      This scenario is correctly supported in JBoss 6, in this case username and password given by the user during authentication on AppA are propagated within the ejb context and correctly passed in the LoginModule's callback. I suppose it's done by some EjbInterceptors and the mecchanism is totally transparent.

      I know that remote ejb invocation protocol is deeply different between J6 and W8 (jnp vs http-remoting) but i can't believe that in Wildfly there's not this propagation or a similar mechanism.

      I've try anything: RemotingLoginModule, ClientLoginModule and so on..but nothing works.

      PS: obviously the authenticated user in AppA has roles on AppB too..

        • 1. Re: Jaas credentials propagation in remote EJB call between multiple Wildfly instances
          Stanley Tom Newbie

          Just registered into this forum looking for a resolution to this exact same issue.  Wonder if you discovered anything new since your last post?

           

          Our situation is basically identical.  We're currently on JBoss 5.  Our web-tier instances only service WARs and our EJB-tier instances only service EJBs.  Our servlets or Struts Actions remotely invokes EJBs with no problems.  We also have our own custom authenticator/login module to authenticate credentials.  Connections to EJB are via JNP.  We don't have to explicitly pass credentials to EJB connection.

           

          We're looking into migrating to Wildfly 8.2.  If both WARs and EJBs run on the same instance, no problem.  However, if we try to run separate Wildfly instances just like we are on JBoss 5, it appears that we have to explicitly pass credentials via JNDI properties.  (We're using Remote-Naming; EJB Client appears too restrictive for us.)  We have lots of users and roles.

           

          Maybe there's a way to extract the credentials authenticated by Undertow via the authentication mechanism and insert them into the JNDI properties?  As an application developer, I don't believe we should have to do this, but I'm getting desperate!