4 Replies Latest reply on Jul 9, 2018 3:48 AM by Milad Jafari

    Migrate Wildfly 10 to 12 - RMI custom login module not working

    Milad Jafari Newbie

      Hi.

       

      We are migrating from WildFly 10 to 12. In WildFly 10 we developed a custom LoginModule (for HTTP basic authentication) which makes an RMI call to a remote EJB located on another server, and the remote EJB on that server finds the subject by querying the database. After migrating to WildFly 12 it does not work and throws this exception:

       

      javax.ejb.NoSuchEJBException: EJBCLIENT000079: Unable to discover destination for request for EJB StatelessEJBLocator for "....", view is interface ..., affinity is None
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:567)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.protocol.remote.RemotingEJBClientInterceptor.handleInvocationResult(RemotingEJBClientInterceptor.java:56)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.TransactionPostDiscoveryInterceptor.handleInvocationResult(TransactionPostDiscoveryInterceptor.java:133)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.DiscoveryEJBClientInterceptor.handleInvocationResult(DiscoveryEJBClientInterceptor.java:118)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.NamingEJBClientInterceptor.handleInvocationResult(NamingEJBClientInterceptor.java:78)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.TransactionInterceptor.handleInvocationResult(TransactionInterceptor.java:172)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:569)
      at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:503)
      at org.jboss.ejb.client.EJBClientInvocationContext.awaitResponse(EJBClientInvocationContext.java:907)
      at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:165)
      at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:100)
      at com.sun.proxy.$Proxy120.findSubjectBy(Unknown Source)
      at com.common.security.jaas.remote.CustomeRemoteLoginModule.initializeLoginRemote(CustomeRemoteLoginModule.java:85)
      at com.common.security.jaas.remote.CustomeRemoteLoginModule.initialize(CustomeRemoteLoginModule.java:54)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
      at java.lang.reflect.Method.invoke(Method.java:498)

       

      The remote EJB was deployed and we can find it in the log:

      java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
      java:app/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
      java:module/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth
      java:jboss/exported/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth

       

      The login module configuration in WildFly 12 is:

      <subsystem xmlns="urn:jboss:domain:security:2.0">
          <security-domain name="test-sec-domain">
              <authentication>
                  <login-module code="com.common.security.jaas.remote.CustomeRemoteLoginModule" flag="required">
                      <module-option name="hashEncoding" value="base64"/>
                      <module-option name="hashAlgorithm" value="SHA-256"/>
                      <module-option name="remoteImplClassName" value="TestSecurityFacade"/>
                      <module-option name="ignorePasswordCase" value="true"/>
                  </login-module>
              </authentication>
          </security-domain>
      </subsystem>

       

       

      The code which makes the JNDI lookup to find the remote EJB is:

      // Requires java.util.Hashtable, javax.naming.Context, javax.naming.InitialContext, javax.naming.NamingException
      Hashtable<String, String> env = new Hashtable<>();
      env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
      env.put(Context.URL_PKG_PREFIXES, "org.wildfly.naming.client.NamingProvider");
      try {
           InitialContext context = new InitialContext(env);
           // Look up the remote EJB through the "ejb:" namespace (no Context.PROVIDER_URL is set)
           RemoteAuth remoteAuth = (RemoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");
           String username = remoteAuth.findSubject("test");
      } catch (NamingException e) {
           logger.error("Error in initialise context", e);
      }

       

      Is there any idea about this problem? Is there any built-in login module for this purpose? How can I migrate this configuration to Elytron?

        • 2. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working
          Milad Jafari Newbie

          Hi Philippe.

           

          Thank you for the reply.

           

          As I mentioned, we migrated to the new EJB client, but the lookup in the "ejb:" namespace does not find anything; if you look up the EJB in "java:global/" or "java:jboss/exported", it can find the EJB.

           

          This does not work:

          RemoteAuth remoteAuth = (RemoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

           

          This works:

          RemoteAuth remoteAuth = (RemoteAuth) context.lookup("java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

           

          And this works too:

          RemoteAuth remoteAuth = (RemoteAuth) context.lookup("java:jboss/exported/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

           

          Any idea?

           

          • 3. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working
            Martin Choma Master

            Please add logging to see if it shows something strange.

            Security TRACE logging

            /subsystem=logging/console-handler=CONSOLE:write-attribute(name=level, value=ALL)
            /subsystem=logging/logger=org.jboss.security:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.security:add(level=ALL)
            /subsystem=logging/logger=org.picketbox:add(level=ALL)
            /subsystem=logging/logger=org.apache.catalina.authenticator:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.web.security:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.domain.management.security:add(level=ALL)
            /subsystem=logging/logger=org.wildfly.security:add(level=ALL)
            /subsystem=logging/logger=org.wildfly.elytron:add(level=ALL)

            # With Remoting
            /subsystem=logging/logger=org.jboss.sasl:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.ejb3:add(level=ALL)
            /subsystem=logging/logger=org.jboss.as.remoting:add(level=ALL)
            /subsystem=logging/logger=org.jboss.remoting3:add(level=ALL)
            /subsystem=logging/logger=org.jboss.remoting:add(level=ALL)
            /subsystem=logging/logger=org.jboss.naming.remote:add(level=ALL)

             

             

            What exactly does your custom CustomeRemoteLoginModule do? How do you mean HTTP basic authentication in conjunction with EJB over remoting? In Elytron you can secure EJBs with some of the standard SASL mechanisms (PLAIN, DIGEST-MD5, SCRAM-SHA-256 ...), or you can still write a custom Elytron security realm to fulfill your needs.

             

            [1] Getting started with EJBs and Elytron Part 1: Securing EJBs and invoking them from remote clients

            • 4. Re: Migrate Wildfly 10 to 12 - RMI custom login module not working
              Milad Jafari Newbie

              Hi Martin Choma.

               

              Thank you for the reply.

              The CustomeRemoteLoginModule makes an RMI call to another machine which is connected to the DB, and the user is found by logic which is located in our "core module".

               

              The problem has been solved by this solution:

              RemoteAuth remoteAuth = (RemoteAuth) context.lookup("java:global/test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");

               

              Also, if Context.PROVIDER_URL is set to the remote machine's IP and port, then the "ejb:" namespace will work; otherwise it does not work. See the code below:

               

               

              // Requires java.util.Properties, javax.naming.Context, javax.naming.InitialContext
              Properties properties = new Properties();
              properties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
              // Point the naming client at the remote server so the "ejb:" lookup has a destination
              properties.put(Context.PROVIDER_URL, "http-remoting://host:port");
              InitialContext context = new InitialContext(properties);
              RemoteAuth remoteAuth = (RemoteAuth) context.lookup("ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth");
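
An added example, not code from the thread or from WildFly: one way to wrap the lookup from the last post so that a login module fails closed when the remote EJB cannot be reached (for instance the EJBCLIENT000079 error in the first post). The class name RemoteSubjectLookup, the RemoteAuth stand-in interface and the null-or-empty convention for an unknown user are assumptions; the provider URL is supplied by the caller.

```java
package com.common.security.jaas.remote;

import java.util.Properties;
import javax.ejb.EJBException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

// Stand-in for the thread's remote view; replace with the real interface from the shared API jar.
interface RemoteAuth {
    String findSubject(String username);
}

// Hypothetical helper: resolves the subject remotely and turns every failure into a LoginException.
public final class RemoteSubjectLookup {
    private static final String EJB_NAME =
            "ejb:test-ear/core/TestSecurityFacade!com.common.security.jaas.remote.RemoteAuth";
    private final String providerUrl; // e.g. "http-remoting://host:port", as in the last post

    public RemoteSubjectLookup(String providerUrl) { this.providerUrl = providerUrl; }

    public String findSubject(String username) throws LoginException {
        Properties props = new Properties();
        props.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
        props.put(Context.PROVIDER_URL, providerUrl);
        InitialContext context = null;
        try {
            context = new InitialContext(props);
            RemoteAuth remoteAuth = (RemoteAuth) context.lookup(EJB_NAME);
            String subject = remoteAuth.findSubject(username);
            if (subject == null || subject.isEmpty()) { // assumed convention for "no such user"
                throw new FailedLoginException("Unknown user");
            }
            return subject;
        } catch (NamingException | EJBException e) {
            // NoSuchEJBException (EJBCLIENT000079) is an EJBException thrown on invocation, not on lookup.
            LoginException failure = new LoginException("Remote authentication service unavailable");
            failure.initCause(e);
            throw failure;
        } finally {
            if (context != null) {
                try { context.close(); } catch (NamingException ignored) { /* nothing to recover */ }
            }
        }
    }
}
```

A JAAS LoginModule would call findSubject from login() and let the LoginException propagate, so an unreachable remote EJB denies the login rather than being logged and ignored.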