52 Replies. Latest reply on Aug 7, 2013 9:52 AM by massassa

    Custom jdbc login module for remoting

    danjee

      Hello,

      I am trying to migrate an OC4J_10g application to the new JBoss 7. I've successfully deployed the ear but I have troubles using the login module.

      I've changed the configuration line for remoting realms in standalone.xml:

      <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm" />

      to use my custom security realm:

      <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm" />

      Also in the security-domains I've defined my custom login module:

      <security-domain name="my-jaas" cache-type="default">
        <authentication>
          <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
            <module-option name="debug" value="true"/>
          </login-module>
        </authentication>
      </security-domain>

      I've also added the jboss.xml file in the META-INF folder linking the ear to the security-domain:

      <jboss>
        <security-domain>my-jaas</security-domain>
      </jboss>

      My problem is linking the MyAppRealm to the security-domain. How can I do that?

      As I saw in the docs https://docs.jboss.org/author/display/AS7/Securing+the+Management+Interfaces , realms have only 5 mechanisms (ldap, users, properties, ssl, secret) and none of them can help me make that link.

      Any help will be appreciated!

      Thank you!

      Daniel Jipa

        • 1. Re: Custom jdbc login module for remoting
          danjee

          Here are bits of my standalone.xml configuration:

          [...]

          <management>
              <security-realms>
                  <security-realm name="ManagementRealm">
                      <authentication>
                          <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="ApplicationRealm">
                      <authentication>
                          <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
                  <security-realm name="MyAppRealm">
                      <authentication>
                          <properties path="myapp-users.properties" relative-to="jboss.server.config.dir"/>
                      </authentication>
                  </security-realm>
              </security-realms>
              <management-interfaces>
                  <native-interface security-realm="ManagementRealm">
                      <socket-binding native="management-native"/>
                  </native-interface>
                  <http-interface security-realm="ManagementRealm">
                      <socket-binding http="management-http"/>
                  </http-interface>
              </management-interfaces>
          </management>

          [...]

          <subsystem xmlns="urn:jboss:domain:remoting:1.1">
              <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>
          </subsystem>
          <subsystem xmlns="urn:jboss:domain:resource-adapters:1.0"/>
          <subsystem xmlns="urn:jboss:domain:sar:1.0"/>
          <subsystem xmlns="urn:jboss:domain:security:1.1">
              <security-domains>
                  <security-domain name="asf-jaas" cache-type="default">
                      <authentication>
                          <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                              <module-option name="debug" value="true"/>
                          </login-module>
                      </authentication>
                  </security-domain>
              </security-domains>
          </subsystem>

          [...]

          What should I modify so that remote JNDI will use my custom login module?

          • 2. Re: Custom jdbc login module for remoting
            dlofthouse

            Looking at your configuration, your inbound communications over Remoting are making use of the MyAppRealm. This realm needs to be updated to reference the JAAS domain that you have defined. Here is an example of how to reference a JAAS domain from a realm:

             <security-realm name="ManagementRealm">
                 <authentication>
                     <jaas name="darrans-domain" />
                 </authentication>
             </security-realm>
            
            • 3. Re: Custom jdbc login module for remoting
              danjee

              I've managed to make my login module usable.

              I've removed the realm restriction for remoting, so now the line in standalone.xml is like this:

              <connector name="remoting-connector" socket-binding="remoting" />

              In the security domain the configuration is like this:

              <security-domains>
                  <security-domain name="asf-jaas" cache-type="default">
                      <authentication-jaspi>
                          <login-module-stack name="asf-jaas-stack">
                              <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                                  <module-option name="debug" value="true"/>
                              </login-module>
                          </login-module-stack>
                          <auth-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" login-module-stack-ref="asf-jaas-stack"/>
                      </authentication-jaspi>
                  </security-domain>
              </security-domains>

              And I think the biggest mistake I made was the jboss.xml file name, which I renamed to jboss-app.xml to store my security-domain.

              Now the validateUser method is getting called. I am now facing a new challenge with the usernames and passwords because they are encrypted by JBoss.

              Are they reversible? Or should I alter my login module?

              • 4. Re: Custom jdbc login module for remoting
                dlofthouse

                By removing the realm from the connector there is now no security applied to that connector so all attempts to connect will be allowed in without authentication.

                • 5. Re: Custom jdbc login module for remoting
                  danjee

                  I got the same result when using a simpler configuration (without authentication-jaspi):

                  <security-domains>
                      <security-domain name="asf-jaas" cache-type="default">
                          <authentication>
                              <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                                  <module-option name="debug" value="true"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                  </security-domains>

                  • 6. Re: Custom jdbc login module for remoting
                    danjee

                    Darran Lofthouse wrote:

                    By removing the realm from the connector there is now no security applied to that connector so all attempts to connect will be allowed in without authentication.

                    My login module is getting called, and so I get javax.ejb.EJBAccessException: JBAS013323: Invalid User and I cannot use the EJB.

                    • 7. Re: Custom jdbc login module for remoting
                      dlofthouse

                      Yes, your module is getting called, but you just have a random username and password as you have disabled any security checks on the incoming connection.

                      • 8. Re: Custom jdbc login module for remoting
                        danjee

                        Darran Lofthouse wrote:

                        Yes, your module is getting called, but you just have a random username and password as you have disabled any security checks on the incoming connection.

                        Indeed, this seems very logical.

                        I've updated the standalone.xml file to use a realm for remoting like this:

                        [...]

                        <security-realms>
                            <security-realm name="ManagementRealm">
                                <authentication>
                                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
                                </authentication>
                            </security-realm>
                            <security-realm name="ApplicationRealm">
                                <authentication>
                                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
                                </authentication>
                            </security-realm>
                            <security-realm name="MyAppRealm">
                                <authentication>
                                    <jaas name="asf-jaas"/>
                                </authentication>
                            </security-realm>
                        </security-realms>

                        [...]

                        <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                            <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>
                        </subsystem>

                        [...]

                        <security-domains>
                            <security-domain name="asf-jaas" cache-type="default">
                                <authentication>
                                    <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
                                        <module-option name="debug" value="true"/>
                                    </login-module>
                                </authentication>
                            </security-domain>
                        </security-domains>

                        but now the login module is not getting called.

                        Am I missing any other configuration?
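A configuration audit for the chain that replies 2, 4 and 8 describe: the remoting connector must name a security-realm (a connector without one accepts every connection unauthenticated), and that realm must reference the JAAS security-domain whose login module should run. This is an added Python example, not code from the thread or from JBoss; the sample standalone.xml is constructed from the fragments posted here and assumes the AS 7.1 namespaces.

```python
"""Audit the remoting connector -> security-realm -> JAAS domain chain in a JBoss AS7 standalone.xml."""
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments posted in this thread; the root namespace is
# assumed to be AS 7.1's urn:jboss:domain:1.1, but only local tag names are matched below.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.1">
  <management><security-realms>
    <security-realm name="ApplicationRealm"><authentication>
      <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication></security-realm>
    <security-realm name="MyAppRealm"><authentication><jaas name="asf-jaas"/></authentication></security-realm>
  </security-realms></management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:remoting:1.1">
      <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>
      <connector name="open-connector" socket-binding="remoting2"/>
      <connector name="dangling-connector" socket-binding="remoting3" security-realm="NoSuchRealm"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:security:1.1"><security-domains>
      <security-domain name="asf-jaas" cache-type="default"><authentication>
        <login-module code="com.asf.security.server.jaas.LdapFallbackJdbcLoginModule" flag="required">
          <module-option name="debug" value="true"/>
        </login-module>
      </authentication></security-domain>
    </security-domains></subsystem>
  </profile>
</server>"""


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _by_local_name(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def audit_remoting_auth(xml_text):
    """Map each remoting connector name to (status, detail):
    UNAUTHENTICATED = no security-realm, so every connection is let in (reply 4);
    BROKEN = the realm or JAAS domain it points at does not exist; OK = the chain resolves."""
    root = ET.fromstring(xml_text)
    realms = {r.get("name"): r for r in _by_local_name(root, "security-realm")}
    domains = {d.get("name"): d for d in _by_local_name(root, "security-domain")}
    findings = {}
    for conn in _by_local_name(root, "connector"):
        if ":remoting:" not in conn.tag:  # the web subsystem also has <connector> elements
            continue
        name, realm_name = conn.get("name"), conn.get("security-realm")
        if realm_name is None:
            findings[name] = ("UNAUTHENTICATED", "connector has no security-realm")
            continue
        realm = realms.get(realm_name)
        if realm is None:
            findings[name] = ("BROKEN", "realm %r is not defined" % realm_name)
            continue
        # the realm's mechanisms are the children of its <authentication> element
        mechs = [m for a in realm if _local(a.tag) == "authentication" for m in a]
        jaas = [m for m in mechs if _local(m.tag) == "jaas"]
        if jaas:
            dom_name = jaas[0].get("name")
            dom = domains.get(dom_name)
            if dom is None:
                findings[name] = ("BROKEN", "JAAS domain %r is not defined" % dom_name)
                continue
            codes = [lm.get("code") for lm in _by_local_name(dom, "login-module")]
            findings[name] = ("OK", "realm %s -> jaas %s -> %s" % (realm_name, dom_name, codes))
        elif mechs:
            findings[name] = ("OK", "realm %s -> %s" % (realm_name, _local(mechs[0].tag)))
        else:
            findings[name] = ("BROKEN", "realm %r defines no authentication mechanism" % realm_name)
    return findings
```

Run `audit_remoting_auth` over a real standalone.xml to see which connectors are open, which point at a realm or domain that does not exist, and which login modules a connector's realm actually ends up invoking.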

                        • 9. Re: Custom jdbc login module for remoting
                          dlofthouse

                          When you say your module is not getting called what is actually happening?  Are you saying the call is reaching all the way to the EJB without any further checks or is some other error being reported?

                          • 10. Re: Custom jdbc login module for remoting
                            danjee

                            If I set

                            <connector name="remoting-connector" socket-binding="remoting" security-realm="MyAppRealm"/>

                            I only get a client exception:

                            javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

                            and nothing in the logs.

                            When using

                            <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>

                            the user in application-users.properties is validated, but I still get the random passwords in my login module.

                            • 11. Re: Custom jdbc login module for remoting
                              dlofthouse

                              Ok, forget the second config; that is not relevant, and your domain configuration is not compatible with that realm. For the first option, how have you set the username and password for the client?

                              • 12. Re: Custom jdbc login module for remoting
                                danjee

                                This is the way I call the test method from the EJB:

                                import java.rmi.RemoteException;
                                import java.util.Hashtable;
                                import javax.naming.Context;
                                import javax.naming.InitialContext;
                                import javax.naming.NamingException;
                                // AppException, TestController and TestControllerRemote are the application's own classes (not shown here).

                                public class Jndi {
                                    public static void main(String[] args) throws NamingException, AppException, RemoteException {
                                        final Hashtable<String, Object> jndiProperties = new Hashtable<String, Object>();
                                        jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
                                        jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                                        jndiProperties.put(Context.PROVIDER_URL, "remote://localhost:4447");
                                        // credentials presented to the security realm of the remoting connector
                                        jndiProperties.put(Context.SECURITY_PRINCIPAL, "capone");
                                        jndiProperties.put(Context.SECURITY_CREDENTIALS, "1234564");
                                        jndiProperties.put("jboss.naming.client.ejb.context", true);

                                        final Context context = new InitialContext(jndiProperties);
                                        final String appName = "capone";
                                        final String moduleName = "capone-EJB";
                                        final String distinctName = "";
                                        final String beanName = "TestControllerBean";
                                        final String viewClassName = TestControllerRemote.class.getName();
                                        // ejb:<app>/<module>/<distinct-name>/<bean>!<view-interface>
                                        String lookup = "ejb:" + appName + "/" + moduleName + "/" + distinctName + "/" + beanName + "!" + viewClassName;
                                        System.out.println("lookup name: " + lookup);
                                        TestController facade = (TestController) context.lookup(lookup);
                                        System.out.println(facade);
                                        System.out.println("test: " + facade.testMessage("hello"));
                                    }
                                }

                                • 13. Re: Custom jdbc login module for remoting
                                  dlofthouse

                                  Thanks for the code, just checking something locally myself but could you please confirm which line actually fails?  Is it the lookup failing or the call to the EJB?

                                  • 14. Re: Custom jdbc login module for remoting
                                    danjee

                                    The lookup is failing. Here is the full stack trace:

                                    Feb 20, 2012 4:05:20 PM org.xnio.Xnio <clinit>
                                    INFO: XNIO Version 3.0.3.GA
                                    Feb 20, 2012 4:05:20 PM org.xnio.nio.NioXnio <clinit>
                                    INFO: XNIO NIO Implementation Version 3.0.3.GA
                                    Feb 20, 2012 4:05:20 PM org.jboss.remoting3.EndpointImpl <clinit>
                                    INFO: JBoss Remoting version 3.2.2.GA
                                    Feb 20, 2012 4:05:20 PM org.jboss.remoting3.remote.RemoteConnection handleException
                                    ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                                    Exception in thread "main" javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
                                        at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
                                        at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:117)
                                        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
                                        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
                                        at javax.naming.InitialContext.init(InitialContext.java:223)
                                        at javax.naming.InitialContext.<init>(InitialContext.java:197)
                                        at com.asf.jndi.jboss7.Jndi.main(Jndi.java:31)
                                    Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                                        at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
                                        at org.jboss.naming.remote.client.cache.ConnectionCache.get(ConnectionCache.java:42)
                                        at org.jboss.naming.remote.client.InitialContextFactory.createConnection(InitialContextFactory.java:153)
                                        at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateConnection(InitialContextFactory.java:126)
                                        at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:106)
                                        ... 5 more
                                    Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                                        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)
                                        at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
                                        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
                                        at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
                                        at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
                                        at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
                                        at org.xnio.nio.NioHandle.run(NioHandle.java:90)
                                        at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
                                        at ...asynchronous invocation...(Unknown Source)
                                        at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
                                        at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
                                        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
                                        at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
                                        at org.jboss.naming.remote.client.cache.EndpointCache$EndpointWrapper.connect(EndpointCache.java:110)
                                        at org.jboss.naming.remote.client.cache.ConnectionCache.get(ConnectionCache.java:41)
                                        ... 8 more
