7 Replies Latest reply: Oct 7, 2013 2:26 PM by José Pedro Novais RSS

Username & password get mysteriously encoded in custom server login module AS7.1

Jan Snelders Newbie

I'm migrating a client-server application from JBoss 6.1 to JBoss 7.1 CR1 and run into some problems when trying to get my custom server login module to work.

 

On the client side I use the org.jboss.security.ClientLoginModule. On the server side I have a custom login module which extends org.jboss.security.auth.spi.UsernamePasswordLoginModule. My implementation is similar to how org.jboss.security.auth.spi.LdapLoginModule is implemented and extends the UsernamePasswordLoginModule.

 

The problem I run into is that once I call getUsername() (from UsernamePasswordLoginModule) I don't get the username which was used to login. It seems to be encoded/encrypted. The same happens to my password.

 

They look like "db80497a-0e75-4d7b-8261-4bb6faf7c9b4" (username) & "d89e062f-4740-4529-a3c9-beb84d73589" (password).

 

Further more they change every time I try to login, so if my guess about the encoding is correct there also seems to be an random challenge involved.

 

The problem is that I don't know why this happens and more important: how to decode this back to my original username & password.

 

(I posted the same question on the PicketBox forum a week ago, but apparently that wasn't the correct place to ask this question)

  • 1. Re: Username & password get mysteriously encoded in custom server login module AS7.1
    Levente Sántha Newbie

    I have the exact same problem with an extended  UsernamePasswordLoginModule. It worked under JBoss 4 and it gets an encrypted username under JBoss 7.1 final. Why is the username encrytpted?

  • 2. Re: Username & password get mysteriously encoded in custom server login module AS7.1
    Darran Lofthouse Master

    It is not encrypted - the value is not getting passed from the SASL authentication tier to the login module so a unique id is being generated.

     

    Can you please show the configuration of both the security realm and your security domain.

  • 3. Re: Username & password get mysteriously encoded in custom server login module AS7.1
    Levente Sántha Newbie

    On the client side in .java.login.config I have:

     

    MyDomain {
          org.jboss.security.ClientLoginModule requisite;
    };

     

    I added this to the JBoss AS configuration file:

     

    <security-domain name="MyDomain" cache-type="default">
          <authentication>
               <login-module code = "org.jboss.security.auth.spi.RunAsLoginModule" flag="required">
                    <module-option name="roleName" value="administrator"/>
               </login-module>
              <login-module code="my.custom.login.module.ClassName" flag="required">
                    <module-option name="hashUserPassword" value="false"/>
               </login-module>
          </authentication>
    </security-domain>

  • 4. Re: Username & password get mysteriously encoded in custom server login module AS7.1
    Sebastian Bayerlein Newbie

    I'm facing the same problem. Has somebody an idea?

  • 5. Re: Username & password get mysteriously encoded in custom server login module AS7.1
    Jan Snelders Newbie

    As Darran mentions the username & password I see aren't encoded or encrypted but just anonymous/generated id's generated by the server since there just aren't any credentials passed to the server. I think I now understand why and got closer to a solution.

    Darran and Anil explain things in much more detail in this thread: https://community.jboss.org/thread/195501?start=0&tstart=0 .

     

    Disable Local User Authenticaton when developing on one machine

    The reason why there wasn't any credentials passed to the server in my case was because my setup was on one computer: The 'remote' client and server both run on the same machine. In this case the remote client will perform a 'local user' authentication which authenticates by proofing it is running on the same machine by reading a jboss-server generated file and telling the server the content of the file. That's nice in some cases but not if your custom login module isn't aware of this and need real world credentials to succeed.

     

    I prevented this from happending by setting the option: "remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER" in the jboss-ejb-client.properties file for my EJB connection.

     

    I shouldn't have removed the security-realm on the remoting-connector

    I removed the security-realm="ApplicationRealm" parameter from the remoting-connector in my standalone.xml file and left this connector unsecured. I just secured my EJB by annotating it with a @SecurityDomain("MySecurityDomain"). That caused things not to work, I needed a valid security-realm there.

    <subsystem xmlns="urn:jboss:domain:remoting:1.1">

         <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>

    </subsystem>

     

    If I understand Darran correctly in the earlier mentioned thread this is because credentials will not be sent to the server when negotiating a connection if the remoting-connector is not secured. The security domain securing your EJB will not receive any credentials in that case.....

     

    Make my custom login module findable for JBoss

    At the time your remote client will authenticate on the remoting-connector JBoss doesn't know which deployment/application you are about to access on the server. So if your custom loginmodule is for example within a specific EAR, JBoss doesn't know about it and authentication will fail with an error looking something like this:

    19:20:46,277 TRACE [org.jboss.modules] (Remoting "hattori-hanzo" task-2) Class com.my.CustomSecurityLoginModule not found from Module "org.jboss.as.remoting:main" from local module loader @3d32e42f (roots: C:\jboss\jboss-as-7\modules)

     

    Daniel Jipa mentions a workaround https://community.jboss.org/message/719096#719096 which isn't elegant but worked for me:


    I finally got it to work. The issue was the loading of custom security jar. It seems that putting it in the ear is not a solution (or at least not sufficient)

    I added it on the jboss_install_dir/modules/org/jboss/as/remoting/main and modified the module.xml file at the same path to also use that resource.

    I worked with or without the jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

     


    Darran Lofthouse mentioned that there is a more elegant solution here https://community.jboss.org/message/722362#722362


    This has been implemented, and will be in the 7.1.1 release that will go out this week.

     

    Basically you can now refer to a deployment in the "module=" attribute on a login module. The format is deployment.name. So for example, foo.jar would be "deployment.foo.jar". You can also refer to static modules as before.

     

     

    I didn't manage to get that working however.

     

    The relvant parts of my config

    standalone.xml file:

    <security-realms>

         ...

         <security-realm name="MyRealm">

              <authentication>

                   <jaas name="MySecurityDomain"/>

              </authentication>

         </security-realm>

    </security-realms>

    ....

    <subsystem xmlns="urn:jboss:domain:remoting:1.1">

         <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>

    </subsystem>

    ....

    <security-domain name="MySecurityDomain" cache-type="default">

         <authentication>

              <login-module code="com.my.CustomLoginModule" flag="required" module="deployment.MyEAR.ear.MyLoginModule.jar">

                   <module-option name="password-stacking" value="useFirstPass"/>

              </login-module>

         </authentication>

    </security-domain>

     

    Please note that the part 'module="deployment.MyEAR.ear.MyLoginModule.jar"' didn't work for me but I just left it for reference.

     

    jboss-ejb-client.properties file:

    remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

    remote.connections=default

    remote.connection.default.host=localhost

    remote.connection.default.port = 4447

    remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false

    remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

    remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

    # remote.connection.default.callback.handler.class=com.my.MyLoginCallbackHandler

    remote.connection.default.username=username

    remote.connection.default.password=password

  • 6. Re: Username & password get mysteriously encoded in custom server login module AS7.1
    Carsten Lichy-Bittendorf Newbie

    Hi,

    I'm trying to configure something similar and struggle based on AS7.1.3:

     

    if I change the security-realm to "MyRealm" the client can't connect any more, because of "javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed"

    if the security-realm is set to "ApplicationRealm" I experience the following:

     

    using as custom login module:

    <login-module code="Remoting" flag="optional">
                                <module-option name="password-stacking" value="useFirstPass"/>
                            </login-module>
                            <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
                                <module-option name="unauthenticatedIdentity" value="anonymous"/>
                                <module-option name="defaultUsersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                <module-option name="defaultRolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                <module-option name="password-stacking" value="useFirstPass"/>
                            </login-module>

    it works fine - like documented in may blogs.

    switching the login-module to

    <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
                                <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                                <module-option name="java.naming.provider.url" value="ldap://ldap.acme.com:389"/>
                                <module-option name="java.naming.security.authentication" value="simple"/>
                                <module-option name="principalDNPrefix" value="cn="/>
                                <module-option name="principalDNSuffix" value=",ou=People,dc=acme,dc=com"/>
                                <module-option name="searchTimeLimit" value="5000"/>
                                <module-option name="searchScope" value="ONELEVEL_SCOPE"/>
                            </login-module>

    always causes a "PBOX000283: Bad password for username dummy"

    at the client I tried same set of properties and lot variants to get it working. Up to my investigation the credential get send encrpyted to the server.
    In case of properties based login-module it can get directly compared with the file content, while the LDAP authentication would cause a decrpytion.

    So how to send the credential plain text to the server? - I'm aware on the security impact :-)

  • 7. Re: Username & password get mysteriously encoded in custom server login module AS7.1
    José Pedro Novais Newbie

    Hi,

    I'm also trying to get get Username/Password credentials in my custom Login Module, which extends org.jboss.security.auth.spi.UsernamePasswordLoginModule.

    My LoginModule is correctly initialized, but I always get a king of an hash instead in the login() method. This, seams to be due to the username/password credentials are not properly propagated from the Remote EJB client to the server.

     

    I Always get the following (in log):

        18:41:51,253 TRACE [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 1) defaultLogin, principal=80e88281-66ed-42d9-acd0-61a13c5880fb

        18:41:51,254 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) Begin getAppConfigurationEntry(testLoginModule), size=3

        18:41:51,254 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1) End getAppConfigurationEntry(testLoginModule), authInfo=AppConfigurationEntry[]:

        [0]

        LoginModule Class: testLoginModule.loginModule.UserPassTestLoginModule

        ControlFlag: LoginModuleControlFlag: required

        Options:

        name=realm, value=ApplicationRealm

        name=debug, value=true

        name=password-stacking, value=useFirstPass

        18:41:51,256 INFO  [stdout] (EJB default - 1) UserPassTestLoginModule.login()

        18:41:51,256 INFO  [stdout] (EJB default - 1) username 80e88281-66ed-42d9-acd0-61a13c5880fb, password 846496d7-8155-41e9-bfef-12d329ba21c4

        18:41:51,257 INFO  [stdout] (EJB default - 1) username '80e88281-66ed-42d9-acd0-61a13c5880fb', password '846496d7-8155-41e9-bfef-12d329ba21c4'

        18:41:51,257 INFO  [stdout] (EJB default - 1) Returning result = false

     

     

    my security configuration in standalone-full.xml in JBoss 7.1.1.FINAL

                    <security-domain name="testLoginModule" cache-type="default">

                        <authentication>

                            <login-module code="testLoginModule.loginModule.UserPassTestLoginModule" flag="required" module="deployment.server-login-module-test.jar">

                                <module-option name="password-stacking" value="useFirstPass"/>

                                <module-option name="debug" value="true"/>

                                <module-option name="realm" value="ApplicationRealm"/>

                            </login-module>

                        </authentication>

                    </security-domain>

     

    my EJB Client

    public static void test_protectedBean_approach_1()

      {

            ProtectedGreeter protectedGreeterBean;

     

            final Properties jndiProperties = new Properties();

            jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

            jndiProperties.put(Context.PROVIDER_URL, "127.0.0.1:4447");

            jndiProperties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");

            jndiProperties.put("remote.connections", "default");

            jndiProperties.put("remote.connection.default.port", "4447");

            jndiProperties.put("remote.connection.default.host", "127.0.0.1");

            //jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");

            //jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

     

            jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

            jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

     

            // This tels JBOss ejb-client to not use remoting instead of ByPassing

            jndiProperties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");

            jndiProperties.put("remote.connection.default.username", "appuser1");

            jndiProperties.put("remote.connection.default.password", "appuser");

     

     

            // this is to configure JBoss EJB client API by code instead of jboss-ejb-client.propeties file

            EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(jndiProperties);

            ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);

            EJBClientContext.setSelector(selector);

     

            try

            {

                final Context context = new InitialContext(jndiProperties);

                String result_message = "";

                ProtectedGreeter unprotectedGreeterBean = (ProtectedGreeter) context.lookup(UnprotectedGreeterBean_url);

                result_message = unprotectedGreeterBean.tell_me_hello(" Alice");

                System.out.println(result_message);

     

                protectedGreeterBean = (ProtectedGreeter) context.lookup(ProtectedGreeter_url);

                result_message = protectedGreeterBean.tell_me_hello(" Bob");

                System.out.println(result_message);

            }

            catch (Exception e)

            {

                e.printStackTrace();

            }

        }

     

    the call to the unprotectedGreeterBean works just fine. the call to protectedGreeterBean instantiates the my Login module as expected, but the username/password credentials are not passed to the server.

    Could please someone tell-me whats wrong/missing?

    Please check out my attached code (Just with login-module an EJB Client and standalone configuration file).

     

    • server application with login module:

    > mvn clean install && mvn jboss-as:deploy    to deploy the server-login-module-test

    • to run EJB Client Test

    > mvn clean compile assembly:single

    > java -jar target/client-login-module-test-jar-with-dependencies.jar