37 Replies. Latest reply on Nov 3, 2012 4:21 PM by pgarner
      • 15. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
        dlofthouse

        Ok I have just verified the web to ejb call portion of this and that aspect is fixed - I am only seeing a single call into the login module despite multiple calls to the web app and the secured ejb.

         

        The issue I am now working on is the following: -

          https://issues.jboss.org/browse/AS7-3525

         

        This issue will be relevant if you regularly disconnect and reconnect to the AS instance as that will be the trigger for a re-authentication - if a connection is maintained you should still be able to make many calls to deployed EJBs without the re-authentication after the first call.

        • 16. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
          michael_gronau

          Thank you Darran, our use case is a remote client calling the ejb and I see our login module for the remoting connector is only called once per user (as expected) but the module for the ejb security domain is called every time. We are not disconnecting between the calls. The only way I know how to disconnect is closing the client JVM (which is in my eyes another issue). I have tested this with latest build #772.

          • 17. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
            dlofthouse

            Thank you for the clarification Michael - that scenario should have been covered by the fix but I will make sure I investigate it more closely to verify.

             

            Regarding the inability to close the connection I would suggest starting a separate thread for that one - there is possibly an option you have not seen or if that is not available then there may be something we are missing as I agree there is not necessarily a relationship between the length of time a java process is running and how long a connection to the server is maintained.

            • 18. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
              michael_gronau

              That's nice Darran. I will start another thread regarding the 'How to close a connection'-problem.

              • 19. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                dlofthouse

                Michael,

                 

                Would it be possible for you to show me your current realm and jaas configuration again?  I have just tested this again using the latest code and can not reproduce repeated calls to the login module.

                 

                My realm definition is now: -

                 

                            <security-realm name="ApplicationRealm">
                                <authentication>
                                    <jaas name="other"/>
                                </authentication>
                            </security-realm>
                

                 

                And my domain definition is still: -

                 

                                <security-domain name="other" cache-type="default">
                                    <authentication>
                                        <login-module code="Remoting" flag="optional">
                                            <module-option name="password-stacking" value="useFirstPass"/>
                                        </login-module>
                                        <login-module code="RealmUsersRoles" flag="required">
                                            <module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
                                            <module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
                                            <module-option name="realm" value="ApplicationRealm"/>
                                            <module-option name="password-stacking" value="useFirstPass"/>
                                        </login-module>
                                    </authentication>
                                </security-domain>
                

                 

                However I am running with slightly modified code to output a stack trace each and every time the module is called; at the moment I am only seeing it called twice: -

                1 - As the connection is authenticated.

                2 - For the first EJB call.

                 

                Updating the connection authentication to ensure that it also uses the cache is the task I am currently working on so that will be reduced down to just a single call but there must be something else we are missing if you are still seeing multiple calls so I would like to make sure we understand that so that your scenario is covered.

                • 20. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                  michael_gronau

                  Hi Darran,

                   

                  I think it now gets a little bit more complicated. Let me try to explain.

                  For our client application we have the requirement to be able to use multiple users per JVM. In JBoss 4.x and 5.x this could be achieved simply with the JBoss client login module by calling the login() method of the module in the current thread for the current user. In JBoss 7 the only solution I found is using the class org.jboss.ejb.client.ThreadLocalContextSelector<...> to set the current EJBClientContext object for the current thread and user. With this approach I was able to call ejb methods with different users in the same JVM -> the server-side CallerPrincipal is correctly set for every call.

                   

                  The following pseudo code works like a charm, that is, the authentication process is only called once per connection:

                   

                  In the main thread

                  create connection

                  set ThreadLocalContext()

                  lookup the ejb.

                  call it in a loop

                   

                  Everything is ok here. But when I start another thread to call the ejb then every call starts the authentication process:

                   

                  In the main thread:

                  create connection

                  set the context

                  create a new thread and start.

                   

                  in the run method of the thread:

                  set threadlocal context for the desired user (which is already successfully authenticated).

                  lookup the ejb

                  call it in a loop (now every call must be authenticated)

                   

                   

                  Am I missing something? Or do I have to do something else instead of using org.jboss.ejb.client.ThreadLocalContextSelector<...>?

                  • 21. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                    jason.greene

                    In remoting, authentication is PER connection. Inside of a connection you have multiple channels which are intended for multiple services (e.g. ejb, jmx, etc). All are intended to share the same credentials so that auth is only done once on initial connect. If you need to dynamically handle different users, then the best way is to manage all of the connections yourself (this will also address the close problem you mention in the other thread). So basically all you do is set up your connections lazily and per user, and then associate them to the ejb client context before a proxy is invoked (e.g. using ThreadLocalContextSelector like you are already doing). If you prefer you could also write your own context selector that uses the username as an entry in a global index.

                     

                    Something like this could be done for a connection per-thread model (although ideally you don't want duplicate connections for the same user):

                     

                    Global Shared Stuff for the entire VM

                            // Global Shared Stuff
                            // create the endpoint
                            final Endpoint endpoint = Remoting.createEndpoint("my-client", OptionMap.create(Options.THREAD_DAEMON, true));
                    
                            // Have the provider use non-ssl connections
                            endpoint.addConnectionProvider("remote", new RemoteConnectionProviderFactory(), OptionMap.create(Options.SSL_ENABLED, false));
                    
                            // Set up a global thread-local selector, which will allow you to have a different connection per-thread
                            this.selector = new ThreadLocalContextSelector<EJBClientContext>(new ThreadLocal<EJBClientContext>()); 
                            EJBClientContext.setSelector(this.selector);
                    

                     

                    Per-connection setup

                            // Where to connect
                            final URI connectionURI = new URI("remote://localhost:4447");
                    
                            // Disable local auth, and allow plain text passwords over the wire (clear text is needed for JAAS / security domains)
                            OptionMap.Builder builder = OptionMap.builder().set(Options.SASL_POLICY_NOANONYMOUS, true);
                            builder.set(Options.SASL_POLICY_NOPLAINTEXT, false);
                            builder.set(Options.SASL_DISALLOWED_MECHANISMS, Sequence.of("JBOSS-LOCAL-USER"));
                    
                            // Create the connection
                            final IoFuture<Connection> futureConnection = endpoint.connect(connectionURI, builder.getMap(), new AuthenticationCallbackHandler(username, password));
                            // wait for the connection to be established
                            final Connection connection = IoFutureHelper.get(futureConnection, 5000, TimeUnit.MILLISECONDS);
                            
                            // associate it with a new EJB client context
                            EJBClientContext context = EJBClientContext.create();
                            context.registerConnection(connection);
                    
                            // Set this thread to use this context
                            this.selector.setCurrent(context);
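
The alternative mentioned in the post above, a context selector that uses the username as an entry in a global index, could look like the following. This is an added example, not part of the original post and not JBoss code; `PerUserContextSelector`, `Connector`, `login`, `runAs` and `logout` are hypothetical names, and it assumes jboss-ejb-client and jboss-remoting are on the classpath.

```java
import java.io.IOException;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import org.jboss.ejb.client.ContextSelector;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.remoting3.Connection;

/** One authenticated connection and EJBClientContext per username, shared by all threads. */
public final class PerUserContextSelector implements ContextSelector<EJBClientContext> {

    /** Hypothetical hook that opens an authenticated connection (e.g. the per-connection setup above). */
    public interface Connector {
        Connection connect(String username, char[] password) throws IOException;
    }

    private static final class Entry {
        final Connection connection;
        final EJBClientContext context;
        Entry(Connection connection, EJBClientContext context) {
            this.connection = connection;
            this.context = context;
        }
    }

    private final ConcurrentMap<String, Entry> byUser = new ConcurrentHashMap<String, Entry>();
    private final ThreadLocal<String> currentUser = new ThreadLocal<String>();
    private final Connector connector;

    public PerUserContextSelector(Connector connector) {
        this.connector = connector;
    }

    /** Authenticates the user once. A second login for a connected user is refused, not silently accepted. */
    public void login(String username, char[] password) throws IOException {
        synchronized (byUser) {
            if (byUser.containsKey(username)) {
                throw new IllegalStateException("already connected: " + username);
            }
            Connection connection = connector.connect(username, password);
            EJBClientContext context = EJBClientContext.create();
            context.registerConnection(connection);
            byUser.put(username, new Entry(connection, context));
        }
    }

    /**
     * Binds the calling thread to a logged-in user. No credential is checked here, so any code
     * that can reach this selector can act as any connected user: keep the instance private.
     */
    public void runAs(String username) {
        if (!byUser.containsKey(username)) {
            throw new IllegalStateException("not logged in: " + username);
        }
        currentUser.set(username);
    }

    /** Unbinds the calling thread; call it in a finally block when threads are pooled. */
    public void clear() {
        currentUser.remove();
    }

    /** Closes the user's connection so that the next login authenticates again. */
    public void logout(String username) throws IOException {
        Entry entry = byUser.remove(username);
        if (entry != null) {
            entry.connection.close();
        }
    }

    @Override
    public EJBClientContext getCurrent() {
        String user = currentUser.get();
        Entry entry = (user == null) ? null : byUser.get(user);
        if (entry == null) {
            throw new IllegalStateException("no logged-in user bound to this thread");
        }
        return entry.context;
    }
}
```

Install it once per JVM with `EJBClientContext.setSelector(selector)`, then call `runAs(username)` on a thread before invoking an EJB proxy and `clear()` afterwards.
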
                    
                    • 22. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                      michael_gronau

                      Hello Jason,

                      Thank you for your suggestions, I will definitely try this out. But I could imagine that it has the same effect, because the problem is not the authentication on the connection (because this happens only once per user/thread as expected) but on the ejb call itself. But let me see if it works.

                       

                      Thanks a lot,

                      Michael

                      • 23. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                        michael_gronau

                        Hi Jason,

                        I have refactored my code and tested it and as I said, the problem still exists. But at least my 'connection close problem' is solved with your solution. Thank you for that!

                        • 24. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                          dlofthouse

                          FYI I have just submitted the pull request for AS7-3525. I have been testing various scenarios from web apps accessing EJBs to remote EJB clients both making multiple calls over a connection and running the client multiple times to get multiple connections and there is now only a single authentication in the JAAS domain for an individual user.

                          • 25. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                            michael_gronau

                            Ok, so I will wait until it's available in the nightly build and I will give it a try.

                            • 26. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                              danjee

                              I've just downloaded the latest build for the 7.1.2 release and the problem continues for remote and local calls.

                               

                              Here are bits of my standalone.xml file:

                               

                               

                                  <security-domains>
                                      <security-domain name="AsfJaas" cache-type="default">
                                          <authentication>
                                              <login-module code="com.asf.security.server.jaas.AsfBaseLoginModule" flag="required" module="deployment.capone.ear.asf-security-server-2.0-dev.jar">
                                                  <module-option name="password-stacking" value="useFirstPass"/>
                                                  <module-option name="debug" value="true"/>
                                              </login-module>
                                          </authentication>
                                      </security-domain>
                                      <security-domain name="AsfRemoteJaas" cache-type="default">
                                          <authentication>
                                              <login-module code="com.asf.jboss7.security.AsfRemotingLoginModule" flag="required">
                                                  <module-option name="password-stacking" value="userFirstPass"/>
                                              </login-module>
                                          </authentication>
                                      </security-domain>
                                  </security-domains>

                              • 27. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                                dlofthouse

                                What does your realm look like now? 

                                 

                                Also could I suggest within your login module adding a line like: -

                                 

                                  new Throwable("TRACE").printStackTrace();

                                 

                                This helps verify the stack for the additional calls.

                                • 28. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                                  danjee

                                  Attached is my full standalone.xml

                                   

                                  I will also give it a try with that stack trace but it's quite clear that there is something missing in my configuration that causes those unnecessary calls.

                                   

                                  My java code that does local calls looks like this:

                                   

                                   

                                      @EJB
                                      PersistenceControllerLocal facade;
                                      ....

                                      public void buttonClick(ClickEvent event) {
                                          try {
                                              Long accId = 28897012L;
                                              lbl.setCaption("created by: "
                                                      + facade.get(AccountDebt.class, accId).getCreatedBy());
                                          } catch (Exception e) {
                                              e.printStackTrace();
                                          }
                                      }
                                  
                                  

                                   

                                  Every time I click the button my login module is getting called.

                                  • 29. Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
                                    danjee

                                    I've placed a stack trace in my login module and I see that JBossCachedAuthenticationManager.authenticate is getting called but also my login module is called.

                                    Here is the stack trace:

                                     

                                     

                                    09:35:04,848 ERROR [stderr] (http--0.0.0.0-8089-2) java.lang.Throwable: Trace for login module calls
                                    09:35:04,848 ERROR [stderr] (http--0.0.0.0-8089-2)      at com.asf.security.server.jaas.AsfBaseLoginModule.login(AsfBaseLoginModule.java:115)
                                    09:35:04,849 ERROR [stderr] (http--0.0.0.0-8089-2)      at sun.reflect.GeneratedMethodAccessor128.invoke(Unknown Source)
                                    09:35:04,849 ERROR [stderr] (http--0.0.0.0-8089-2)      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                                    09:35:04,850 ERROR [stderr] (http--0.0.0.0-8089-2)      at java.lang.reflect.Method.invoke(Method.java:597)
                                    09:35:04,850 ERROR [stderr] (http--0.0.0.0-8089-2)      at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
                                    09:35:04,850 ERROR [stderr] (http--0.0.0.0-8089-2)      at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
                                    09:35:04,851 ERROR [stderr] (http--0.0.0.0-8089-2)      at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
                                    09:35:04,851 ERROR [stderr] (http--0.0.0.0-8089-2)      at java.security.AccessController.doPrivileged(Native Method)
                                    09:35:04,851 ERROR [stderr] (http--0.0.0.0-8089-2)      at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
                                    09:35:04,852 ERROR [stderr] (http--0.0.0.0-8089-2)      at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
                                    09:35:04,852 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.security.authentication.JBossCachedAuthenticationManager.defaultLogin(JBossCachedAuthenticationManager.java:449)
                                    09:35:04,853 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.security.authentication.JBossCachedAuthenticationManager.proceedWithJaasLogin(JBossCachedAuthenticationManager.java:383)
                                    09:35:04,853 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.security.authentication.JBossCachedAuthenticationManager.authenticate(JBossCachedAuthenticationManager.java:361)
                                    09:35:04,854 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.security.authentication.JBossCachedAuthenticationManager.isValid(JBossCachedAuthenticationManager.java:160)
                                    09:35:04,854 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.security.service.SimpleSecurityManager.authenticate(SimpleSecurityManager.java:354)
                                    09:35:04,855 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:292)
                                    09:35:04,855 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
                                    09:35:04,856 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:45)
                                    09:35:04,856 ERROR [stderr] (http--0.0.0.0-8089-2)      at java.security.AccessController.doPrivileged(Native Method)
                                    09:35:04,856 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:74)
                                    09:35:04,857 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
                                    09:35:04,857 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:42)
                                    09:35:04,858 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
                                    09:35:04,858 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
                                    09:35:04,859 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
                                    09:35:04,859 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
                                    09:35:04,860 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
                                    09:35:04,860 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
                                    09:35:04,860 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
                                    09:35:04,861 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
                                    09:35:04,861 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:165)
                                    09:35:04,862 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:173)
                                    09:35:04,862 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
                                    09:35:04,862 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
                                    09:35:04,863 ERROR [stderr] (http--0.0.0.0-8089-2)      at org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:72)
                                    09:35:04,863 ERROR [stderr] (http--0.0.0.0-8089-2)      at com.asf.kollecto.server.ejb.persistence.PersistenceControllerLocal$$$view11.get(Unknown Source)
                                    09:35:04,864 ERROR [stderr] (http--0.0.0.0-8089-2)      at com.asf.capone.web.CaponeVaadinApplication$1.buttonClick(CaponeVaadinApplication.java:48)
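
The trace above passes through `JBossCachedAuthenticationManager.isValid` and still reaches `LoginContext.login`, which is what a cache miss looks like. The following added example is a simplified, JDK-only model of a principal-keyed authentication cache, not PicketBox code and not a diagnosis of the configuration posted in this thread. It assumes the cache is keyed by the caller principal and that a hit also requires the presented credential to equal the cached one; all class names and the user store are constructed.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicInteger;

/** Simplified model of a principal-keyed authentication cache (not PicketBox code). */
public class AuthCacheModel {

    /** Principal with value equality, so equal names map to the same cache entry. */
    static final class NamedPrincipal implements Principal {
        final String name;
        NamedPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o instanceof NamedPrincipal && ((NamedPrincipal) o).name.equals(name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    /** Principal that inherits identity equality: every new instance is a new cache key. */
    static final class IdentityPrincipal implements Principal {
        final String name;
        IdentityPrincipal(String name) { this.name = name; }
        public String getName() { return name; }
    }

    // Constructed user store standing in for the login module's backend.
    private final Map<String, char[]> users = new HashMap<String, char[]>();
    private final Map<Principal, char[]> cache = new HashMap<Principal, char[]>();
    final AtomicInteger loginModuleCalls = new AtomicInteger();

    AuthCacheModel() {
        users.put("alice", "s3cret".toCharArray());
    }

    /** Stand-in for LoginModule.login(): the expensive step the cache should avoid. */
    private boolean loginModule(Principal p, char[] password) {
        loginModuleCalls.incrementAndGet();
        return password != null && Arrays.equals(users.get(p.getName()), password);
    }

    /** Hit only when the key matches AND the presented credential equals the cached one. */
    synchronized boolean isValid(Principal p, char[] password) {
        char[] cached = cache.get(p);
        if (cached != null && Arrays.equals(cached, password)) {
            return true;                        // served from the cache, no login module call
        }
        boolean ok = loginModule(p, password);  // cache miss or credential mismatch
        if (ok) {
            cache.put(p, password.clone());     // only successful logins are cached
        }
        return ok;
    }

    public static void main(String[] args) {
        AuthCacheModel a = new AuthCacheModel();
        for (int i = 0; i < 5; i++) {
            a.isValid(new NamedPrincipal("alice"), "s3cret".toCharArray());
        }
        System.out.println("value-equal principal: " + a.loginModuleCalls.get() + " login call(s)");

        AuthCacheModel b = new AuthCacheModel();
        for (int i = 0; i < 5; i++) {
            b.isValid(new IdentityPrincipal("alice"), "s3cret".toCharArray());
        }
        System.out.println("identity principal: " + b.loginModuleCalls.get() + " login call(s)");

        // A wrong password for a cached user must go to the login module, never to the cache.
        boolean accepted = a.isValid(new NamedPrincipal("alice"), "guess".toCharArray());
        System.out.println("wrong password accepted: " + accepted
                + ", login calls now " + a.loginModuleCalls.get());
    }
}
```

In this model a login module that runs on every call points at a cache key that is never equal between calls or at a credential that differs from the cached one, which are the two things to compare when reading a trace like the one above.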