1 2 Previous Next 26 Replies Latest reply: Apr 17, 2013 9:56 AM by Cristian Duicu Go to original post Branched to a new discussion. RSS
  • 15. Re: Custom Login Module with remote EJB
    john_k Newbie

    what i additionally wonder i get this:

    Server received capability: remote endpoint name "config-based-naming-client-endpoint"

    but a jboss-ejb-client.properties in my project... 

    https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+client+using+JNDI

    "The endpoint.name property is optional and if not specified in the jboss-ejb-client.properties file, it will default to "config-based-ejb-client-endpoint" name."

     

    francois at least for you that seems to work

  • 16. Re: Custom Login Module with remote EJB
    Francois Swiegers Newbie

    I specify the client name in the jboss-ejb-client.properties as "client-endpoint". If you ommit this name, it defaults to "config-based-client-endpoint", which is what you are seeing. So that seems OK to me.

  • 17. Re: Custom Login Module with remote EJB
    john_k Newbie

    yeah but i wonder why it dosent seem to load this jboss-ejb-client.properties:

    endpoint.name=client-endpoint

    remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

    remote.connections=default

    .....

  • 18. Re: Custom Login Module with remote EJB
    jaikiran pai Master

    Francois, I see in your first post that you probably have managed to add a debugger to the AS7 code to understand what's going on. So if you are willing to continue with this, then could you please add a breakpoint in org.jboss.as.domain.management.security.JaasCallbackHandler to lines where you see verifyPasswordCallback.setVerified(false); (there are a couple of places in that class where this is done) and see if you can find anything? I think we could improve the logging in that class to log the login failure exception stacktraces at DEBUG/TRACE level.

  • 19. Re: Custom Login Module with remote EJB
    Francois Swiegers Newbie

    Thanks for helping out Jaikiran,

     

    I did what you asked, and the error provided by the JaasCallbackHandler is that the org.jboss.as.remoting module could not find my custom login module. I added my custom login module jar file to the ..modules\org\jboss\as\remoting\main folder, and modified the module.xml like so:

     

    <module xmlns="urn:jboss:module:1.1" name="org.jboss.as.remoting">

        <properties>

            <property name="jboss.api" value="private"/>

        </properties>

     

     

        <resources>

            <resource-root path="jboss-as-remoting-7.1.1.Final.jar"/>

                             <resource-root path="zboss-login-module.jar"/>

                        <!-- Insert resources here -->

        </resources>

     

    ...

     

    This has solved the problem for me.

     

    It is up for debate, I guess, on whether this is the *ideal* solution - clearly it would be preferable if you could deploy the custom module as part of the application, or as a separate deployable unit in the deployments folder (which I believe is the intention). But this workarround is good enough for me now.

     

    Thanks for the help!

  • 20. Re: Custom Login Module with remote EJB
    jaikiran pai Master

    It's good to know what was going wrong. Now that we know the real issue, I think I see what the problem in your configuration was. You have this:

    <security-domains>

         <security-domain name="alchemy" cache-type="default">

              <authentication>

                   <login-module code="org.zboss.login.module.TestLoginModule" flag="required"/>

     

    The login-module allows the use of an optional attribute to point to the name of the "module" which contains your LoginModule and related classes. So try changing it to:

     

    <security-domains>
          <security-domain name="alchemy" cache-type="default">
               <authentication>
                    <login-module code="org.zboss.login.module.TestLoginModule" module="org.zboss.login.module" flag="required"/>
    

     

    Then you won't have to change the remoting module xml to specify the additional resource root.

     

    Let us know if this works.

  • 21. Re: Custom Login Module with remote EJB
    Francois Swiegers Newbie

    My login-module configuration, before getting to work, was:

     

    <security-domain name="alchemy" cache-type="default">

                        <authentication>

                            <login-module code="org.zboss.login.module.AlchemyLoginModule" flag="required" module="deployment.zboss-login-module.jar">

                                <module-option name="password-stacking" value="useFirstPass"/>

                            </login-module>

                        </authentication>

                    </security-domain>

     

    because I tried to use the strategy of deploying the login module in the deployments folder. This does not seem to work. It was only when I added the login module to the remoting module that it started to work.

     

    I will now attempt to make my login module a separate module in JBoss, instead of adding it to the remoting module, and will revert with the result shortly.

  • 22. Re: Custom Login Module with remote EJB
    Francois Swiegers Newbie

    OK, I moved my custom login module to its own JBoss login module by doing this:

     

    Copy jar file to ..\modules\org\zboss\login\module\zboss-login-module.jar

     

     

    My module.xml file:

     

    <?xml version="1.0" encoding="UTF-8"?>

     

    <module xmlns="urn:jboss:module:1.1" name="org.zboss.login.module">  

        <resources>

            <resource-root path="zboss-login-module.jar"/>

        </resources>

        <dependencies>

            <module name="org.picketbox" optional="true"/>       

            <module name="javax.api" />

        </dependencies>

    </module>

     

     

    The configuration for my login module in standalone.xml:

     

    <security-domain name="alchemy" cache-type="default">

         <authentication>

              <login-module code="org.zboss.login.module.AlchemyLoginModule" flag="required" module="org.zboss.login.module">

                    <module-option name="password-stacking" value="useFirstPass"/>

              </login-module>

         </authentication>

    </security-domain>

     

     

    This does not work (same error as before)

     

    When debugging the JaasCallbackHandler, I get the following error:

     

    javax.security.auth.login.LoginException: unable to find LoginModule class: org.zboss.login.module.AlchemyLoginModule from [Module "org.jboss.as.remoting:main" from local module loader @f40c1f (roots: C:\Workspace\dev\trader\trunk\distribution\1\SBINTL_DEV\jboss\modules)]

     

    When I put the jar file back with the remoting module, and remove the module attribute from the security-domain configuration in standalone.xml, then it works again.

     

    <security-domain name="alchemy" cache-type="default">

         <authentication>

              <login-module code="org.zboss.login.module.AlchemyLoginModule" flag="required">

                   <module-option name="password-stacking" value="useFirstPass"/>

              </login-module>

         </authentication>

    </security-domain>

     

    Just to add, it only works if the custom login module class is both in the remoting module AND in the war file. If I remove the login module from my war file, then I get

     

    09:53:22,804 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (EJB default - 1) Login failure: javax.security.auth.login.LoginException: unable to find LoginModule class: org.zboss.login.module.AlchemyLoginModule from [Module "deployment.zboss-server.war:main" from Service Module Loader]

              at javax.security.auth.login.LoginContext.invoke(LoginContext.java:822) [rt.jar:1.7.0_04]

              at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [rt.jar:1.7.0_04]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [rt.jar:1.7.0_04]

              at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [rt.jar:1.7.0_04]

     

     

     

    So, it seems to me that the remoting module requires access to the custom login module, but this is not sufficient. The security module also requires access to the custom login module from the authentication manager. Is there a way where I can supply my login module as either a separate Jboss module or a deployable JAR, and configure the remoting subsystem to have access to this?

  • 23. Re: Custom Login Module with remote EJB
    jaikiran pai Master

    This classloading part doesn't look right. Would it be possible for you to attach a reproducible application here? I'll check with Darran/Jason about this.

  • 24. Re: Custom Login Module with remote EJB
    Francois Swiegers Newbie

    Thank Jaikiran

     

    I attach my Maven application (please note that I changed my RMI port to be on the 6447 as opposed to 4447, for reasons to do with our corporate deployment pipeline) in attachment zboss.rar.

     

    The zboss-login-module project contains the custom login module that I am using for this project. The zboss-client project contains the client code that I'm using.

     

    I also attach in jboss.rar the JBoss deployments configuration and modules folders that I am using, you should be able to simply paste this in a vanilla JBoss 7.1.1 installation, and be ready to go.

     

    The attachments are the working version. By removing the zboss-login-module from the org.jboss.as.remoting module (either by deploying it directly into deployments or by moving it into its own module) you should be able to replicate the errors I have seen in this thread.

     

    I am very much interested in whether you are able to replicate my problem, could you please be so kind as to let me know the result of your investigation?

  • 25. Re: Custom Login Module with remote EJB
    pweldon Newbie

    I've just run into this under 7.1.1 trying to use a deployable custom login module with remoting. Is there a Jira issue for the login module class loader issue?

  • 26. Re: Custom Login Module with remote EJB
    Cristian Duicu Newbie

    Francois, thank you for this thread - this helped me a lot. Let me contribute a bit since you still had a question hanging.

    I think a better solution would be to deploy the custom login module normally (ie. outside the remoting module). So you will deploy the login module as you originally intended:

     

    jboss\modules\org\zboss\login\module\main

         -> zboss-login-module.jar

         -> module.xml

     

    <?xml version="1.0" encoding="UTF-8"?>

     

    module.xml contains:

     

    <module xmlns="urn:jboss:module:1.0" name="org.zboss.login.module">

      <resources>

        <resource-root path="zboss-login-module.jar"/>

            <!-- Insert resources here -->

      </resources>

      <dependencies>

         <module name="javax.api"/>

         <module name="org.picketbox"/>

      </dependencies>

    </module>


    Then all you need to do is create a dependency between the remoting module and the custom login module. To do this modify the modules/org/jboss/as/remoting/main/module.xml and add the dependency:

    <module xmlns="urn:jboss:module:1.1" name="org.jboss.as.remoting">

        <properties>

            <property name="jboss.api" value="private"/>

        </properties>

     

     

        <resources>

            <resource-root path="jboss-as-remoting-7.1.1.Final.jar"/>

            <!-- Insert resources here -->

        </resources>

     

     

        <dependencies>

            <module name="org.jboss.staxmapper"/>

            <module name="org.jboss.as.controller"/>

            <module name="org.jboss.as.domain-management"/>

            <module name="org.jboss.as.network"/>

            <module name="org.jboss.as.protocol"/>

            <module name="org.jboss.as.server"/>

            <module name="org.jboss.as.security" optional="true"/>

            <module name="org.jboss.as.threads"/>

            <module name="org.jboss.logging"/>

            <module name="org.jboss.modules"/>

            <module name="org.jboss.msc"/>       

            <module name="org.jboss.remoting3"/>

            <module name="org.jboss.sasl"/>

            <module name="org.jboss.threads"/>

            <module name="org.picketbox" optional="true"/>       

            <module name="javax.api" />

            <module name="org.zboss.login.module" optional="true"/>

        </dependencies>

    </module>

    I am not yet sure of the meaning of the "optional" attribute, but this worked fine for me.

1 2 Previous Next