Error JMS client lookup with a custom login module
muza71 Jun 13, 2012 7:05 AM
Hi,
Following problem: We have a Swing based fat client application with a JBoss7 as backend. I need to do a lookup for a JMS ConnectionFactory from our client-application to a JBoss7 instance after a JAAS login process via a custom login module.
To do the lookup I need to initialize the InitialContext. During the creation of the InitialContext I get the following exception:
ERROR org.jboss.remoting.remote.connection:99 - JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Details:
JBoss 7.1.1-Final.
We have a custom JAAS login module with its own security-realm. We first need to login via a technical user, make a real logout and then login with the username/password of the user. Thus we need a real logout, we implemented it with the new EJBClientContext (described here https://community.jboss.org/thread/198414?start=0&tstart=0):
// Login: change the client context for each login
Properties clientProps = new Properties();
clientProps.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
clientProps.put("remote.connections", "default");
clientProps.put("remote.connection.default.host", "192.168.0.55");
clientProps.put("remote.connection.default.port", "4447");
clientProps.put("remote.connection.default.username", username);
clientProps.put("remote.connection.default.password", password);
clientProps.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
EJBClientConfiguration clientConfiguration = new PropertiesBasedEJBClientConfiguration(clientProps);
ContextSelector<EJBClientContext> contextSelector = new ConfigBasedEJBClientContextSelector(clientConfiguration);
EJBClientContext.setSelector(contextSelector);
// Lookup a Stateless Session Bean:
Hashtable properties = new Hashtable();
properties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
Context ctx = new InitialContext(properties);
MyBeanRemoteInterface remoteService = (MyBeanRemoteInterface) ctx.lookup("ejb:appName/moduleName/MyBean!de.a.b.c.MyBeanRemoteInterface");
We do not use the jboss-ejb-client.properties! And we don't have a jndi.properties file, because we do it programmatically.
This works perfectly for the login procedure and the lookup for stateless EJBs.
But now we need to connect to a JMS queue. As I understand I have to do it in this way:
Hashtable props = new Hashtable();
props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
props.put(Context.PROVIDER_URL, "remote://192.168.0.55:4447");
Context ctx = new InitialContext(props); // <--- Exception
ConnectionFactory factory = (ConnectionFactory) ctx.lookup("jms/RemoteConnectionFactory");
During creation of the InitialContext we get the following exception:
javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
at javax.naming.InitialContext.init(InitialContext.java:223)
at javax.naming.InitialContext.<init>(InitialContext.java:197)
at de.a.b.c.JMSNotificationCenter.<init>(JMSNotificationCenter.java:144)
Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:56)
at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:166)
at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:139)
at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:104)
... 13 more
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
at org.xnio.nio.NioHandle.run(NioHandle.java:90)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
at org.jboss.naming.remote.client.EndpointCache$EndpointWrapper.connect(EndpointCache.java:105)
at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:55)
... 16 more
If I add
props.put(Context.SECURITY_PRINCIPAL, "jmsUser");
props.put(Context.SECURITY_CREDENTIALS, "jms");
I get the same exception (it doesn't matter if it is a user which is defined in the ApplicationRealm property file or which is a valid user in our JAAS realm; the user always has the role "messaging").
I tried it with any combination of these properties... same effect:
props.put("jboss.naming.client.ejb.context", true);
props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
This is our configuration of the jboss:
...
<security-realm name="ApplicationRealm">
<authentication>
<properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
</authentication>
</security-realm>
<security-realm name="BobyRealm">
<authentication>
<jaas name="b3db"/>
</authentication>
</security-realm>
...
<subsystem xmlns="urn:jboss:domain:messaging:1.1">
<hornetq-server>
<persistence-enabled>true</persistence-enabled>
<journal-file-size>102400</journal-file-size>
<journal-min-files>2</journal-min-files>
....
<security-settings>
<security-setting match="#">
<permission type="send" roles="messaging"/>
<permission type="consume" roles="messaging"/>
<permission type="createNonDurableQueue" roles="messaging"/>
<permission type="deleteNonDurableQueue" roles="messaging"/>
</security-setting>
</security-settings>
....
<connection-factory name="RemoteConnectionFactory">
<connectors>
<connector-ref connector-name="netty"/>
</connectors>
<entries>
<entry name="RemoteConnectionFactory"/>
<entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>
</entries>
</connection-factory>
</jms-connection-factories>
....
</hornetq-server>
</subsystem>
...
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
<connector name="remoting-connector" socket-binding="remoting" security-realm="BobyRealm"/>
</subsystem>
....
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="other" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="RealmUsersRoles" flag="required">
<module-option name="usersProperties" value="${jboss.server.config.dir}/application-users.properties"/>
<module-option name="rolesProperties" value="${jboss.server.config.dir}/application-roles.properties"/>
<module-option name="realm" value="ApplicationRealm"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
<security-domain name="jboss-web-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="jboss-ejb-policy" cache-type="default">
<authorization>
<policy-module code="Delegating" flag="required"/>
</authorization>
</security-domain>
<security-domain name="b3db" cache-type="default">
<authentication>
<login-module code="Remoting" flag="optional">
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
<login-module code="de.a.b.c.B4DBLoginModule" flag="required" module="com.ourloginmodule">
<module-option name="dsJndiName" value="java:jboss/datasources/BobyDS"/>
<module-option name="password-stacking" value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
<socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>
<socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>
<socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>
<socket-binding name="ajp" port="8009"/>
<socket-binding name="http" port="8080"/>
<socket-binding name="https" port="8443"/>
<socket-binding name="jacorb" interface="unsecure" port="3528"/>
<socket-binding name="jacorb-ssl" interface="unsecure" port="3529"/>
<socket-binding name="messaging" port="5445"/>
<socket-binding name="messaging-throughput" port="5455"/>
<socket-binding name="osgi-http" interface="management" port="8090"/>
<socket-binding name="remoting" port="4447"/>
<socket-binding name="txn-recovery-environment" port="4712"/>
<socket-binding name="txn-status-manager" port="4713"/>
<outbound-socket-binding name="mail-smtp">
<remote-destination host="localhost" port="25"/>
</outbound-socket-binding>
</socket-binding-group>
During login I get the following in the server log:
TRACE [org.xnio.listener] (Remoting "myserver" read-1) Setting channel listener to org.jboss.remoting3.remote.ServerConnectionOpenListener$Initial@5544b978
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) No EXTERNAL mechanism due to explicit exclusion
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@12eca104
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism JBOSS-LOCAL-USER
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@6d3f1750
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@4913bd38
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism PLAIN
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@2eebcd03
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@7ae09805
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@2f1caf49
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@437f9c9
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism GSSAPI because it is not in the allowed list
TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Accepting java.nio.HeapByteBuffer[pos=0 lim=41 cap=8192] into java.nio.HeapByteBuffer[pos=0 lim=8196 cap=8196]
TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Accepted a message into java.nio.HeapByteBuffer[pos=45 lim=8196 cap=8196]
If I try to create the InitialContext for the ConnectionFactory lookup I get the following:
TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Copying message from java.nio.HeapByteBuffer[pos=4 lim=45 cap=8196] into java.nio.HeapByteBuffer[pos=0 lim=8192 cap=8192]
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Server received capabilities request
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Server received capability: version 1
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Server received capability: remote endpoint name "config-based-naming-client-endpoint"
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) No EXTERNAL mechanism due to explicit exclusion
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.localuser.LocalUserServerFactory@3e7aaa11
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism JBOSS-LOCAL-USER
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.digest.DigestMD5ServerFactory@67336222
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.plain.PlainServerFactory@5e6fdb1c
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Added mechanism PLAIN
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory org.jboss.sasl.anonymous.AnonymousServerFactory@19a3bb4
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.digest.FactoryImpl@34c5a73e
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism DIGEST-MD5 because it is not in the allowed list
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.ServerFactoryImpl@1c66f283
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism CRAM-MD5 because it is not in the allowed list
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Trying SASL server factory com.sun.security.sasl.gsskerb.FactoryImpl@2abb8506
TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) Excluding mechanism GSSAPI because it is not in the allowed list
TRACE [org.xnio.channels.framed] (Remoting "myserver" read-1) Accepting java.nio.HeapByteBuffer[pos=0 lim=41 cap=8192] into java.nio.HeapByteBuffer[pos=0 lim=8196 cap=8196]
I don't know if this has something to do with the EJBClientContext mechanism.
Does anybody have any ideas?
Thank you
Jürgen
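
Added example, not part of the original post: a small Python helper that reads the `org.jboss.remoting.remote.server` TRACE lines shown above and reports which SASL mechanisms the server actually advertised, then checks them against the client's settings. The function names and the `review_client` logic are hypothetical; it assumes the log line shapes seen in the post, and the sample lines are copied from it.

```python
import re

# Lines copied from the server log in the post (one negotiation, duplicates dropped).
PREFIX = 'TRACE [org.jboss.remoting.remote.server] (Remoting "myserver" read-1) '
SAMPLE_LOG = "\n".join(PREFIX + msg for msg in [
    "No EXTERNAL mechanism due to explicit exclusion",
    "Added mechanism JBOSS-LOCAL-USER",
    "Excluding mechanism DIGEST-MD5 because it is not in the allowed list",
    "Added mechanism PLAIN",
    "Excluding mechanism CRAM-MD5 because it is not in the allowed list",
    "Excluding mechanism GSSAPI because it is not in the allowed list",
])

ADDED = re.compile(r"\) Added mechanism (\S+)$")
EXCLUDED = re.compile(r"\) Excluding mechanism (\S+) because (.+)$")
NO_MECH = re.compile(r"\) No (\S+) mechanism due to (.+)$")


def summarize_offer(log_text):
    """Return (offered, excluded): advertised mechanisms in order, and dropped ones with the reason."""
    offered, excluded = [], {}
    for line in log_text.splitlines():
        line = line.rstrip()
        added = ADDED.search(line)
        dropped = EXCLUDED.search(line) or NO_MECH.search(line)
        if added and added.group(1) not in offered:
            offered.append(added.group(1))
        elif dropped:
            excluded[dropped.group(1)] = dropped.group(2)
    return offered, excluded


def review_client(offered, ssl_enabled, client_disallowed=()):
    """Hypothetical check: mechanisms a client on another host can attempt, plus warnings."""
    # JBOSS-LOCAL-USER authenticates by file access on the server host,
    # so a client on a different machine cannot complete it.
    candidates = [m for m in offered
                  if m not in client_disallowed and m != "JBOSS-LOCAL-USER"]
    warnings = []
    if not candidates:
        warnings.append("no mechanism left for a remote client")
    if "PLAIN" in candidates and not ssl_enabled:
        warnings.append("PLAIN without SSL: password crosses the network unprotected")
    return candidates, warnings


if __name__ == "__main__":
    offered, excluded = summarize_offer(SAMPLE_LOG)
    print("offered:", offered, "excluded:", excluded)
    # Client settings as in the post: SSL_ENABLED=false, JBOSS-LOCAL-USER disallowed.
    print(review_client(offered, ssl_enabled=False, client_disallowed={"JBOSS-LOCAL-USER"}))
```

With the settings from the post, PLAIN is the only mechanism a remote client can attempt, and with `SSL_ENABLED` set to `false` the password is sent without transport protection.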