4 Replies Latest reply on Nov 30, 2012 3:05 PM by brunothebear

    Remote EJB/JMS JBoss AS 7.1.1 problem

    brunothebear

      Hello,

      For the past couple of weeks I've been trying to migrate a project from JBoss 4.2.2GA to JBoss 7 AS. Everything went pretty much fine till I hit the remoting part, on which I've been stuck for quite some time now.

      In JBoss 4.2.2 the project uses a custom login module to authenticate remote calls.

      The problem is that I have trouble getting the username/password to the server so the user can be authenticated.

      I've somewhat sorted out the EJB invocation and I do it like this.

       

      standalone.xml

      <security-realms>
          ...
          <security-realm name="TESTRealm">
              <authentication>
                  <jaas name="testdomain"/>
              </authentication>
          </security-realm>
      </security-realms>

      ....
      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
          <connector name="remoting-connector" socket-binding="remoting" security-realm="TESTRealm"/>
      </subsystem>

      <subsystem xmlns="urn:jboss:domain:security:1.1">
          <security-domains>
              <security-domain name="other">
                  <authentication>
                      <login-module code="UsersRoles" flag="required"/>
                  </authentication>
              </security-domain>
              <security-domain name="jboss-web-policy">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
              <security-domain name="jboss-ejb-policy">
                  <authorization>
                      <policy-module code="Delegating" flag="required"/>
                  </authorization>
              </security-domain>
              <security-domain name="testdomain">
                  <authentication>
                      <login-module code="com.test.proj.CustomLoginModule" flag="required">
                          <module-option name="password-stacking" value="useFirstPass"/>
                          <module-option name="hashAlgorithm" value="MD5"/>
                          <module-option name="hashEncoding" value="hex"/>
                          <module-option name="ignorePasswordCase" value="true"/>
                      </login-module>
                  </authentication>
              </security-domain>
          </security-domains>
      </subsystem>
      

       

      Client part:

       

      Hashtable<String, Object> props = new Hashtable<String, Object>();
      props.put("jboss.naming.client.ejb.context", true);
      props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
      final String firstPassword = new String(password);
      org.jboss.as.naming.InitialContext ctx = new org.jboss.as.naming.InitialContext();
      // Load the static connection settings, then add the credentials at runtime
      Properties jbossProperties = new Properties();
      jbossProperties.load(EjbSupportImpl.class.getResourceAsStream("/jboss-ejb-client.properties"));
      jbossProperties.put("remote.connection.default.username", name);
      jbossProperties.put("remote.connection.default.password", firstPassword);

      // Install the configuration as the EJB client context selector
      final EJBClientConfiguration ejbClientConfiguration = new PropertiesBasedEJBClientConfiguration(jbossProperties);
      final ContextSelector<EJBClientContext> ejbClientContextSelector = new ConfigBasedEJBClientContextSelector(ejbClientConfiguration);
      EJBClientContext.setSelector(ejbClientContextSelector);
      // Look up the stateful bean proxy and invoke it
      final String jndiName = "ejb:ear/ejb-module/TestBean!com.test.proj.TestBean?stateful";
      final Object o = ctx.lookup(jndiName);
      TestBean test = (TestBean) o;
      test.testMethod();
      
      

       

      jboss-ejb-client.properties:

       

      remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
      remote.connections=default
      remote.connection.default.host=localhost
      remote.connection.default.port=4447
      remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true
      remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
      remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
      

       

      With all the above everything works fine; the part that bothers me is this:

       

                      org.jboss.as.naming.InitialContext  ctx = new org.jboss.as.naming.InitialContext(); 
      

      If I use javax.naming.InitialContext instead of JBoss

      I get

       

      javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
                at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
                at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:121)
                at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
                at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
                at javax.naming.InitialContext.init(InitialContext.java:223)
                at javax.naming.InitialContext.<init>(InitialContext.java:197)
                at com.test.proj.communication.LoginClass.newInitialContext(LoginClass.java:162)
                at com.test.proj.communication.LoginClass.authenticate(LoginClass.java:243)
                at com.test.proj.communication.LoginClass.login(LoginClass.java:179)
                at com.test.proj.communication.LoginClass.getInstance(EjbSupportImpl.java:64)
                at com.test.proj.Application.<init>(Application.java:35)
                at com.test.proj.Application.getInstance(Application.java:59)
                at com.test.proj.TESTClient.main(TESTClient.java:51)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
                at java.lang.reflect.Method.invoke(Method.java:597)
                at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
      Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
                at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
                at org.jboss.naming.remote.client.NamingStoreCache.getRemoteNamingStore(NamingStoreCache.java:56)
                at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateCachedNamingStore(InitialContextFactory.java:166)
                at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateNamingStore(InitialContextFactory.java:139)
                at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:104)
                ... 16 more
      
      

      No errors on the server side.

       

      Anyway, I'm OK with using the method above for EJBs, but then the problem comes with remote JMS, where I can't acquire the connection factory I require from the server via JNDI.

       

      Connection factory in standalone.xml

       

                          <connection-factory name="RemoteConnectionFactory">
                              <connectors>
                                  <connector-ref connector-name="netty"/>
                              </connectors>
                              <entries>
                                  <entry name="RemoteConnectionFactory"/>
                                  <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>
                              </entries>
                          </connection-factory>
      
      

       

      and the way I try to look it up:

       

      Hashtable<String, Object> env = new Hashtable<String, Object>();
      env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
      env.put(Context.PROVIDER_URL, System.getProperty(Context.PROVIDER_URL, "remote://localhost:4447"));
      env.put(Context.SECURITY_PRINCIPAL, "test");
      env.put(Context.SECURITY_CREDENTIALS, "123456");
      InitialContext ctx = new InitialContext(env);
      String connectionFactoryString = "jms/RemoteConnectionFactory";
      ConnectionFactory connectionFactory = (ConnectionFactory) ctx.lookup(connectionFactoryString);
      

       

      In which case I'm getting an exception like the one above:

       

      javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
      

       

      Can anyone help me figure out how to properly get the ConnectionFactories/queues etc. via remote JNDI?
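
As an added example (not part of the original post and not JBoss code), a small Java check over the client settings shown above: with `SSL_ENABLED=false` and `SASL_POLICY_NOPLAINTEXT=false`, the SASL PLAIN mechanism is permitted on an unencrypted connection, so the username and password set on the connection can be read on the wire. The class name, the severity labels and the `prod` connection are constructed for illustration.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

// Added example, not code from the thread: flags settings that send the password unencrypted.
public class EjbClientPropsAudit {
    static final String SSL_KEY =
        "remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED";
    static final String SASL = ".connect.options.org.xnio.Options.SASL_POLICY_";

    static boolean isFalse(Properties p, String key) {
        return "false".equalsIgnoreCase(p.getProperty(key, "").trim());
    }

    static List<String> audit(Properties p) {
        List<String> findings = new ArrayList<>();
        boolean tlsOff = isFalse(p, SSL_KEY);
        for (String raw : p.getProperty("remote.connections", "").split(",")) {
            String name = raw.trim();
            if (name.isEmpty()) continue;
            String prefix = "remote.connection." + name;
            String host = p.getProperty(prefix + ".host", "").trim();
            boolean loopback = host.equals("localhost") || host.equals("127.0.0.1");
            // NOPLAINTEXT=false permits SASL PLAIN, which transmits the password as-is.
            if (tlsOff && isFalse(p, prefix + SASL + "NOPLAINTEXT"))
                findings.add((loopback ? "LOW  " : "HIGH ") + name
                    + ": PLAIN permitted while SSL_ENABLED=false (host " + host + ")");
            if (isFalse(p, prefix + SASL + "NOANONYMOUS"))
                findings.add("MED  " + name + ": anonymous mechanisms not excluded");
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        // Settings from the post ("default") plus a constructed non-loopback connection ("prod").
        String sample = String.join("\n",
            SSL_KEY + "=false",
            "remote.connections=default,prod",
            "remote.connection.default.host=localhost",
            "remote.connection.default" + SASL + "NOANONYMOUS=true",
            "remote.connection.default" + SASL + "NOPLAINTEXT=false",
            "remote.connection.prod.host=app01.example.test",
            "remote.connection.prod" + SASL + "NOPLAINTEXT=false");
        Properties p = new Properties();
        p.load(new StringReader(sample));
        audit(p).forEach(System.out::println);
    }
}
```

The `default` connection from the post is reported at low severity only because its host is loopback; the same settings pointed at a remote host are reported as high.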

        • 1. Re: Remote EJB/JMS JBoss AS 7.1.1 problem
          nickarls

          Never done a lookup like that but I've seen port 5445 mentioned in the context of a netty connector(?)

          • 2. Re: Remote EJB/JMS JBoss AS 7.1.1 problem
            brunothebear

            Nicklas Karlsson wrote:

             

            Never done a lookup like that but I've seen port 5445 mentioned in the context of a netty connector(?)

            I don't think that's possible; when using this port I'm getting an exception on the server side:

             

            Failed to decode: java.lang.IllegalArgumentException: Invalid type: -1
             at org.hornetq.core.protocol.core.impl.PacketDecoder.decode(PacketDecoder.java:550) [hornetq-core-2.2.13.Final.jar:]
             at org.hornetq.core.protocol.core.impl.RemotingConnectionImpl.bufferReceived(RemotingConnectionImpl.java:479) [hornetq-core-2.2.13.Final.jar:]
             at org.hornetq.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:533) [hornetq-core-2
            ...
            
            

             

             

            Anyway, it appears that when changing the security realm to JAAS authentication, so I can use the database authentication for EJBs, it breaks the JMS part.

            So it's possible to acquire a remote connection using jboss-ejb-client.properties but not this way:

             

             

                    props.put(Context.INITIAL_CONTEXT_FACTORY,org.jboss.naming.remote.client.InitialContextFactory.class.getName());
                    props.put(InitialContext.SECURITY_PRINCIPAL, "test");
                    props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", false);
                    props.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
                    props.put(InitialContext.PROVIDER_URL, "remote://localhost:4447");
                    props.put(InitialContext.SECURITY_CREDENTIALS, "123456");
                    InitialContext context = new InitialContext(props);
            

             

            So is it possible to use JAAS auth for EJBs and JMS? Using property files for users is not an option.

             

            I've tried to disable security on the hornet-server without any luck.

            • 3. Re: Remote EJB/JMS JBoss AS 7.1.1 problem
              jbertram

              You definitely can't do a JNDI lookup on port 5445 since that is a HornetQ managed by HornetQ.  So the error you're getting there is not surprising.

               

              As for the other issue, I don't believe it has anything to do with HornetQ.  Keep in mind that JNDI and JMS are 100% independent.  You're doing a JNDI lookup here, nothing to do with JMS - yet.  All the security related to the JNDI lookup is completely separate from any HornetQ security.  That being the case, I'll have to defer to someone more familiar with JNDI security.

              • 4. Re: Remote EJB/JMS JBoss AS 7.1.1 problem
                brunothebear

                Yep, the issue I have is with remote JNDI with security. It works if remote-connector in standalone.xml has no security realm specified, i.e. no username or password is required. Then I can look up the remote ConnectionFactory, but when I do specify a security realm, since I need it for the EJBs, the lookup fails with the no-auth-methods exception.

                I found some sort of workaround for getting remote connection factories/queues, but it still feels like hacking, as it does for setting the static EJB context.