8 Replies Latest reply on May 21, 2015 12:15 PM by antlia

    Remoting issue with JAAS Realm JBoss EAP 6.2.0

    antlia

      Hi to all,

       

      I'm trying to configure JBoss remoting with a JAAS security realm. Following the various steps, I've reached this configuration:

       

      standalone.xml

      <security-realms>
         <security-realm name="ManagementRealm">
             <authentication>
                 <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir" />
             </authentication>
         </security-realm>
         <security-realm name="ApplicationRealm">
            <authentication>
              <properties path="application-users.properties"    relative-to="jboss.server.config.dir" />
            </authentication>
         </security-realm>
         <security-realm name="JaasRealm">
             <authentication>
                <jaas name="other" />
             </authentication>
         </security-realm>
      </security-realms>
      
      
      <subsystem xmlns="urn:jboss:domain:remoting:1.1">
         <connector name="remoting-connector" socket-binding="remoting" security-realm="JaasRealm" />
      </subsystem>
      
      <security-domain name="other" cache-type="default">
         <authentication>
           <login-module code="org.example.MyClass" flag="required" module="org.example">
               <module-option name="dsJndiName" value="java:jboss/datasources/CommonDS" />
           </login-module>
         </authentication>
      </security-domain>
      
      
      

       

      But when trying to connect in remoting to this server instance, I always get SaslException: Authentication failed: all available authentication mechanisms failed


      I'm calling a remote EJB through a simple main, getting the initial context with these properties:

       

      jboss.naming.client.ejb.context, true

      Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming"

      org.xnio.Options.SASL_POLICY_NOANONYMOUS, false

      org.xnio.Options.SASL_POLICY_NOPLAINTEXT, false

      org.xnio.Options.SASL_DISALLOWED_MECHANISMS, JBOSS-LOCAL-USER

       

      What am I missing in order to make it work?

       

      Thanks in advance,

       

      Antlia

        • 1. Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
          wdfink

          Could you show the complete client-side properties and how you look up the EJB?

          • 2. Re: Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
            antlia

            Here is the code I'm using for testing the remote calls to my Ejb

            public static void main(String[] args) {
                try {
                    Properties jndiProps = new Properties();
                    jndiProps.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
                    jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                    jndiProps.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", true);
                    jndiProps.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", false);
                    jndiProps.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
                    jndiProps.put(Context.PROVIDER_URL, "remote://192.168.2.153:4447");
                    // username
                    jndiProps.put(Context.SECURITY_PRINCIPAL, "user");
                    // password
                    jndiProps.put(Context.SECURITY_CREDENTIALS, "password");

                    // This is an important property to set if you want to do EJB invocations via the remote-naming project
                    jndiProps.put("jboss.naming.client.ejb.context", false);
                    // create a context passing these properties
                    Context ctx = new InitialContext(jndiProps);

                    DynamicFormRemote dyn = (DynamicFormRemote) ctx.lookup("java:global/Reapp-0.1-dev/ReAppEjb/DynamicFormRemote!it.antlia.reapp.session.DynamicFormRemote");
                    dyn.findAllOrderedByName();
                } catch (Exception ne) {
                    ne.printStackTrace();
                }
            }
            
            

             

            Thanks,

             

            Antlia

             

            Edit: I've tried to bind the JAAS security realm for logging into the JBoss management console, and it's working, so I'm supposing that the security domain configuration is fine and the problem is tied to the remoting subsystem... any suggestions?

            • 3. Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
              javdev

              short-term solution: copy your custom login module to [jboss_6_2_0_EAP\modules\system\layers\base\org\jboss\as\remoting\main\] and modify module.xml appropriately + remove module declaration [org.example] in your security domain [other] in standalone.xml

              • 4. Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
                antlia

                Hi javdev,

                 

                Unfortunately I cannot follow your suggestion, because I'm using this login module for the whole application (even the web part). All my EJBs are pointing to the "other" domain, so I cannot remove this module from the security tag for remoting calls... it's very strange that JBoss doesn't allow remoting authentication using a security realm based on JAAS...

                • 5. Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
                  javdev

                  Hi Antlia,

                   

                  It seems that your login module in class [org.example.MyClass] is located in a new JBoss module [org.example]. And that's not working. We had to copy the jar with our custom login module to [jboss_6_2_0_EAP\modules\system\layers\base\org\jboss\as\remoting\main].

                   

                  If you copy your jar to module [org.jboss.as.remoting], you have to remove the attribute [module=org.example]. That's all.

                  • 6. Re: Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
                    antlia

                    Hi javdev,

                     

                    I tried to follow your suggestions, but maybe I'm missing something, because I can't get it to work.

                     

                    I've followed these steps:

                     

                    - Moved my custom module (jar) to org/jboss/as/remoting/main

                    - Changed module.xml of remoting, adding the new resource (my custom login module) and its dependencies

                    - Removed the module attribute from the <login-module> definition, which now looks like this:

                    <login-module code="org.example.MyClass" flag="required">
                    

                     

                    - Added the new security realm, with authentication jaas

                    - Associated the remoting subsystem with the new security realm, as described in my first post.

                     

                    But I'm still getting the same error... can you tell me what is wrong with these steps, please?

                     

                    Thanks in advance,

                    Antlia

                    • 7. Re: Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
                      javdev

                      Hm, I think you should enable logging for categories [org.jboss.security] and [org.jboss.as.remoting] in standalone.xml:

                       

                      <periodic-rotating-file-handler name="FILE4REMOTINGANDSECURITY">
                          <formatter>
                              <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] [%C] (%t) %s%E%n"/>
                          </formatter>
                          <file relative-to="jboss.server.log.dir" path="remoting_and_security.log"/>
                          <suffix value=".yyyy-MM-dd"/>
                          <append value="true"/>
                      </periodic-rotating-file-handler>
                      <logger category="org.jboss.as.remoting">
                          <level name="TRACE"/>
                          <handlers><handler name="FILE4REMOTINGANDSECURITY"/></handlers>
                      </logger>
                      <logger category="org.jboss.security">
                          <level name="TRACE"/>
                          <handlers><handler name="FILE4REMOTINGANDSECURITY"/></handlers>
                      </logger>

                       

                      Maybe your login module is called but access is denied.

                       

                      You should also have a look at properties [default-security-domain value] and [default-missing-method-permissions-deny-access value] in standalone.xml:

                       

                      <subsystem xmlns="urn:jboss:domain:ejb3:1.4">
                      ........
                          <default-security-domain value="other"/>
                          <default-missing-method-permissions-deny-access value="true"/>
                      </subsystem>

                       

                      The value of the property [default-security-domain] should be ok (in your case).

                      The value of the property [default-missing-method-permissions-deny-access] should be [false] but is by default [true].

                      • 8. Re: Remoting issue with JAAS Realm JBoss EAP 6.2.0
                        antlia

                        Finally I solved it... all the booleans passed in the Properties object must be passed as String, not boolean, for example:

                         

                        jndiProps.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
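Why the Boolean values fail silently, as an added example that is not part of the original thread: `java.util.Properties.getProperty()` and `stringPropertyNames()` only see entries whose value is a `String`, so a SASL policy option stored with `put(key, false)` is never seen by code that reads the options through those accessors. That the JBoss client reads its connect options this way is an assumption here; `JndiPropsCheck`, `nonStringKeys` and `stringified` are hypothetical names.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;

public class JndiPropsCheck {
    // Connect-option prefix used by the client code in this thread.
    static final String PREFIX = "jboss.naming.client.connect.options.";

    /** Keys whose key or value is not a String; getProperty() cannot see them. */
    static List<String> nonStringKeys(Properties props) {
        List<String> bad = new ArrayList<>();
        for (Map.Entry<Object, Object> e : props.entrySet()) {
            if (!(e.getKey() instanceof String) || !(e.getValue() instanceof String)) {
                bad.add(String.valueOf(e.getKey()));
            }
        }
        return bad;
    }

    /** Returns a copy in which every key and value is stored in its String form. */
    static Properties stringified(Properties props) {
        Properties out = new Properties();
        for (Map.Entry<Object, Object> e : props.entrySet()) {
            out.setProperty(String.valueOf(e.getKey()), String.valueOf(e.getValue()));
        }
        return out;
    }

    public static void main(String[] args) {
        String key = PREFIX + "org.xnio.Options.SASL_POLICY_NOPLAINTEXT";
        Properties p = new Properties();
        p.put(key, false);                                // Boolean, as in the failing client
        p.put("java.naming.security.principal", "user");  // constructed sample value

        // The raw Hashtable view still holds the Boolean object.
        System.out.println("get():                 " + p.get(key));
        // The String-only accessors behave as if the option was never set.
        System.out.println("getProperty():         " + p.getProperty(key));
        System.out.println("stringPropertyNames(): " + p.stringPropertyNames().contains(key));
        // Flag the offending keys before the context is created.
        System.out.println("non-String keys:       " + nonStringKeys(p));

        // After conversion the option is visible through getProperty().
        Properties fixed = stringified(p);
        System.out.println("after stringified():   " + fixed.getProperty(key));
    }
}
```

Running `nonStringKeys` on the properties before `new InitialContext(...)` catches the case where a client believes it has set a SASL policy option that is actually being ignored.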