[JBoss AS 7 Development] - Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
5:02 p.m.
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Every single remote ejb call starts full authentication process with SecurityDomain
cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722172#722172
--------------------------------------------------------------
Hello,
I'm trying to move our big j2ee application to JBoss 7 (currently using 7.1.1 nightly
build). We have configured a SecurityDomain for our ejb's with custom login modules.
The domains are configured to use caching with cache-type='default', but it seems
this is not working correctly. Every single call (with the same user, who has already
authenticated successfully on the client side) to a secured ejb method starts the full
authentication process from the beginning, which has a big performance impact to us. Is
this a bug, or (hopefully not) by design?
I found this bug, maybe its the same problem? https://issues.jboss.org/browse/AS7-3498
AS7-3498
Best regards,
Michael Gronau
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722172#722172]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
5:05 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722174#722174
--------------------------------------------------------------
I am just testing AS7-3498 now - the description of what is happening in that issue should
not be happening. For your remote client are you regularly creating a new connection or
is this over the same connection?
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722174#722174]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
5:08 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722177#722177
--------------------------------------------------------------
Holy sh... what a fast response ;-)
I just create the connection once, lookup the bean once and then call a method in a loop.
Every call starts the authentication in the ejb SecurityDomain..
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722177#722177]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
5:14 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722180#722180
--------------------------------------------------------------
Ok that does sound wrong - there is a situation I am still working on properly using the
cache where new connections are created but if the same connection is used you should not
be seeing repeated calls to the security domain - can you just show me your realm and
domain configuration so I can double check it and I will cover your scenario in my
testing.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722180#722180]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
5:20 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722182#722182
--------------------------------------------------------------
Ok, here we go:
We have a custom login-module for the remoting connector and another custom LoginModule
for EJB Security Domain:
| | <security-realm name="ApplicationRealm"> |
| | <authentication> |
| | <jaas name="jas-remote"/> |
| | </authentication> |
| | </security-realm> |
| | <security-domains> |
| | <security-domain name="jas-remote"
cache-type="default"> |
| | <authentication> |
| | <login-module
code="com.os.ee.security.jboss.JBoss7RemotingLoginModule"
flag="optional"/> |
| | </authentication> |
| | </security-domain> |
| | <security-domain name="jas"
cache-type="default"> |
| | <authentication> |
| | <login-module
code="com.os.ee.security.jboss.JBoss7ServerLoginModule"
flag="required"/> |
| | </authentication> |
| | </security-domain> |
The caching with the remote connection seems to work, i see authentication only once per
connection. Only securityDomain 'jas' is called everytime.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722182#722182]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
5:22 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722183#722183
--------------------------------------------------------------
Just to be clear - the jas domain, is that the one assigned to your EJB?
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722183#722183]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
5:29 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Daniel Straub [https://community.jboss.org/people/dastraub] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722185#722185
--------------------------------------------------------------
May be the same issue like this https://issues.jboss.org/browse/AS7-3498
https://issues.jboss.org/browse/AS7-3498
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722185#722185]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
6:36 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722207#722207
--------------------------------------------------------------
Michael, ok just tested the call from a web app to an EJB as described in the original
issue and the cache is being skipped in the EJB tier - for remote clients the call will be
passing through the exact same point that is affecting the web app calls so it does appear
to be exactly the same issue.
I am just looking now at how large an issue this will be to fix.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722207#722207]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:32 a.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/722366#722366
--------------------------------------------------------------
Ok, Darran, thanks alot. Hope you can find a solution.
Michael
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/722366#722366]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
7:58 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Daniel Jipa [https://community.jboss.org/people/danjee] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/723002#723002
--------------------------------------------------------------
Hello,
I'm facing the same issue. This happens when calling ejb method remotely and when
calling it locally from a web application bundled in the same ear.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/723002#723002]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:28 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Jason Greene [https://community.jboss.org/people/jason.greene] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/723008#723008
--------------------------------------------------------------
This should be fixed in 7.1.1 which was released last night. Let us know if it resolves it
for you. Thanks!
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/723008#723008]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:49 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Daniel Jipa [https://community.jboss.org/people/danjee] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/723013#723013
--------------------------------------------------------------
Unfortunately it didn't worked for with 7.1.1 version. The login module was called for
every ejb call.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/723013#723013]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
10:15 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Jason Greene [https://community.jboss.org/people/jason.greene] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/723018#723018
--------------------------------------------------------------
Ok the issue resolved was not the only factor then. We will look into this next week .
Thanks
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/723018#723018]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
2:43 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724003#724003
--------------------------------------------------------------
Hi Jason,
are there any new about that issue. I saw, the Issue
https://issues.jboss.org/browse/AS7-3498 AS7-3498 was marked as duplicated by
https://issues.jboss.org/browse/AS7-4087 AS7-4087 But this issue is marked as resolved? I
tried a brand new 7.1.2.Final-Snapshot but the problem still exists.
Michael
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724003#724003]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
3:54 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724028#724028
--------------------------------------------------------------
Michael, I am reviewing this issue again as I write this.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724028#724028]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
7:13 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724109#724109
--------------------------------------------------------------
Ok I have just verified the web to ejb call portion of this and that aspect is fixed - I
am only seeing a single into the login module despite multiple calls to the web app and
the secured ejb.
The issue I am now working on is the following: -
https://issues.jboss.org/browse/AS7-3525 https://issues.jboss.org/browse/AS7-3525
This issue will be relevent if you regularly disconnect and reconnect to the AS instance
as that will be the trigger for a re-authentication - if a connection is maintained you
should still be able to make many calls to deployed EJBs without the re-authentication
after the first call.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724109#724109]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
10:20 a.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724254#724254
--------------------------------------------------------------
Thank you Darran, our use case is a remote client calling the ejb and I see our login
module for the remoting connector is only called once per user (as expected) but the
module for the ejb security domain is called every time. We are not disconnecting between
the calls.The only way I know how to disconnect is closing the client jvm (which is i my
eyes another issue). I have tested this with latest build #772.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724254#724254]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
1:26 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724305#724305
--------------------------------------------------------------
Thank you for the clarificartion Michael - that scenario should have been covered by the
fix but I will make sure I investigate it more closely to verify.
Regarding the inability to close the connection I would suggest starting a separate thread
for that one - there is possibly an option you have not seen or if that is not available
then there may be something we are missing as I agree there is not nescesarily a
relationship between the length of time a java process is running and how long a
connection to the server is maintained.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724305#724305]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
2:01 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724320#724320
--------------------------------------------------------------
Thats nice Darran. I will start another thread regarding the 'How to close a
connection'-problem.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724320#724320]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
6:09 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724386#724386
--------------------------------------------------------------
Michael,
Would it be possible for you to show me your current realm and jaas configuration again?
I have just tested this again using the latest code and can not reproduce repeated calls
to the login module.
My realm definition is now: -
<security-realm name="ApplicationRealm">
<authentication>
<jaas name="other"/>
</authentication>
</security-realm>
And my domain defintiion is still: -
<security-domain name="other"
cache-type="default">
<authentication>
<login-module code="Remoting"
flag="optional">
<module-option name="password-stacking"
value="useFirstPass"/>
</login-module>
<login-module code="RealmUsersRoles"
flag="required">
<module-option name="usersProperties"
value="${jboss.server.config.dir}/application-users.properties"/>
<module-option name="rolesProperties"
value="${jboss.server.config.dir}/application-roles.properties"/>
<module-option name="realm"
value="ApplicationRealm"/>
<module-option name="password-stacking"
value="useFirstPass"/>
</login-module>
</authentication>
</security-domain>
However I am running with slightly modified code to output a stack trace each and every
time the module is called at the moment I am only seeing it called twice: -
1 - As the connection is authenticated.
2 - For the first EJB call.
Updating the connection authentication to ensure that it also uses the cache is the task I
am currently working on so that will be reduced down to just a single call but there must
be something else we are missing if you are still seeing multiple calls so I would like to
make sure we understand that so that your scenario is covered.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724386#724386]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
10:21 a.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Michael Gronau [https://community.jboss.org/people/Michael_Gronau] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724613#724613
--------------------------------------------------------------
Hi Darran,
I think it now gets i little bit more complicated. Let me try to explain.
For our client application we have the requirement to be able to use multiple users per
JVM. in Jboss 4.x and 5.x this could be achieved simply with the JBoss client login module
by calling login() method of the module in the current thread for the current user. In
JBoss 7 i found the only solution by using the class
org.jboss.ejb.client.ThreadLocalContextSelector<...> to set the current
EJBClientContext object for the current thread and user. With this approach i was able to
call ejb methods with different users in the same jvm -> the server-side
CallerPrincipal is correctly set for every call.
The following pseudo code works like a charm, which is the authentication process is only
called once per connection:
In the main thread
create connection
set ThreadLocalContext()
lookup the ejb.
called it in a loop
Everything is ok here. But when I start another thread to call the ejb then every call
starts the authentication process:
In the main thread:
create connection
set the context
create a new thread and start.
in the run method of the thread:
set threadlocal context for the desired user (which is already successfully
authenticated).
lookup the ejb
call it in a loop (now every call must be authenticated)
am I missing something?? Or do I have to do something else instead of using
org.jboss.ejb.client.ThreadLocalContextSelector<...>.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724613#724613]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
3:39 p.m.
New subject: [JBoss AS 7 Development] - Re: Every single remote ejb call starts full authentication process with SecurityDomain cache-type="default"
Jason Greene [https://community.jboss.org/people/jason.greene] created the discussion
"Re: Every single remote ejb call starts full authentication process with
SecurityDomain cache-type="default""
To view the discussion, visit: https://community.jboss.org/message/724714#724714
--------------------------------------------------------------
In remoting authentication is PER connection. Inside of a connection you have have
multiple channels which are intended for multiple services (e.g. ejb, jmx, etc). All are
intended to share the same credentials so that auth is only done once on initial connect.
If you need to dynamically handle different users, then the best way is to manage all of
the connections yourself (this will also address the close problem you mention in the
other thread). So basically all you do is setup your connections lazily and per user, and
then associate them to the ejb client context before a proxy is invoked (e.g. using
ThreadLocalContextSelector like you are already doing). If you prefer you could also write
your own context selector that uses the username as an entry in a global index.
Something like this could be done for a connection per-thread model (although ideally you
don't want duplicate connections for the same user):
Global Shared Stuff for the entire VM
// Gloabl Shared Stuff
// create the endpoint
final Endpoint endpoint = Remoting.createEndpoint("my-client",
OptionMap.create(Options.THREAD_DAEMON, true));
// Have the provider use non-ssl connections
endpoint.addConnectionProvider("remote", new
RemoteConnectionProviderFactory(), OptionMap.create(Options.SSL_ENABLED, false));
// Setup a global thread-local selector, which willl allow you to have a different
connection per-thread
this.selector = new ThreadLocalContextSelector<EJBClientContext>(new
ThreadLocal<EJBClientContext>());
EJBClientContext.setSelector(this.selector);
Per-connection setup
// Where to connect
final URI connectionURI = new URI("remote://localhost:4447");
// Disable local auth, and allow plain text passwords over the wire (clear text is
needed for JAAS / security domains)
OptionMap.Builder builder =
OptionMap.builder().set(Options.SASL_POLICY_NOANONYMOUS, true);
builder.set(Options.SASL_POLICY_NOPLAINTEXT, false);
builder.set(Options.SASL_DISALLOWED_MECHANISMS,
Sequence.of("JBOSS-LOCAL-USER"));
// Create the connection
final IoFuture<Connection> futureConnection =
endpoint.connect(connectionURI, builder.getMap(), new
AuthenticationCallbackHandler(username, password));
// wait for the connection to be established
final Connection connection = IoFutureHelper.get(futureConnection, 5000,
TimeUnit.MILLISECONDS);
// create a remoting EJB receiver for this connection
final EJBReceiver receiver = new RemotingConnectionEJBReceiver(connection);
// associate it with a new client context
EJBClientContext context = EJBClientContext.create();
context.registerEJBReceiver(receiver);
// Set this thread to use this context
this.selector.setCurrent(context);
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724714#724714]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4688
days inactive
4700
days old
jboss-dev-forums@lists.jboss.org
21 comments
5 participants
participants (5)
-
Daniel Jipa -
Daniel Straub
-
Darran Lofthouse
-
Jason Greene
-
Michael Gronau