Re: [jboss-dev-forums] [JBoss AS 7 Development] - JBoss 7 and Ejb remote call with security
by Darran Lofthouse
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] commented on the document
"JBoss 7 and Ejb remote call with security"
To view all comments on this document, visit: https://community.jboss.org/docs/DOC-17581#comment-9050
--------------------------------------------------
Do you see an option to convert this to a discussion? It would probably make more sense as a discussion than as an article.
Anyway, you seem to be having the local authentication mechanism kick in for these calls, so you need to disable the mechanism on the client side. For JNDI this can be achieved with the following option:
> jndiProperties.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
For the EJB connection you will need a line similar to:
> remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
(But adjust the connection name to match the name you are using.)
--------------------------------------------------
12 years, 10 months
[JBoss AS 7 Development] - Remote client access with database login module: user name and password are UUIDs
by Frank Ulbricht
Frank Ulbricht [https://community.jboss.org/people/f.ulbricht] created the discussion
"Remote client access with database login module: user name and password are UUIDs"
To view the discussion, visit: https://community.jboss.org/message/719442#719442
--------------------------------------------------------------
Hello there,
I have a simple application with a secured session bean. I want to invoke this bean from a remote client.
This is my configuration:
standalone.xml:
...
<security-realm name="TutorialRealm">
    <authentication>
        <jaas name="tutorial"/>
    </authentication>
</security-realm>
...
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="TutorialRealm"/>
</subsystem>
...
<security-domain name="tutorial" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:/TutorialDS"/>
            <module-option name="principalsQuery" value="SELECT PASSWORD FROM SYSTEM_USER WHERE USER_NAME = ?"/>
            <module-option name="rolesQuery" value="SELECT USER_ROLE, 'Roles' FROM SYSTEM_USER_ROLE WHERE USER_NAME = ?"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
...
My bean looks like this (it just returns the current user, but this method was never called):
import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless(name = "Secured")
@Remote(SecuredRemote.class)
@SecurityDomain("tutorial")
public class SecuredBean implements SecuredRemote {
    @Resource
    private SessionContext sessionContext;

    @Override
    @RolesAllowed("role1")
    public String getCurrentUserName() {
        // caller principal as established by the security domain for this invocation
        Principal principal = this.sessionContext.getCallerPrincipal();
        return principal.getName();
    }
}
In my ear I have a jboss-app.xml like this:
<jboss-app xmlns="http://www.jboss.com/xml/ns/javaee"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="7.0">
    <security-domain>tutorial</security-domain>
</jboss-app>
My client code is this:
import java.util.Hashtable;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.jboss.ejb.client.ContextSelector;
import org.jboss.ejb.client.EJBClientConfiguration;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

import com.qualitype.tutorial.remote.SecuredRemote;

@SuppressWarnings("nls")
public class Client {
    private static String applicationName = "test.ear";
    private static String remoteModuleName = "remote.jar";
    private static String userName = "admin";
    private static String password = "test";

    public static void main(final String[] args) {
        final Client client = new Client();
        try {
            client.run();
        } catch (final Exception ex) {
            ex.printStackTrace();
        }
    }

    public Client() {
        // create client configuration
        final EJBClientConfiguration clientConfiguration = new PropertiesBasedEJBClientConfiguration(
                createClientConfigurationProperties());
        // create a context selector
        final ContextSelector<EJBClientContext> contextSelector = new ConfigBasedEJBClientContextSelector(
                clientConfiguration);
        // set the selector for use
        EJBClientContext.setSelector(contextSelector);
    }

    public void run() throws Exception {
        // lookup and use secured bean
        final SecuredRemote secured = lookupBean("Secured", SecuredRemote.class, false);
        System.out.println(secured.getCurrentUserName());
    }

    @SuppressWarnings("unchecked")
    private static <T> T lookupBean(final String beanName, final Class<T> viewClass, final boolean stateful)
            throws NamingException {
        // ejb:<app>/<module>/<bean>!<view>[?stateful]
        final String lookupName = String.format("ejb:%1$s/%2$s/%3$s!%4$s?%5$s", applicationName, remoteModuleName,
                beanName, viewClass.getName(), stateful ? "stateful" : "stateless");
        return (T) getInitialContext().lookup(lookupName);
    }

    private static Context context;

    private static Context getInitialContext() throws NamingException {
        if (context == null) {
            final Hashtable<Object, Object> contextProperties = new Hashtable<>();
            contextProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
            contextProperties.put(Context.SECURITY_PRINCIPAL, userName);
            contextProperties.put(Context.SECURITY_CREDENTIALS, password);
            contextProperties.put("jboss.naming.client.ejb.context", true);
            contextProperties.put(Context.PROVIDER_URL, "remote://localhost:4447");
            //contextProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
            context = new InitialContext(contextProperties);
        }
        return context;
    }

    private static Properties createClientConfigurationProperties() {
        final Properties properties = new Properties();
        properties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
        properties.put("remote.connections", "default");
        properties.put("remote.connection.default.host", "localhost");
        properties.put("remote.connection.default.port", "4447");
        properties.put("remote.connection.default.username", userName);
        properties.put("remote.connection.default.password", password);
        properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
        // properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS","JBOSS-LOCAL-USER");
        properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        return properties;
    }
}
The database query from the login module is executed, but using "jdbc.spy" I see that the user name is a random UUID. So I never see the entered user name on the server side. In the end there is of course this exception on the server side:
JBAS014134: EJB Invocation failed on component Secured for method public abstract java.lang.String com.qualitype.tutorial.remote.SecuredRemote.getCurrentUserName(): javax.ejb.EJBAccessException: JBAS013323: Invalid User
If I enable the "SASL_DISALLOWED_MECHANISMS" property the exception is: java.lang.IllegalStateException: No EJB receiver available for handling [...] combination
If I enable the "INITIAL_CONTEXT_FACTORY" property the exception is: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
As you can see, I use a lot of different properties. This is a collection copied from various samples from the forum. I think I tested nearly all combinations of them, but it always leads me to one of the exceptions above.
In my opinion the configuration on server side should be alright. But I have a lot of doubts concerning the client configuration...
--------------------------------------------------------------
[JBoss AS 7 Development] - JBoss 7 and Ejb remote call with security
by Petr Mates
Petr Mates [https://community.jboss.org/people/mates1234] modified the document:
"JBoss 7 and Ejb remote call with security"
To view the document, visit: https://community.jboss.org/docs/DOC-17581
--------------------------------------------------------------
This article describes my tests with ejb and JBoss7.
For my test I have an ear (TestEar) with one ejb module (TestEjb) and one bean (TestBean).
TestEar.ear
+---TestEjb.ejb
    +--mates.test.TestBean.class
       mates.test.TestBeanRemote.class
As security I use RealmUsersRoles with
x-users.properties
testX=test1234
x-roles.properties
testX=bean
And now standalone.xml
and I changed ApplicationRealm
<security-realm name="ApplicationRealm">
    <authentication>
        <jaas name="bean-sec-domain"/>
    </authentication>
</security-realm>
and security domain
<security-domain name="bean-sec-domain" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
            <module-option name="defaultUsersProperties" value="file:/${jboss.server.config.dir}/x-users.properties"/>
            <module-option name="defaultRolesProperties" value="file:/${jboss.server.config.dir}/x-roles.properties"/>
            <module-option name="usersProperties" value="file:/${jboss.server.config.dir}/x-users.properties"/>
            <module-option name="rolesProperties" value="file:/${jboss.server.config.dir}/x-roles.properties"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>
And now let's look at the bean.
import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.RolesAllowed;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;

@Stateless
@DeclareRoles("bean")
public class TestBean implements TestBeanRemote {
    @Resource
    private EJBContext context;

    @Override
    @RolesAllowed("bean")
    public String getName() {
        // secured method delegates to the unsecured one (see the "xsecured name ..." output below)
        return "secured " + getNameFree();
    }

    @Override
    public String getNameFree() {
        String aName = "";
        if (context.getCallerPrincipal() != null) {
            aName = context.getCallerPrincipal().getName();
        }
        return "name " + aName + " " + context.isCallerInRole("bean");
    }
}
Let's secure the EJB.
Add jboss-app.xml to TestEar.ear\META-INF. I use the security domain other to ensure that I secure all beans.
<?xml version="1.0" encoding="UTF-8"?>
<p:jboss-app xmlns:p="http://www.jboss.com/xml/ns/javaee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee ../../xsd/jboss-app_7_0.xsd ">
    <security-domain>other</security-domain>
</p:jboss-app>
And I want to secure TestBean. I have to add jboss-ejb3.xml to TestEjb.jar\META-INF\. TestBean is secured by bean-sec-domain.
<?xml version="1.0" encoding="UTF-8"?>
<jboss:ejb-jar xmlns:jboss="http://www.jboss.com/xml/ns/javaee"
               xmlns="http://java.sun.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xmlns:security="urn:security" version="3.1" impl-version="2.0">
    <assembly-descriptor xmlns="http://java.sun.com/xml/ns/javaee">
        <security:security xmlns:security="urn:security">
            <security:security-domain>bean-sec-domain</security:security-domain>
            <ejb-name>TestBean</ejb-name>
        </security:security>
    </assembly-descriptor>
</jboss:ejb-jar>
The remote interface is really simple, with 2 methods.
Client:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.jboss.naming.remote.client.InitialContextFactory;
import mates.test.TestBeanRemote;

public class Client {
    public static void main(String[] args) throws Exception {
        Hashtable<String, Object> p = new Hashtable<String, Object>();
        p.put(Context.INITIAL_CONTEXT_FACTORY, InitialContextFactory.class.getName());
        p.put(Context.PROVIDER_URL, "remote://127.0.0.1:4447/");
        p.put(InitialContext.SECURITY_PRINCIPAL, "testX");
        p.put(InitialContext.SECURITY_CREDENTIALS, "test1234");
        p.put("jboss.naming.client.ejb.context", true);
        p.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        InitialContext c = new InitialContext(p);
        TestBeanRemote vLookup = (TestBeanRemote) c.lookup("java:/TestEar/TestEjb/TestBean!" + TestBeanRemote.class.getName());
        System.out.println("x" + vLookup.getNameFree());
        System.out.println("x" + vLookup.getName());
    }
}
After this you can see
xname testX true
xsecured name testX true
That's all.
And now some other tests:
The most important part is
p.put("jboss.naming.client.ejb.context", true);
Without this property you will see "No EJB receiver available for handling [appName:TestEar,modulename:TestEjb,distinctname:] combination"
When you put in the class path a file jboss-ejb-client.properties with the standard
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=x1
remote.connection.x1.host=127.0.0.1
remote.connection.x1.port = 4447
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.x1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
and comment out p.put("jboss.naming.client.ejb.context", true);
the console now shows
xname $local false
Exception in thread "main" javax.ejb.EJBAccessException: JBAS014502: Invocation on method: public abstract java.lang.String mates.test.TestBeanRemote.getName() of bean: TestBean is not allowed
jboss.naming.client.ejb.context sets up the EJB client context on the client side. See org.jboss.naming.remote.client.InitialContextFactory
--------------------------------------------------------------
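As an added example (not code from either post above, nor from the JBoss project), here is one remote client that applies both settings discussed in this thread: the JBOSS-LOCAL-USER exclusion from Darran Lofthouse's comment and the jboss.naming.client.ejb.context property from this document, expressed in both property namespaces (the jboss.naming.client.connect.options.* prefix for the remote-naming JNDI path and the remote.connection.<name>.connect.options.* prefix for the EJB client library). The host, port, credentials, application and module names are assumed values; the SecuredRemote interface name is taken from the exception text in the related discussion, and the JBoss client classes are the ones the posts already use.

```java
import java.util.Hashtable;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.jboss.ejb.client.ContextSelector;
import org.jboss.ejb.client.EJBClientConfiguration;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

// interface name taken from the exception message quoted in the related discussion
import com.qualitype.tutorial.remote.SecuredRemote;

public class RemoteClientWithoutLocalAuth {

    // JBOSS-LOCAL-USER is the SASL mechanism that lets a client on the same host
    // authenticate as "$local" without a password. Disallowing it on the client side
    // makes the connection use the supplied user name and password, so the server's
    // login module sees the real user instead of "$local" (the symptom in the thread).
    private static final String SASL_DISALLOWED = "org.xnio.Options.SASL_DISALLOWED_MECHANISMS";
    private static final String LOCAL_USER_MECH = "JBOSS-LOCAL-USER";

    /** Variant A: remote-naming JNDI context that also drives the EJB client context. */
    static Hashtable<String, Object> jndiEnvironment(String host, int port, String user, String password) {
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
        env.put(Context.PROVIDER_URL, "remote://" + host + ":" + port);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        // without this the EJB proxy has no receiver ("No EJB receiver available ...")
        env.put("jboss.naming.client.ejb.context", true);
        // JNDI-side connection options use the jboss.naming.client.connect.options.* prefix
        env.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        env.put("jboss.naming.client.connect.options." + SASL_DISALLOWED, LOCAL_USER_MECH);
        return env;
    }

    /** Variant B: the same settings for the EJB client library (jboss-ejb-client.properties style). */
    static Properties ejbClientProperties(String connection, String host, int port, String user, String password) {
        Properties props = new Properties();
        props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
        props.put("remote.connections", connection);
        String prefix = "remote.connection." + connection + ".";
        props.put(prefix + "host", host);
        props.put(prefix + "port", Integer.toString(port));
        props.put(prefix + "username", user);
        props.put(prefix + "password", password);
        props.put(prefix + "connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
        props.put(prefix + "connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
        // EJB-client-side connection options use the remote.connection.<name>.connect.options.* prefix
        props.put(prefix + "connect.options." + SASL_DISALLOWED, LOCAL_USER_MECH);
        return props;
    }

    static SecuredRemote lookupViaJndi(String host, int port, String user, String password) throws NamingException {
        Context ctx = new InitialContext(jndiEnvironment(host, port, user, password));
        // <app>/<module>/<bean>!<interface>; "test" and "remote" are assumed app and module names
        return (SecuredRemote) ctx.lookup("test/remote/Secured!" + SecuredRemote.class.getName());
    }

    static SecuredRemote lookupViaEjbClient(String host, int port, String user, String password) throws NamingException {
        EJBClientConfiguration cfg = new PropertiesBasedEJBClientConfiguration(
                ejbClientProperties("default", host, port, user, password));
        ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cfg);
        EJBClientContext.setSelector(selector);
        Hashtable<String, Object> env = new Hashtable<String, Object>();
        env.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        Context ctx = new InitialContext(env);
        // ejb:<app>/<module>/<bean>!<interface> for a stateless bean
        return (SecuredRemote) ctx.lookup("ejb:test/remote/Secured!" + SecuredRemote.class.getName());
    }

    public static void main(String[] args) throws NamingException {
        // assumed values for illustration
        String host = "localhost";
        int port = 4447;
        String user = "admin";
        String password = "test";
        boolean useEjbClientLibrary = args.length > 0 && "ejb-client".equals(args[0]);

        SecuredRemote bean = useEjbClientLibrary
                ? lookupViaEjbClient(host, port, user, password)
                : lookupViaJndi(host, port, user, password);
        // with JBOSS-LOCAL-USER disallowed this prints the authenticated user, not "$local"
        System.out.println(bean.getCurrentUserName());
    }
}
```

Only one of the two variants is needed in a real client; they are shown side by side so the mapping between the two property prefixes is visible. A quick server-side check that the exclusion took effect is the caller principal the bean reports: "$local" means the local mechanism was still negotiated, the configured user name means the password-based mechanism was used.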
[JBoss AS 7 Development] - Logging Id's
by John Bailey
John Bailey [https://community.jboss.org/people/johnbailey] modified the document:
"Logging Id's"
To view the document, visit: https://community.jboss.org/docs/DOC-16810
--------------------------------------------------------------
Logging id ranges for JBoss AS7 i18n message interfaces.

|| Status ||
| C | Complete |
| I | In Progress |
| P | Merged, but not complete |
| W | Waiting Merge |

|| Range || Subsystem || Status ||
| 10100 - 10199 | Transaction | C |
| 10200 - 10399 | Clustering | C |
| 10400 - 10499 | Connector | C |
| 10500 - 10599 | CLI (not applicable) | N/A |
| 10600 - 10699 | Controller Client | C |
| 10700 - 10799, 18500 - 18699 | CMP | |
| 10800 - 10899 | Host Controller (domain packages) | C |
| 10900 - 10999 | Host Controller (host packages) | C |
| 11000 - 11099 | EE | C |
| 11100 - 11199 | Embedded | C |
| 11200 - 11299 | JAXRS | C |
| 11300 - 11399 | JMX | C |
| 11400 - 11499 | JPA | C |
| 11500 - 11599 | Logging | C |
| 11600 - 11699 | Messaging | C |
| 11700 - 11799 | mod_cluster | C |
| 11800 - 11899 | Naming | C |
| 11900 - 11999 | OSGi | C |
| 12000 - 12099 | Process Controller | C |
| 12100 - 12199 | Protocol | C |
| 12200 - 12299 | Management Client Content | C |
| 12300 - 12399 | Platform MBeans | C |
| 12400 - 12499 | Threads | C |
| 13100 - 13199 | Security | C |
| 13200 - 13299 | AppClient | C |
| 13300 - 13399 | JDR | C |
| 14000 - 14099 | JAXR | W |
| 14100 - 14599 | Ejb3 | P |
| 14600 - 14899 | Controller | C |
| 14900 - 14999 | Deployment Repository | C |
| 15000 - 15099 | Deployment Scanner | C |
| 15100 - 15199 | Deployment HTTP API | C |
| 15200 - 15299 | Deployment Management | C |
| 15300 - 15399 | Network | C |
| 15400 - 15499 | Mail | C |
| 15500 - 15699 | Web Services | C |
| 15700 - 15999 | Server | C |
| 16000 - 16099 | Weld | C |
| 16100 - 16199 | EE Deployment | C |
| 16200 - 16299 | Configadmin | C |
| 16300 - 16499 | Jacorb | C |
| available block(s) | | |
| 17000 - 17099 | POJO | C |
| 17100 - 17199 | Remoting | W |
| 17200 - 17299 | SAR | W |
| 18000 - 18399 | Web | C |
| 18400 - 18499 | Xts | C |
--------------------------------------------------------------
[JBoss AS 7 Development] - Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)
by Darran Lofthouse
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/719029#719029
--------------------------------------------------------------
Thanks for the detailed output - at this point this suggests the realm / domain configuration is correctly configured to be working together. We may need to double check that the correct password is being passed to the login module, but from the information I have, if the correct username is arriving there I would not suspect the wrong password to be arriving there.
Within your security domain configuration you have configured the module to use both a hashAlgorithm and hashEncoding - what is the actual value stored in the password field of that row of the table?
I would suggest, as a next step to at least verify this call end to end, that you remove both the hashAlgorithm and hashEncoding values from the domain configuration and update that row of the table so that the password field contains the plain text value 'admin' - if the call can be verified to that point, it will mean that attention can then be focussed on the final settings for the DatabaseLoginModule.
--------------------------------------------------------------