[JBoss AS 7 Development] - Re: Remote client access with database login module: user name and password are UUIDs
9:32 p.m.
andrei povodyrev [https://community.jboss.org/people/apovodyrev] created the discussion
"Re: Remote client access with database login module: user name and password are
UUIDs"
To view the discussion, visit: https://community.jboss.org/message/724140#724140
--------------------------------------------------------------
Seems like all remote calls have to be authenticated by remoting-connector.
This is the key <connector name="remoting-connector"
socket-binding="remoting" security-realm="TutorialRealm"/> where
whole jboss ejb remote access is tied to a single app realm. Seems like a mess. If you
have multiple apps on the same server with own security, maintaining acces to them with
remote client is going to be nightmare.
Application login module must have <module-option name="password-stacking"
value="useFirstPass"/> to piggy back on cached Principal/Credentials
If security realm (ApplicationRealm by default) is removed from remoting-connector, there
is no way to authenticate ejb remote call.
Tried multiple approaches
1)
jndiProperties.put(InitialContext.SECURITY_PRINCIPAL, "user");
jndiProperties.put(InitialContext.SECURITY_CREDENTIALS, "pass");
2)
org.jboss.security.client.SecurityClient
3)
org.jboss.security.auth.callback.AppCallbackHandler
User credential set by above means do not get to java ee security context and random UUID
values are used on server, or $local if
setting SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER not used
A frequently refernced link from jboss7 docs
https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+...
https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+...
is not sufficient to make your remote clients work because it leaves the server
configuration part out of discussion.
Frustrated after fighting this for the thrid day in the row.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724140#724140]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
10:07 a.m.
Daniel Jipa [https://community.jboss.org/people/danjee] created the discussion
"Re: Remote client access with database login module: user name and password are
UUIDs"
To view the discussion, visit: https://community.jboss.org/message/724248#724248
--------------------------------------------------------------
Seems like all remote calls have to be authenticated by remoting-connector.
This is the key <connector name="remoting-connector"
socket-binding="remoting" security-realm="TutorialRealm"/> where
whole jboss ejb remote access is tied to a single app realm. Seems like a mess. If you
have multiple apps on the same server with own security, maintaining acces to them with
remote client is going to be nightmare.
My workaround for this was to put a jar file with a dummy login module that just let
authentication requests pass, considering that other security-domains are enabled in
EJBs.
Application login module must have <module-option name="password-stacking"
value="useFirstPass"/> to piggy back on cached Principal/Credentials
That didn't work for me in JBoss 7.1.1. Do I miss other configurations for making
cache to work ?
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724248#724248]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
8:06 p.m.
andrei povodyrev [https://community.jboss.org/people/apovodyrev] created the discussion
"Re: Remote client access with database login module: user name and password are
UUIDs"
To view the discussion, visit: https://community.jboss.org/message/724406#724406
--------------------------------------------------------------
Daniel,
I use Jboss 7.1.0. password-stacking will work if you have more than one LoginModule. Say,
you leave security realm for remoting unchanged (ApplicationRealm configured by
application-users.properties), Then org.jboss.as.security.remoting.RemotingLoginModule
will place principal in the sharedState map maintained by
javax.security.auth.login.LoginContext. Then your DatabseServerLoginModule gets its turn
it will pick the pricipal cached by RemotingLoginModule. If <module-option
name="password-stacking" value="useFirstPass"/> is enabled.
Your suggestion for dummy LoginModule is good. There you can place principal/credential
supplied by remote client(remote.connection.default.username/password) into sharedState
which in turn will be picked up by any other LoginModule in the array of applications
deployed on this jboss instance.
I see configuration could be like this
| | <security-realm name="ApplicationRealm"> |
| | <authentication> |
| | <jaas name="my-dummy-domain"/> |
| | </authentication> |
| | </security-realm> |
| | <security-domain name="my-dummy-domain"
cache-type="default"> |
| | <authentication> |
| | <login-module code="MyDummyLoginModule"
flag="required"> |
| | <module-option name="password-stacking"
value="useFirstPass"/> |
| | </login-module> |
| | </authentication> |
| | </security-domain> |
| | <security-domain name="myRealDomain"
cache-type="default"> |
| | <login-module code="Database"
flag="required"> |
| | <module-option name="password-stacking"
value="useFirstPass"/> |
| | <module-option name="dsJndiName"
value=""/> |
| | <module-option name="principalsQuery"
value="select password ..?"/> |
| | <module-option name="rolesQuery" value="select
ur.role, 'Roles' from ..."/> |
| | </login-module> |
| | </security-domain> |
Pls, let me know if you use your dummy loginmodule in a similar way
Andrei
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/724406#724406]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
11:03 a.m.
Daniel Jipa [https://community.jboss.org/people/danjee] created the discussion
"Re: Remote client access with database login module: user name and password are
UUIDs"
To view the discussion, visit: https://community.jboss.org/message/725543#725543
--------------------------------------------------------------
Hello Andrei,
I didn't had the time to handle this upgrade to JBoss 7 this last few days. Indeed I
use my dummy login module in this way, without this option:
<module-option name="password-stacking" value="useFirstPass"/>
for it.
But this option is enabled in my real login module and the multiple call to EJB problem
persists even when calling methods remotely or locally from a war.
The problem with multiple calls to the EJB as I understood it will be solved in 7.1.2
version.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/725543#725543]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4425
days inactive
4432
days old
jboss-dev-forums@lists.jboss.org
3 comments
2 participants
participants (2)
-
andrei povodyrev -
Daniel Jipa