1:06 p.m.
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/717947#717947
--------------------------------------------------------------
Don't worry about the SASL options, they are selected automatically based on the
capabilities of the authentication mechanism you choose.
What you will need to do is reference the JAAS domain from the realm, an example of this
is here: -
<security-realm name="ManagementRealm">
<authentication>
<jaas name="darrans-domain" />
</authentication>
</security-realm>
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/717947#717947]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
3:49 p.m.
apparaonali [https://community.jboss.org/people/apparaonali] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718350#718350
--------------------------------------------------------------
I am also facing the user name encrypted issue.
I tried with the above suggestion, still it failed to login due to encrypted vaule of
Principal/user.
I enabled trace and verified the Principal/user value it is always encrypted value and
different for run to run.
I added below lines as per your suggestion:
================================
<security-realm name="ManagementRealm">
<authentication>
<jaas name="AppuLogin" />
</authentication>
</security-realm>
I also added below lines as remote socket binding referring to "ApplicationRealm
<subsystem xmlns="urn:jboss:domain:remoting:1.1"> <connector
name="remoting-connector" socket-binding="remoting"
security-realm="*ApplicationRealm*"/> </subsystem>"
security-realm name="ApplicationRealm">
<authentication>
<jaas name="iS3Login"/>
</authentication>
</security-realm>
Here is server side trace, I underlined the principal value:
8:35:26,010 DEBUG [org.jboss.security.plugins.JBossAuthenticationManager.AppuLogin] (EJB
default - 1) CallbackHandler:
mailto:org.jboss.security.auth.callback.JBossCallbackHandler@cfed14
org.jboss.security.auth.callback.JBossCallbackHandler@cfed14
08:35:26,010 TRACE [org.jboss.security.plugins.JBossAuthenticationManager.AppuLogin] (EJB
default - 1) Begin isValid, principal:*f048cdad-baf6-4aef-8591-186a7414350f*
08:35:26,010 TRACE [org.jboss.security.plugins.JBossAuthenticationManager.AppuLogin] (EJB
default - 1) defaultLogin, principal=*f048cdad-baf6-4aef-8591-186a7414350f*
08:35:26,010 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1)
Begin getAppConfigurationEntry(AppuLogin), size=3
08:35:26,026 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] (EJB default - 1)
End getAppConfigurationEntry(AppuLogin), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.DatabaseServerLoginModule
ControlFlag: LoginModuleControlFlag: sufficient
Options:
name=hashAlgorithm, value=SHA-256
name=principalsQuery, value=select password from sessionuser where name=?
name=hashEncoding, value=base64
name=dsJndiName, value=java:/jdbc/AppuDS
name=rolesQuery, value=select role, 'Roles' from sessionrole where name=?
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) initialize
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) Security domain: AppuLogin
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) Password hashing activated: algorithm = SHA-256, encoding = base64, charset =
{default}, callback = null, storeCallback = null
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) DatabaseServerLoginModule, dsJndiName=java:/jdbc/AppuDS
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) principalsQuery=select password from sessionuser where name=?
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) rolesQuery=select role, 'Roles' from sessionrole where name=?
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) suspendResume=true
08:35:26,026 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) login
08:35:26,041 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) suspendAnyTransaction
08:35:26,041 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) Excuting query: select password from sessionuser where name=?, with username:
f048cdad-baf6-4aef-8591-186a7414350f
08:35:26,072 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) Query returned no matches from db
08:35:26,072 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) resumeAnyTransaction
08:35:26,072 TRACE [org.jboss.security.auth.spi.DatabaseServerLoginModule] (EJB default -
1) abort
08:35:26,072 TRACE [org.jboss.security.plugins.JBossAuthenticationManager.AppuLogin] (EJB
default - 1) Login failure: javax.security.auth.login.FailedLoginException: PB00019:
Processing Failed:No matching username found in Principals
at
org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:186)
[picketbox-4.0.6.final.jar:4.0.6.final]
at
org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:248)
[picketbox-4.0.6.final.jar:4.0.6.final]
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718350#718350]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
3:57 p.m.
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718354#718354
--------------------------------------------------------------
The username and password are not encrypted, they are random values as the values from the
client connection are not arriving at the server.
What call are you making to the server at the time this is logged?
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718354#718354]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4:27 p.m.
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718374#718374
--------------------------------------------------------------
Also where is your client located? Looking at your log I think the local authentication
mechanism could be getting selected which would explain why there is no username or
password propagated to the login module.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718374#718374]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
5:51 p.m.
apparaonali [https://community.jboss.org/people/apparaonali] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718417#718417
--------------------------------------------------------------
Thanks for your quick reply.
When my test sesion bean trying to get the principal from the EJBContext, it is throwing
the above error. Please find the detais of my test below.
TestBean:
=======
@Stateless
@SecurityDomain(value = "AppuLogin")*
*
*public class SessionBean implements SessionBeanInterface { @Resource **private**
EJBContext context;*Principal pp = context.getCallerPrincipal();*
@Override public String getPrincipal() {*
System.++out++.println(pp.toString());
** return** (String) (context.getCallerPrincipal().getName());
}
#
}
Standalone Remote Client code:
=========================
public class RemoteEJBClient {
private static final String USER_LOGIN_NAME = "admin";
private static final String USER_PASSWORD = "admin";
static {
Security.addProvider(new JBossSaslProvider());
}
public static final String AUTH_LOGIN_CONFIG =
"java.security.auth.login.config";
public static final String AUTH_CONF = "/auth.conf";
public static void main(String[] args) throws Exception {
if (System.getProperties().getProperty(RemoteEJBClient.AUTH_LOGIN_CONFIG) == null)
{
URL url =
RemoteEJBClient.class.getClass().getResource(RemoteEJBClient.AUTH_CONF);
if (url != null) {
System.getProperties().setProperty(RemoteEJBClient.AUTH_LOGIN_CONFIG,
url.toString());
}
}
AppCallbackHandler callbackHandler = new AppCallbackHandler(USER_LOGIN_NAME,
USER_PASSWORD.toCharArray());
LoginContext loginContext = new LoginContext("logincontextname",
callbackHandler);
loginContext.login();
final Hashtable jndiProperties = new Hashtable();
jndiProperties.put(Context.URL_PKG_PREFIXES,
"org.jboss.ejb.client.naming");
final Context context = new InitialContext(jndiProperties);
invokeStatelessBean(context);
}
private static void invokeStatelessBean(Context context) throws NamingException,
LoginException {
final SessionBeanInterface statelessSessionBeanInterface =
lookupRemoteStatelessCalculator(context);
System.out.println("Obtained a remote stateless SessionBeanInterface for
invocation");
try {
final String principal = statelessSessionBeanInterface.getPrincipal();
System.out.println("EJB principal " +
statelessSessionBeanInterface.getPrincipal());
} catch (RuntimeException e) {
e.printStackTrace();
}
}
private static SessionBeanInterface lookupRemoteStatelessCalculator(Context context)
throws NamingException, LoginException {
final String appName = "TestEAR";
final String moduleName = "TestEJB";
final String distinctName = "";
final String beanName = "SessionBean";
final String viewClassName = SessionBeanInterface.class.getName();
System.out.println("ejb:" + appName + "/" + moduleName +
"/" + distinctName + "/" + beanName + "!" + viewClassName);
return (SessionBeanInterface) context.lookup("ejb:" + appName +
"/" + moduleName + "/" + distinctName + "/" + beanName
+ "!" + viewClassName);
}
}
Client ejb properties:
===============
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=default
remote.connection.default.host=
localhost
remote.connection.default.port = 4447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.two.host=
localhost
remote.connection.two.port = 4447
remote.connection.two.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
aut.conf:
======
logincontextname
{
org.jboss.security.ClientLoginModule required
;
};
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718417#718417]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
6:27 p.m.
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718433#718433
--------------------------------------------------------------
Can you try the following client properties: -
remote.connection.default.connect.options.org.xnio.Options..SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.two.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
I believe from the message you show that the client and server are running local to each
other so the authentication is ocurring silently and locally, these properties first allow
for the username and password to be sent to the server and secondly will allow the
password to be passed plain text to the server which is required to pass it to JAAS.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718433#718433]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
6:45 p.m.
apparaonali [https://community.jboss.org/people/apparaonali] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718443#718443
--------------------------------------------------------------
I added these properties, still I am geting these exceptions.
Client side I obsrsed the below warning related to new property
WARN: Invalid option 'org.xnio.Options..SASL_DISALLOWED_MECHANISMS' in property
'remote.connection.default.connect.options.org.xnio.Options..SASL_DISALLOWED_MECHANISMS':
java.lang.IllegalArgumentException : Class 'org.xnio.Options.' not found
Thanks for your quck replies.
Here is file ejb client properties I used to run the test:
=======================================
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=
false
remote.connections=
default
remote.connection.default.host=
localhost
remote.connection.default.port =
4447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=
false
*remote.connection.default.connect.options.org.xnio.Options..SASL_DISALLOWED_MECHANISMS*=JBOSS-LOCAL-USER
remote.connection.two.host=
localhost
remote.connection.two.port =
4447remote.connection.two.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=
false
*remote.connection.two.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=*
*false*
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718443#718443]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
9:58 a.m.
jaikiran pai [https://community.jboss.org/people/jaikiran] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718594#718594
--------------------------------------------------------------
Darran Lofthouse wrote:
Can you try the following client properties: -
remote.connection.default.connect.options.org.xnio.Options..SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.two.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
There are a couple of typos in there. What Darran meant was:
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
(Notice the connection name is "default" and not "two").
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718594#718594]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
11:01 a.m.
jw [https://community.jboss.org/people/jw] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718619#718619
--------------------------------------------------------------
auth.conf:
logincontextname
{
org.jboss.security.ClientLoginModule required
;
};
Is this supported again? I thought this JAAS module is not compatible anymore (as of
7.1.0.Cr1)
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718619#718619]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
12:35 p.m.
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718653#718653
--------------------------------------------------------------
jw - that is a new question so I would suggest starting a new thread - but no that module
is not currently supported.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718653#718653]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
12:36 p.m.
Darran Lofthouse [https://community.jboss.org/people/dlofthouse] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718654#718654
--------------------------------------------------------------
jw - can you also please describe your environment?
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718654#718654]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
1:20 p.m.
jw [https://community.jboss.org/people/jw] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718667#718667
--------------------------------------------------------------
Pretty much the same as https://community.jboss.org/people/apparaonali
apparaonali's:
jboss-ejb-client.properties
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port=4447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
jndi.properties
java.naming.factory.url.pkgs=org.jboss.ejb.client.naming
java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
Remote client code:
ctx = loadFromJndiPropertiesFile();
ctx.put("jboss.naming.client.ejb.context", true); // can not be in
jndi.properties. Requieres boolean, does not accept String
ctx.put( Context.PROVIDER_URL, "remote://myhost:4447");
ctx.put(InitialContext.SECURITY_PRINCIPAL, username);
ctx.put(InitialContext.SECURITY_CREDENTIALS, password);
ctx.lookup(.....);
Server config:
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
<connector name="remoting-connector"
socket-binding="remoting"/>
</subsystem>
<subsystem xmlns="urn:jboss:domain:security:1.1">
<security-domains>
<security-domain name="my-security-domain"
cache-type="default">
<authentication>
<login-module code="Database"
flag="required">
<module-option name="dsJndiName"
value="java:/MyDS"/>
<module-option name="principalsQuery"
value="......."/>
<module-option name="rolesQuery"
value="......."/>
<module-option name="hashAlgorithm"
value="SHA"/>
<module-option name="hashEncoding"
value="BASE64"/>
</login-module>
</authentication>
</security-domain>
</security-domains>
</subsystem>
In addition I wanted to link the ApplicationRealm to my-security-domain:
<management>
<security-realms>
<security-realm name="ApplicationRealm">
<authentication>
<jaas name="my-security-domain"/>
</authentication>
</security-realm>
</security-realms>
</management>
but that hasn't worked, so I had to remove the security realm of remoting
jboss-app.xml (in META-INF of my ear):
<jboss-app>
<security-domain>my-security-domain</security-domain>
</jboss-app>
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718667#718667]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
12:59 p.m.
jw [https://community.jboss.org/people/jw] created the discussion
"Re: remote ejb client username is encrypted at the server(JBOSS7.1 CR1)"
To view the discussion, visit: https://community.jboss.org/message/718660#718660
--------------------------------------------------------------
Darran Lofthouse schrieb:
jw - that is a new question so I would suggest starting a new thread - but no that module
is not currently supported.
your're right. Just saw this in
https://community.jboss.org/people/apparaonali apparaonali's example. Thouht it could
be a hint.
--------------------------------------------------------------
Reply to this message by going to Community
[https://community.jboss.org/message/718660#718660]
Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&...]
4440
days inactive
4442
days old
jboss-dev-forums@lists.jboss.org
12 comments
4 participants
participants (4)
-
apparaonali -
Darran Lofthouse
-
jaikiran pai
-
jw