[JBoss JIRA] (AS7-4099) Clustered EJB invocations for server to server communication fail on secured servers
7:03 a.m.
jaikiran pai created AS7-4099:
---------------------------------
Summary: Clustered EJB invocations for server to server communication fail on
secured servers
Key: AS7-4099
URL: https://issues.jboss.org/browse/AS7-4099
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.0.Final
Reporter: jaikiran pai
Assignee: jaikiran pai
Priority: Critical
Fix For: 7.1.1.Final
While writing a documentation for server to server EJB invocations when security is
involved, I just noticed that we lack a way to let the user deployments configure security
and other connection details for dynamic nodes that participate in the clustered
invocation. Consider the following scenario:
1) Server A and Server B both running in standalone HA mode. Both server A and B have a
deployment "foo" containing clustered SFSBs.
2) Server C is a client server (may or may not have cluster capability).
3) Server C has a deployment "bar" containing a jboss-ejb-client.xml with
reference to a outbound remoting connection:
{code:xml}
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.0">
<client-context>
<ejb-receivers>
<remoting-ejb-receiver
outbound-connection-ref="server-A-outbound-connection" />
</ejb-receivers>
</client-context>
</jboss-ejb-client>
{code}
Server C has a outbound connection configuration to server A, configured in its remoting
subsystem with appropriate security and other connection settings.
The "bar" application on server C invokes a SFSB from "foo"
application on server A. Server A sends back the cluster topology to server C and that
topology includes server B (and other nodes if any). Now server C has no knowledge on how
to connect to server B with the appropriate security credentials. The EJB client API falls
back on default connection options and will try to connect to server B, but that will
obviously fail because those defaults won't be applicable in a secured server
environment.
The infrastructure is in place, in EJB client API to dynamically connecting to the cluster
nodes. What we are missing is a way to let users configure this. For a remote standalone
client, we allow this via jboss-ejb-client.properties. We need something similar but more
applicable for a client hosted on the server, in the jboss-ejb-client.xml.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:11 a.m.
[
https://issues.jboss.org/browse/AS7-4099?page=com.atlassian.jira.plugin.s...
]
jaikiran pai commented on AS7-4099:
-----------------------------------
I've something like this in mind:
{code:xml}
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.0">
<client-context>
<ejb-receivers exclude-local-receiver="true">
<remoting-ejb-receiver outbound-connection-ref="abc" />
</ejb-receivers>
<clusters>
<!-- Configuration for cluster named ejb -->
<cluster name="ejb" max-allowed-connected-nodes="5"
username="foo" security-realm="realm configured in domain or standalone
config" connect-timeout="5000">
<!-- Optional cluster node selector -->
<cluster-node-selector name="org.myapp.Foo"
module="optional-module-name"/>
<!-- Connection creation options applicable to all nodes in this
cluster -->
<connection-creation-options>
<property name="prop" value="val"/>
</connection-creation-options>
<!-- Optional channel creation options -->
<channel-creation-options>
<property name="prop" value="val"/>
</channel-creation-options>
<!-- Optional node configurations for a specific node in this cluster
-->
<node name="some node name" user-name="foo"
security-realm="bar">
<!-- Connection creation options applicable to this node -->
<connection-creation-options>
<property name="prop" value="val"/>
</connection-creation-options>
</node>
</cluster>
</clusters>
</client-context>
</jboss-ejb-client>
{code}
Clustered EJB invocations for server to server communication fail on
secured servers
------------------------------------------------------------------------------------
Key: AS7-4099
URL: https://issues.jboss.org/browse/AS7-4099
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.0.Final
Reporter: jaikiran pai
Assignee: jaikiran pai
Priority: Critical
Fix For: 7.1.1.Final
While writing a documentation for server to server EJB invocations when security is
involved, I just noticed that we lack a way to let the user deployments configure security
and other connection details for dynamic nodes that participate in the clustered
invocation. Consider the following scenario:
1) Server A and Server B both running in standalone HA mode. Both server A and B have a
deployment "foo" containing clustered SFSBs.
2) Server C is a client server (may or may not have cluster capability).
3) Server C has a deployment "bar" containing a jboss-ejb-client.xml with
reference to a outbound remoting connection:
{code:xml}
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.0">
<client-context>
<ejb-receivers>
<remoting-ejb-receiver
outbound-connection-ref="server-A-outbound-connection" />
</ejb-receivers>
</client-context>
</jboss-ejb-client>
{code}
Server C has a outbound connection configuration to server A, configured in its remoting
subsystem with appropriate security and other connection settings.
The "bar" application on server C invokes a SFSB from "foo"
application on server A. Server A sends back the cluster topology to server C and that
topology includes server B (and other nodes if any). Now server C has no knowledge on how
to connect to server B with the appropriate security credentials. The EJB client API falls
back on default connection options and will try to connect to server B, but that will
obviously fail because those defaults won't be applicable in a secured server
environment.
The infrastructure is in place, in EJB client API to dynamically connecting to the
cluster nodes. What we are missing is a way to let users configure this. For a remote
standalone client, we allow this via jboss-ejb-client.properties. We need something
similar but more applicable for a client hosted on the server, in the
jboss-ejb-client.xml.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
7:13 a.m.
[
https://issues.jboss.org/browse/AS7-4099?page=com.atlassian.jira.plugin.s...
]
jaikiran pai edited comment on AS7-4099 at 3/8/12 8:12 AM:
-----------------------------------------------------------
I've something like this in mind:
{code:xml}
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.1">
<client-context>
<ejb-receivers exclude-local-receiver="true">
<remoting-ejb-receiver outbound-connection-ref="abc" />
</ejb-receivers>
<clusters>
<!-- Configuration for cluster named ejb -->
<cluster name="ejb" max-allowed-connected-nodes="5"
username="foo" security-realm="realm configured in domain or standalone
config" connect-timeout="5000">
<!-- Optional cluster node selector -->
<cluster-node-selector name="org.myapp.Foo"
module="optional-module-name"/>
<!-- Connection creation options applicable to all nodes in this
cluster -->
<connection-creation-options>
<property name="prop" value="val"/>
</connection-creation-options>
<!-- Optional channel creation options -->
<channel-creation-options>
<property name="prop" value="val"/>
</channel-creation-options>
<!-- Optional node configurations for a specific node in this cluster
-->
<node name="some node name" user-name="foo"
security-realm="bar">
<!-- Connection creation options applicable to this node -->
<connection-creation-options>
<property name="prop" value="val"/>
</connection-creation-options>
</node>
</cluster>
</clusters>
</client-context>
</jboss-ejb-client>
{code}
Edit: Fixed minor typo.
was (Author: jaikiran):
I've something like this in mind:
{code:xml}
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.0">
<client-context>
<ejb-receivers exclude-local-receiver="true">
<remoting-ejb-receiver outbound-connection-ref="abc" />
</ejb-receivers>
<clusters>
<!-- Configuration for cluster named ejb -->
<cluster name="ejb" max-allowed-connected-nodes="5"
username="foo" security-realm="realm configured in domain or standalone
config" connect-timeout="5000">
<!-- Optional cluster node selector -->
<cluster-node-selector name="org.myapp.Foo"
module="optional-module-name"/>
<!-- Connection creation options applicable to all nodes in this
cluster -->
<connection-creation-options>
<property name="prop" value="val"/>
</connection-creation-options>
<!-- Optional channel creation options -->
<channel-creation-options>
<property name="prop" value="val"/>
</channel-creation-options>
<!-- Optional node configurations for a specific node in this cluster
-->
<node name="some node name" user-name="foo"
security-realm="bar">
<!-- Connection creation options applicable to this node -->
<connection-creation-options>
<property name="prop" value="val"/>
</connection-creation-options>
</node>
</cluster>
</clusters>
</client-context>
</jboss-ejb-client>
{code}
Clustered EJB invocations for server to server communication fail on
secured servers
------------------------------------------------------------------------------------
Key: AS7-4099
URL: https://issues.jboss.org/browse/AS7-4099
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.0.Final
Reporter: jaikiran pai
Assignee: jaikiran pai
Priority: Critical
Fix For: 7.1.1.Final
While writing a documentation for server to server EJB invocations when security is
involved, I just noticed that we lack a way to let the user deployments configure security
and other connection details for dynamic nodes that participate in the clustered
invocation. Consider the following scenario:
1) Server A and Server B both running in standalone HA mode. Both server A and B have a
deployment "foo" containing clustered SFSBs.
2) Server C is a client server (may or may not have cluster capability).
3) Server C has a deployment "bar" containing a jboss-ejb-client.xml with
reference to a outbound remoting connection:
{code:xml}
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.0">
<client-context>
<ejb-receivers>
<remoting-ejb-receiver
outbound-connection-ref="server-A-outbound-connection" />
</ejb-receivers>
</client-context>
</jboss-ejb-client>
{code}
Server C has a outbound connection configuration to server A, configured in its remoting
subsystem with appropriate security and other connection settings.
The "bar" application on server C invokes a SFSB from "foo"
application on server A. Server A sends back the cluster topology to server C and that
topology includes server B (and other nodes if any). Now server C has no knowledge on how
to connect to server B with the appropriate security credentials. The EJB client API falls
back on default connection options and will try to connect to server B, but that will
obviously fail because those defaults won't be applicable in a secured server
environment.
The infrastructure is in place, in EJB client API to dynamically connecting to the
cluster nodes. What we are missing is a way to let users configure this. For a remote
standalone client, we allow this via jboss-ejb-client.properties. We need something
similar but more applicable for a client hosted on the server, in the
jboss-ejb-client.xml.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
1:50 p.m.
[
https://issues.jboss.org/browse/AS7-4099?page=com.atlassian.jira.plugin.s...
]
Jason Greene updated AS7-4099:
------------------------------
Priority: Blocker (was: Critical)
Since this effectively prevents servers (and also ee app clients) from acting as clients
to a default security cluster config, this should block the 7.1.1 release.
Clustered EJB invocations for server to server communication fail on
secured servers
------------------------------------------------------------------------------------
Key: AS7-4099
URL: https://issues.jboss.org/browse/AS7-4099
Project: Application Server 7
Issue Type: Bug
Components: EJB
Affects Versions: 7.1.0.Final
Reporter: jaikiran pai
Assignee: jaikiran pai
Priority: Blocker
Fix For: 7.1.1.Final
While writing a documentation for server to server EJB invocations when security is
involved, I just noticed that we lack a way to let the user deployments configure security
and other connection details for dynamic nodes that participate in the clustered
invocation. Consider the following scenario:
1) Server A and Server B both running in standalone HA mode. Both server A and B have a
deployment "foo" containing clustered SFSBs.
2) Server C is a client server (may or may not have cluster capability).
3) Server C has a deployment "bar" containing a jboss-ejb-client.xml with
reference to a outbound remoting connection:
{code:xml}
<jboss-ejb-client xmlns="urn:jboss:ejb-client:1.0">
<client-context>
<ejb-receivers>
<remoting-ejb-receiver
outbound-connection-ref="server-A-outbound-connection" />
</ejb-receivers>
</client-context>
</jboss-ejb-client>
{code}
Server C has a outbound connection configuration to server A, configured in its remoting
subsystem with appropriate security and other connection settings.
The "bar" application on server C invokes a SFSB from "foo"
application on server A. Server A sends back the cluster topology to server C and that
topology includes server B (and other nodes if any). Now server C has no knowledge on how
to connect to server B with the appropriate security credentials. The EJB client API falls
back on default connection options and will try to connect to server B, but that will
obviously fail because those defaults won't be applicable in a secured server
environment.
The infrastructure is in place, in EJB client API to dynamically connecting to the
cluster nodes. What we are missing is a way to let users configure this. For a remote
standalone client, we allow this via jboss-ejb-client.properties. We need something
similar but more applicable for a client hosted on the server, in the
jboss-ejb-client.xml.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
4691
days inactive
4691
days old
3 comments
2 participants
participants (2)
-
jaikiran pai (JIRA) -
Jason Greene (JIRA)