[Beginner's Corner] - Re: Integrate JBoss 6 to AD - map groups to roles?
by Jonathan Turner
Jonathan Turner [https://community.jboss.org/people/earthwormgym] created the discussion
"Re: Integrate JBoss 6 to AD - map groups to roles?"
To view the discussion, visit: https://community.jboss.org/message/720171#720171
--------------------------------------------------------------
Hi,
I've been trying to get LDAP auth against Active Directory working for the admin-console. After reading many posts and trying many different configuration options I'm still not having any luck.
I have tried the following two options as ones I thought made sense in my login-config.xml
Option 1:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://adserver.domain.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="bindDN">domain\searchuser</module-option>
      <module-option name="bindCredential">search.user.passwd</module-option>
      <module-option name="baseCtxDN">DC=DOMAIN,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">DC=DOMAIN,DC=com</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
The idea here is that it looks in the login user's entry for the memberOf attributes, which returns the groups, and then gets the cn for each of these groups to match against the role I configure in the admin-console's web.xml.
I see from a Wireshark capture of the LDAP queries that it binds successfully and the queries return as they should, but I still get access denied.
Option 2:
<application-policy name="jmx-console">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://adserver.domain.com:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="bindDN">domain\searchuser</module-option>
      <module-option name="bindCredential">search.user.passwd</module-option>
      <module-option name="baseCtxDN">DC=DOMAIN,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">DC=DOMAIN,DC=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleRecursion">5</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
    </login-module>
  </authentication>
</application-policy>
The idea here is that it queries for all the groups that the login user is a member of and then to the cn of the group for the role to match against that configured in the web.xml.
Again I see the queries via wireshark and they seem to work.
The login user is definitely in the group that I'm using for the role.
Any ideas? My next step is going to be to download the source and remote debug the login module. Is there something obvious I'm getting wrong?
Thanks
--------------------------------------------------------------
[EJB3] - javax.naming.NamingException: Could not dereference object [Root exception is java.lang.reflect.org.jboss.remoting.InvocationFailureException: Unable to perform invocation; nested exception is: java.io.EOFException: end of file]
by Sarang Anajwala
Sarang Anajwala [https://community.jboss.org/people/saranganajwala] created the discussion
"javax.naming.NamingException: Could not dereference object [Root exception is java.lang.reflect.org.jboss.remoting.InvocationFailureException: Unable to perform invocation; nested exception is: java.io.EOFException: end of file]"
To view the discussion, visit: https://community.jboss.org/message/720081#720081
--------------------------------------------------------------
Getting the following exception while trying to connect to a remote EJB.
I tried to send 500 requests (through a for-loop in a Java client program) to the EJB.... about 400 went through and then I started getting this error, so certainly this is not a classpath issue or code issue.
Anything related to configuration?
Version: "JBoss AS 6.1.Final"
*javax.naming.NamingException: Could not dereference object [Root exception is java.lang.reflect.UndeclaredThrowableException]*
at org.jnp.interfaces.NamingContext.getObjectInstanceWrapFailure(NamingContext.java:1508)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:824)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:688)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
at ManageDataMining.setUp(ManageDataMining.java:66)
at ManageDataMining.main(ManageDataMining.java:39)
*Caused by: java.lang.reflect.UndeclaredThrowableException*
at $Proxy0.createProxyBusiness(Unknown Source)
at org.jboss.ejb3.proxy.impl.objectfactory.session.SessionProxyObjectFactory.createProxy(SessionProxyObjectFactory.java:129)
at org.jboss.ejb3.proxy.impl.objectfactory.session.stateless.StatelessSessionProxyObjectFactory.getProxy(StatelessSessionProxyObjectFactory.java:79)
at org.jboss.ejb3.proxy.impl.objectfactory.ProxyObjectFactory.getObjectInstance(ProxyObjectFactory.java:161)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
at org.jnp.interfaces.NamingContext.getObjectInstance(NamingContext.java:1483)
at org.jnp.interfaces.NamingContext.getObjectInstanceWrapFailure(NamingContext.java:1500)
... 5 more
*Caused by: org.jboss.remoting.InvocationFailureException: Unable to perform invocation; nested exception is:*
* java.io.EOFException: end of file*
at org.jboss.remoting.transport.socket.SocketClientInvoker.handleException(SocketClientInvoker.java:146)
at org.jboss.remoting.transport.socket.MicroSocketClientInvoker.transport(MicroSocketClientInvoker.java:956)
at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:169)
at org.jboss.remoting.Client.invoke(Client.java:2070)
at org.jboss.remoting.Client.invoke(Client.java:879)
at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:60)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.proxy.impl.remoting.IsLocalProxyFactoryInterceptor.invoke(IsLocalProxyFactoryInterceptor.java:104)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
... 12 more
*Caused by: java.io.EOFException: end of file*
at org.jboss.remoting.transport.socket.MicroSocketClientInvoker.transport(MicroSocketClientInvoker.java:903)
at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:169)
at org.jboss.remoting.Client.invoke(Client.java:2070)
at org.jboss.remoting.Client.invoke(Client.java:879)
at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:60)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.ejb3.proxy.impl.remoting.IsLocalProxyFactoryInterceptor.invoke(IsLocalProxyFactoryInterceptor.java:104)
at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
at org.jboss.aspects.remoting.PojiProxy.invoke(PojiProxy.java:62)
at $Proxy0.createProxyBusiness(Unknown Source)
at org.jboss.ejb3.proxy.impl.objectfactory.session.SessionProxyObjectFactory.createProxy(SessionProxyObjectFactory.java:129)
at org.jboss.ejb3.proxy.impl.objectfactory.session.stateless.StatelessSessionProxyObjectFactory.getProxy(StatelessSessionProxyObjectFactory.java:79)
at org.jboss.ejb3.proxy.impl.objectfactory.ProxyObjectFactory.getObjectInstance(ProxyObjectFactory.java:161)
at javax.naming.spi.NamingManager.getObjectInstance(NamingManager.java:304)
at org.jnp.interfaces.NamingContext.getObjectInstance(NamingContext.java:1483)
at org.jnp.interfaces.NamingContext.getObjectInstanceWrapFailure(NamingContext.java:1500)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:824)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:688)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
at ManageDataMining.setUp(ManageDataMining.java:66)
at ManageDataMining.main(ManageDataMining.java:39)
at org.jboss.aspects.remoting.InvokeRemoteInterceptor.invoke(InvokeRemoteInterceptor.java:72)
... 16 more
--------------------------------------------------------------
[JBoss Tools] - Excited about JBoss AS 7.1 Part I: Deployable Datasources
by Max Rydahl Andersen
Max Rydahl Andersen [https://community.jboss.org/people/maxandersen] modified the blog post:
"Excited about JBoss AS 7.1 Part I: Deployable Datasources"
To view the blog post, visit: https://community.jboss.org/community/tools/blog/2012/02/28/excited-about...
--------------------------------------------------------------
I’m posting about three features which I have had a personal interest in making it into AS 7.1 and the upcoming JBoss Enterprise Application Platform (EAP) 6.
Today the topic is Deployable datasources.
h1. Deployable datasources
Deployable file-based datasources (named -ds.xml) have been a feature of JBoss for ages, but in the redesign and release of AS 7.0 they did not make it in. That made it an unfortunate requirement for users to have their server running and use either the raw management API or the Admin Console to set up even the simplest datasource. You could do tricks like using @DataSourceDefinition annotations, but it is not nice having to compile Java code just to wire up a datasource.
AS 7.1 finally fixes this issue and brings back -ds.xml, and even includes support for deploying JMS destinations (https://github.com/jbossas/jboss-as/blob/master/testsuite/integration/bas...) via a -jms.xml file too, but that will be for another blog.
What does such a -ds.xml look like, then? Here is a simple one for an hsqldb running on localhost:
<?xml version="1.0" encoding="UTF-8"?>
<datasources xmlns="http://www.jboss.org/ironjacamar/schema">
  <datasource
      jndi-name="java:jboss/datasources/employeedb"
      enabled="true"
      use-java-context="true" pool-name="employeedb">
    <connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
    <driver>hsqldb.jar</driver>
    <pool></pool>
    <security>
      <user-name>sa</user-name>
      <password></password>
    </security>
  </datasource>
</datasources>
The XML tags do what you would expect: they configure a datasource with the proper JDBC connection URL, username, password and so forth.
If you want to know all the details about this file format, see the IronJacamar documentation (http://docs.jboss.org/ironjacamar/userguide/1.0/en-US/html/deployment.htm...) for all the options available, such as pool sizes.
Armed with this -ds.xml plus a matching driver jar, which in this case is named hsqldb.jar, you can copy the two files to the deployments folder of AS 7.1, and from then on the datasource named java:jboss/datasources/employeedb can be used by any application running on the server.
h2. Creating -ds.xml with JBoss Tools
I actually did not manually type up that -ds.xml file for my local running hsqldb database, nor did I manually deploy the driver.jar. I used a new wizard that is coming in JBoss Tools 3.3 Beta1, which takes the connection information I already have set up in Eclipse and creates the right files for me; if I update the files it will also update the deployments.
Once this wizard has run I simply right-click the -ds.xml + driver.jar and select ‘Mark as Deployable’ on them. This deploys them to my server, and if I make changes to the -ds.xml the changes get copied over directly and AS will pick them up shortly after.
I find it exciting that we now not only have a file format for defining datasources, but also that they are separate deployable resources together with a driver jar which both can be easily shared on a team.
h2. The fine print
A few caveats/tricks for this approach are:
* I prefer deploying datasources independent of my application, but you can put the -ds.xml inside your application META-INF or WEB-INF directory and it will be deployed together with the application.
* The JDBC driver needs to be JDBC 4 compatible to be deployable out of the deployment directory. In the rare case your driver is not JDBC 4 compatible then you will need to deploy it as a module in AS 7.
* The datasource can not be modified/managed via the Admin Console since it is a deployed resource and not part of the managed API of AS 7 - if you wish full admin control you will have to configure the datasource via the management API or admin console. As I understand it over time the admin console is set to include support for at least a read-only view of these file based datasources.
* If you wanted to connect to an h2 database you would not need to copy the driver jar, but simply refer to <driver>h2</driver> instead, and it will pick up the default embedded h2 database driver in AS 7.
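As an added example (not part of the original post or of JBoss Tools), here is a small pre-deployment check for the -ds.xml format shown above: it confirms the driver jar sits next to the -ds.xml unless the embedded h2 driver is referenced, and flags credentials kept inline in the file. The function names and finding messages are this example's own, and flagging inline passwords is a reviewer's check, not something AS 7.1 enforces.

```python
import xml.etree.ElementTree as ET
from pathlib import Path

NS = "{http://www.jboss.org/ironjacamar/schema}"  # namespace of the -ds.xml shown above
EMBEDDED_DRIVERS = {"h2"}  # the post notes AS 7 ships this driver, so no jar is needed

def audit_ds_xml(xml_text, deployed_files):
    """Return findings for one -ds.xml; deployed_files are the names in deployments/."""
    root = ET.fromstring(xml_text)
    if root.tag != NS + "datasources":
        return ["root element is not <datasources> in the IronJacamar namespace"]
    findings = []
    for ds in root.findall(NS + "datasource"):
        name = ds.get("jndi-name", "<no jndi-name>")
        driver = (ds.findtext(NS + "driver") or "").strip()
        if not driver:
            findings.append(f"{name}: no <driver> element")
        elif driver not in EMBEDDED_DRIVERS and driver not in deployed_files:
            findings.append(f"{name}: driver {driver} is not in the deployments folder")
        sec = ds.find(NS + "security")
        user = sec.findtext(NS + "user-name") if sec is not None else None
        if user is not None:
            if (sec.findtext(NS + "password") or "") == "":
                findings.append(f"{name}: user {user} has an empty password")
            else:
                findings.append(f"{name}: password for {user} is stored in clear text")
    return findings

def audit_deployments(folder):
    """Audit every *-ds.xml in a deployments folder; returns {file name: findings}."""
    names = {p.name for p in Path(folder).iterdir()}
    return {p.name: audit_ds_xml(p.read_text(encoding="utf-8"), names)
            for p in sorted(Path(folder).glob("*-ds.xml"))}

# Constructed sample: the hsqldb datasource from the post (XML declaration omitted).
SAMPLE_DS = """<datasources xmlns="http://www.jboss.org/ironjacamar/schema">
  <datasource jndi-name="java:jboss/datasources/employeedb" enabled="true"
              use-java-context="true" pool-name="employeedb">
    <connection-url>jdbc:hsqldb:hsql://localhost:1701</connection-url>
    <driver>hsqldb.jar</driver>
    <pool></pool>
    <security><user-name>sa</user-name><password></password></security>
  </datasource>
</datasources>"""

if __name__ == "__main__":
    for finding in audit_ds_xml(SAMPLE_DS, {"employeedb-ds.xml"}):
        print(finding)
```

Because -ds.xml files are meant to be shared across a team, a check like this fits in the build or review step before the file reaches a shared deployments folder.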
h2. Tomorrow
Tomorrow the topic is how AS 7.1 is secured by default but is still developer friendly.
--------------------------------------------------------------
[Performance Tuning] - Slow download speed with JBoss 4.23 on Windows
by Thorsten W.
Thorsten W. [https://community.jboss.org/people/thwi] created the discussion
"Slow download speed with JBoss 4.23 on Windows"
To view the discussion, visit: https://community.jboss.org/message/719917#719917
--------------------------------------------------------------
Hi all,
my company is hosting JBoss on Windows Servers (2003 (R2), 2008 (R2)) as well as on SuSE SLES 11.
We're still using JBoss 4.2.3 but plan to switch to 7.1 this year.
We've detected a strange download issue with JBoss on (any of our) Windows servers. The download speed of static files (we've tested with a static 200 zip file) is much slower than with IIS or with Linux JBoss installations.
While on localhost JBoss and IIS were both able to deliver the file with up to 160 MByte/s (as fast as the disk could), we've detected a bigger difference when we try that e.g. 10 network hops away: There we had the situation that IIS was able to transfer the file with 4 MByte/s while JBoss only could transfer with 1,6MByte/s.
We tried the same thing with a server in the US, which is 14 hops away from us (Germany): IIS transferred with 400KByte/s while JBoss only transferred with 150KByte/s - with Apache in front connected via AJP the download speed increased up to 200KByte/s, but still half as fast as IIS.
I've experimented with several JBoss Connector settings, e.g. maxKeepAliveRequests, keepAliveTimeout, connectionTimeout, acceptCount,
and context.xml settings, cacheMaxSize="204800" cacheTTL="60000" cachingAllowed="true", but it made no difference.
The question is whether this is related to suboptimal connection settings in JBoss, or whether e.g. a bad MTU setting is slowing down the transfers?
Thanks,
Thorsten
--------------------------------------------------------------