Hello.
I would like to understand if it is possible to have a web tier be the remote EJB client and not have any jboss-ejb-client.properites that expose security. I have this code:
private static Calculator lookupRemoteEJB() throws NamingException {
Properties jndiProps = new Properties();
jndiProps.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
jndiProps.put(Context.PROVIDER_URL,"remote://localhost:4447");
jndiProps.put(Context.SECURITY_PRINCIPAL, "webTier");
jndiProps.put(Context.SECURITY_CREDENTIALS, "secretpassword");
//create a context passing these properties
Context context = new InitialContext(jndiProps);
final String appName = "";
final String moduleName = "EJBSandbox";
final String distinctName = "";
final String beanName = CalculatorBean.class.getSimpleName();
final String viewClassName = Calculator.class.getName();
System.out.println("Looking EJB via JNDI ");
System.out.println(moduleName + "/" + distinctName + "/" + beanName + "!" + viewClassName);
return (Calculator) context.lookup(moduleName + "/" + beanName + "!" + viewClassName);
}
It works provided I have this jboss-ejb-client.properties in my classpath:
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false
remote.connections=default
remote.connection.default.host=127.0.0.1
remote.connection.default.port = 4447
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.default.username=webTier
remote.connection.default.password=secretpassword
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false
However, if I remove the user name and password from the properties file, I get this exception:
ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
No EJB receiver available for handling [appName:,modulename:EJBSandbox,distinctname:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@1a3a9bba
java.lang.IllegalStateException: No EJB receiver available for handling [appName:,modulename:EJBSandbox,distinctname:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@1a3a9bba
Is there a way to remove security information from the property file (or encrypt it minimally) so that this is not in clear text on a web server in the DMZ? Any concrete examples?