[jboss-dev-forums] [JBoss AS 7 Development] - Remote client access with database login module: user name and password are UUIDs

Frank Ulbricht do-not-reply at jboss.com
Fri Feb 24 07:25:51 EST 2012


Frank Ulbricht [https://community.jboss.org/people/f.ulbricht] created the discussion

"Remote client access with database login module: user name and password are UUIDs"

To view the discussion, visit: https://community.jboss.org/message/719442#719442

--------------------------------------------------------------
Hello there,

I have a simple application with a secured session bean. I want to invoke this bean from a remote client.

This is my configuration:

standalone.xml:

...
            <security-realm name="TutorialRealm">
                <authentication>
                    <jaas name="tutorial"/>
                </authentication>
            </security-realm>
...
        <subsystem xmlns="urn:jboss:domain:remoting:1.1">
            <connector name="remoting-connector" socket-binding="remoting" security-realm="TutorialRealm"/>
        </subsystem>
...
              <security-domain name="tutorial" cache-type="default">
                    <authentication>
                        <login-module code="Remoting" flag="optional">
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                        <login-module code="Database" flag="required">
                            <module-option name="dsJndiName" value="java:/TutorialDS"/>
                            <module-option name="principalsQuery" value="SELECT PASSWORD FROM SYSTEM_USER WHERE USER_NAME = ?"/>
                            <module-option name="rolesQuery" value="SELECT USER_ROLE, 'Roles' FROM SYSTEM_USER_ROLE WHERE USER_NAME = ?"/>
                            <module-option name="password-stacking" value="useFirstPass"/>
                        </login-module>
                    </authentication>
                </security-domain>
...

My bean looks like this (it just returns the current user, but this method was never called):

import java.security.Principal;

import javax.annotation.Resource;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Remote;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;

import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless(name = "Secured")
@Remote(SecuredRemote.class)
@SecurityDomain("tutorial")
public class SecuredBean implements SecuredRemote {

 @Resource
 private SessionContext sessionContext;

 @Override
 @RolesAllowed("role1")
 public String getCurrentUserName() {
  Principal principal = this.sessionContext.getCallerPrincipal();
  return principal.getName();
 }
}

In my ear I have a jboss-app.xml like this:

<jboss-app xmlns="http://www.jboss.com/xml/ns/javaee"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="7.0">
<security-domain>tutorial</security-domain>
</jboss-app>

My client code is this:

import java.util.Hashtable;
import java.util.Properties;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

import org.jboss.ejb.client.ContextSelector;
import org.jboss.ejb.client.EJBClientConfiguration;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

import com.qualitype.tutorial.remote.SecuredRemote;

@SuppressWarnings("nls")
public class Client {
 private static String applicationName = "test.ear";
 private static String remoteModuleName = "remote.jar";
 private static String userName = "admin";
 private static String password = "test";

 public static void main(final String[] args) {
  final Client client = new Client();
  try {
   client.run();
  } catch (final Exception ex) {
   ex.printStackTrace();
  }
 }

 public Client() {
  // create client configuration
  final EJBClientConfiguration clientConfiguration = new PropertiesBasedEJBClientConfiguration(
    createClientConfigurationProperties());
  // create a context selector
  final ContextSelector<EJBClientContext> contextSelector = new ConfigBasedEJBClientContextSelector(
    clientConfiguration);
  // set the selector for use
  EJBClientContext.setSelector(contextSelector);
 }

 public void run() throws Exception {  
  // lookup and use secured bean
  final SecuredRemote secured = lookupBean("Secured", SecuredRemote.class, false);
  System.out.println(secured.getCurrentUserName());
 }

 @SuppressWarnings("unchecked") // the JNDI lookup returns Object; the proxy implements viewClass
 private static <T> T lookupBean(final String beanName, final Class<T> viewClass, final boolean stateful)
   throws NamingException {
  final String lookupName = String.format("ejb:%1$s/%2$s/%3$s!%4$s?%5$s", applicationName, remoteModuleName,
    beanName, viewClass.getName(), stateful ? "stateful" : "stateless");
  return (T) getInitialContext().lookup(lookupName);
 }

 private static Context context;
 private static Context getInitialContext() throws NamingException {
  if (context == null) {
   final Hashtable<Object, Object> contextProperties = new Hashtable<>();
   contextProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
   contextProperties.put(Context.SECURITY_PRINCIPAL, userName);
   contextProperties.put(Context.SECURITY_CREDENTIALS, password);
   contextProperties.put("jboss.naming.client.ejb.context", true);
   contextProperties.put(Context.PROVIDER_URL, "remote://localhost:4447");
   //contextProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
   context = new InitialContext(contextProperties);
  }
  return context;
 }

 private static Properties createClientConfigurationProperties() {
  final Properties properties = new Properties();
  properties.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false");
  properties.put("remote.connections", "default");
  properties.put("remote.connection.default.host", "localhost");
  properties.put("remote.connection.default.port", "4447");
  properties.put("remote.connection.default.username", userName);
  properties.put("remote.connection.default.password", password);
  properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "true");
  // properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS","JBOSS-LOCAL-USER");
  properties.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
  return properties;
 }
}
 
The database query from the login module is executed, but using "jdbc.spy" I see that the user name is a random UUID. So I never see the entered user name on the server side. In the end there is of course this exception on the server side:
JBAS014134: EJB Invocation failed on component Secured for method public abstract java.lang.String com.qualitype.tutorial.remote.SecuredRemote.getCurrentUserName(): javax.ejb.EJBAccessException: JBAS013323: Invalid User
 
If I enable the "SASL_DISALLOWED_MECHANISMS" property the exception is: java.lang.IllegalStateException: No EJB receiver available for handling [...] combination
If I enable the "INITIAL_CONTEXT_FACTORY" property the exception is: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

As you can see, I use a lot of different properties. This is a collection copied from various samples from the forum. I think I tested nearly all combinations of them, but it always leads me to one of the exceptions above.

In my opinion the configuration on the server side should be alright. But I have a lot of doubts concerning the client configuration...
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/719442#719442]

Start a new discussion in JBoss AS 7 Development at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2225]
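Added example, not part of Frank's post or of JBoss itself: a small Python/sqlite3 simulation of what the Database login module does with the two queries from the standalone.xml above (sqlite uses the same `?` placeholders as JDBC). The schema and rows are constructed, and the `spy` list stands in for what jdbc.spy logs on the server, so it shows why a request whose bound user name is a random UUID can never match the admin row.

```python
import hmac
import sqlite3
import uuid

# The two queries are copied verbatim from the Database login module configuration above.
PRINCIPALS_QUERY = "SELECT PASSWORD FROM SYSTEM_USER WHERE USER_NAME = ?"
ROLES_QUERY = "SELECT USER_ROLE, 'Roles' FROM SYSTEM_USER_ROLE WHERE USER_NAME = ?"

# Constructed (hypothetical) schema and sample rows that satisfy those queries.
SCHEMA = """
CREATE TABLE SYSTEM_USER (USER_NAME TEXT PRIMARY KEY, PASSWORD TEXT NOT NULL);
CREATE TABLE SYSTEM_USER_ROLE (USER_NAME TEXT NOT NULL, USER_ROLE TEXT NOT NULL);
INSERT INTO SYSTEM_USER VALUES ('admin', 'test');
INSERT INTO SYSTEM_USER_ROLE VALUES ('admin', 'role1');
INSERT INTO SYSTEM_USER_ROLE VALUES ('admin', 'role2');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def authenticate(conn, user_name, password, spy=None):
    """Mimic the module's flow: principalsQuery, password check, then rolesQuery.

    spy, when given, is a list recording each (query, bound user name), which is what
    jdbc.spy shows. Returns {group: set(roles)} on success, None on unknown user/bad password.
    """
    if spy is not None:
        spy.append((PRINCIPALS_QUERY, user_name))
    row = conn.execute(PRINCIPALS_QUERY, (user_name,)).fetchone()
    # The configuration above sets no hashAlgorithm, so the stored value is compared
    # as-is; compare_digest keeps the comparison constant-time.
    if row is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return None
    if spy is not None:
        spy.append((ROLES_QUERY, user_name))
    roles = {}
    for role, group in conn.execute(ROLES_QUERY, (user_name,)):
        roles.setdefault(group, set()).add(role)  # second column names the role group
    return roles

if __name__ == "__main__":
    db = open_db()
    print(authenticate(db, "admin", "test"))  # {'Roles': {'role1', 'role2'}}
    log = []
    print(authenticate(db, str(uuid.uuid4()), "test", log))  # None: a UUID never matches
    print(log[0][1])  # the random UUID that jdbc.spy would show as the bound user name
```

The second call reproduces the symptom in the post: the query runs, but the bound parameter is a UUID rather than "admin", so the lookup fails before the password is ever compared.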
