• Post Reply Bookmark Topic Watch Topic
  • New Topic

Custom Login Module EAP6.1 / JBoss 7.2

 
Christian Dillinger
Ranch Hand
Posts: 200
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi all,

I'm trying to setup a simple application with JBoss 7.2 (EAP6.1alpha) which uses a custom login module. (Cannot use one of the standard modules as I need to retrieve information from a legacy system in the background - AS400 host)

Currently our login module works fine with JBoss 4.2.2. We implemented it by extending AbstractServerLoginModule. Tried the same procedure with the new JBoss...

This is just simple teststuff... (Stripped exception handling)


I configured the security system like this:



and annoted a bean that way:



Client-side:

jboss-ejb-client.properties (in CLI or Swing App)


This leads to the following exception:

JBAS014502: Invocation on method: public abstract java.lang.String a.b.c.D.test(java.lang.String) of bean: DImpl is not allowed

If I use "remote.connection.default.username=abcd"

There is another exception:

JBAS013323: Invalid User

It seems that login in general works, but what else happens there?!? What lacks?

Maybe I should mention that we don't use @RolesAllowed-Annotations. We have an Interceptor which reads some more information from our Principal and uses them to determine, if a) the user is allowed to call that method in general and b) with certain parameters (for "visibility"-reasons).

That's the first part of my problem...

Second is: I'd like to configure jboss-ejb-client.properties with the "remote.connection.default.callback.handler.class"-Property. If I set that property and a default username there is an error, that I cannot use both. If I only use my ClientCallbackHandler I get this:

javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

Googled for half a day but it's getting even more unclear...

Password is a weird thing as well. Inside my login module it looks like this "a7ab0e54-6706-455e-947a-9fedc6c9b894".

So, here are the questions:
1. How to configure the ClientCallbackHandler?
2. How to change the LoginModule (or the configuration) that calling the method is possible after using a correct username?
3. How to see the correct password "test" inside the login module? (Need to pass it to the legacy system...)

Any real good tipps / tutorials on this?

Kind regards,
Chris
 
Christian Dillinger
Ranch Hand
Posts: 200
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Hi all,

a little update...

I did a small AuthorizationModule (extending AbstractAuthorizationModule) to get my LoginModule to work.

On the client-side I debugged PropertiesBasedEJBClientConfiguration and found what was wrong with my CallbackHandler. Handling the RealmCallback was missing.

Now my client connects to the server, gets authenticated by it's username and is able to call some business logic.

What's still missing:
There is NO call with a PasswordCallback if I use that jboss-ejb-client.properties



Inside the LoginModule I can only see the username that's being passed from client-side.

If I add



my method handle(Callback[] callbacks) has to provide
- username to a NameCallback
- password to a PasswordCallback
- realm to a RealmCallback

but afterwards I still see the following error



Does anybody know how to simply pass username AND password to the server-side? Wahat's the right SASL-mechanism?

Kind regards,
Chris
 
Jaikiran Pai
Sheriff
Posts: 10447
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
How did you add the user and password on the server side and to which realm did you add it?
 
Christian Dillinger
Ranch Hand
Posts: 200
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I didn't add the user on the server side.

But I found a working solution one hour ago. My plan was to describe that one later if somebody else needs it...

Short solution: (described here: https://access.redhat.com/site/solutions/178323 - with some minor modifications)

I made the ApplicationRealm use "my" security domain:



Deploy the LoginModule to my domain as a module and not inside the application.

module.xml


Make the LoginModule make use of the module via



After that remoting works with my CallbackHandler and it passes the password as cleartext to the server. (Next step will be to configure encryption/decryption of the password and send it to the external system.)
 
Christian Dillinger
Ranch Hand
Posts: 200
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
The tricky part was to understand that I have to deploy my LoginModule as a module in EAP. (I'm beginner in JBoss7/EAP, so I'm still learning the differences between the "stone-age"-version 4.2.2 and the new one...)
 
Jaikiran Pai
Sheriff
Posts: 10447
227
IntelliJ IDE Ubuntu
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
I didn't realize you had the application realm backed by JAAS from your earlier posts (I skipped some parts of the lengthy post), but glad to know you got it working!
 
Christian Dillinger
Ranch Hand
Posts: 200
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
Obviously I didn't find the right links last week...

https://community.jboss.org/message/739247#739247


The solution with "linking" the realm to own security-domain to use JAAS is quite new...
 
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!