I'm trying to set up a simple application with JBoss 7.2 (EAP6.1alpha) which uses a custom login module. (Cannot use one of the standard modules as I need to retrieve information from a legacy system in the background - AS400 host)
Currently our login module works fine with JBoss 4.2.2. We implemented it by extending AbstractServerLoginModule. Tried the same procedure with the new JBoss...
This is just simple test stuff... (Stripped exception handling)
I configured the security system like this:
and annotated a bean that way:
jboss-ejb-client.properties (in CLI or Swing App)
This leads to the following exception:
JBAS014502: Invocation on method: public abstract java.lang.String a.b.c.D.test(java.lang.String) of bean: DImpl is not allowed
If I use "remote.connection.default.username=abcd"
There is another exception:
JBAS013323: Invalid User
It seems that login in general works, but what else happens there?!? What's missing?
Maybe I should mention that we don't use @RolesAllowed annotations. We have an interceptor which reads some more information from our Principal and uses it to determine whether a) the user is allowed to call that method in general and b) with certain parameters (for "visibility" reasons).
That's the first part of my problem...
Second is: I'd like to configure jboss-ejb-client.properties with the "remote.connection.default.callback.handler.class" property. If I set that property and a default username, there is an error that I cannot use both. If I only use my ClientCallbackHandler I get this:
javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Googled for half a day but it's getting even more unclear...
Password is a weird thing as well. Inside my login module it looks like this "a7ab0e54-6706-455e-947a-9fedc6c9b894".
So, here are the questions:
1. How to configure the ClientCallbackHandler?
2. How to change the LoginModule (or the configuration) that calling the method is possible after using a correct username?
3. How to see the correct password "test" inside the login module? (Need to pass it to the legacy system...)
Any really good tips / tutorials on this?
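For readers who, like the poster, are extending AbstractServerLoginModule for the first time on EAP 6, here is an added illustration (not the poster's code, and not from the thread) of the minimal shape such a module takes: it asks the container's CallbackHandler for a NameCallback and a PasswordCallback in login(), validates the pair, and exposes the identity and a "Roles" group through getIdentity() and getRoleSets(). The package name, the class name and the credential table standing in for the AS400 call are constructed assumptions.

```java
// Added example (not the poster's code): skeleton of a custom PicketBox login module
// for JBoss EAP 6 / AS 7 that extends AbstractServerLoginModule. The in-memory
// credential table is a constructed stand-in for the call to the legacy host.
package example.auth; // hypothetical package name

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Map;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;

import org.jboss.security.SimpleGroup;
import org.jboss.security.SimplePrincipal;
import org.jboss.security.auth.spi.AbstractServerLoginModule;

public class LegacyHostLoginModule extends AbstractServerLoginModule {

    // Constructed sample table: user "abcd" / password "test" as used in the thread.
    // A real module would consult the legacy system here instead.
    private static final Map<String, byte[]> LEGACY_TABLE = new HashMap<String, byte[]>();
    static {
        LEGACY_TABLE.put("abcd", "test".getBytes(StandardCharsets.UTF_8));
    }

    private Principal identity;

    @Override
    public boolean login() throws LoginException {
        loginOk = false; // protected field of the base class; commit() checks it
        NameCallback nameCb = new NameCallback("User name: ");
        PasswordCallback passCb = new PasswordCallback("Password: ", false);
        try {
            // The container-supplied handler (protected field callbackHandler) fills these in.
            callbackHandler.handle(new Callback[] { nameCb, passCb });
        } catch (IOException e) {
            throw new LoginException("Callback handling failed: " + e.getMessage());
        } catch (UnsupportedCallbackException e) {
            throw new LoginException("Callback not supported: " + e.getMessage());
        }
        String username = nameCb.getName();
        char[] password = passCb.getPassword(); // returns a copy
        passCb.clearPassword();
        if (username == null || password == null) {
            throw new FailedLoginException("User name or password not supplied");
        }
        try {
            if (!legacyHostAccepts(username, password)) {
                throw new FailedLoginException("Legacy host rejected the credentials");
            }
        } finally {
            Arrays.fill(password, '\0'); // do not keep the secret around longer than needed
        }
        identity = new SimplePrincipal(username);
        loginOk = true;
        return true;
    }

    @Override
    protected Principal getIdentity() {
        return identity;
    }

    @Override
    protected Group[] getRoleSets() throws LoginException {
        // JBoss reads the caller's application roles from a Group named "Roles".
        SimpleGroup roles = new SimpleGroup("Roles");
        roles.addMember(new SimplePrincipal("legacy-user")); // constructed role name
        return new Group[] { roles };
    }

    // Constructed stand-in for the legacy check; compares in constant time.
    private boolean legacyHostAccepts(String username, char[] password) {
        byte[] expected = LEGACY_TABLE.get(username);
        if (expected == null) {
            return false;
        }
        byte[] supplied = new String(password).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, supplied);
    }
}
```

The module only sees whatever the handler in front of it puts into the PasswordCallback, so what arrives there depends on how the security realm and the remoting connector hand credentials to the security domain; the thread itself reports that this differs between an application-bundled module and one deployed as an EAP module.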
posted 5 years ago
a little update...
I did a small AuthorizationModule (extending AbstractAuthorizationModule) to get my LoginModule to work.
On the client-side I debugged PropertiesBasedEJBClientConfiguration and found what was wrong with my CallbackHandler. Handling the RealmCallback was missing.
Now my client connects to the server, gets authenticated by its username and is able to call some business logic.
What's still missing:
There is NO call with a PasswordCallback if I use that jboss-ejb-client.properties
Inside the LoginModule I can only see the username that's being passed from client-side.
If I add
my method handle(Callback callbacks) has to provide
- username to a NameCallback
- password to a PasswordCallback
- realm to a RealmCallback
but afterwards I still see the following error
Does anybody know how to simply pass username AND password to the server-side? What's the right SASL mechanism?
I made the ApplicationRealm use "my" security domain:
Deploy the LoginModule to my domain as a module and not inside the application.
Make the LoginModule make use of the module via
After that remoting works with my CallbackHandler and it passes the password as cleartext to the server. (Next step will be to configure encryption/decryption of the password and send it to the external system.)
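As an added example (not the poster's code) of the client-side piece described in this post, here is a CallbackHandler that answers the three callbacks the poster lists: username to a NameCallback, password to a PasswordCallback and realm to a RealmCallback. It assumes the class is named in jboss-ejb-client.properties via the "remote.connection.default.callback.handler.class" property mentioned in the thread, that the EJB client library creates it through a public no-argument constructor, and that the realm is EAP's default ApplicationRealm; the package name and the property names used to source the credentials are constructed.

```java
// Added example (not the poster's code): client-side CallbackHandler for
// jboss-ejb-client.properties. Credential sources are constructed assumptions.
package example.client; // hypothetical package name

import java.io.Console;
import java.io.IOException;

import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import javax.security.sasl.RealmChoiceCallback;

public class ClientCallbackHandler implements CallbackHandler {

    // Hypothetical property names; "ApplicationRealm" is EAP's default realm name.
    private static final String USER_PROPERTY = "ejbclient.user";
    private static final String PASSWORD_PROPERTY = "ejbclient.password";
    private static final String DEFAULT_REALM = "ApplicationRealm";

    private final String username;
    private final char[] password;

    // Public no-arg constructor: the client library instantiates the handler by class name.
    public ClientCallbackHandler() {
        this.username = System.getProperty(USER_PROPERTY, "abcd"); // "abcd" as used in the thread
        this.password = readPassword();
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password); // the callback copies the array
            } else if (cb instanceof RealmCallback) {
                // Take the realm the server proposes; fall back to the well-known default.
                RealmCallback rc = (RealmCallback) cb;
                String proposed = rc.getDefaultText();
                rc.setText(proposed != null ? proposed : DEFAULT_REALM);
            } else if (cb instanceof RealmChoiceCallback) {
                RealmChoiceCallback rcc = (RealmChoiceCallback) cb;
                rcc.setSelectedIndex(rcc.getDefaultChoice());
            } else {
                // Refusing an unknown callback surfaces a mechanism mismatch instead of
                // letting the negotiation fail silently further down.
                throw new UnsupportedCallbackException(cb,
                        "Unsupported callback: " + cb.getClass().getName());
            }
        }
    }

    // Prefer an interactive prompt so the secret is not stored in a file or command line;
    // the system property is only a fallback for unattended runs (assumption).
    private static char[] readPassword() {
        Console console = System.console();
        if (console != null) {
            return console.readPassword("Password for EJB client: ");
        }
        String fromProperty = System.getProperty(PASSWORD_PROPERTY);
        return fromProperty == null ? new char[0] : fromProperty.toCharArray();
    }
}
```

Wiring it in would look like remote.connection.default.callback.handler.class=example.client.ClientCallbackHandler in the properties file (the property key is the one the thread names; the class name is this example's). Handling RealmCallback is what the poster found missing when debugging PropertiesBasedEJBClientConfiguration, and it is the branch most handlers copied from older JBoss versions leave out.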
posted 5 years ago
The tricky part was to understand that I have to deploy my LoginModule as a module in EAP. (I'm a beginner in JBoss7/EAP, so I'm still learning the differences between the "stone-age" version 4.2.2 and the new one...)