Matze Json

Hi Folks,

I have two different Glassfish Server instances running, one of v2 the other is v3.
On the v2 server runs an EJB offering a Remote interface. This EJB is secured via SSL, i. e. the deployment descriptor sun-ejb-jar contains the following lines:

<ejb>
<ejb-name>PsiCtrBean</ejb-name>
<jndi-name>ems.ebs.control.PsiCtrRemote</jndi-name>
<ior-security-config>
<transport-config>
<integrity>required</integrity>
<confidentiality>required</confidentiality>
<establish-trust-in-target>supported</establish-trust-in-target>
<establish-trust-in-client>required</establish-trust-in-client>
</transport-config>
<sas-context>
<caller-propagation>supported</caller-propagation>
</sas-context>
</ior-security-config>
</ejb>

On the v2 server the standard IIOP listeners are active, i. e. the unsecured listener on port 3700, the SSL listener on port 3820 and the mutual authentication SSL listener on port 3920.

My aim is to call the Remote EJB using mutual authentication over SSL from a web applicaton (war) running on the v3 server. If I call the EJB over the unsecured port 3700 (without the above-mentioned deployment descriptor lines) everything works fine.
But when I try to call the EJB over the port 3920 it doesn't work. The web client uses the following annotation:
@EJB(mappedName="corbaname:iiop:localhost:3920#ems.ebs.control.PsiCtrRemote")
I get the following error message:

com.sun.faces.mgbean.ManagedBeanCreationException: Bei der Ressourcen-Einspeisung auf dem verwalteten Bean SessionBeanGeneral ist ein Fehler aufgetreten.
at com.sun.faces.mgbean.BeanBuilder.injectResources(BeanBuilder.java:211)
at com.sun.faces.mgbean.BeanBuilder.build(BeanBuilder.java:103)
at com.sun.faces.mgbean.BeanManager.createAndPush(BeanManager.java:405)
at com.sun.faces.mgbean.BeanManager.create(BeanManager.java:267)
at com.sun.faces.el.ManagedBeanELResolver.getValue(ManagedBeanELResolver.java:86)
at javax.el.CompositeELResolver.getValue(CompositeELResolver.java:175)
at com.sun.faces.el.FacesCompositeELResolver.getValue(FacesCompositeELResolver.java:72)
at com.sun.el.parser.AstIdentifier.getValue(AstIdentifier.java:99)
at com.sun.el.parser.AstValue.getValue(AstValue.java:158)
at com.sun.el.ValueExpressionImpl.getValue(ValueExpressionImpl.java:219)
at org.jboss.weld.el.WeldValueExpression.getValue(WeldValueExpression.java:71)
at com.sun.faces.facelets.el.TagValueExpression.getValue(TagValueExpression.java:102)
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:190)
at javax.faces.component.ComponentStateHelper.eval(ComponentStateHelper.java:178)
at javax.faces.component.UIOutput.getValue(UIOutput.java:168)
at com.sun.faces.renderkit.html_basic.HtmlBasicInputRenderer.getValue(HtmlBasicInputRenderer.java:205)
at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.getCurrentValue(HtmlBasicRenderer.java:338)
at com.sun.faces.renderkit.html_basic.HtmlBasicRenderer.encodeEnd(HtmlBasicRenderer.java:164)
at javax.faces.component.UIComponentBase.encodeEnd(UIComponentBase.java:878)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1620)
at javax.faces.render.Renderer.encodeChildren(Renderer.java:168)
at javax.faces.component.UIComponentBase.encodeChildren(UIComponentBase.java:848)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1613)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1616)
at javax.faces.component.UIComponent.encodeAll(UIComponent.java:1616)
at com.sun.faces.application.view.FaceletViewHandlingStrategy.renderView(FaceletViewHandlingStrategy.java:380)
at com.sun.faces.application.view.MultiViewHandler.renderView(MultiViewHandler.java:126)
at javax.faces.application.ViewHandlerWrapper.renderView(ViewHandlerWrapper.java:273)
at com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:127)
at com.sun.faces.lifecycle.Phase.doPhase(Phase.java:101)
at com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:139)
at javax.faces.webapp.FacesServlet.service(FacesServlet.java:313)
at org.apache.catalina.core.StandardWrapper.service(StandardWrapper.java:1523)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:279)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:188)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:641)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:97)
at com.sun.enterprise.web.PESessionLockingStandardPipeline.invoke(PESessionLockingStandardPipeline.java:85)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:185)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:325)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:226)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:165)
at com.sun.grizzly.http.ProcessorTask.invokeAdapter(ProcessorTask.java:791)
at com.sun.grizzly.http.ProcessorTask.doProcess(ProcessorTask.java:693)
at com.sun.grizzly.http.ProcessorTask.process(ProcessorTask.java:954)
at com.sun.grizzly.http.DefaultProtocolFilter.execute(DefaultProtocolFilter.java:170)
at com.sun.grizzly.DefaultProtocolChain.executeProtocolFilter(DefaultProtocolChain.java:135)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:102)
at com.sun.grizzly.DefaultProtocolChain.execute(DefaultProtocolChain.java:88)
at com.sun.grizzly.http.HttpProtocolChain.execute(HttpProtocolChain.java:76)
at com.sun.grizzly.ProtocolChainContextTask.doCall(ProtocolChainContextTask.java:53)
at com.sun.grizzly.SelectionKeyContextTask.call(SelectionKeyContextTask.java:57)
at com.sun.grizzly.ContextTask.run(ContextTask.java:69)
at com.sun.grizzly.util.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:330)
at com.sun.grizzly.util.AbstractThreadPool$Worker.run(AbstractThreadPool.java:309)
at java.lang.Thread.run(Thread.java:619)
Caused by: com.sun.faces.spi.InjectionProviderException: com.sun.enterprise.container.common.spi.util.InjectionException: Exception attempting to inject Remote ejb-ref name=psiCtrBeanEjb,Remote 3.x interface =ems.ebs.control.PsiCtrRemote,ejb-link=null,lookup=null,mappedName=,jndi-name=corbaname:iiop:localhost:3920#ems.ebs.control.PsiCtrRemote,refType=Session into class psigui.control.SessionBeanGeneral
at org.glassfish.faces.integration.GlassFishInjectionProvider.inject(GlassFishInjectionProvider.java:98)
at com.sun.faces.mgbean.BeanBuilder.injectResources(BeanBuilder.java:205)
... 55 more
Caused by: com.sun.enterprise.container.common.spi.util.InjectionException: Exception attempting to inject Remote ejb-ref name=psiCtrBeanEjb,Remote 3.x interface =ems.ebs.control.PsiCtrRemote,ejb-link=null,lookup=null,mappedName=,jndi-name=corbaname:iiop:localhost:3920#ems.ebs.control.PsiCtrRemote,refType=Session into class psigui.control.SessionBeanGeneral
at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl._inject(InjectionManagerImpl.java:614)
at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.inject(InjectionManagerImpl.java:384)
at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl.injectInstance(InjectionManagerImpl.java:168)
at org.glassfish.faces.integration.GlassFishInjectionProvider.inject(GlassFishInjectionProvider.java:94)
... 56 more
Caused by: javax.naming.NamingException: Lookup failed for 'java:comp/env/psiCtrBeanEjb' in SerialContext [Root exception is javax.naming.NamingException: Exception resolving Ejb for 'Remote ejb-ref name=psiCtrBeanEjb,Remote 3.x interface =ems.ebs.control.PsiCtrRemote,ejb-link=null,lookup=null,mappedName=,jndi-name=corbaname:iiop:localhost:3920#ems.ebs.control.PsiCtrRemote,refType=Session' . Actual (possibly internal) Remote JNDI name used for lookup is 'corbaname:iiop:localhost:3920#ems.ebs.control.PsiCtrRemote__3_x_Internal_RemoteBusinessHome__' [Root exception is org.omg.CORBA.BAD_PARAM: vmcid: OMG minor code: 9 completed: No]]
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:442)
at javax.naming.InitialContext.lookup(InitialContext.java:392)
at com.sun.enterprise.container.common.impl.util.InjectionManagerImpl._inject(InjectionManagerImpl.java:513)
... 59 more
Caused by: javax.naming.NamingException: Exception resolving Ejb for 'Remote ejb-ref name=psiCtrBeanEjb,Remote 3.x interface =ems.ebs.control.PsiCtrRemote,ejb-link=null,lookup=null,mappedName=,jndi-name=corbaname:iiop:localhost:3920#ems.ebs.control.PsiCtrRemote,refType=Session' . Actual (possibly internal) Remote JNDI name used for lookup is 'corbaname:iiop:localhost:3920#ems.ebs.control.PsiCtrRemote__3_x_Internal_RemoteBusinessHome__' [Root exception is org.omg.CORBA.BAD_PARAM: vmcid: OMG minor code: 9 completed: No]
at com.sun.ejb.EjbNamingReferenceManagerImpl.resolveEjbReference(EjbNamingReferenceManagerImpl.java:174)
at com.sun.enterprise.container.common.impl.ComponentEnvManagerImpl$EjbReferenceProxy.create(ComponentEnvManagerImpl.java:1040)
at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.lookup(GlassfishNamingManagerImpl.java:688)
at com.sun.enterprise.naming.impl.GlassfishNamingManagerImpl.lookup(GlassfishNamingManagerImpl.java:657)
at com.sun.enterprise.naming.impl.JavaURLContext.lookup(JavaURLContext.java:148)
at com.sun.enterprise.naming.impl.SerialContext.lookup(SerialContext.java:428)



I added the s1as key of the v2 server to the truststore of the v3 server and vice versa, so the key setup should be correctly in place.

How can I tell the v3 server or the web app to use SSL when calling the EJB? In an application client or a standalone client you have to specify the keystore and so on via system properties of via command line arguments, where is this information specified in a web module?
There are a lot of tutorials out there dealing with access from a application client or standalone client to a SSL secured EJB, but I didn't found anything in respect of web clients.

Please help, I try to solve this problem for over a week now and don't get any step further...

Thanks in advance,
Martin

Hi,
I want to access a secured @Remote EJB running on an Glassfish v2 instance from a WebClient (WAR) running on another Glassfish v3 instance.

When not securing the Remote EJB via file-realm basic username/password authentication, access from the WAR is no problem simply using annotations @EJB(mappedName="Location of EJB").

But when the EJB is secured - which is pretty usual as also in my case the two applications are running on different machines - then getting access seems to be quite complicated (or what am I doing wrong?!):
1. is there a way to provide the username and password a) via annotations or b) deployment descriptors?

2. if not, how can one lookup the Remote EJB in the Web Client via InitialContext?! Unfortunately, the FAQ in this respect (https://glassfish.dev.java.net/javaee5/ejb/EJB_FAQ.html) does not says anything on accessing secured EJBs and the solution for properties provided there for standalone apps regarding the EJB lookup do not work:
I tried it this way:
Properties props = new Properties();

props.setProperty("java.naming.factory.initial","com.sun.enterprise.naming.SerialInitContextFactory");
props.setProperty("java.naming.factory.url.pkgs","com.sun.enterprise.naming");
props.setProperty("java.naming.factory.state","com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl");
props.setProperty("org.omg.CORBA.ORBInitialHost", "localhost");
props.setProperty("org.omg.CORBA.ORBInitialPort", "3700");
props.put("java.naming.security.principal", "username");
props.put("java.naming.security.credentials", "password");

ic = new InitialContext(props);

myBean = (MyBean) ic.lookup("ejb/MyBean");

but I get the following error:
javax.naming.NoInitialContextException: Cannot instantiate class: com.sun.enterprise.naming.SerialInitContextFactory [Root exception is java.lang.ClassNotFoundException: com.sun.enterprise.naming.SerialInitContextFactory]
at com.sun.enterprise.naming.GlassFishNamingBuilder.createInitialContextFactory(GlassFishNamingBuilder.java:100)

3. I also tried adding a security constraint (basic authentication with username and password) to the web client hoping the security identity is propagated to the Remote EJB, but that failed also with the exception (although I am not using the RunAs annotation):
iiop.secmechanism_exception
com.sun.enterprise.iiop.security.SecurityMechanismException: Cannot propagate username/password required by target when using run as identity
at com.sun.enterprise.iiop.security.SecurityMechanismSelector.propagateIdentity(SecurityMechanismSelector.java:641)


Can anyone help on this issue?
It can't be so complicated to just call a secured remote EJB from a web client, I think that this is a very common scenario! What am I doing wrong?
Thanks a lot!