Custom Login Module EAP6.1 / JBoss 7.2

Hi all,

I'm trying to setup a simple application with JBoss 7.2 (EAP6.1alpha) which uses a custom login module. (Cannot use one of the standard modules as I need to retrieve information from a legacy system in the background - AS400 host)

Currently our login module works fine with JBoss 4.2.2. We implemented it by extending AbstractServerLoginModule. Tried the same procedure with the new JBoss...

This is just simple teststuff... (Stripped exception handling)
@Override public boolean login() throws LoginException { NameCallback namecallback = new NameCallback("Enter username"); PasswordCallback passwordcallback = new PasswordCallback( "Enter password", false); CallbackHandler handler = this.callbackHandler; String username = ""; String password = ""; handler.handle(new Callback[] { namecallback, passwordcallback }); username = namecallback.getName(); char[] password2 = passwordcallback.getPassword(); password = new String(password2); System.out.println(username + " / " + password); if (username == null || password == null) { return false; } if ("test".equals(username)) { principal = new SimplePrincipal(username); loginOk = true; return true; } return false; } @Override protected Group[] getRoleSets() throws LoginException { Group[] groups = {}; return groups; }

I configured the security system like this:

<subsystem xmlns="urn:jboss:domain:security:1.2"> <security-domains> <security-domain name="first-domain" cache-type="default"> <authentication> <login-module code="x.y.z.FirstLoginModule" flag="required"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain> ...

and annoted a bean that way:

@SecurityDomain(value = "first-domain")

Client-side:

jboss-ejb-client.properties (in CLI or Swing App)
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false remote.connections=default remote.connection.default.host=localhost remote.connection.default.port = 4447 remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=true remote.connection.default.username=test remote.connection.default.password=test

This leads to the following exception:

JBAS014502: Invocation on method: public abstract java.lang.String a.b.c.D.test(java.lang.String) of bean: DImpl is not allowed

If I use "remote.connection.default.username=abcd"

There is another exception:

JBAS013323: Invalid User

It seems that login in general works, but what else happens there?!? What lacks?

Maybe I should mention that we don't use @RolesAllowed-Annotations. We have an Interceptor which reads some more information from our Principal and uses them to determine, if a) the user is allowed to call that method in general and b) with certain parameters (for "visibility"-reasons).

That's the first part of my problem...

Second is: I'd like to configure jboss-ejb-client.properties with the "remote.connection.default.callback.handler.class"-Property. If I set that property and a default username there is an error, that I cannot use both. If I only use my ClientCallbackHandler I get this:

javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

Googled for half a day but it's getting even more unclear...

Password is a weird thing as well. Inside my login module it looks like this "a7ab0e54-6706-455e-947a-9fedc6c9b894".

So, here are the questions:
1. How to configure the ClientCallbackHandler?
2. How to change the LoginModule (or the configuration) that calling the method is possible after using a correct username?
3. How to see the correct password "test" inside the login module? (Need to pass it to the legacy system...)

Any real good tipps / tutorials on this?

Kind regards,
Chris

Hi all,

a little update...

I did a small AuthorizationModule (extending AbstractAuthorizationModule) to get my LoginModule to work.

On the client-side I debugged PropertiesBasedEJBClientConfiguration and found what was wrong with my CallbackHandler. Handling the RealmCallback was missing.

Now my client connects to the server, gets authenticated by it's username and is able to call some business logic.

What's still missing:
There is NO call with a PasswordCallback if I use that jboss-ejb-client.properties

remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false remote.connections=default remote.connection.default.host=localhost remote.connection.default.port = 4447 remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false remote.connection.default.callback.handler.class=de.rlp.test.util.TestCallbackHandler

Inside the LoginModule I can only see the username that's being passed from client-side.

If I add

remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER

my method handle(Callback[] callbacks) has to provide
- username to a NameCallback
- password to a PasswordCallback
- realm to a RealmCallback

but afterwards I still see the following error

02.10.2013 12:51:20 org.jboss.remoting3.remote.RemoteConnection handleException ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed Exception in thread "main" java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:, moduleName:JB7, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@67e13e07 at org.jboss.ejb.client.EJBClientContext.requireEJBReceiver(EJBClientContext.java:693) at org.jboss.ejb.client.ReceiverInterceptor.handleInvocation(ReceiverInterceptor.java:116) at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:183) at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:177) at org.jboss.ejb.client.EJBInvocationHandler.doInvoke(EJBInvocationHandler.java:161) at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:124) at $Proxy0.hallo(Unknown Source) at a.b.c.HelloClient.main(HelloClient.java:78)

Does anybody know how to simply pass username AND password to the server-side? Wahat's the right SASL-mechanism?

Kind regards,
Chris

How did you add the user and password on the server side and to which realm did you add it?

I didn't add the user on the server side.

But I found a working solution one hour ago. My plan was to describe that one later if somebody else needs it...

Short solution: (described here: https://access.redhat.com/site/solutions/178323 - with some minor modifications)

I made the ApplicationRealm use "my" security domain:

<security-realm name="ApplicationRealm"> <authentication> <jaas name="first-domain"/> </authentication> </security-realm>

Deploy the LoginModule to my domain as a module and not inside the application.

module.xml
<?xml version="1.0" encoding="UTF-8"?> <module xmlns="urn:jboss:module:1.1" name="ownLogin"> <resources> <resource-root path="login.jar"/> </resources> <dependencies> <module name="org.picketbox"/> <module name="javax.api"/> <module name="org.jboss.logging"/> </dependencies> </module>

Make the LoginModule make use of the module via

<login-module code="a.b.c.login.FirstLoginModule" flag="required" module="ownLogin"> <module-option name="password-stacking" value="useFirstPass"/> </login-module>

After that remoting works with my CallbackHandler and it passes the password as cleartext to the server. (Next step will be to configure encryption/decryption of the password and send it to the external system.)

The tricky part was to understand that I have to deploy my LoginModule as a module in EAP. (I'm beginner in JBoss7/EAP, so I'm still learning the differences between the "stone-age"-version 4.2.2 and the new one...)

I didn't realize you had the application realm backed by JAAS from your earlier posts (I skipped some parts of the lengthy post), but glad to know you got it working!

Obviously I didn't find the right links last week...

https://community.jboss.org/message/739247#739247
<security-domain name="first-domain" cache-type="default"> <authentication> <login-module code="a.b.c.FirstLoginModule" flag="required" module="deployment.JB7.jar"> <module-option name="password-stacking" value="useFirstPass"/> </login-module> </authentication> </security-domain>

The solution with "linking" the realm to own security-domain to use JAAS is quite new...