JBoss AS 7 remote standalone client auth

I have an EAR deployed on JBoss AS7 with this jboss-app.xml:

<jboss-app xmlns="http://www.jboss.com/xml/ns/javaee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           version="7.0" xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee ">
    <!-- every EJB in this EAR is secured by the FooDomain security domain -->
    <security-domain>FooDomain</security-domain>
</jboss-app>

In standalone.xml I have:

<security-realm name="ApplicationRealm">
    <authentication>
        <!-- the Remoting/SASL layer on port 4447 authenticates against the FooDomain JAAS domain -->
        <jaas name="FooDomain"/>
    </authentication>
</security-realm>
...
<security-domain name="FooDomain" cache-type="default">
    <authentication>
        <!-- "Remoting" reuses the identity already established by the remoting connection
             and, via password-stacking, hands it to the next module instead of prompting again -->
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <!-- no hashAlgorithm/hashEncoding option is set, so the value returned by
             principalsQuery is compared with the supplied password as plain text -->
        <login-module code="Database" flag="required">
            <module-option name="dsJndiName" value="java:/MyDS"/>
            <module-option name="principalsQuery" value="select password from users where user_id=?"/>
            <module-option name="rolesQuery" value="select role, 'Roles' from roles where user_id=?"/>
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
    </authentication>
</security-domain>

I can look up an EJB from a standalone client, and authentication succeeds, when I use code like this:

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

final Hashtable<Object, Object> p = new Hashtable<Object, Object>();
// lets "ejb:" names be resolved through the EJB client API
p.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
p.put(Context.SECURITY_PRINCIPAL, username);
p.put(Context.SECURITY_CREDENTIALS, password);
p.put("jboss.naming.client.ejb.context", true);
p.put(Context.PROVIDER_URL, "remote://10.10.1.18:4447");
// "false" permits SASL mechanisms that send the password in clear (PLAIN);
// the connection itself is not TLS-protected here, so this matters on untrusted networks
p.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
p.put(Context.INITIAL_CONTEXT_FACTORY, org.jboss.naming.remote.client.InitialContextFactory.class.getName());
context = new InitialContext(p); // declared as Context context; throws NamingException

The problem is that if I provide wrong credentials, I see this in the debug console:

javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed

but I can't catch it.

Server logs (unimportant parts cut):

TRACE [DatabaseServerLoginModule] initialize
TRACE [DatabaseServerLoginModule] Security domain: FooDomain
TRACE [DatabaseServerLoginModule] DatabaseServerLoginModule, dsJndiName=java:/MyDS
TRACE [DatabaseServerLoginModule] principalsQuery=select password from users where user_id=?
TRACE [DatabaseServerLoginModule] rolesQuery=select role, 'Roles' from roles where user_id=?
TRACE [DatabaseServerLoginModule] suspendResume=true
TRACE [DatabaseServerLoginModule] login
TRACE [DatabaseServerLoginModule] suspendAnyTransaction
TRACE [DatabaseServerLoginModule] Excuting query: select password from users where user_id=?, with username: test
TRACE [DatabaseServerLoginModule] Obtained user password
TRACE [DatabaseServerLoginModule] resumeAnyTransaction
DEBUG [DatabaseServerLoginModule] Bad password for username=test
TRACE [DatabaseServerLoginModule] abort

When I try to use LoginContext, nothing at all happens on the server. Configuration:

import java.util.HashMap;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class DefaultJassConfiguration extends Configuration {
    @Override
    public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
        // same single entry is returned whatever application name is asked for
        Map<String, Object> options = new HashMap<String, Object>();
        options.put("debug", true);
        AppConfigurationEntry[] entries = {
                new AppConfigurationEntry("org.jboss.security.ClientLoginModule",
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)
        };
        return entries;
    }
}

Test

import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.jboss.security.auth.callback.UsernamePasswordHandler;

Configuration.setConfiguration(new DefaultJassConfiguration());
try {
    LoginContext lc = new LoginContext("FooDomain", new UsernamePasswordHandler("test", "test".toCharArray()));
    lc.login();
    System.out.println(lc.getSubject());
} catch (LoginException e) {
    e.printStackTrace();
}

Perhaps LoginContext doesn't know the server address? I tried adding

System.setProperty("java.naming.provider.url", "remote://10.10.1.18:4447");

but with no effect.

How can I make LoginContext work? Or how can I catch the SaslException? I am considering making a dummy bean with a method that always returns true and calling it after login, but that looks ugly.

P.S. I'm sorry for my English (It makes me a bit shy)



Solution 1:[1]

ClientLoginModule is not currently supported on AS7: all that login module does is associate the username and password with a thread local; it does not perform any real authentication.

Regarding the InitialContext, you should be seeing an exception thrown when you try to use it.
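The answer says the failure surfaces when the context is used rather than when it is built. The following is an added example, not code from the question, the answer, or JBoss itself, showing one way to turn that into a catchable condition: construct the context and force a first server round trip inside the same try block, then walk the NamingException's cause chain for a javax.security.sasl.SaslException. The server address is the one from the question; the JNDI name, the class and method names and the BadCredentialsException type are assumptions made for the example.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.sasl.SaslException;

/** Added example (hypothetical class name): a remote-naming login check for JBoss AS7. */
public class RemoteLoginCheck {

    /** Hypothetical exception type raised when the SASL layer rejected the credentials. */
    public static final class BadCredentialsException extends Exception {
        BadCredentialsException(String msg, Throwable cause) { super(msg, cause); }
    }

    /**
     * Opens a remote naming context with the given credentials and forces a round trip to the
     * server by looking up jndiName. Every failure arrives as a NamingException; if a SaslException
     * is anywhere in its cause chain the login was rejected, otherwise the failure is re-thrown as is.
     */
    public static Context connect(String providerUrl, String username, String password, String jndiName)
            throws NamingException, BadCredentialsException {
        final Hashtable<Object, Object> p = new Hashtable<Object, Object>();
        p.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
        p.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        p.put(Context.PROVIDER_URL, providerUrl);
        p.put(Context.SECURITY_PRINCIPAL, username);
        p.put(Context.SECURITY_CREDENTIALS, password);
        p.put("jboss.naming.client.ejb.context", true);
        // Same setting as in the question: allows plaintext SASL mechanisms such as PLAIN.
        // Keep it only where the transport is protected (TLS) or the network is trusted.
        p.put("jboss.naming.client.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

        Context ctx = null;
        try {
            ctx = new InitialContext(p);
            // Do not trust the constructor alone: a rejected login may only be reported
            // once the context is used, so perform a lookup before returning it.
            ctx.lookup(jndiName);
            return ctx;
        } catch (NamingException e) {
            closeQuietly(ctx);
            SaslException sasl = findCause(e, SaslException.class);
            if (sasl != null) {
                throw new BadCredentialsException(
                        "Authentication rejected for user " + username + ": " + sasl.getMessage(), e);
            }
            throw e;
        }
    }

    /** Walks the cause chain (including NamingException's root cause) looking for the given type. */
    static <T extends Throwable> T findCause(Throwable t, Class<T> type) {
        Throwable cur = t;
        int guard = 0; // defensive bound in case a cause chain is cyclic
        while (cur != null && guard++ < 32) {
            if (type.isInstance(cur)) {
                return type.cast(cur);
            }
            Throwable next = cur.getCause();
            if (next == null && cur instanceof NamingException) {
                next = ((NamingException) cur).getRootCause();
            }
            cur = next;
        }
        return null;
    }

    static void closeQuietly(Context ctx) {
        if (ctx == null) {
            return;
        }
        try {
            ctx.close();
        } catch (NamingException ignored) {
            // nothing useful to do while already handling a failure
        }
    }

    public static void main(String[] args) {
        // Assumed values: the server from the question and a hypothetical name bound under
        // java:jboss/exported on that server, which the remote naming service serves directly.
        String url = "remote://10.10.1.18:4447";
        String jndiName = "ping"; // resolves to java:jboss/exported/ping on the server (assumption)
        try {
            Context ctx = connect(url, "test", "wrong-password", jndiName);
            System.out.println("Authenticated; context is usable");
            ctx.close();
        } catch (BadCredentialsException e) {
            System.out.println("Login rejected: " + e.getMessage());
        } catch (NamingException e) {
            System.out.println("Naming failure unrelated to credentials: " + e);
        }
    }
}
```

The lookup is deliberately of a name served by the remote naming service itself rather than an "ejb:" name: an "ejb:" lookup through the EJB client API is satisfied with a client-side proxy, so it does not on its own prove that the server accepted the credentials. If an EJB is the only thing exported, invoke a method on the looked-up proxy inside the same try block instead, which is what the dummy-bean idea in the question amounts to.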

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Darran L