  1. Application Server 7
  2. AS7-4309

EJB client API implementation is missing configuration which enables "silent auth" for cluster nodes

Details

    • Bug
    • Resolution: Done
    • Major
    • 7.1.2.Final (EAP)
    • 7.1.1.Final
    • EJB, Security
    • None
      Disabling silent auth could be considered a workaround:

      jpai:

      But ultimately, if you are really testing security then better switch off (explicitly) the silent auth mechanism or run the client on a different system. To disable silent auth, add the following property to each of the connection configurations:

      remote.connection.<connection-name>.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
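
      An added example, not part of the original issue or of the EJB client project: a small audit that lists which connections in a `jboss-ejb-client.properties`-style file still lack the workaround property above. It assumes connection names are listed under the `remote.connections` key; the sample file contents and the function names are constructed for illustration.

```python
# Added example: audit jboss-ejb-client.properties-style text for connections
# that still allow the JBOSS-LOCAL-USER ("silent auth") SASL mechanism.

OPTION = "connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS"
LOCAL_MECH = "JBOSS-LOCAL-USER"


def parse_properties(text):
    """Parse simple key=value lines; skips blanks and '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def connections_allowing_silent_auth(text):
    """Return connection names whose config does not disallow JBOSS-LOCAL-USER."""
    props = parse_properties(text)
    # Assumption: connection names come from the remote.connections list.
    listed = props.get("remote.connections", "").split(",")
    names = [n.strip() for n in listed if n.strip()]
    exposed = []
    for name in names:
        value = props.get(f"remote.connection.{name}.{OPTION}", "")
        # Accept comma- or space-separated mechanism lists.
        mechs = {m.strip() for m in value.replace(",", " ").split()}
        if LOCAL_MECH not in mechs:
            exposed.append(name)
    return exposed


# Constructed sample: "one" carries the workaround property, "two" does not.
SAMPLE = """\
remote.connections=one, two
remote.connection.one.host=127.0.0.1
remote.connection.one.port=4447
remote.connection.one.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.two.host=127.0.0.1
remote.connection.two.port=4547
"""

if __name__ == "__main__":
    for name in connections_allowing_silent_auth(SAMPLE):
        print(f"connection '{name}': silent auth (JBOSS-LOCAL-USER) still allowed")
```
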
      
    Description

      rhusar:

      No authentication mechanism is specified in the test and the remoting connector has a security realm set-up (by default) but I am invoking SLSB with no problem.

      11:31:12,630 INFO [org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager] (ejb-client-cluster-node-connection-creation-3-thread-2) Could not create a connection for cluster node ClusterNode{clusterName='ejb', nodeName='node-1', clientMappings=[ClientMapping{sourceNetworkAddress=/0:0:0:0:0:0:0:0, sourceNetworkMaskBits=0, destinationAddress='127.0.0.1', destinationPort=4547}], resolvedDestination=[Destination address=127.0.0.1, destination port=4547]} in cluster ejb: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
          at org.jboss.ejb.client.remoting.IoFutureHelper.get(IoFutureHelper.java:91)
          at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:91)
          at org.jboss.ejb.client.ClusterContext$EJBReceiverAssociationTask.run(ClusterContext.java:333)
          at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:441)
          at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
          at java.util.concurrent.FutureTask.run(FutureTask.java:138)
          at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
          at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
          at java.lang.Thread.run(Thread.java:662)
      Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)
          at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
          at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
          at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
          at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
          at org.xnio.nio.NioHandle.run(NioHandle.java:90)
          at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
          at ...asynchronous invocation...(Unknown Source)
          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
          at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
          at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
          at org.jboss.ejb.client.remoting.RemotingConnectionClusterNodeManager.getEJBReceiver(RemotingConnectionClusterNodeManager.java:89)
          ... 7 more 
      

      jpai:

      The reason why the invocation to the bean works is because the client is being run from the same machine as the server. As a result, the "silent auth" mechanism, as explained in the "Local clients" section of this doc [1], comes into the picture. The EJB client API by default has this mechanism enabled for connections it creates.

      Now the reason why you see that stacktrace which indicates a failure to create an auto connection to a node in the cluster is because the EJB client API implementation is missing this piece of configuration which enables "silent auth" for cluster nodes. We need to fix that to make it consistent with how we handle non-cluster node connection creation.

      [1] https://community.jboss.org/wiki/AS710Beta1-SecurityEnabledByDefault

            People

              jaikiran Jaikiran Pai (Inactive)
              rhn-engineering-rhusar Radoslav Husar