Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-16149

[GSS](7.2.z) JBREM000308: Authentication failed (no mechanisms left) when EJB invocations across servers done with programatic auth

    XMLWordPrintable

Details

    • ?
    • Hide

      Create a user on the target server for example username: 'txn-user', password: 'txn-user-pa$$w0rd'. Then you'd need to add an authentication-client to the elytron subsystem JBoss instance, see these CLI commands:

      ./bin/add-user.sh -a -u txn-user -p 'txn-user-pa$$w0rd'

      /subsystem=elytron/authentication-configuration=ejb-auth:add(authentication-name="txn-user", credential-reference={clear-text="txn-user-pa$$w0rd"})
/subsystem=elytron/authentication-context=default:add(match-rules=[{authentication-configuration=ejb-auth}])
/subsystem=elytron:write-attribute(name=default-authentication-context,value=default)

      This would result in an elytron configuration like this:

              ...
        <subsystem xmlns="urn:wildfly:elytron:1.2" default-authentication-context="default" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
            <authentication-client>
                <authentication-configuration name="ejb-auth" authentication-name="txn-user">
                    <credential-reference clear-text="txn-user-pa$$w0rd"/>
                </authentication-configuration>
                <authentication-context name="default">
                    <match-rule authentication-configuration="ejb-auth"/>
                </authentication-context>
            </authentication-client>
            ...
      Show
      Create a user on the target server for example username: 'txn-user', password: 'txn-user-pa$$w0rd'. Then you'd need to add an authentication-client to the elytron subsystem JBoss instance, see these CLI commands: ./bin/add-user.sh -a -u txn-user -p 'txn-user-pa$$w0rd' /subsystem=elytron/authentication-configuration=ejb-auth:add(authentication-name= "txn-user" , credential-reference={clear-text= "txn-user-pa$$w0rd" }) /subsystem=elytron/authentication-context= default :add(match-rules=[{authentication-configuration=ejb-auth}]) /subsystem=elytron:write-attribute(name= default -authentication-context,value= default ) This would result in an elytron configuration like this: ... <subsystem xmlns= "urn:wildfly:elytron:1.2" default -authentication-context= " default " final -providers= "combined-providers" disallowed-providers= "OracleUcrypto" > <authentication-client> <authentication-configuration name= "ejb-auth" authentication-name= "txn-user" > <credential-reference clear-text= "txn-user-pa$$w0rd" /> </authentication-configuration> <authentication-context name= " default " > <match-rule authentication-configuration= "ejb-auth" /> </authentication-context> </authentication-client> ...
    • Hide

      *Take EAP 7.2
      unzip -d $JBOSS_HOME/ eap72-reproducer-overlay.zip
      ./start1.sh
      ./start2.sh
      ./test.sh*
      ------
      To run the 2nd reproducer jbeap-13963-reproducer.jar, setup eap72-reproducer-overlay.zip and then deploy the 2nd reproducer:
      Deploy jbeap-13963-reproducer.jar to standalone and standalone2 from eap72-reproducer-overlay.zip
      java -cp ./jbeap-13963-reproducer.jar:$JBOSS_HOME/bin/client/jboss-client.jar:$JBOSS_HOME/bin/client/jboss-cli-client.jar client.Client

      Show
      *Take EAP 7.2 unzip -d $JBOSS_HOME/ eap72-reproducer-overlay.zip ./start1.sh ./start2.sh ./test.sh* ------ To run the 2nd reproducer jbeap-13963-reproducer.jar, setup eap72-reproducer-overlay.zip and then deploy the 2nd reproducer: Deploy jbeap-13963-reproducer.jar to standalone and standalone2 from eap72-reproducer-overlay.zip java -cp ./jbeap-13963-reproducer.jar:$JBOSS_HOME/bin/client/jboss-client.jar:$JBOSS_HOME/bin/client/jboss-cli-client.jar client.Client

    Description

      standalone client -> EAP1 EJB1 -> EAP2 EJB2

      EAP1 fails when trying to finish the transaction with this error below, because it lost the authentication context. The EJB clients are using the WildFlyInitialContextFactory lookup approach.

      This issue is similar to JBEAP-15738 , except JBEAP-15738 was server to server config via remote outbound connections configured in the JBoss profile instead of WildFlyInitialContextFactory approach.

      public static Context getInitialContext(String host, Integer port, String username, String password)  throws NamingException {
   Properties props = new Properties();
   props.put(Context.INITIAL_CONTEXT_FACTORY,  "org.wildfly.naming.client.WildFlyInitialContextFactory");
   props.put(Context.PROVIDER_URL, String.format("%s://%s:%d", "remote+http", host, port));
   if(username != null && password != null) {
      props.put(Context.SECURITY_PRINCIPAL, username);
      props.put(Context.SECURITY_CREDENTIALS, password);
    }
   return new InitialContext(props);
}

      Exception in thread "main" javax.ejb.EJBTransactionRolledbackException: javax.transaction.RollbackException: ARJUNA016053: Could not commit transaction.
  at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:114)
  at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:261)
  at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:362)
  at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:144)
  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
  at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
  at org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
  at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
  at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
  at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
  at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
...
Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not commit transaction.
  at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1300)
  at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
  at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
  at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77)
  at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
  at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:88)
  ... 41 more
Caused by: org.wildfly.transaction.client.SynchronizationException: javax.transaction.xa.XAException: WFTXN0034: Failed to acquire a connection for this operation
  at org.wildfly.transaction.client.XAOutflowedResources$1.beforeCompletion(XAOutflowedResources.java:76)
  at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236)
  at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247)
  at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292)
  at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
  at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:360)
  at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
  at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
  at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1288)
  ... 46 more
Caused by: javax.transaction.xa.XAException: WFTXN0034: Failed to acquire a connection for this operation
  at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentityXA(RemotingRemoteTransactionPeer.java:94)
  at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer$1.beforeCompletion(RemotingRemoteTransactionPeer.java:166)
  at org.wildfly.transaction.client.SubordinateXAResource.beforeCompletion(SubordinateXAResource.java:143)
  at org.wildfly.transaction.client.XAOutflowedResources$1.beforeCompletion(XAOutflowedResources.java:73)
  ... 54 more
Caused by: org.wildfly.security.auth.AuthenticationException: JBREM000308: Authentication failed (no mechanisms left), tried: (none)
  at org.jboss.remoting3.ConnectionPeerIdentityContext.doAuthenticate(ConnectionPeerIdentityContext.java:368)
  at org.jboss.remoting3.ConnectionPeerIdentityContext.authenticate(ConnectionPeerIdentityContext.java:174)
  at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:506)
  at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:495)
  at org.xnio.IoFuture$HandlingNotifier.notify(IoFuture.java:208)
  at org.xnio.AbstractIoFuture$NotifierRunnable.run(AbstractIoFuture.java:720)
  at org.xnio.IoUtils$2.execute(IoUtils.java:71)
  at org.xnio.AbstractIoFuture.runNotifier(AbstractIoFuture.java:693)
  at org.xnio.AbstractIoFuture$CompleteState.withNotifier(AbstractIoFuture.java:132)
  at org.xnio.AbstractIoFuture.addNotifier(AbstractIoFuture.java:570)
  at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:495)
  at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:434)
  at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
  at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentity(RemotingRemoteTransactionPeer.java:87)
  at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentityXA(RemotingRemoteTransactionPeer.java:92)
  ... 57 more

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. WFLY-9896 Server-server EJB transactional invocation rolls back if stateful bean is used and JBOSS-LOCAL-USER auth is not possible

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          incorporates

          Bug - A problem that impairs or prevents the functions of the product. EJBCLIENT-340 Ensure any AuthenticationContext associated with the invocation is propagated to the transaction call.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved

          Bug - A problem that impairs or prevents the functions of the product. WFTC-71 Ensure the current AuthenticationContext is captured by the SubordinateXAResource.

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Resolved
          is duplicated by

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-16651 [GSS](7.2.z) Transactional remote-outbound-connection to an older version results in an ARJUNA016045 WARN message

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          is related to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-15738 [GSS](7.2.z) Server-server EJB transactional invocation rolls back if stateful bean is used and JBOSS-LOCAL-USER auth is not possible

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-13963 [GSS](7.1.z) Server-server EJB transactional invocation rolls back if stateful bean is used and JBOSS-LOCAL-USER auth is not possible

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          relates to

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-17120 [GSS](7.2.z) Server-server EJB transactional invocation rolls back if MDB call remote EJB and JBOSS-LOCAL-USER auth is not possible

          • Critical - To be worked on immediately following BLOCKER issues.
          • Verified

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-17349 [GSS](7.2.z) EJB Recovery unable to authenticate when restarted server is trying to recover ejb xa transactions

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed

          Bug - A problem that impairs or prevents the functions of the product. JBEAP-18310 [GSS](7.4.z) EJB Recovery unable to authenticate when restarted server is trying to recover ejb xa transactions

          • Major - To be worked after higher priority work items are addressed. When the severity is high and the effort to change it is low to moderate, this term is chosen. Issues in this category likely have an existing workaround but implementation or execution may be non-trivial.
          • Closed
          links to

          Web Link KCS

          Activity

            People

              darran.lofthouse@redhat.com Darran Lofthouse
              rhn-support-bmaxwell Brad Maxwell
              Votes:
              0 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: