
[GSS](7.2.z) WFLY-13381 - Unable to disable security on EJB over Http endpoint


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Major
    • Fix Version/s: 7.2.9.CR1, 7.2.9.GA
    • Affects Version/s: 7.2.0.GA
    • Component/s: EJB

      Workaround #1 - create a user, and have all clients specify that user / pass.

      Workaround #2

      • configure a security realm / security domain that always returns the same principal / groups for remoting / undertow
      • put a wildfly-config.xml in the standalone client, or in the application running in JBoss, with the config shown below; it configures an arbitrary user / pass (they can be anything, they will not be used)
      embed-server
      
      echo "create TestSecurityDomain that will always return principal=anonymous and roles=anonymous"
      /subsystem=security/security-domain=TestSecurityDomain:add()
      /subsystem=security/security-domain=TestSecurityDomain/authentication=classic:add(login-modules=[{code=Identity,flag=required, module-options={principal=anonymous,roles=anonymous}}])
      
      echo "Create a TestRealm using TestSecurityDomain"
      /core-service=management/security-realm=TestRealm:add()
      /core-service=management/security-realm=TestRealm/authentication=jaas:add(name=TestSecurityDomain)
      /core-service=management/security-realm=TestRealm/server-identity=ssl:add(keystore-path=application.keystore,keystore-relative-to=jboss.server.config.dir, keystore-password=password, alias=server, key-password=password, generate-self-signed-certificate-host=localhost)
      
      echo "Change Remoting from ApplicationRealm to TestRealm"
      /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm,value=TestRealm)
      
      echo "Configure undertow to use TestRealm"
      /subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=security-realm,value=TestRealm)
      /subsystem=undertow/server=default-server/https-listener=https:write-attribute(name=security-realm,value=TestRealm)
      
      echo "Change the default EJB to use TestSecurityDomain which the EJB side will use"
      /subsystem=ejb3:write-attribute(name=default-security-domain,value=TestSecurityDomain)
      
      echo "Remove ApplicationRealm to make sure we are testing TestRealm"
      /core-service=management/security-realm=ApplicationRealm:remove()
      

      wildfly-config.xml :

      <?xml version="1.0" ?>
      <configuration>
          <authentication-client xmlns="urn:elytron:1.0">
              <authentication-rules>
                  <rule use-configuration="all"/>
              </authentication-rules>
              <authentication-configurations>
                  <configuration name="all">
                      <set-user-name name="anonymous"/>
                      <credentials>
                          <clear-password password="anonymous"/>
                      </credentials>
                  </configuration>
              </authentication-configurations>
          </authentication-client>
      </configuration>
      

      unzip -d $JBOSS_HOME/ reproducer-overlay.zip

      Starting with this system property set will reproduce the error:
      ./bin/standalone.sh -DuseHttp

      Starting without the system property set uses remote+http, and the invocation works fine, just as it does when security-realm="ApplicationRealm" is removed from the remoting subsystem.

      ./bin/standalone.sh


    Description

      For EJB over remote+http / http-remoting, removing the security-realm from the http-connector disables security and allows any remote client to connect to the endpoint without authenticating.

              <subsystem xmlns="urn:jboss:domain:remoting:4.0">
                  <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
              </subsystem>
      

      For EJB over HTTP the invocation goes through the http-invoker in undertow; removing the ApplicationRealm from that http-invoker:

              <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other">
      ...
                      <host name="default-host" alias="localhost">
                          <location name="/" handler="welcome-content"/>
                          <http-invoker security-realm="ApplicationRealm"/>
                      </host>
                  </server>
      

      It fails with:

      18:10:16,660 ERROR [org.jboss.as.ejb3.invocation] (default task-1) WFLYEJB0034: EJB Invocation failed on component Hello for method public abstract java.lang.String com.jboss.examples.ejb.Hello.sayHello(java.lang.String): java.lang.IllegalArgumentException: Parameter 'identity' may not be null
      	at org.wildfly.common.Assert.checkNotNullParamChecked(Assert.java:71)
      	at org.wildfly.common.Assert.checkNotNullParam(Assert.java:49)
      	at org.wildfly.security.auth.server.SecurityDomain.forIdentity(SecurityDomain.java:187)
      	at org.jboss.as.security.service.SimpleSecurityManager.push(SimpleSecurityManager.java:313)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:52)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor$1.run(SecurityContextInterceptor.java:49)
      	at org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:97)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.deployment.processors.EjbSuspendInterceptor.processInvocation(EjbSuspendInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
      	at org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)
      	at org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
      	at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
      	at org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
      	at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeWithIdentity(AssociationImpl.java:556)
      	at org.jboss.as.ejb3.remote.AssociationImpl.invokeMethod(AssociationImpl.java:537)
      	at org.jboss.as.ejb3.remote.AssociationImpl.lambda$receiveInvocationRequest$0(AssociationImpl.java:195)
      	at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      	at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1985)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1487)
      	at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1378)
      	at java.lang.Thread.run(Thread.java:748)
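      As an added check, not part of this issue or of JBoss EAP's own tooling, the following Python script parses a constructed standalone.xml excerpt and reports, for the two EJB endpoints the description covers (the remoting http-connector and the undertow http-invoker), whether any authentication is configured on them. It assumes the remoting 4.0 and undertow 7.0 namespaces shown above and also recognises the Elytron attributes sasl-authentication-factory and http-authentication-factory; an endpoint with neither a realm nor a factory is open to any client (and, on the affected build, the http-invoker case also fails with the exception above).

```python
"""Audit a standalone.xml excerpt for EJB endpoints with no authentication configured."""
import xml.etree.ElementTree as ET

REMOTING_NS = "urn:jboss:domain:remoting:4.0"
UNDERTOW_NS = "urn:jboss:domain:undertow:7.0"

# Constructed excerpt, not a real server's config: the remoting connector
# still names ApplicationRealm, the undertow http-invoker has had it removed.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:8.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:remoting:4.0">
      <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:7.0" default-server="default-server">
      <server name="default-server">
        <host name="default-host" alias="localhost">
          <location name="/" handler="welcome-content"/>
          <http-invoker/>
        </host>
      </server>
    </subsystem>
  </profile>
</server>"""

def auth_of(elem, *attrs):
    """Return the first configured auth attribute as 'name=value', or None if none is set."""
    for attr in attrs:
        if elem.get(attr) is not None:
            return "%s=%s" % (attr, elem.get(attr))
    return None

def audit_ejb_endpoints(xml_text):
    """Map every remoting http-connector and undertow http-invoker to its auth setting."""
    root = ET.fromstring(xml_text)
    findings = {}
    for conn in root.iter("{%s}http-connector" % REMOTING_NS):
        # legacy security-realm, or the Elytron sasl-authentication-factory
        findings["remoting/http-connector=%s" % conn.get("name")] = auth_of(
            conn, "security-realm", "sasl-authentication-factory")
    for host in root.iter("{%s}host" % UNDERTOW_NS):
        invoker = host.find("{%s}http-invoker" % UNDERTOW_NS)
        if invoker is not None:
            findings["undertow/host=%s/http-invoker" % host.get("name")] = auth_of(
                invoker, "security-realm", "http-authentication-factory")
    return findings

def unauthenticated(findings):
    """Endpoints with no realm and no authentication factory: anyone can invoke them."""
    return sorted(name for name, auth in findings.items() if auth is None)
```

      To check a real server, pass the contents of its standalone.xml to audit_ejb_endpoints() and review what unauthenticated() returns.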
      

            People

              rhn-support-ivassile Ilia Vassilev
              rhn-support-bmaxwell Brad Maxwell