Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-24180

[GSS](7.4.z) WFCORE - Security domain cache can be created with type default when using a JAAS realm for remoting

XMLWordPrintable

    • False
    • None
    • False
    • +
    • Hide
      • Create the infinispan cache:
      /subsystem=infinispan/cache-container=security:add()
/subsystem=infinispan/cache-container=security/local-cache=auth-cache:add()
/subsystem=infinispan/cache-container=security/local-cache=auth-cache/component=expiration:add(lifespan=300000, max-idle=60000)
/subsystem=infinispan/cache-container=security/local-cache=auth-cache/memory=heap:add(size=1000)
/subsystem=infinispan/cache-container=security:write-attribute(name=default-cache, value=auth-cache)
reload
      • Create properties files for a security domain:
      cat ${JBOSS_HOME}/standalone/configuration/jbossws-users.properties
# A sample users.properties file for use with the UsersRolesLoginModule
kermit=therealfrog
cat ${JBOSS_HOME}/standalone/configuration/jbossws-roles.properties 
# A sample roles.properties file for use with the UsersRolesLoginModule
kermit=friend
      • Create the security-domain using properties files (default user in the application is kermit=therealfrog in the files and the application):
      /subsystem=security/security-domain=jaas-domain:add(cache-type=infinispan)
/subsystem=security/security-domain=jaas-domain/authentication=classic:add(login-modules=[{code=UsersRoles, flag=required, module-options={usersProperties=>"file://${jboss.server.config.dir}/jbossws-users.properties", rolesProperties=>"file://${jboss.server.config.dir}/jbossws-roles.properties", unauthenticatedIdentity=anonymous}}])
      • Create the jaas realm and assign to remote:
      /core-service=management/security-realm=jaas-realm:add()
/core-service=management/security-realm=jaas-realm/authentication=jaas:add(name=jaas-domain)
/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm, value=jaas-realm)
reload
      • Deploy the sample application sample-ejb.war.
      mvn clean package
      • In the standalone.conf add the following line to use byteman with the attached reproducer.btm.
      JAVA_OPTS="$JAVA_OPTS -javaagent:/path/to/byteman-download-4.0.19/lib/byteman.jar=script:/path/to/reproducer.btm,boot:/path/to/byteman-download-4.0.19/lib/byteman.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Dorg.jboss.byteman.verbose=true"
      • When booting up the server the infinispan cache will be delayed for 30 by a byteman rule.
      11:36:21,093 ERROR [stderr] (MSC service thread 1-3) -----> ConfigurationServiceConfigurator.accept sleeping 30s... security jaas-domain
      • During those 30s execute the ejb client in the application (it throws an error but the authentication is created with DefaultAuthenticationCacheFactory):
      java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient

      11:36:37,460 ERROR [stderr] (default task-1) -----> JNDIBasedSecurityManagement.createSecurityDomainContext org.jboss.as.security.plugins.DefaultAuthenticationCacheFactory@598ff108 org.picketbox:main:org.jboss.security.auth.callback.JBossCallbackHandler org.picketbox:main:org.jboss.security.authentication.JBossCachedAuthenticationManager
      • Once fully started after the 30s check the cache is not infinispan (LRUCache) executing the client again:
      java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient

      11:38:48,149 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.security.lru.LRUCache
      • If you don't execute the client during the 30s sleep the cache is infinispan:
      11:40:25,557 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.clustering.infinispan.DefaultCache
      Show
      Create the infinispan cache: /subsystem=infinispan/cache-container=security:add() /subsystem=infinispan/cache-container=security/local-cache=auth-cache:add() /subsystem=infinispan/cache-container=security/local-cache=auth-cache/component=expiration:add(lifespan=300000, max-idle=60000) /subsystem=infinispan/cache-container=security/local-cache=auth-cache/memory=heap:add(size=1000) /subsystem=infinispan/cache-container=security:write-attribute(name= default -cache, value=auth-cache) reload Create properties files for a security domain: cat ${JBOSS_HOME}/standalone/configuration/jbossws-users.properties # A sample users.properties file for use with the UsersRolesLoginModule kermit=therealfrog cat ${JBOSS_HOME}/standalone/configuration/jbossws-roles.properties # A sample roles.properties file for use with the UsersRolesLoginModule kermit=friend Create the security-domain using properties files (default user in the application is kermit=therealfrog in the files and the application): /subsystem=security/security-domain=jaas-domain:add(cache-type=infinispan) /subsystem=security/security-domain=jaas-domain/authentication=classic:add(login-modules=[{code=UsersRoles, flag=required, module-options={usersProperties=> "file: //${jboss.server.config.dir}/jbossws-users.properties" , rolesProperties=> "file://${jboss.server.config.dir}/jbossws-roles.properties" , unauthenticatedIdentity=anonymous}}]) Create the jaas realm and assign to remote: /core-service=management/security-realm=jaas-realm:add() /core-service=management/security-realm=jaas-realm/authentication=jaas:add(name=jaas-domain) /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=security-realm, value=jaas-realm) reload Deploy the sample application sample-ejb.war. mvn clean package In the standalone.conf add the following line to use byteman with the attached reproducer.btm . JAVA_OPTS= "$JAVA_OPTS -javaagent:/path/to/byteman-download-4.0.19/lib/byteman.jar=script:/path/to/reproducer.btm,boot:/path/to/byteman-download-4.0.19/lib/byteman.jar -Djboss.modules.system.pkgs=org.jboss.byteman -Dorg.jboss.byteman.verbose= true " When booting up the server the infinispan cache will be delayed for 30 by a byteman rule. 11:36:21,093 ERROR [stderr] (MSC service thread 1-3) -----> ConfigurationServiceConfigurator.accept sleeping 30s... security jaas-domain During those 30s execute the ejb client in the application (it throws an error but the authentication is created with DefaultAuthenticationCacheFactory): java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient 11:36:37,460 ERROR [stderr] (default task-1) -----> JNDIBasedSecurityManagement.createSecurityDomainContext org.jboss.as.security.plugins.DefaultAuthenticationCacheFactory@598ff108 org.picketbox:main:org.jboss.security.auth.callback.JBossCallbackHandler org.picketbox:main:org.jboss.security.authentication.JBossCachedAuthenticationManager Once fully started after the 30s check the cache is not infinispan (LRUCache) executing the client again: java -cp ${JBOSS_HOME}/bin/client/jboss-client.jar:target/classes com.redhat.sample.client.CalculatorClient 11:38:48,149 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.security.lru.LRUCache If you don't execute the client during the 30s sleep the cache is infinispan: 11:40:25,557 ERROR [stderr] (default task-1) -----> JBossCachedAuthenticationManager.isValid kermit cache=class org.jboss.as.clustering.infinispan.DefaultCache

      There is a race at server boot between the service for the security-domain and the remoting interface when configured to use a JAAS realm. The JaasService waits for the security-manager but not for the security-domain (here).

      This way the remoting can start when the security-domain is not ready yet and then, if there is a client call at this point, the authentication is created with an incorrect cache. In this scenario the security-domain is created in the JNDI lookup here with the default LRU cache. Finally when the security-domain is started by the boot process the cache is not replaced (these lines).

      The final issue is the security-domain and its authentication is using a default cache instead of a infinispan one. So if the security-domain was configured to use infinispan all those settings are lost.

        1. reproducer.btm
          0.9 kB
          Ricardo Martin Camarero

              rhn-support-rmartinc Ricardo Martin Camarero
              rhn-support-rmartinc Ricardo Martin Camarero
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: