How can I enable unsecured and secured EJB access on JBoss EAP 7?

Solution Unverified - Updated

Environment

  • Red Hat JBoss Enterprise Application Platform
    • 7.x

Issue

How can I configure JBoss EAP 7 to allow remote access to unsecured EJB so that it can be accessed without a username/password?

I would like to configure EAP 7 so that when I provide user/password, my login chain will be called. When no user/password is provided, it's an anonymous call that gets to the server as well. The "anonymous user" won't have any roles, therefore he is only allowed to call EJBs annotated with "@PermitAll".

Resolution

Enable anonymous SASL authentication on the http-remoting-connector. Anonymous authentication is disabled by default; to enable it, add the following properties to the http-remoting-connector in the remoting subsystem:

        <subsystem xmlns="urn:jboss:domain:remoting:3.0">
            <endpoint></endpoint>
            <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm">
                <properties>
                    <property name="SASL_MECHANISMS" value="ANONYMOUS,PLAIN"></property>
                    <property name="SASL_POLICY_NOANONYMOUS" value="false"></property>
                </properties>
            </http-connector>
        </subsystem>

Here is a test client (HelloClient.java) and a jboss-ejb-client.properties file. The test client first connects to an unsecured EJB using anonymous authentication (through the connection defined in jboss-ejb-client.properties, which carries no credentials). The client then sets the username/password programmatically and invokes a secured EJB.

As previously mentioned, anonymous authentication is disabled by default. Making this change relaxes some security checks.

HelloClient.java:

package jboss.example.ejb;

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;

import org.apache.log4j.PropertyConfigurator;

import org.jboss.ejb.client.ContextSelector;
import org.jboss.ejb.client.EJBClientConfiguration;
import org.jboss.ejb.client.EJBClientContext;
import org.jboss.ejb.client.PropertiesBasedEJBClientConfiguration;
import org.jboss.ejb.client.remoting.ConfigBasedEJBClientContextSelector;

public class HelloClient
{
    public static void main(String[] args) throws Exception
    {
        PropertyConfigurator.configure("log4j.properties");

        testEJBClient();         // anonymous call to the unsecured Hello EJB
        testSecuredEJBClient();  // authenticated call to the secured GoodBye EJB
    }

    // Uses the connection defined in jboss-ejb-client.properties (on the classpath).
    // That connection carries no username/password, so the SASL ANONYMOUS mechanism
    // enabled on the http-remoting-connector is negotiated.
    private static void testEJBClient() throws Exception
    {
        System.out.println("*** EJB Client API ***");
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

        InitialContext ctx = new InitialContext(env);

        Object obj = ctx.lookup("ejb:SimpleEAR_EJB3/SimpleEAR_EJB3//Hello!jboss.example.ejb.Hello");

        Hello ejbObject = (Hello) obj;
        System.out.println(ejbObject.sayHello());

        System.out.println("*** EJB Client API ***");
    }

    // Builds the connection programmatically with credentials, so PLAIN (not ANONYMOUS)
    // is negotiated and the server's login chain is invoked for the secured EJB.
    private static void testSecuredEJBClient() throws Exception
    {
        System.out.println("*** EJB Client API ***");

        java.util.Properties p = new java.util.Properties();
        p.put("remote.connections", "node1");
        p.put("remote.connection.node1.protocol", "http-remoting");
        p.put("remote.connection.node1.port", "8080");  // the default remoting port, replace if necessary
        p.put("remote.connection.node1.host", "localhost");  // the host, replace if necessary
        p.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "false"); // the server defaults to SSL_ENABLED=false
        p.put("remote.connection.node1.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false"); // allow PLAIN
        p.put("remote.connection.node1.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "DIGEST");
        p.put("remote.connection.node1.username", "admin");
        p.put("remote.connection.node1.password", "admin");

        // Install this configuration as the EJB client context for the current thread/JVM
        EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(p);
        ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
        EJBClientContext.setSelector(selector);

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

        InitialContext ctx = new InitialContext(env);

        Object obj = ctx.lookup("ejb:SimpleEAR_EJB3/SimpleEAR_EJB3//GoodBye!jboss.example.ejb.GoodBye");

        GoodBye goodByeObject = (GoodBye) obj;
        System.out.println(goodByeObject.sayGoodBye());

        System.out.println("*** EJB Client API ***");
    }
}

jboss-ejb-client.properties:

remote.connections=default
endpoint.name=client-endpoint
remote.connection.default.port=8080
remote.connection.default.host=localhost
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

# SSL related settings
#remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=true
#remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS=true

remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=DIGEST,DIGEST-MD5
# The following setting is required when deferring to JAAS
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

remote.connection.default.protocol=http-remoting

#remote.connection.default.username=admin
#remote.connection.default.password=testing
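The two beans the client looks up are not shown above. As an added example (not part of this solution's own code), here are minimal versions that make the intended authorization split explicit: the anonymous caller has no roles, so it can reach the @PermitAll bean but is rejected by the @RolesAllowed bean. The four sources are shown in one block separated by comments; the "other" security domain, the "admin" role name and the use of the remote caller principal are assumptions.

```java
// --- Hello.java: remote view the anonymous client looks up ---
package jboss.example.ejb;
import javax.ejb.Remote;
@Remote
public interface Hello {
    String sayHello();
}

// --- HelloBean.java: @PermitAll, so a caller with no roles (anonymous) may invoke it ---
package jboss.example.ejb;
import javax.annotation.Resource;
import javax.annotation.security.PermitAll;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless(name = "Hello")   // bean name used in the "Hello!jboss.example.ejb.Hello" lookup
@SecurityDomain("other")     // assumed: the default EAP 7 domain backed by ApplicationRealm
@PermitAll
public class HelloBean implements Hello {
    @Resource private SessionContext ctx;

    public String sayHello() {
        // Report who the container thinks is calling (the anonymous identity for SASL ANONYMOUS)
        return "Hello, " + ctx.getCallerPrincipal().getName();
    }
}

// --- GoodBye.java ---
package jboss.example.ejb;
import javax.ejb.Remote;
@Remote
public interface GoodBye {
    String sayGoodBye();
}

// --- GoodByeBean.java: @RolesAllowed, so an anonymous call fails with EJBAccessException ---
package jboss.example.ejb;
import javax.annotation.security.RolesAllowed;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;

@Stateless(name = "GoodBye")
@SecurityDomain("other")
@RolesAllowed("admin")       // assumed role; grant it to the test user in application-roles.properties
public class GoodByeBean implements GoodBye {
    public String sayGoodBye() {
        return "GoodBye";
    }
}
```

Deploy these in the SimpleEAR_EJB3 EAR referenced by the client's lookups; running HelloClient with the credentials removed from testSecuredEJBClient is a quick check that the secured bean really rejects the anonymous identity.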

Diagnostic Steps

Enable TRACE level logging on the following logging categories, then reproduce the issue and attach the server.log file:

            <logger category="org.jboss.as.domain.management.security">
                <level name="TRACE"/>
            </logger>
            <logger category="org.jboss.sasl">
                <level name="TRACE"/>
            </logger>
            <logger category="org.jboss.security">
                <level name="TRACE"/>
            </logger>
            <logger category="org.jboss.as.ejb3">
                <level name="TRACE"/>
            </logger>
            <logger category="org.jboss.remoting3">
                <level name="TRACE"/>
            </logger>
