"JBREM000200: Remote connection failed: javax.security.sasl.SaslException" encountered when client connects EJB in EAP 6

Solution Verified - Updated

Environment

  • JBoss Enterprise Application Platform (EAP)
    • 6.0.x
    • 6.1
    • 6.3

Issue

  • The following issue occurred when remotely calling EJB from an EJBClient
JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
  • We have disabled the remoting security in the standalone configuration or for the domain profile but there is still a JBREM000200 error
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting"/>
</subsystem>

ERROR: JBREM000200: Remote connection failed: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
Exception in thread "main" java.lang.IllegalStateException: EJBCLIENT000025: No EJB receiver available for handling [appName:appone, moduleName:ejb, distinctName:] combination for invocation context org.jboss.ejb.client.EJBClientInvocationContext@22241a0d

Resolution

Remoting security enabled

  • Suppose that you have the following mentioned in the standalone*.xml or in a domain profile
<security-realm name="ApplicationRealm">
    <authentication>
        <local default-user="$local" allowed-users="*"/>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
    <authorization>
        <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
    </authorization>
</security-realm>
...
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>
  • There is a requirement to create a user for the application realm as follows:

$ bin/add-user.sh 

What type of user do you wish to add? 
 a) Management User (mgmt-users.properties) 
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) :
Username : ejbUser
Password : ejbPassword
Re-enter Password : ejbPassword
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[  ]: 
About to add user 'ejbUser' for realm 'ApplicationRealm'
Is this correct yes/no? y
Added user 'ejb' to file '/srv/eap/6.1/standalone/configuration/application-users.properties'
Added user 'ejb' to file '/srv/eap/6.1/domain/configuration/application-users.properties'
Added user 'ejb' with roles  to file '/srv/eap/6.1/standalone/configuration/application-roles.properties'
Added user 'ejb' with roles  to file '/srv/eap/6.1/domain/configuration/application-roles.properties'
...
  • After adding the user the call should be successful by specifying the user and password in the EJB client's property file as follows:
remote.connections=default
...
remote.connection.default.username=ejbUser
remote.connection.default.password=ejbPassword
...

Remoting security disabled

  • Suppose that you have the following mentioned in the standalone*.xml or in a domain profile
<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting"/>
</subsystem>
  • There is no need to add a user or special realms to the server
  • The client side must add this property for each configured connection to flag that the unauthenticated access is allowed. It dosn't matter whether the username and password is set also. So it is possible to have a mix of secured and unsecured connections within the same client scope.
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
  • The property need to be added dependence on the used approach
    • to the jboss-ejb-client.properties
    • to the properries Map passed to the InitialContext if a scoped-context is used
    • to the configuration of the EJBClientSelector if the ejb-client API is used

Root Cause

The issue usually occurs when

  • there is no user specified for Application Realm or any other security-realm which is specified to secure remoting-connector
  • the remoting-connector is configured without security and the client is not configured appropriate
  • This can also fail if the property remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false is missing in the jboss-ejb-client.properties file.
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.