How to disable security on the EJB remoting interface in JBoss EAP 8 / 7
Environment
- Red Hat JBoss Enterprise Application Platform (EAP)
- 8
- 7.x
Issue
- How to disable security on the EJB remoting interface in JBoss EAP 7
- How to allow anonymous remote ejb connections in EAP 8
Resolution
Security cannot be removed from EJB/Remoting. Instead, the ANONYMOUS SASL mechanism can be enabled so that clients may connect without credentials. Be aware of what this means: anyone who can reach the remoting port can then invoke every EJB method that is not restricted by roles (@RolesAllowed or the equivalent security-domain configuration); role checks still apply to the anonymous identity, which has no roles, so methods that require one remain refused.
EAP 8 / Elytron
/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication:list-add(name=mechanism-configurations,index=0,value={mechanism-name=ANONYMOUS})
which adds ANONYMOUS as the first mechanism of the factory:
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="ANONYMOUS"/>
        <mechanism mechanism-name="DIGEST-MD5">
            <mechanism-realm realm-name="ApplicationRealm"/>
        </mechanism>
    </mechanism-configuration>
</sasl-authentication-factory>
/subsystem=elytron/simple-permission-mapper=default-permission-mapper:list-add(name=permission-mappings[0].permission-sets,index=0,value={permission-set="login-permission"})
which grants the anonymous principal login-permission (the default mapping only gives it default-permissions), without which an anonymous client authenticates but is refused when it tries to log in:
<simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
    <permission-mapping>
        <principal name="anonymous"/>
        <permission-set name="login-permission"/>
        <permission-set name="default-permissions"/>
    </permission-mapping>
    <!-- remaining permission mappings unchanged -->
</simple-permission-mapper>
Note: When running or testing locally, disable the JBOSS-LOCAL-USER ($local) mechanism. It silently authenticates any client that runs on the same machine as the EAP instance and can read the challenge file the server writes under $JBOSS_HOME (the server's tmp/auth directory). A test run on the server host therefore succeeds whether or not anonymous authentication is actually enabled, and the problem only appears after deployment, when remote calls from other machines are needed. With JBOSS-LOCAL-USER removed, a same-host client is authenticated like any other, so you can verify that anonymous authentication really works.
/subsystem=elytron/sasl-authentication-factory=application-sasl-authentication:list-remove(name=mechanism-configurations,index=0)
which removes the JBOSS-LOCAL-USER entry. In the default configuration it is the first mechanism (index 0); if ANONYMOUS has already been added at index 0 by the command above, JBOSS-LOCAL-USER has moved to index 1 and list-remove with index=0 would remove ANONYMOUS instead. Run this removal before adding ANONYMOUS, or check the current order of mechanism-configurations first. The line removed from the factory is:
<sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
    <mechanism-configuration>
        <mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>
        <!-- remaining mechanisms unchanged -->
    </mechanism-configuration>
</sasl-authentication-factory>
EAP 7 / Picketbox (Legacy Security)
Add the SASL_MECHANISMS and SASL_POLICY_NOANONYMOUS properties to the remoting connector, for example:
/subsystem=remoting/http-connector=http-remoting-connector/property=SASL_MECHANISMS:add(value="ANONYMOUS,PLAIN")
/subsystem=remoting/http-connector=http-remoting-connector/property=SASL_POLICY_NOANONYMOUS:add(value=false)
which adds the properties below. SASL_MECHANISMS restricts the connector to the listed mechanisms, and SASL_POLICY_NOANONYMOUS must be set to false explicitly because Remoting rejects anonymous connections by default. PLAIN transmits the password in clear text, so list it only on a connector protected by TLS, or drop it if anonymous access is all that is needed:
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <endpoint/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm">
        <properties>
            <property name="SASL_MECHANISMS" value="ANONYMOUS,PLAIN"/>
            <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
        </properties>
    </http-connector>
</subsystem>
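As an added check (example code written for this page, not part of the Red Hat solution or of EAP itself), the following Python script audits a standalone.xml for the state described in both sections above: whether the Elytron application-sasl-authentication factory offers ANONYMOUS, whether the anonymous principal has login-permission, whether JBOSS-LOCAL-USER is still enabled, and, for the legacy remoting setup, whether SASL_MECHANISMS and SASL_POLICY_NOANONYMOUS together actually allow anonymous connections. It matches elements by local name so the subsystem schema version does not matter. The XML samples embedded in it are constructed to match the fragments on this page; their namespace versions and the script file name are illustrative.

```python
import xml.etree.ElementTree as ET


def _local(tag):
    """Strip the {namespace} prefix: schema versions differ between EAP releases,
    the element names shown on this page do not."""
    return tag.rsplit("}", 1)[-1]


def _find_all(node, name):
    return [el for el in node.iter() if _local(el.tag) == name]


def audit_elytron(root, factory="application-sasl-authentication"):
    """EAP 7.1+/8 (Elytron): mechanisms offered by the EJB SASL factory and whether
    the anonymous principal has been granted login-permission."""
    state = {"found": False, "mechanisms": [], "anonymous_login_permission": False}
    for saf in _find_all(root, "sasl-authentication-factory"):
        if saf.get("name") == factory:
            state["found"] = True
            state["mechanisms"] = [m.get("mechanism-name") for m in _find_all(saf, "mechanism")]
    for mapping in _find_all(root, "permission-mapping"):
        if any(p.get("name") == "anonymous" for p in _find_all(mapping, "principal")):
            sets = [s.get("name") for s in _find_all(mapping, "permission-set")]
            state["anonymous_login_permission"] = "login-permission" in sets
    return state


def audit_legacy_remoting(root, connector="http-remoting-connector"):
    """EAP 7.0 / legacy security: ANONYMOUS must be in SASL_MECHANISMS and the
    NOANONYMOUS policy (true by default) must be switched off explicitly."""
    state = {"found": False, "properties": {}, "anonymous_allowed": False}
    for conn in _find_all(root, "http-connector"):
        if conn.get("name") != connector:
            continue
        state["found"] = True
        props = {p.get("name"): p.get("value") for p in _find_all(conn, "property")}
        state["properties"] = props
        mechs = [m.strip() for m in props.get("SASL_MECHANISMS", "").split(",")]
        no_anon = props.get("SASL_POLICY_NOANONYMOUS", "true").strip().lower()
        state["anonymous_allowed"] = "ANONYMOUS" in mechs and no_anon == "false"
    return state


def audit(xml_text):
    """Parsed state of both subsystems plus human-readable findings."""
    root = ET.fromstring(xml_text)
    ely, leg = audit_elytron(root), audit_legacy_remoting(root)
    anon_mech = "ANONYMOUS" in ely["mechanisms"]
    elytron_anon = anon_mech and ely["anonymous_login_permission"]
    findings = []
    if anon_mech and not ely["anonymous_login_permission"]:
        findings.append("ANONYMOUS is offered but the anonymous principal lacks "
                        "login-permission: remote clients will still be refused")
    if "JBOSS-LOCAL-USER" in ely["mechanisms"]:
        findings.append("JBOSS-LOCAL-USER is still enabled: same-host tests succeed "
                        "whether or not anonymous access works")
    if elytron_anon or leg["anonymous_allowed"]:
        findings.append("anonymous EJB access is enabled: every EJB method not "
                        "restricted by roles is callable without credentials")
    return {"elytron": ely, "legacy": leg,
            "anonymous_ejb": elytron_anon or leg["anonymous_allowed"],
            "findings": findings}


# Constructed samples (not taken from a real server; namespace versions are illustrative).
# EAP 8 profile after the Elytron CLI commands on this page:
EAP8_AFTER = """<server xmlns="urn:jboss:domain:20.0"><profile>
<subsystem xmlns="urn:wildfly:elytron:18.0">
 <sasl-authentication-factory name="application-sasl-authentication" sasl-server-factory="configured" security-domain="ApplicationDomain">
  <mechanism-configuration>
   <mechanism mechanism-name="ANONYMOUS"/>
   <mechanism mechanism-name="DIGEST-MD5"><mechanism-realm realm-name="ApplicationRealm"/></mechanism>
  </mechanism-configuration>
 </sasl-authentication-factory>
 <simple-permission-mapper name="default-permission-mapper" mapping-mode="first">
  <permission-mapping><principal name="anonymous"/><permission-set name="login-permission"/><permission-set name="default-permissions"/></permission-mapping>
  <permission-mapping match-all="true"><permission-set name="login-permission"/><permission-set name="default-permissions"/></permission-mapping>
 </simple-permission-mapper>
</subsystem></profile></server>"""

# Stock EAP 8 profile before any change: JBOSS-LOCAL-USER present, anonymous only has default-permissions.
EAP8_STOCK = EAP8_AFTER.replace(
    '<mechanism mechanism-name="ANONYMOUS"/>',
    '<mechanism mechanism-name="JBOSS-LOCAL-USER" realm-mapper="local"/>').replace(
    '<principal name="anonymous"/><permission-set name="login-permission"/>',
    '<principal name="anonymous"/>')

# EAP 7.0 legacy-security profile after adding the two remoting properties:
EAP7_LEGACY_AFTER = """<server xmlns="urn:jboss:domain:4.0"><profile>
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
 <endpoint/>
 <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm">
  <properties>
   <property name="SASL_MECHANISMS" value="ANONYMOUS,PLAIN"/>
   <property name="SASL_POLICY_NOANONYMOUS" value="false"/>
  </properties>
 </http-connector>
</subsystem></profile></server>"""


if __name__ == "__main__":
    import sys
    # Usage: python audit_anonymous_ejb.py [path/to/standalone.xml]; defaults to the EAP 8 sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else EAP8_AFTER
    report = audit(text)
    print("anonymous EJB access:", report["anonymous_ejb"])
    for finding in report["findings"]:
        print(" -", finding)
```

Run it against the server's standalone.xml (or the domain profile) after applying the CLI commands: the "lacks login-permission" finding is the case where a client authenticates with ANONYMOUS and is then refused, and the JBOSS-LOCAL-USER finding is the local-test trap described in the note above. The same script is useful in the other direction, to find servers where anonymous EJB access was left enabled.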
Related Solutions
- How can I enable unsecured and secured EJB access on JBoss EAP 7
- How to disable security on the EJB remoting interface in JBoss EAP 6
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.