Remote JNDI Access - EJB/http-remoting with Elytron


Szymon Klepacz

Apr 3, 2020, 8:29:24 AM
to WildFly
I am migrating an old project from WildFly 11 to WildFly 19; however, I am a bit confused about the proper way of doing that.

The article "Securing EJBs with Elytron" suggests creating the AuthenticationContext using XML (it can be done programmatically as well) in the following way:
final Hashtable jndiProperties = new Hashtable();
jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
jndiProperties.put(Context.PROVIDER_URL, "remote+http://localhost:8080");
final Context context = new InitialContext(jndiProperties);
SecuredEJBRemote reference = (SecuredEJBRemote) context.lookup("ejb:/ejb-remote-server/SecuredEJB!" + SecuredEJBRemote.class.getName());


However, the Developer Guide suggests this approach:
final Properties jndiProperties = new Properties();
jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
// create the context
final Context context = new InitialContext(jndiProperties);

// lookup (the result must be cast to the bean's remote interface)
Foo beanProxy = (Foo) context.lookup("ejb:myapp/myejbmodule//FooBean!org.myapp.ejb.Foo");
String bar = beanProxy.sayBar();


My configuration:
// Install credentials as the thread default unless the caller is the unauthenticated user
if (!ClientIdentification.UNAUTHENTICATED.equals(username)) {
    AuthenticationConfiguration authCfg = AuthenticationConfiguration.empty()
            .useName(username)
            .usePassword(password);

    authCtx = AuthenticationContext.empty().with(MatchRule.ALL, authCfg);
    AuthenticationContext.getContextManager().setThreadDefault(authCtx);
}

final Properties env = new Properties();
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
env.put(Context.PROVIDER_URL, "remote+http://<server>:8080");
env.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
Context context = new InitialContext(env);

final LoginService loginService = (LoginService) context.lookup("ejb:XX/xx-module/LoginServiceImpl!" + LoginService.class.getName());


Moreover, I need to get a list of users from the DB, and for that single call I need an unauthenticated user. This approach works perfectly fine on Windows; however, when I have a server on Linux and try to call it from a client on Windows, the following exception appears:
Caused by: org.jboss.ejb.client.RequestSendFailedException: EJBCLIENT000409: No more destinations are available
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:592)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:528)
at org.jboss.ejb.protocol.remote.RemotingEJBClientInterceptor.handleInvocationResult(RemotingEJBClientInterceptor.java:56)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:594)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:528)
at org.jboss.ejb.client.TransactionPostDiscoveryInterceptor.handleInvocationResult(TransactionPostDiscoveryInterceptor.java:133)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:594)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:528)
at org.jboss.ejb.client.DiscoveryEJBClientInterceptor.handleInvocationResult(DiscoveryEJBClientInterceptor.java:115)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:594)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:528)
at org.jboss.ejb.client.NamingEJBClientInterceptor.handleInvocationResult(NamingEJBClientInterceptor.java:79)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:594)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:528)
at org.jboss.ejb.client.TransactionInterceptor.handleInvocationResult(TransactionInterceptor.java:172)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:594)
at org.jboss.ejb.client.EJBClientInvocationContext.getResult(EJBClientInvocationContext.java:528)
at org.jboss.ejb.client.EJBClientInvocationContext.awaitResponse(EJBClientInvocationContext.java:938)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:177)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:112)
at com.sun.proxy.$Proxy3.getAllPossibleLoginNamesAndLicenseAvailabilities(Unknown Source)
at com.XX.client.service.ContextConnectionHandler.getAllPossibleLoginNames(ContextConnectionHandler.java:105)
... 12 more
Suppressed: org.jboss.ejb.client.RequestSendFailedException
at org.jboss.ejb.protocol.remote.RemoteEJBReceiver$1.handleFailed(RemoteEJBReceiver.java:101)
at org.jboss.ejb.protocol.remote.RemoteEJBReceiver$1.handleFailed(RemoteEJBReceiver.java:74)
at org.xnio.IoFuture$HandlingNotifier.notify(IoFuture.java:215)
at org.xnio.AbstractIoFuture$NotifierRunnable.run(AbstractIoFuture.java:720)
at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:949)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
... 1 more
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
   JBOSS-LOCAL-USER: javax.security.sasl.SaslException: ELY05128: Failed to read challenge file [Caused by java.io.FileNotFoundException: \tmp\local33325463155227110.challenge (The system cannot find the path specified)]
at org.jboss.remoting3.remote.ClientConnectionOpenListener.allMechanismsFailed(ClientConnectionOpenListener.java:109)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:446)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:242)
at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:92)
at org.xnio.conduits.ReadReadyHandler$ChannelListenerHandler.readReady(ReadReadyHandler.java:66)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
at ...asynchronous invocation...(Unknown Source)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:571)
at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:537)
at org.jboss.remoting3.ConnectionInfo$None.getConnection(ConnectionInfo.java:82)
at org.jboss.remoting3.ConnectionInfo.getConnection(ConnectionInfo.java:55)
at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:488)
at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:434)
at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
at org.jboss.remoting3.Endpoint.getConnectedIdentity(Endpoint.java:123)
at org.jboss.ejb.protocol.remote.RemoteEJBReceiver.lambda$getConnection$2(RemoteEJBReceiver.java:185)
at java.security.AccessController.doPrivileged(Native Method)
at org.jboss.ejb.protocol.remote.RemoteEJBReceiver.getConnection(RemoteEJBReceiver.java:185)
at org.jboss.ejb.protocol.remote.RemoteEJBReceiver.processInvocation(RemoteEJBReceiver.java:128)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:479)
at org.jboss.ejb.protocol.remote.RemotingEJBClientInterceptor.handleInvocation(RemotingEJBClientInterceptor.java:51)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:491)
at org.jboss.ejb.client.TransactionPostDiscoveryInterceptor.handleInvocation(TransactionPostDiscoveryInterceptor.java:79)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:491)
at org.jboss.ejb.client.DiscoveryEJBClientInterceptor.handleInvocation(DiscoveryEJBClientInterceptor.java:92)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:491)
at org.jboss.ejb.client.NamingEJBClientInterceptor.handleInvocation(NamingEJBClientInterceptor.java:67)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:491)
at org.jboss.ejb.client.TransactionInterceptor.handleInvocation(TransactionInterceptor.java:165)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequest(EJBClientInvocationContext.java:491)
at org.wildfly.common.context.Contextual.runExConsumer(Contextual.java:203)
at org.jboss.ejb.client.EJBClientInvocationContext.sendRequestInitial(EJBClientInvocationContext.java:327)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:173)
at org.jboss.ejb.client.EJBInvocationHandler.invoke(EJBInvocationHandler.java:112)
at com.sun.proxy.$Proxy3.getAllPossibleLoginNamesAndLicenseAvailabilities(Unknown Source)
at com.XX.client.service.ContextConnectionHandler.getAllPossibleLoginNames(ContextConnectionHandler.java:105)
at com.XX.client.XXSuite.handleLogin(XXSuite.java:388)
at com.XX.client.XXSuite.login(XXSuite.java:364)
at com.XX.client.ApplicationManager.launch(ApplicationManager.java:495)
at com.XX.client.ApplicationManager.access$000(ApplicationManager.java:123)
at com.XX.client.ApplicationManager$Launcher.doInBackground(ApplicationManager.java:317)
at com.XX.client.ApplicationManager$Launcher.doInBackground(ApplicationManager.java:299)
at javax.swing.SwingWorker$1.call(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at javax.swing.SwingWorker.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
... 1 more
Suppressed: javax.security.sasl.SaslException: ELY05128: Failed to read challenge file [Caused by java.io.FileNotFoundException: \tmp\local33325463155227110.challenge (The system cannot find the path specified)]
at org.wildfly.security.sasl.localuser.LocalUserClient.evaluateMessage(LocalUserClient.java:108)
at org.wildfly.security.sasl.util.AbstractSaslParticipant.evaluateMessage(AbstractSaslParticipant.java:199)
at org.wildfly.security.sasl.util.AbstractSaslClient.evaluateChallenge(AbstractSaslClient.java:79)
at org.wildfly.security.sasl.util.AbstractDelegatingSaslClient.evaluateChallenge(AbstractDelegatingSaslClient.java:54)
at org.wildfly.security.sasl.util.PrivilegedSaslClient.lambda$evaluateChallenge$0(PrivilegedSaslClient.java:55)
at java.security.AccessController.doPrivileged(Native Method)
at org.wildfly.security.sasl.util.PrivilegedSaslClient.evaluateChallenge(PrivilegedSaslClient.java:55)
at org.jboss.remoting3.remote.ClientConnectionOpenListener$Authentication.lambda$handleEvent$0(ClientConnectionOpenListener.java:650)
at org.jboss.remoting3.EndpointImpl$TrackingExecutor.lambda$execute$0(EndpointImpl.java:949)
at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
... 1 more
Caused by: java.io.FileNotFoundException: \tmp\local33325463155227110.challenge (The system cannot find the path specified)
at java.io.FileInputStream.open0(Native Method)
at java.io.FileInputStream.open(Unknown Source)
at java.io.FileInputStream.<init>(Unknown Source)
at org.wildfly.security.sasl.localuser.LocalUserClient.evaluateMessage(LocalUserClient.java:94)
... 13 more




QUESTIONS
Is my configuration correct? 
How can I fix SASL exception? 

-- One of the approaches would be to create dummy user in DB at first, authenticate with it. What would be the best approach?
 

Tomaž Cerar

Apr 3, 2020, 8:47:47 AM
to Szymon Klepacz, WildFly
Hi,

I would suggest looking at the quickstarts that cover all these scenarios,
where you can also find instructions for configuring the Elytron subsystem to allow the access.


Hope this helps
--
tomaž







Szymon Klepacz

Apr 3, 2020, 9:05:30 AM
to WildFly
Thanks for the quick response. I know this repository and it is not self-explanatory.
E.g. class RemoteClient, line 36:
 //jndiProperties.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");

Why is this commented out? Following the Developer Guide mentioned above I see:
// the property below is required ONLY if there is no ejb client configuration loaded (such as a
// jboss-ejb-client.properties in the class path) and the context will be used to lookup EJBs
So Context.INITIAL_CONTEXT_FACTORY and Context.PROVIDER_URL are enough? 

Also, this user is authenticated from the first query.

Farah Juma

Apr 3, 2020, 4:23:06 PM
to WildFly
From your stack trace, it looks like you are running into a configuration issue since the wrong SASL mechanism (JBOSS-LOCAL-USER) is being used.

I would suggest taking a look at the migration guide as it goes over a few different scenarios.

This blog post might also be helpful:

Thales Horta

Feb 12, 2021, 1:06:21 PM
to WildFly
Hey guys,

I'm getting exactly the same issue. How did you solve this topic?

I'm migrating an application from WF9 to WF20.

Any help or tips are really appreciated.

Szymon Klepacz

Feb 15, 2021, 3:21:55 AM
to WildFly
What are you trying to achieve? Which security mechanisms do you want to use? 

The "ELY05128: Failed to read challenge file" error usually appears when using the JBOSS-LOCAL-USER mechanism and the server and client are not in the same network.
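
Added example (not from the thread or from the WildFly project): with JBOSS-LOCAL-USER the client must read a challenge file that the server wrote to its own filesystem, which is why the trace shows a Windows client failing to open a `\tmp\...challenge` path; a remote client can avoid that mechanism by naming its SASL mechanisms explicitly. The host name, class name and method names below are hypothetical, and the sketch assumes the server's SASL authentication factory offers DIGEST-MD5 (and ANONYMOUS for the pre-login call).

```java
import java.util.Properties;
import java.util.concurrent.Callable;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.sasl.SaslMechanismSelector;

public class PinnedMechanismClient {

    // Hypothetical values for illustration; replace with the real server.
    static final String SERVER_HOST = "ejb.example.test";
    static final String PROVIDER_URL = "remote+http://" + SERVER_HOST + ":8080";

    /** Credentials plus an explicit mechanism list, so JBOSS-LOCAL-USER is never attempted. */
    static AuthenticationContext authenticated(String user, char[] password) {
        AuthenticationConfiguration cfg = AuthenticationConfiguration.empty()
                .useName(user)
                .usePassword(password)
                .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("DIGEST-MD5"));
        // Scope the credentials to the one host they are meant for.
        return AuthenticationContext.empty().with(MatchRule.ALL.matchHost(SERVER_HOST), cfg);
    }

    /** Anonymous identity for the single pre-login call (assumes the server permits ANONYMOUS). */
    static AuthenticationContext anonymous() {
        AuthenticationConfiguration cfg = AuthenticationConfiguration.empty()
                .useAnonymous()
                .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("ANONYMOUS"));
        return AuthenticationContext.empty().with(MatchRule.ALL.matchHost(SERVER_HOST), cfg);
    }

    /** Runs lookup and invocation under ctx, without changing the thread default. */
    static <T> T callAs(AuthenticationContext ctx, Callable<T> action) throws Exception {
        return ctx.runCallable(action);
    }

    /** JNDI lookup against the remote server using the WildFly naming client. */
    static Object lookup(String jndiName) throws Exception {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY,
                "org.wildfly.naming.client.WildFlyInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        return new InitialContext(env).lookup(jndiName);
    }

    // Usage, with the thread's own LoginService interface (call shown as a comment
    // because the interface is not part of this example):
    //   callAs(anonymous(), () -> ((LoginService) lookup("ejb:XX/xx-module/LoginServiceImpl!"
    //           + LoginService.class.getName())).getAllPossibleLoginNamesAndLicenseAvailabilities());
}
```

Keeping the lookup and the bean invocation inside the same `callAs` action means both run under the chosen context, so the anonymous user-list call and the later authenticated calls do not share a thread-default identity.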

Thales Horta

Feb 17, 2021, 10:36:27 AM
to WildFly
Hi, sorry for the late reply.

Our case is: we have an Applet running standalone on the user's machine, retrieving EJBs from our WildFly Server v20.
We did all the client and JAR updates, but still get the same error message.

We included the wildfly-config.xml file but it does not seem to solve the issue; are we missing any configuration?

Thanks in advance.

Thales Horta

Feb 17, 2021, 11:11:54 AM
to WildFly
Hi, thanks.

So here are the logs:

Instance  SessionFactoryPesagem created
 Criando lookup EJB :
 String ejb :ejb:sisferwebdesenvfab/sisfercore//Filial!br.com.fertipar.sisfercore.session.Filial
Instance Filial criada
org.jboss.ejb.client.RequestSendFailedException: EJBCLIENT000409: No more destinations are available

Suppressed: javax.ejb.NoSuchEJBException: EJBCLIENT000024: No EJB receiver available for handling destination "remote+http://192.168.131.202:8183"

========== wildfly-config.xml
<configuration>
    <authentication-client xmlns="urn:elytron:1.0">
        <authentication-rules>
            <rule use-configuration="default">
                <match-host name="0.0.0.0"/>
            </rule>
        </authentication-rules>
        <authentication-configurations>
            <configuration name="default">
                <sasl-mechanism-selector selector="#ALL" />
                <set-mechanism-properties>
                    <property key="wildfly.sasl.local-user.quiet-auth" value="false" />
                </set-mechanism-properties>
                <providers>
                    <use-service-loader/>
                </providers>
                <!-- Used for EJB over HTTP, remoting invocations will use transparent auth-->
                <set-user-name name="**********" />
                <credentials>
                    <clear-password password=" **********  " />
                </credentials>
            </configuration>
        </authentication-configurations>
    </authentication-client>
</configuration>

If any more information is needed, please let me know, and thanks again.

cheers,

TpH

Szymon Klepacz

Feb 17, 2021, 2:18:25 PM
to WildFly
Looks like you are trying to use HTTP mechanism (<!-- Used for EJB over HTTP) for remote EJB, but actually using SASL (sasl-mechanism-selector selector="#ALL" ) which is good!

What does your standalone configuration for SASL & HTTP mechanisms look like?

Thales Horta

Feb 17, 2021, 2:30:36 PM
to WildFly
Actually, I'm not using standalone; it is a Domain-Controller setup. Is that a problem?

Maybe I was not clear enough:

Client: an Applet running on user PC with Oracle Java.
Server: Domain Controller Wildfly 20.

Thanks again

Thales Horta

Feb 17, 2021, 7:36:10 PM
to WildFly
Hey, just an update regarding the topic.

When running the Applet on the same server, it works fine.

To me it seems to be a server-side configuration; the question is, where can I set it to allow other subnets for incoming remote connections?

Thanks again

Cheers 


Szymon Klepacz

Feb 18, 2021, 3:54:22 AM
to WildFly
Then only Local Authentication works. Without knowing the server configuration, it is hard to tell.

Thales Horta

Feb 18, 2021, 7:14:10 PM
to WildFly
Hello,

Do you have any idea where I can find the solution? The point here is:

On any server in the same network (192.168.131.0/24) it works fine.

For any different subnet, it is not working.

Any help is really appreciated.

Cheers.
