ClientLoginModule in JAAS not invoking wildfly server on LoginContext.login() from remote EJB


Pankaj Kumar

Nov 22, 2022, 10:54:13 AM
to WildFly
Hello,

We are migrating from WebLogic to WildFly 26. The JAAS security module is one of the modules to migrate. EJBs are invoked from a remote client, and JAAS is used for authentication at the remote client end. In the case of WebLogic, "weblogic.security.auth.login.UsernamePasswordLoginModule" is configured as the JAAS login module in the configuration. When the LoginContext is built and LoginContext.login() is called, a server call is made for authentication using the custom login module in WebLogic, but not in WildFly.

To achieve this in WildFly we have configured "org.jboss.security.ClientLoginModule" as the JAAS login module in the configuration, along with the server configuration.

import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;

String user = "XX";
String pwd = "XXX";
CustomCallbackHandler handler = new CustomCallbackHandler(user, pwd.toCharArray());

// In this file org.jboss.security.ClientLoginModule is configured for WildFly.
System.setProperty("java.security.auth.login.config",
        new File("/JAAS-login-modules.conf").getAbsolutePath());

LoginContext lc = new LoginContext("ClientLoginModule", new Subject(), handler);
// At this stage a server call happens in WebLogic, but not in WildFly.
lc.login();


Because of this, we are facing the following issues:

1. LoginContext.login() always returns success, irrespective of right or wrong credentials.

2. The Subject does not contain the right roles.

3. Subject.doAs(lc.getSubject(), privilegedAction); is always invoked; ideally this should only be invoked if the login succeeds.

We found a guide here, but ejb-security-jaas throws a 404:

https://github.com/wildfly/quickstart/blob/5ea045fac1b625efe1d149bab58829835417aa01/shared-doc/available-quickstarts.adoc

Looking for help ASAP.


Thanks,

Pankaj K.

Darran Lofthouse

Nov 22, 2022, 11:13:52 AM
to WildFly
What you are describing is how the ClientLoginModule operated: it did not perform a real authentication, it just saved the supplied credentials ready for when the user makes an invocation.

However, support for legacy security and PicketBox was removed in WildFly 25; at this point you should be using WildFly Elytron. When using WildFly Elytron, authentication occurs as the connection is being established, and by using a CallbackHandler the user can be prompted for credentials as part of the authentication process to get more immediate results.

Pankaj Kumar

Nov 22, 2022, 1:28:53 PM
to WildFly
Thanks for the quick response, Darran. We have explored Elytron as well, written the code below for authentication, and done the server-side configuration. But the authentication is only called when the EJB is invoked. Is this correct?

import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.sasl.SaslMechanismSelector;

// Elytron client configuration: PLAIN mechanism with a fixed user name and password.
AuthenticationConfiguration superUser = AuthenticationConfiguration.empty()
        .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("PLAIN"))
        .useName(user)
        .usePassword(pwd);
final AuthenticationContext authCtx = AuthenticationContext.empty().with(MatchRule.ALL, superUser);
AuthenticationContext.getContextManager().setThreadDefault(authCtx);

final Hashtable<String, String> jndiProperties = new Hashtable<>();
jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
jndiProperties.put(Context.PROVIDER_URL, "remote+http://localhost:8080");

try {
    final Context context = new InitialContext(jndiProperties);
    SecuredEJBRemote reference = (SecuredEJBRemote) context.lookup(
            "ejb:test-ear/secured-ejb/SecuredEjb!" + SecuredEJBRemote.class.getName());
    // Authentication is only triggered here, when the EJB is actually invoked.
    System.out.println("Successfully called, caller principal " + reference.getSecurityInfo());
    System.out.println("Principal has guest permission: " + reference.userMethod());
    System.out.println("Principal has admin permission: " + reference.administrativeMethod());
} catch (Exception e) {
    e.printStackTrace();
}


How do we invoke authentication and get the subject before invoking the EJB? Can you point to some documentation, please?

Thanks,
Pankaj K.
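The Elytron model Darran describes, as an added example that is not code from this thread or from WildFly itself: credentials are supplied through a CallbackHandler on the AuthenticationConfiguration, and they are checked when the first lookup or invocation opens the connection, so a wrong password fails at that call rather than at a separate login() step. SecuredEJBRemote and the JNDI name are taken from Pankaj's snippet; the class name and the credentials() helper are hypothetical.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.security.auth.callback.*;
import org.wildfly.security.auth.client.AuthenticationConfiguration;
import org.wildfly.security.auth.client.AuthenticationContext;
import org.wildfly.security.auth.client.MatchRule;
import org.wildfly.security.sasl.SaslMechanismSelector;

public class ElytronClientExample {
    // Hypothetical handler: Elytron invokes it while the connection is being
    // authenticated, so this is where the credentials are actually supplied.
    static CallbackHandler credentials(String user, char[] password) {
        return callbacks -> {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb);
                }
            }
        };
    }

    public static void main(String[] args) {
        AuthenticationConfiguration cfg = AuthenticationConfiguration.empty()
                .setSaslMechanismSelector(SaslMechanismSelector.NONE.addMechanism("PLAIN"))
                .useCallbackHandler(credentials("XX", "XXX".toCharArray()));
        AuthenticationContext authCtx = AuthenticationContext.empty().with(MatchRule.ALL, cfg);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
        env.put(Context.PROVIDER_URL, "remote+http://localhost:8080");

        // Scope the configuration to this call rather than the thread default. The
        // lookup/invocation opens and authenticates the connection, so wrong
        // credentials fail inside this block; there is no separate login() to check.
        try {
            Object caller = authCtx.runCallable(() -> {
                SecuredEJBRemote bean = (SecuredEJBRemote) new InitialContext(env).lookup(
                        "ejb:test-ear/secured-ejb/SecuredEjb!" + SecuredEJBRemote.class.getName());
                return bean.getSecurityInfo();
            });
            System.out.println("Authenticated; caller principal " + caller);
        } catch (Exception e) {
            System.out.println("Authentication or invocation failed: " + e);
        }
    }
}
```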