EJB over HTTP definition


Arkady Zelekman

Mar 18, 2021, 4:06:06 PM3/18/21
to WildFly
Hi,

I would like to define EJB over HTTP as simply as possible. I looked here
and saw that I should define an Elytron authentication factory.

I didn't find any reference with an example of defining such a factory from scratch, or of which changes should be made in standalone.xml. I would prefer to avoid defining additional users or anything like that; minimal changes are enough for me.

If it is possible to define it without authentication, that would be great for me.

Can someone guide me?

Sonia Zaldana Calles

Mar 18, 2021, 5:00:13 PM3/18/21
to WildFly

Hi Arkady, 


Here’s a quickstart example that shows how to configure EJB over HTTP: https://github.com/wildfly/quickstart/tree/master/ejb-security


Essentially, you only need to add the security domain mapping to the EJB3 subsystem as follows: 

/subsystem=ejb3/application-security-domain={DomainName}:add(security-domain={ElytronSecurityDomain})


And then you can update the http-remoting-connector to use the out-of-the-box sasl-authentication-factory “application-sasl-authentication” as follows:

/subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory,value=application-sasl-authentication)


The above configuration is the simplest one, but if you would like a more detailed example showing how to configure your realms, domain and EJB over HTTP you can also check out this quickstart example: 

https://github.com/wildfly-security-incubator/elytron-examples/blob/master/ejb-security/configure-elytron.cli

You can ignore the credential store configuration. 


Regards, 

Sonia

Sonia Zaldana Calles

Mar 19, 2021, 9:23:45 AM3/19/21
to WildFly
Hi Arkady, 

I misinterpreted your earlier question. Apologies about that! To enable EJB over HTTP, take a look at the updated documentation here: https://docs.wildfly.org/23/Developer_Guide.html#Jakarta_Enterprise_Beans_over_HTTP

Note that before adding the http-authentication-factory as outlined in the documentation above, you might need to undefine the security-realm attribute as follows:
/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm)

Also, if you have further questions about configuring an http-authentication-factory, you can take a look at the documentation here: https://docs.wildfly.org/20/WildFly_Elytron_Security.html#configure-an-http-authentication-factory

Hope this is useful, and I apologize once again for the mix-up.

Regards, 
Sonia
On Thursday, March 18, 2021 at 4:06:06 PM UTC-4 azel...@gmail.com wrote:

Arkady Zelekman

Apr 12, 2021, 4:07:06 PM4/12/21
to WildFly
Hi, Sonia

I am trying to apply Elytron on my WildFly 23 as follows:

Server side:

1. In standalone.xml I added the following changes:

<subsystem xmlns="urn:jboss:domain:ejb3:9.0">
    ...
    <application-security-domains>
        <application-security-domain name="other" security-domain="ApplicationDomain"/>
    </application-security-domains>
</subsystem>

<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm" sasl-authentication-factory="application-sasl-authentication"/>
</subsystem>

2. In application-users.properties I added the following row:
system=ec54054d06eeee361d17555395898783

3. In application-roles.properties I added the following row:
system=admin

Client side:
1. I have wildfly-config.xml with the following content:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <authentication-client xmlns="urn:elytron:1.0">
        <authentication-rules>
            <rule use-configuration="default-config"/>
        </authentication-rules>
        <authentication-configurations>
            <configuration name="default-config">
                <set-user-name name="system"/>
                <credentials>
                    <clear-password password="system"/>
                </credentials>
                <sasl-mechanism-selector selector="DIGEST-MD5"/>
                <providers>
                    <use-service-loader />
                </providers>
            </configuration>
        </authentication-configurations>
    </authentication-client>
</configuration>

2. I have jndi.properties with the following content:

#Server runs on port 80
java.naming.provider.url=http://<SERVER-IP>:80/wildfly-services
java.naming.factory.initial=org.wildfly.naming.client.WildFlyInitialContextFactory

3. The client application has the VM argument -Dwildfly.config.url=<Path to wildfly-config.xml>

When I run the client application I get the following exception:
java.io.IOException: WFHTTP000005: Invalid response code 400 (full response ClientResponse{responseHeaders={strict-transport-security=[max-age=31536000; includeSubDomains;], content-length=[76], content-type=[text/html], date=[Mon, 12 Apr 2021 10:42:36 GMT]}, responseCode=400, status='', protocol=HTTP/2.0})

All of this worked fine in WildFly 11; why is it not working with WildFly 23? Am I missing something?

Thank you very much in advance for the help.
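The setup above keeps the same credential in two places: a clear-password in the client's wildfly-config.xml and a digest line in the server's application-users.properties. The following is an added example (not from this thread or from the WildFly project) that parses an authentication-client configuration with the same layout as the one posted and checks that the client password hashes to the server-side entry for the realm in use. It assumes the legacy properties-realm format written by add-user.sh, where each line is username=HEX(MD5("username:realm:password")); the user name, password and digest in the sample are constructed, not the poster's.

```python
"""Cross-check an Elytron client config against a legacy properties realm.

Added example, not part of the thread or the WildFly project. Assumptions:
  * client-side wildfly-config.xml uses the urn:elytron:1.0 authentication-client
    layout shown in the thread;
  * server-side application-users.properties lines are
    username=HEX(MD5("username:realm:password")), as add-user.sh writes them.
The sample XML and properties below are constructed for this example.
"""
import hashlib
import xml.etree.ElementTree as ET

ELYTRON_NS = {"e": "urn:elytron:1.0"}

# Constructed client configuration mirroring the posted structure
# (user name, password and mechanism are sample values).
SAMPLE_WILDFLY_CONFIG = """<configuration>
    <authentication-client xmlns="urn:elytron:1.0">
        <authentication-rules>
            <rule use-configuration="default-config"/>
        </authentication-rules>
        <authentication-configurations>
            <configuration name="default-config">
                <set-user-name name="alice"/>
                <credentials>
                    <clear-password password="s3cret"/>
                </credentials>
                <sasl-mechanism-selector selector="DIGEST-MD5"/>
            </configuration>
        </authentication-configurations>
    </authentication-client>
</configuration>
"""


def property_hash(user: str, realm: str, password: str) -> str:
    """Digest stored in application-users.properties: HEX(MD5(user:realm:password)).
    The realm name is part of the input, so the same password in another realm
    yields a different digest (unsalted MD5 otherwise; treat the file as secret)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()


def parse_client_config(xml_text: str) -> dict:
    """Return user name, clear password (if any) and SASL selector of the
    configuration that the first <rule> selects."""
    root = ET.fromstring(xml_text)
    client = root.find("e:authentication-client", ELYTRON_NS)
    rule = client.find("e:authentication-rules/e:rule", ELYTRON_NS)
    wanted = rule.get("use-configuration")
    for conf in client.findall("e:authentication-configurations/e:configuration", ELYTRON_NS):
        if conf.get("name") != wanted:
            continue
        user = conf.find("e:set-user-name", ELYTRON_NS)
        pw = conf.find("e:credentials/e:clear-password", ELYTRON_NS)
        sel = conf.find("e:sasl-mechanism-selector", ELYTRON_NS)
        return {
            "name": wanted,
            "user": user.get("name") if user is not None else None,
            "clear_password": pw.get("password") if pw is not None else None,
            "sasl_selector": sel.get("selector") if sel is not None else None,
        }
    raise ValueError(f"rule refers to unknown configuration {wanted!r}")


def parse_users_properties(text: str) -> dict:
    """Parse username=digest lines; '#' comments and blank lines are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition("=")
        users[user.strip()] = digest.strip().lower()
    return users


def client_matches_server(client_xml: str, users_props: str, realm: str) -> bool:
    """True when the client's clear password hashes to the server entry for the
    same user in the given realm; a realm mismatch fails like a wrong password."""
    cfg = parse_client_config(client_xml)
    users = parse_users_properties(users_props)
    if cfg["user"] not in users or cfg["clear_password"] is None:
        return False
    return users[cfg["user"]] == property_hash(cfg["user"], realm, cfg["clear_password"])


# Constructed server-side properties file, generated with property_hash().
SAMPLE_USERS_PROPERTIES = (
    "# username=HEX(MD5(username:realm:password))\n"
    f"alice={property_hash('alice', 'ApplicationRealm', 's3cret')}\n"
)

if __name__ == "__main__":
    print("client config:", parse_client_config(SAMPLE_WILDFLY_CONFIG))
    for realm in ("ApplicationRealm", "OtherRealm"):
        print(realm, "->", client_matches_server(SAMPLE_WILDFLY_CONFIG, SAMPLE_USERS_PROPERTIES, realm))
```

Running it reports the parsed client credentials and that the sample matches ApplicationRealm but not OtherRealm, which is the kind of mismatch to rule out before suspecting the transport: the realm named on the server-side connector has to be the one the digest was generated for.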

Sonia Zaldana Calles

Apr 13, 2021, 3:39:54 PM4/13/21
to WildFly

Hi Arkady, 


If you want to use EJB over HTTP, you have to configure an http-authentication-factory in the undertow subsystem as shown here: https://docs.wildfly.org/23/Developer_Guide.html#Jakarta_Enterprise_Beans_over_HTTP


The http-invoker should be enabled by default in the standard configuration. If that’s the case, you should first undefine the security-realm attribute as follows:

/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:undefine-attribute(name=security-realm)

And then add the http-authentication-factory as follows:

/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker:write-attribute(name=http-authentication-factory,value=application-http-authentication)

Additionally, in your invocation you need to make sure to use /wildfly-services in your URL, which I see you have already done. 


However, by inspecting your configuration, I see you are modifying the http-remoting-connector in the remoting subsystem in your code snippet by adding a sasl-authentication-factory. You shouldn’t be doing this if you want to configure EJB over HTTP. Perhaps you are trying to configure EJB over remoting as opposed to EJB over HTTP? 


EJB over Remoting uses SASL and you mentioned this configuration worked for you before, so perhaps this is what you were looking for. Here’s a blog post on how to configure EJB over Remoting:  https://developer.jboss.org/people/fjuma/blog/2017/09/08/getting-started-with-ejbs-and-elytron-part-1


Regards, 

Sonia
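Because the two setups live in different subsystems (http-invoker under undertow for EJB over HTTP, http-remoting-connector under remoting for EJB over Remoting) and the security-realm attribute has to be undefined before the http-authentication-factory can be written, a pre-flight check of standalone.xml saves a round of CLI errors. The following is an added example (not from this thread or the WildFly project) that parses a constructed standalone.xml fragment, reports which transport each subsystem is set up for, and lists the jboss-cli commands from this reply that are still needed. It matches elements by local name, so the "X.0" namespace versions in the sample are placeholders and the real ones do not matter; the function names are the example's own.

```python
"""Pre-flight check of standalone.xml for EJB over HTTP vs EJB over Remoting.

Added example, not part of the thread or the WildFly project. It assumes the
element and attribute names used in the thread's CLI commands:
  undertow  .../host=default-host/setting=http-invoker
             attributes security-realm / http-authentication-factory
  remoting  http-connector name="http-remoting-connector"
             attribute sasl-authentication-factory
Namespace versions ("X.0") in the sample are placeholders; matching is by local name.
"""
import xml.etree.ElementTree as ET

# Constructed fragment: legacy security-realm on the invoker (the default Sonia
# describes) plus the SASL factory the poster added to the remoting connector.
SAMPLE_STANDALONE = """<server xmlns="urn:jboss:domain:X.0">
  <profile>
    <subsystem xmlns="urn:jboss:domain:remoting:X.0">
      <http-connector name="http-remoting-connector" connector-ref="default"
                      sasl-authentication-factory="application-sasl-authentication"/>
    </subsystem>
    <subsystem xmlns="urn:jboss:domain:undertow:X.0">
      <server name="default-server">
        <host name="default-host" alias="localhost">
          <http-invoker security-realm="ApplicationRealm"/>
        </host>
      </server>
    </subsystem>
  </profile>
</server>
"""

# Same fragment after the two CLI commands from the reply have been applied.
SAMPLE_FIXED = SAMPLE_STANDALONE.replace(
    'security-realm="ApplicationRealm"',
    'http-authentication-factory="application-http-authentication"',
)

INVOKER_ADDR = "/subsystem=undertow/server=default-server/host=default-host/setting=http-invoker"


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _first(root, local_name: str):
    """First element anywhere in the tree with the given local name, or None."""
    return next((e for e in root.iter() if _local(e.tag) == local_name), None)


def invoker_state(xml_text: str) -> dict:
    """Collect the attributes that decide which transport/auth path is active."""
    root = ET.fromstring(xml_text)
    inv = _first(root, "http-invoker")
    conn = _first(root, "http-connector")
    return {
        "invoker_present": inv is not None,
        "invoker_security_realm": inv.get("security-realm") if inv is not None else None,
        "invoker_http_auth_factory": inv.get("http-authentication-factory") if inv is not None else None,
        "connector_sasl_factory": conn.get("sasl-authentication-factory") if conn is not None else None,
    }


def transport_mode(xml_text: str) -> list:
    """Human-readable summary of what the configuration currently enables."""
    st = invoker_state(xml_text)
    modes = []
    if st["invoker_http_auth_factory"]:
        modes.append("EJB over HTTP (Elytron http-authentication-factory)")
    elif st["invoker_security_realm"]:
        modes.append("http-invoker with legacy security-realm")
    if st["connector_sasl_factory"]:
        modes.append("EJB over Remoting (SASL)")
    return modes


def required_cli_steps(xml_text: str) -> list:
    """jboss-cli commands still needed to move http-invoker to Elytron, in the
    order the reply gives them: undefine security-realm first, then write the
    http-authentication-factory."""
    st = invoker_state(xml_text)
    steps = []
    if st["invoker_security_realm"] is not None:
        steps.append(INVOKER_ADDR + ":undefine-attribute(name=security-realm)")
    if st["invoker_http_auth_factory"] is None:
        steps.append(INVOKER_ADDR + ":write-attribute(name=http-authentication-factory,"
                     "value=application-http-authentication)")
    return steps


if __name__ == "__main__":
    for label, xml in (("before", SAMPLE_STANDALONE), ("after", SAMPLE_FIXED)):
        print(label, "->", transport_mode(xml))
        for step in required_cli_steps(xml):
            print("   ", step)
```

On the "before" sample the script prints both CLI commands, in the required order; on the "after" sample it prints none and reports the Elytron HTTP path as active. The remoting SASL factory is reported separately because, as noted above, it belongs to EJB over Remoting and is not part of the EJB over HTTP setup.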

Arkady Zelekman

Apr 13, 2021, 4:02:58 PM4/13/21
to WildFly

Hi, Sonia

I found the problem: my WildFly is running on port 80/443 (not 8080/8443). This is what our customers want.

In standalone.xml it looks like the following:

    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
        <socket-binding name="http" port="${jboss.http.port:80}"/>
        <socket-binding name="https" port="${jboss.https.port:443}"/>

All client applications also refer to NX by port 80 or 443.

I was surprised to discover that this was the problem. When I changed the port to 8080 and also changed the client code to work with 8080, everything started to work. What is the problem with port 80 in WildFly 23 (it worked fine in WildFly 11)? Is it a bug? How can I force my configuration to work with port 80? This issue is very serious for us.

Thank you very much in advance,
Arkady

Arkady Zelekman

Apr 13, 2021, 4:32:56 PM4/13/21
to WildFly
Hi, Sonia

I also have another question: where is "application-http-authentication" defined? I don't see such a thing in standalone.xml. Is it something built in by default, or should I define it?

Thanks,
Arkady

Sonia Zaldana Calles

Apr 13, 2021, 4:47:50 PM4/13/21
to Arkady Zelekman, WildFly

Hi Arkady, 


Here’s more information on how to configure your own http authentication factory: https://docs.wildfly.org/20/WildFly_Elytron_Security.html#configure-an-http-authentication-factory

As for your previous message, could you please send your current configuration? I am not sure whether you are using EJB over HTTP or EJB over Remoting. 


Regards,

Sonia




Arkady Zelekman

Apr 14, 2021, 1:00:44 AM4/14/21
to WildFly
Hi, Sonia

From your explanation, I am currently using "EJB over Remoting using SASL", as I described in my code snippet above.
Everything works fine using port 8080, but we want to use port 80.

In WildFly 11 it worked with that port, but it doesn't work in WildFly 23. How can I fix it?

By the way, what is the difference between the goals of the two approaches ("EJB over HTTP" and "EJB over Remoting")? Our goal is simply not to see TCP packets between the server and EJB clients; we want to see only HTTP packets. It seems to me that the "EJB over Remoting" approach is simpler because we can rely on the default WildFly SASL mechanism, whereas in "EJB over HTTP" we must define our own HTTP authentication factory because there is no built-in one defined in WildFly.