EJB Remote using elytron custom realm


dt pham

Apr 6, 2021, 10:07:36 AM
to WildFly
Dear all,
I have a custom realm under the Elytron subsystem. The custom realm is working fine for my web login and for accessing my secured EJBs. However, I would like remote applications to access my secured EJBs using my custom realm instead of the "ApplicationRealm". Any hints? I went through the quickstart and the developer guide, but I did not see anything that covers what I am looking for.

Farah Juma

Apr 7, 2021, 2:09:00 PM
to WildFly
It sounds like you need to configure your http-remoting-connector so that it references a sasl-authentication-factory that is backed by your security-domain.

This example might help; it shows how to update application-sasl-authentication to reference a new security-domain and then updates the http-remoting-connector configuration accordingly:

dt pham

Apr 7, 2021, 5:03:41 PM
to WildFly
Thank you so much. Yes, I am getting some ideas from the link.

dt pham

Apr 8, 2021, 12:55:33 PM
to WildFly
Dear Farah,
I followed the link you provided and I am able to make my remote application successfully invoke my secured EJB using my custom realm. That is a big step forward for me and I really appreciate all the help from you and the others in this group. Now I am hitting the next issue on the remote application: I am unable to create a connection from the ConnectionFactory so that I can subscribe to a topic to get data. It fails on factory.createConnection(). Just a note here: InitialContext is fine, since my remote application can talk to the secured EJBs as I said above. My ActiveMQ has <security elytron-enable="true" />. I do look up the factory with the JNDI name "ConnectionFactory" (also tried "java:/ConnectionFactory"). Not sure why the username is null here, since it already logs in and invokes the secured EJBs successfully.
What did I misconfigure here? I am using WildFly 23 Final and OpenJDK 13.

javax.jms.JMSSecurityException: AMQ229031: Unable to validate user from /10.1.71.163:3445. Username: null; SSL certificate subject DN: unavailable
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:540)
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:434)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:300)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:249)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionChannel(ClientSessionFactoryImpl.java:1401)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionInternal(ClientSessionFactoryImpl.java:705)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSession(ClientSessionFactoryImpl.java:316)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnection.authorize(ActiveMQConnection.java:684)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:920)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:299)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:294)

dt pham

Apr 8, 2021, 1:08:08 PM
to WildFly
enabled=false for the security of ActiveMQ will work, but I am curious how to have it work when the security is enabled.

Farah Juma

Apr 9, 2021, 3:17:55 PM
to WildFly
Are you able to share more details about the client side configuration? How are the username and password being specified?

dt pham

Apr 12, 2021, 8:48:48 AM
to WildFly
Hi Farah,
I just use jndi.properties, and here is what it looks like:
java.naming.factory.initial=org.wildfly.naming.client.WildFlyInitialContextFactory
java.naming.provider.url=http-remoting://localhost:8090
java.naming.security.principal=dtpham
java.naming.security.credentials=xxxxxxx
Note that:
1) I do see the user logging in to my custom realm, and the remote app successfully invoked my WildFly secured EJBs.
2) On the WildFly side, my custom SASL factory looks like this (where "DPhamElytron" is my custom realm and "pham" is the security domain of the custom realm):
<sasl-authentication-factory name="pham-application-sasl-authentication" sasl-server-factory="configured" security-domain="pham">
    <mechanism-configuration>
        <mechanism mechanism-name="PLAIN">
            <mechanism-realm realm-name="DPhamElytron"/>
        </mechanism>
    </mechanism-configuration>
</sasl-authentication-factory>
....
<subsystem xmlns="urn:jboss:domain:remoting:4.0">
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm" sasl-authentication-factory="pham-application-sasl-authentication"/>
</subsystem>

dt pham

Apr 12, 2021, 9:14:20 AM
to WildFly
FYI, I turned on trace logging in my remote app and see something interesting:
12-04-21 06:00:52:914 TRACE org.apache.commons.beanutils.BeanUtils  -   setProperty(ConnectionOptions{ha=false}, userInfo, <NULL>)
12-04-21 06:00:52:914 TRACE org.apache.commons.beanutils.BeanUtils  -     Target bean = ConnectionOptions{ha=false}
12-04-21 06:00:52:915 TRACE org.apache.commons.beanutils.BeanUtils  -     Target name = userInfo
12-04-21 06:00:52:916 TRACE org.apache.commons.beanutils.MethodUtils  - Matching name=getUserInfo on class org.apache.activemq.artemis.uri.schema.serverLocator.ConnectionOptions
12-04-21 06:00:52:916 TRACE org.apache.commons.beanutils.MethodUtils  - No match found.
12-04-21 06:00:52:917 TRACE org.apache.commons.beanutils.MethodUtils  - Matching name=isUserInfo on class org.apache.activemq.artemis.uri.schema.serverLocator.ConnectionOptions
12-04-21 06:00:52:917 TRACE org.apache.commons.beanutils.MethodUtils  - No match found.

dt pham

Apr 12, 2021, 3:25:57 PM
to WildFly
Oh, my fault. I found my issue. I do have user/pass in the context, but when I call factory.createConnection(), I need to pass user/pass in: factory.createConnection(user, pass). Then it works with security enabled on ActiveMQ. No wonder the user was null.
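The resolution above, as an added example that is not code from the thread or from the WildFly project: a remote JMS topic subscriber that authenticates against the custom Elytron realm. The same principal and credentials go into the JNDI environment (which covers naming lookups and EJB invocations) and are passed a second time, explicitly, to createConnection(), which is the step the thread was missing. The provider URL and username are taken from the jndi.properties posted above; the JNDI names of the connection factory and topic, the environment variable holding the password, and the class name are assumptions.

```java
import java.util.Properties;

import javax.jms.Connection;
import javax.jms.ConnectionFactory;
import javax.jms.JMSException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.jms.Topic;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/** Added example (not from the thread): remote subscriber against a WildFly 23 broker secured by a custom Elytron realm. */
public class SecuredTopicSubscriber {

    // Provider URL and user as in the thread's jndi.properties; the rest are assumed values.
    private static final String PROVIDER_URL = "http-remoting://localhost:8090";
    private static final String USER = "dtpham";
    // Read from the environment so the secret does not sit in a plaintext jndi.properties on disk (assumed variable name).
    private static final String PASSWORD = System.getenv("WILDFLY_PASSWORD");
    private static final String FACTORY_JNDI = "jms/RemoteConnectionFactory"; // assumed export name
    private static final String TOPIC_JNDI = "jms/topic/ExampleTopic";        // assumed topic name

    /** Builds the WildFly naming context; these credentials authenticate JNDI lookups and EJB calls. */
    static Context createContext(String user, String password) throws NamingException {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialContext(env);
    }

    /**
     * Opens the broker connection. Artemis authenticates the JMS session separately from the
     * naming/EJB connection, so the credentials must be handed over here as well. Calling
     * createConnection() with no arguments sends "Username: null" and, with broker security
     * enabled, is rejected with AMQ229031 (javax.jms.JMSSecurityException).
     */
    static Connection openConnection(ConnectionFactory factory, String user, String password) throws JMSException {
        return factory.createConnection(user, password);
    }

    public static void main(String[] args) throws Exception {
        if (PASSWORD == null || PASSWORD.isEmpty()) {
            throw new IllegalStateException("WILDFLY_PASSWORD is not set");
        }
        Context ctx = createContext(USER, PASSWORD);
        try {
            ConnectionFactory factory = (ConnectionFactory) ctx.lookup(FACTORY_JNDI);
            Topic topic = (Topic) ctx.lookup(TOPIC_JNDI);

            // JMS 2.0 resources are AutoCloseable, so try-with-resources releases the session and consumer.
            try (Connection connection = openConnection(factory, USER, PASSWORD);
                 Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
                 MessageConsumer consumer = session.createConsumer(topic)) {
                connection.start();
                // Wait up to ten seconds for a single message, then exit; a real subscriber would loop.
                Message message = consumer.receive(10_000L);
                if (message == null) {
                    System.out.println("no message received within timeout");
                } else if (message instanceof TextMessage) {
                    System.out.println("received: " + ((TextMessage) message).getText());
                } else {
                    System.out.println("received non-text message: " + message.getJMSMessageID());
                }
            }
        } finally {
            ctx.close();
        }
    }
}
```

Run it with the WildFly 23 EJB/JMS client BOM on the classpath and WILDFLY_PASSWORD exported. If the broker still reports "Username: null", the credentials did not reach createConnection(); if it reports the right username but still AMQ229031, the messaging subsystem on the server is not pointed at the same Elytron security domain as the SASL factory, and the server log is the place to look.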