
Wildfly setup using ejb remote access and custom login module / applicationrealm is additionally called

When activating a custom login module for EJB remote authentication, the applicationrealm is additionally called for authentication. Unfortunately, I do not know why.

With the current implementation the user is logged in by the custom login module and logged in to the EJB. This is only successful as long as a user with the same username and the same password is registered in application-users.properties. If I change the user, the login does not work anymore. At this point I am not clear whether the authentication runs exclusively through application-users.properties (ApplicationRealm) or combined via application-users.properties and the custom login module, and why it authenticates with application-users.properties at all.

The goal is to authenticate EJB remote access completely by the custom login module.

Here is the setup:

EJB remote client properties:

props.put("java.naming.factory.initial", "org.jboss.naming.remote.client.InitialContextFactory");
props.put("java.naming.factory.url.pkgs", "org.jboss.ejb.client.naming");
props.put("jboss.naming.client.ejb.context", false);
props.put("org.jboss.ejb.client.scoped.context", true);
props.put("endpoint.name", "client-endpoint");
props.put("remote.connections", "default");
props.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", false);
props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", false);
props.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");

props.put("java.naming.provider.url", "http-remoting://127.0.0.1:8080");
props.put("remote.connection.default.host", "127.0.0.1");
props.put("remote.connection.default.port", "8080");
props.put("remote.connection.default.username", "username");
props.put("remote.connection.default.password", "password");

EJB URL:

ejb:/my-app/MyServiceImpl!com.some.MyServiceInterface  

standalone.xml configuration, based on the normal standalone.xml (not the full profile):

security-realm

<security-realm name="MyRealm">
    <authentication>
        <jaas name="com.some.MyCustomLoginModule"/>
    </authentication>
</security-realm>

security-domain

<security-domain name="MySecurityDomain" cache-type="default">
    <authentication>
        <login-module code="com.some.MyCustomLoginModule" flag="required" module="login.my">
            <module-option name="usersProperties" value="user.properties"/>
            <module-option name="rolesProperties" value="roles.properties"/>
        </login-module>
    </authentication>
</security-domain>

remoting subsystem

<subsystem xmlns="urn:jboss:domain:remoting:3.0">
    <endpoint/>
    <http-connector name="http-remoting-connector" connector-ref="default" security-realm="MyRealm"/>
</subsystem>

Implementation:

service impl

import javax.annotation.Resource;
import javax.annotation.security.DeclareRoles;
import javax.annotation.security.PermitAll;
import javax.ejb.EJBContext;
import javax.ejb.Stateless;
import org.jboss.ejb3.annotation.SecurityDomain;
import org.jboss.logging.Logger;

@Stateless
@SecurityDomain("MySecurityDomain")
@DeclareRoles("user")
public class MyServiceImpl implements MyService {

    private static final Logger logger = Logger.getLogger(MyServiceImpl.class);

    @Resource
    private EJBContext ejbContext;

    // Open to every authenticated caller; returns the principal the container established.
    @PermitAll
    public String getPrincipalName() {
        logger.info("Principal: " + ejbContext.getCallerPrincipal().getName());
        return ejbContext.getCallerPrincipal().getName();
    }
}

service interface

import javax.ejb.Remote;

@Remote
public interface MyService {
    String getPrincipalName();
}

custom login module

import java.security.Principal;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.jboss.logging.Logger;
import org.jboss.security.auth.spi.UsersRolesLoginModule;

public class CustomLoginModule extends UsersRolesLoginModule {

    // CustomPrincipal is the author's own Principal implementation; it is not shown in the question.
    private CustomPrincipal principal;

    private static final Logger logger = Logger.getLogger(CustomLoginModule.class);

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        logger.info("init module from main class");
        super.initialize(subject, callbackHandler, sharedState, options);
    }

    @Override
    public boolean login() throws LoginException {
        logger.info("Calling login()");
        logger.info("User before: " + getUsername());

        // Delegates to UsersRolesLoginModule, which checks the user against usersProperties.
        boolean login = super.login();

        logger.info("User: " + getUsername());
        // Writes the stored password to the server log in clear text; debugging only.
        logger.info("Password: " + getUsersPassword());

        if (login) {
            principal = new CustomPrincipal(getUsername(), "An user description!");
        }
        return login;
    }

    // Hand the container our principal instead of the default SimplePrincipal once login succeeded.
    @Override
    protected Principal getIdentity() {
        return principal != null ? principal : super.getIdentity();
    }
}

The server-client product I work on also handles the login process completely in the back end through EJB, where the usernames and passwords are verified. Wildfly only serves our server and we don't use Wildfly's Management console, so we don't use Wildfly's application-users.

We simply set up the ApplicationRealm like this:

<security-realm name="MyRealm">
    <authentication>
        <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
    </authentication>
</security-realm>

jboss-ejb-client.properties:

remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port=8080
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS=false
remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED=false

and the login process is handled only through our EJBs.

NOTE: This might not be the solution for everyone with a similar setup. The nature of our product allows us to do this; we have a certificate in place, and all of this runs only internally, behind our customers' networks and firewalls.

I found my mistake.

The realm was configured wrong:

<jaas name="com.some.MyCustomLoginModule"/>

instead of

<jaas name="MySecurityDomain"/>

I configured the class of the login module instead of the logical name of the security domain. Instead of throwing an error, JBoss does a fallback authentication. mmmhh ...
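The misconfiguration above is silent, so it is worth checking for in a deployment pipeline. The following is an added example, not code from the question or the answers: it parses a standalone.xml and reports every `<jaas name="..."/>` inside a security-realm that does not refer to an existing `<security-domain name="...">`, flagging dotted values that look like a class name (the exact mistake here). The XML fragment is constructed to mirror the question's configuration.

```python
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment reproducing the question's mistake:
# the <jaas> element names the login-module class, not the security-domain.
BROKEN_CONFIG = """<server>
  <management>
    <security-realms>
      <security-realm name="MyRealm">
        <authentication>
          <jaas name="com.some.MyCustomLoginModule"/>
        </authentication>
      </security-realm>
    </security-realms>
  </management>
  <profile>
    <subsystem xmlns="urn:jboss:domain:security:1.2">
      <security-domains>
        <security-domain name="MySecurityDomain" cache-type="default">
          <authentication>
            <login-module code="com.some.MyCustomLoginModule" flag="required" module="login.my"/>
          </authentication>
        </security-domain>
      </security-domains>
    </subsystem>
  </profile>
</server>
"""

FIXED_CONFIG = BROKEN_CONFIG.replace('<jaas name="com.some.MyCustomLoginModule"/>',
                                     '<jaas name="MySecurityDomain"/>')


def local_name(tag):
    """Strip the XML namespace so elements match regardless of subsystem schema version."""
    return tag.rsplit("}", 1)[-1]


def find_all(root, name):
    return [el for el in root.iter() if local_name(el.tag) == name]


def check_jaas_realm_references(xml_text):
    """Return one finding per <jaas> reference that names no configured security-domain."""
    root = ET.fromstring(xml_text)
    domains = {d.get("name") for d in find_all(root, "security-domain")}
    findings = []
    for realm in find_all(root, "security-realm"):
        for jaas in find_all(realm, "jaas"):
            ref = jaas.get("name", "")
            if ref not in domains:
                hint = " (looks like a class name, not a security-domain name)" if "." in ref else ""
                findings.append(f"security-realm '{realm.get('name')}': <jaas name=\"{ref}\"/> "
                                f"matches no security-domain{hint}")
    return findings
```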
