Configuring security to access EJB through WS -- WFLYEJB0364 Connection rejected - wildfly
I have followed this tutorial to configure a user ejbuser with password 12345678 and role appCitas. The instructions that I followed are:
C:\wildfly-14.0.1.Final\bin>jboss-cli.bat
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add(path=proxy-realm-users,relative-to=jboss.server.config.dir)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add-identity(identity=ejbuser)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:set-password(identity=ejbuser,clear={password=12345678})
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/filesystem-realm=proxyRealm:add-identity-attribute(identity=ejbuser,name=Roles,value=["guest", "appCitas"])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/simple-role-decoder=from-roles-attribute:add(attribute=Roles)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/security-domain=proxySD:add(default-realm=proxyRealm,permission-mapper=default-permission-mapper,realms=[{realm=proxyRealm,role-decoder=from-roles-attribute},{realm=local}])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/sasl-authentication-factory=proxy-application-sasl-autentication:add(mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=DIGEST-MD5,mechanism-realm-configurations=[{realm-name=proxyRealm}]},{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}],sasl-server-factory=configured,security-domain=proxySD)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=other:add(security-domain=proxySD)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=remoting/http-connector=http-remoting-connector:write-attribute(name=sasl-authentication-factory,value=proxy-application-sasl-autentication)
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
In my EJB, I have
@WebService(
        endpointInterface = "es.ssib.otic.test.prototipoEjbCitas.ApiCitasPublico",
        name = "ApiCitasEjb")
@RolesAllowed("apiCitas")
@Stateless
public class ApiCitasPublicoImpl
        implements ApiCitasPublico {

    @Override
    public @XmlElement(name = "pacienteCitaResponse", required = true) PacienteCitaResponse getPacienteCita(
            @WebParam(name = "datosSolicitante") @XmlElement(required = true) IdPeticion idPaciente) {
        ...
    }
}
And my jboss-app.xml is
<?xml version="1.0" encoding="UTF-8"?>
<jboss-app>
    <security-domain>other</security-domain>
</jboss-app>
The ear deploys correctly and does not show any problem in the log, yet when I try to access a method from SoapUI, adding Basic Authentication with:
username: ejbuser
password: 12345678
Domain: I have tried with other, proxySD, proxyRealm and leaving it blank
Pre-emptive auth: I have combined all of the above values of "Domain" with both "Use-global-preference" and "Authenticate pre-emptively".
In all cases, I get a
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
    <soap:Body>
        <soap:Fault>
            <faultcode>soap:Server</faultcode>
            <faultstring>WFLYEJB0364: Invocation on method: public es.ssib.otic.test.prototipoEjbCitas.beans.PacienteCitaResponse es.ssib.otic.test.prototipoEjbCitas.impl.ApiCitasPublicoImpl.getPacienteCita(es.ssib.otic.test.prototipoEjbCitas.beans.IdPeticion) of bean: ApiCitasPublicoImpl is not allowed</faultstring>
        </soap:Fault>
    </soap:Body>
</soap:Envelope>
If I remove the security configuration, I can access through SoapUI with no problems.
Working with WildFly 14.0.0.1 Final.
Note: This question is somewhat related to my previous one, but since I have reinstalled WildFly and followed the above-mentioned tutorial step by step, I think it is better to post it as a separate question.
Update
Following the lead of @fjuma's answer, I have configured the following:
[standalone@localhost:9990 /] /subsystem=elytron/http-authentication-factory=proxy-application-http-authentication:add(http-server-mechanism-factory=global,security-domain=proxySD,mechanism-configurations=[{mechanism-name=BASIC,mechanims-realm-configuration=[{realm-name=proxyAD}]}])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=proxyAD:add(http-authentication-factory=proxy-application-http-authentication)
{"outcome" => "success"}
and changed the value of security-domain in jboss-app.xml to proxyAD. Now I get an error deploying the ear:
{
    "WFLYCTL0412: Required services that are not installed:" => ["jboss.security.security-domain.proxyAD"],
    "WFLYCTL0180: Services with missing/unavailable dependencies" => [
        "jboss.deployment.subunit.\"prototipoEarCitas-0.0.1-SNAPSHOT.ear\".\"prototipoEjbCitas-0.0.1-SNAPSHOT.jar\".component.ApiCitasPublicoImpl.CREATE is missing [jboss.security.security-domain.proxyAD]",
        "jboss.ws.endpoint.\"prototipoEarCitas-0.0.1-SNAPSHOT.ear\".\"prototipoEjbCitas-0.0.1-SNAPSHOT.jar\".ApiCitasPublicoImpl is missing [jboss.security.security-domain.proxyAD]"
    ]
}
A couple of things to note:
To make use of HTTP Basic authentication, an Elytron http-authentication-factory is needed. Documentation on how to configure this can be found here.
When using HTTP Basic authentication, an application-security-domain mapping also needs to be added in the Undertow subsystem. See https://developer.jboss.org/thread/276445 for more details related to this when using webservices.
Update by the OP:
This is the final minimal set of commands to configure EJB access through WS (tested on a clean, brand new WildFly 14.0.1.Final):
C:\wildfly-14.0.1.Final\bin>jboss-cli.bat
You are disconnected at the moment. Type 'connect' to connect to the server or 'help' for the list of supported commands.
[disconnected /] connect
[standalone@localhost:9990 /] /subsystem=elytron/properties-realm=proxyRealm:add(groups-attribute=groups,groups-properties={path=proxy-roles.properties,relative-to=jboss.server.config.dir},users-properties={path=proxy-users.properties,relative-to=jboss.server.config.dir,plain-text=true})
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/security-domain=proxySD:add(realms=[{realm=proxyRealm,role-decoder=groups-to-roles}],default-realm=proxyRealm,permission-mapper=default-permission-mapper)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/http-authentication-factory=proxy-http-auth:add(http-server-mechanism-factory=global,security-domain=proxySD,mechanism-configurations=[{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}])
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=undertow/application-security-domain=proxySD:add(http-authentication-factory=proxy-http-auth)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=elytron/sasl-authentication-factory=proxy-app-sasl-auth:add(mechanism-configurations=[{mechanism-name=JBOSS-LOCAL-USER,realm-mapper=local},{mechanism-name=BASIC,mechanism-realm-configurations=[{realm-name=proxyRealm}]}],sasl-server-factory=configured,security-domain=proxySD)
{"outcome" => "success"}
[standalone@localhost:9990 /] /subsystem=ejb3/application-security-domain=proxySD:add(security-domain=proxySD)
{"outcome" => "success"}
Notes:
As you may have noticed, I switched from a filesystem realm to a properties realm. This is not related to the issue; it just made it easier to debug.
Elytron's security domain (defined at the 3rd command), Undertow's application security domain (defined at the 4th command) and EJB3's application-security-domain (defined at the 6th command) all have the same name, proxySD. That the name is the same in all three subsystems is important, and bad things can happen if they have different names (I have not tried out all the combinations).
WS based on EJBs must be invoked with "authenticate pre-emptively", sending the authentication data in the first request without being prompted by the server. WS based on POJOs in a WAR use the authentication system for web pages, so there is no need to authenticate pre-emptively.
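As an added example (not code from the thread or from WildFly itself), a Python check that reads a standalone.xml and, for the name a jboss-app.xml references, reports which of the Undertow and EJB3 application-security-domain mappings are missing and which Elytron security-domain each existing mapping resolves to. The XML fragment is constructed for the example, and the schema versions in its subsystem namespaces are assumed.

```python
import xml.etree.ElementTree as ET
# Constructed standalone.xml fragment (not the OP's file): the schema versions in the
# namespaces are assumed; the domain and factory names are those used in the thread.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:8.0"><profile>
 <subsystem xmlns="urn:wildfly:elytron:4.0"><security-domains>
   <security-domain name="ApplicationDomain" default-realm="ApplicationRealm"/>
   <security-domain name="proxySD" default-realm="proxyRealm"/>
  </security-domains><http>
   <http-authentication-factory name="proxy-http-auth" security-domain="proxySD"/>
  </http></subsystem>
 <subsystem xmlns="urn:jboss:domain:undertow:7.0"><application-security-domains>
   <application-security-domain name="proxyAD" http-authentication-factory="proxy-http-auth"/>
  </application-security-domains></subsystem>
 <subsystem xmlns="urn:jboss:domain:ejb3:6.0"><application-security-domains>
   <application-security-domain name="other" security-domain="ApplicationDomain"/>
   <application-security-domain name="proxySD" security-domain="proxySD"/>
  </application-security-domains></subsystem>
</profile></server>"""


def _subsystems(root):
    """Map namespace family (version stripped) -> <subsystem> element."""
    out = {}
    for el in root.iter():
        if el.tag.endswith("}subsystem"):        # tag looks like {urn:wildfly:elytron:4.0}subsystem
            out[el.tag[1:].split("}")[0].rsplit(":", 1)[0]] = el
    return out

def _by_name(el, local):
    """name attribute -> element for every descendant with that local tag name."""
    return {c.get("name"): c for c in el.iter() if c.tag.endswith("}" + local)}

def check_security_domain(xml_text, app_domain):
    """Return (missing, resolved) for the name jboss-app.xml references: subsystems
    lacking an application-security-domain of that name, and the Elytron
    security-domain(s) the existing mappings reach (two entries means the sides disagree)."""
    sub = _subsystems(ET.fromstring(xml_text))
    elytron_sds = _by_name(sub["urn:wildfly:elytron"], "security-domain")
    factories = _by_name(sub["urn:wildfly:elytron"], "http-authentication-factory")
    undertow = _by_name(sub["urn:jboss:domain:undertow"], "application-security-domain")
    ejb3 = _by_name(sub["urn:jboss:domain:ejb3"], "application-security-domain")
    missing, resolved = [], set()
    if app_domain in undertow:   # web side: mapping -> http-authentication-factory -> domain
        factory = factories.get(undertow[app_domain].get("http-authentication-factory"))
        if factory is not None and factory.get("security-domain") in elytron_sds:
            resolved.add(factory.get("security-domain"))
    else:
        missing.append("undertow")   # the endpoint gets no BASIC handling at all
    if app_domain in ejb3:       # EJB side: mapping -> security-domain directly
        if ejb3[app_domain].get("security-domain") in elytron_sds:
            resolved.add(ejb3[app_domain].get("security-domain"))
    else:
        missing.append("ejb3")       # deployment fails with WFLYCTL0412, as seen above
    return missing, resolved
```

Run against the sample, "proxyAD" reproduces the OP's intermediate state (Undertow mapped, EJB3 mapping missing), while "proxySD" shows the opposite gap until the Undertow mapping is added.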
Related
Wildfly Management API: What is the URL to list server groups?
How to fetch server group details using the Wildfly Management API?
https://wildfly.prod.idntegrator.cosng.net/management?operation=attribute&name=server-group
{ "outcome" : "failed", "failure-description" : "WFLYCTL0201: Unknown attribute 'servergroup'", "rolled-back" : true }
I am not able to find much information here: https://docs.jboss.org/author/display/WFLY10/The%20HTTP%20management%20API.html
I tried from the JBoss CLI, but it has no attribute like servergroup; it has the /server-group=generic type notation, and I am not sure how to put that in a REST call.
As far as I know there is no way to read just the server groups from the HTTP Management API. The best you could do is something like:
http://localhost:9990/management/?operation=resource
This would include an array of the server groups.
"server-group": {
    "main-server-group": null,
    "other-server-group": null
}
From the CLI, however, you can use the read-children-names operation.
/:read-children-names(child-type=server-group)
Example output:
[domain@localhost:9990 /] /:read-children-names(child-type=server-group)
{
    "outcome" => "success",
    "result" => [
        "main-server-group",
        "other-server-group"
    ]
}
WildFly/JBoss Datasource definition for Derby fails
I'm hoping this is just a stupid question, but after googling around and browsing the WildFly docs, I can't seem to link things up. I have an EJB application which has been working since forever, but with JPA backed by the H2 database. The entity database has grown so large that the H2 implementation now has extreme performance problems and I need to migrate to a Derby backstore. The problem is that the H2 DS is sort of "baked into" WF as ExampleDS, but Derby is not, and I can't seem to get Derby defined as a datasource.
My first try was to define it with a module.xml, but I wasn't having much luck, so as I don't need domain, I opted to just drop derbyclient.jar into standalone/deployments, which seemed to work fine. With the client JAR deployed, my attempt to define the DVDDerbyDS datasource gets this:
[jboss@ftgme2 ~/wildfly-23.0.0.Final/bin]$ ./jboss-cli.sh -c
[standalone@localhost:9990 /] /subsystem=datasources/data-source=DVDDerbyDS:add( \
> jndi-name=java:jboss/datasources/DVDDerbyDS,\
> driver-name=derbyclient,\
> connection-url=jdbc:derby://localhost:1527/DVD\
> )
{
    "outcome" => "failed",
    "failure-description" => {
        "WFLYCTL0412: Required services that are not installed:" => ["jboss.jdbc-driver.derbyclient"],
        "WFLYCTL0180: Services with missing/unavailable dependencies" => [
            "org.wildfly.data-source.DVDDerbyDS is missing [jboss.jdbc-driver.derbyclient]",
            "jboss.driver-demander.java:jboss/datasources/DVDDerbyDS is missing [jboss.jdbc-driver.derbyclient]"
        ]
    },
    "rolled-back" => true
}
I'm guessing that this is a simple case of two operands that need to match not matching, probably the derbyclient info. But deploying derbyclient gives no hint of how to reference it, and every permutation I've tried has failed. Any ideas? In the management console deployments, derbyclient.jar appears as deployed and enabled and is referred to only as derbyclient.jar.
Modifying the CLI above still fails:
[standalone@localhost:9990 /] /subsystem=datasources/data-source=DVDDerbyDS:add( jndi-name=java:jboss/datasources/DVDDerbyDS, driver-name=derbyclient.jar, connection-url=jdbc:derby://localhost:1527/DVD)
{
    "outcome" => "failed",
    "failure-description" => {
        "WFLYCTL0412: Required services that are not installed:" => ["jboss.jdbc-driver.derbyclient_jar"],
        "WFLYCTL0180: Services with missing/unavailable dependencies" => [
            "org.wildfly.data-source.DVDDerbyDS is missing [jboss.jdbc-driver.derbyclient_jar]",
            "jboss.driver-demander.java:jboss/datasources/DVDDerbyDS is missing [jboss.jdbc-driver.derbyclient_jar]"
        ]
    },
    "rolled-back" => true
}
The same using derbyclient_jar.
[standalone@localhost:9990 /] /subsystem=datasources:installed-drivers-list
{
    "outcome" => "success",
    "result" => [{
        "driver-name" => "h2",
        "deployment-name" => undefined,
        "driver-module-name" => "com.h2database.h2",
        "module-slot" => "main",
        "driver-datasource-class-name" => "",
        "driver-xa-datasource-class-name" => "org.h2.jdbcx.JdbcDataSource",
        "datasource-class-info" => [{"org.h2.jdbcx.JdbcDataSource" => {
            "URL" => "java.lang.String",
            "description" => "java.lang.String",
            "loginTimeout" => "int",
            "password" => "java.lang.String",
            "url" => "java.lang.String",
            "user" => "java.lang.String"
        }}],
        "driver-class-name" => "org.h2.Driver",
        "driver-major-version" => 1,
        "driver-minor-version" => 4,
        "jdbc-compliant" => true
    }]
}
[standalone@localhost:9990 /]
but
[jboss@ftgme2 ~/wildfly-23.0.0.Final/standalone/deployments]$ cat derbyclient.jar.deployed
derbyclient.jar
[standalone@localhost:9990 /] /deployment=derbyclient.jar:browse-content(path=META-INF/services/)
{
    "outcome" => "success",
    "result" => [{
        "path" => "java.sql.Driver",
        "directory" => false,
        "file-size" => 47L
    }]
}
It looks like the derbyclient.jar does not contain everything you need. It worked for me with the following. First you need to install the driver as a module:
# Set the path to Derby and add a module for the driver
set DERBY_HOME=/path/to/db-derby-10.15.2.0-bin
module add --name=org.apache.derby --resources=$DERBY_HOME/lib/derbyclient.jar,$DERBY_HOME/lib/derbytools.jar,$DERBY_HOME/lib/derbyshared.jar --dependencies=javax.api,javax.transaction.api --resource-delimiter=,
# Add the JDBC driver
/subsystem=datasources/jdbc-driver=derby:add(driver-module-name=org.apache.derby, driver-name=derby, driver-class-name=org.apache.derby.jdbc.ClientDriver)
Then you can add your data source:
/subsystem=datasources/data-source=DVDDerbyDS:add(jndi-name=java:jboss/datasources/DVDDerbyDS, driver-name=derby, connection-url=jdbc:derby://localhost:1527/DVD)
How to solve the connecting between logstash to aws postgres issue?
I've a Postgres database on RDS and I need to query it using Logstash through the JDBC input. I tried most of the solutions, such as adding useSSL=false, etc., but it seems there is an issue. Still, the logs are not very informative ('maybe bad JDBC string'):
Error: Sequel::DatabaseError: driver.new.connect returned nil: probably bad JDBC connection string
Exception: Sequel::DatabaseConnectionError
Stack:
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/adapters/jdbc.rb:228:in `connect'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/connection_pool.rb:122:in `make_new'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/connection_pool/threaded.rb:209:in `assign_connection'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/connection_pool/threaded.rb:139:in `acquire'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/connection_pool/threaded.rb:91:in `hold'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/database/connecting.rb:270:in `synchronize'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/database/connecting.rb:279:in `test_connection'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/database/connecting.rb:58:in `connect'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/sequel-5.35.0/lib/sequel/core.rb:125:in `connect'
/usr/share/logstash/vendor/bundle/jruby/2.5.0/gems/logstash-integration-jdbc-5.0.6/lib/logstash/plugin_mixins/jdbc/jdbc.rb:114:in `block in jdbc_connect'
and here is the .conf file which I use to connect:
input {
  jdbc {
    jdbc_connection_string => "jdbc:psql://domain.xxxxxx.us-east-1.rds.amazonaws.com:5432/dbtest?useSSL=true"
    jdbc_user => "USERNAME"
    jdbc_password => "PASSWORD"
    jdbc_driver_library => "path/to/postgresql-42.2.16.jar"
    jdbc_driver_class => "org.postgresql.Driver"
    statement => "SELECT * from dbtableX"
  }
}
output {
  stdout { codec => json_lines }
}
jboss cli command to get datasource connection pool details in json format
Using the JBoss CLI to get connection pool details gives output like this:
{
    "outcome" => "success",
    "result" => {
        "ActiveCount" => 1,
        "AvailableCount" => 20L
    }
}
Is there a way to get the same in JSON format?
You could use the --output-json argument. Something like:
$JBOSS_HOME/bin/jboss-cli.sh -c --output-json "/subsystem=datasources/data-source=ExampleDS/statistics=pool:read-resource(include-runtime=true)"
Jboss-cli: JBAS014653 ("Expected [OBJECT] but was LIST") when trying to add datasource
I tried inserting a new XA-Datasource in Wildfly 8.1:
/opt/wildfly/bin/jboss-cli.sh --connect --controller=192.168.1.220:9990
[standalone@192.168.1.220:9990 /] xa-data-source add --name=myName --jndi-name=java:jboss/datasources/myDS --driver-name=postgresql --user-name=myUser --password=myPass --use-java-context=true --use-ccm=true --min-pool-size=10 --max-pool-size=100 --transaction-isolation=TRANSACTION_READ_COMMITTED --pool-prefill=true --allocation-retry=1 --prepared-statements-cache-size=32 --share-prepared-statements=true --xa-datasource-class=org.postgresql.xa.PGXADataSource --xa-datasource-properties=[{ServerName=192.168.1.220},{PortNumber=5432},{DatabaseName=postgres}] --valid-connection-checker-class-name=org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLValidConnectionChecker --exception-sorter-properties=org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter
But I received this error:
{"JBAS014653: Composite operation failed and was rolled back. Steps that failed:" => {"Operation step-1" => "JBAS014688: Wrong type for exception-sorter-properties. Expected [OBJECT] but was LIST"}}
In the Web interface the value for Exception Sorter is a simple string. I tried many value types.
Use --exception-sorter-class-name=org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter instead of --exception-sorter-properties=org.jboss.jca.adapters.jdbc.extensions.postgres.PostgreSQLExceptionSorter.