Invoke EJB from WildFly safely

7
votes

I'm trying to re-write my old application in enterprise, "business" way.
So, I've got a Swing client with login module and my own server created from scratch. The client use ssl certificate to encrypt TCP connection to the server (I check client certificate on server and server certificate on client) and then server use database to authenticate and authorize the user.

Now I'm trying to get it working with ejb hosted by WildFly 8 CR1. I want to use the same client-server keys pair to connect Swing client to WildFly server and then authenticate user with name and credentials stored in MySQL datasource. I have also roles stored in database and I want to use them to configure client principals.

I have simple, basic EJB invocation: 

Context ctx = new InitialContext();
MyBeanRemote bean = (MyBeanRemote)ctx.lookup("AppName/module-0.0.1-SNAPSHOT/MyBean!my.app.MyBeanRemote");
ResultType result = bean.doSomething();

I have jndi.properties file 

java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory
java.naming.provider.url=http-remoting://myServer:8080
jboss.naming.client.ejb.context=true
java.naming.security.principal=app-user-name
java.naming.security.credentials=password@123

And I have basic datasource configuration 

<datasource jta="false" jndi-name="java:jboss/datasources/MyDB" pool-name="MyDB" enabled="true" use-ccm="false">
<connection-url>jdbc:mysql://localhost:3306/Mydb</connection-url>
<driver-class>com.mysql.jdbc.Driver</driver-class>
<driver>mysql-connector-java-5.1.28-bin.jar</driver>
<security>
  <user-name>mysqlUser</user-name>
  <password>mysqlPass</password>
</security>
<validation>
  <validate-on-match>false</validate-on-match>
  <background-validation>false</background-validation>
</validation>
<statement>
  <share-prepared-statements>false</share-prepared-statements>
</statement>
</datasource>

Everything above works fine.

I have read some guides but still haven't find the one describes how to use composite of: EJB (not web) + WildFly 8 (not JBoss 7) + encryption by SSL + authenticate and authorization via datasource with login client module

Any help will be appreciated.

Sorry for my english, I often use this language for reading, not writing:)

1
javasslejbwildfly

1 Answers

2
votes

You would neet to create a security realm mapped to your remoting connector in the standalone.xml file, like such:

<management>  
   <security-realms>  
    <security-realm name="MyRealm">  
      <authentication>  
        <jaas name="my-domain"/>  
      </authentication>  
    </security-realm>  
</management>  

<subsystem xmlns="urn:jboss:domain:remoting:1.1">
  <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
</subsystem>

Then you should enable the security domain with a proper LoginModule (a built-in one, or a your own):

<security-domains>
    <security-domain name="my-domain" cache-type="default">
        <authentication>
            <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                <module-option name="dsJndiName" value="java:jboss/datasources/serviceDS"/>
                <module-option name="principalsQuery" value="SELECT identificationCode FROM devices WHERE name=?"/>
                <module-option name="rolesQuery" value="SELECT 'device', 'Roles' FROM devices WHERE name=?"/>
            </login-module>
        </authentication>
    </security-domain>
</security-realms>

Of course the datasource should point to a database in which the queries would find proper principals (users) and their roles. Be sure to check out two articles about remoting: https://docs.jboss.org/author/display/AS71/Remote+EJB+invocations+via+JNDI+-+EJB+client+API+or+remote-naming+project and https://docs.jboss.org/author/display/AS71/EJB+invocations+from+a+remote+client+using+JNDI. It seems like you are using the "old" remoting - the client login module is no longer supported from JBoss 7. The bottom line is that your ejb remoting config should look more like (notice the local users which are disallowed!):

remote.connections=default
remote.connection.default.host=localhost
remote.connection.default.port=8080
remote.connection.default.username=userName
remote.connection.default.password=password
remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS=JBOSS-LOCAL-USER
remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT=false

Be sure to check out https://github.com/wildfly/quickstart/tree/master/ejb-remote

Finally, remember to add your security domain mapping in your jboss-ejb3.xml:

<jboss:ejb-jar>
  <assembly-descriptor>  
    <s:security>     
      <ejb-name>*</ejb-name>    
      <s:security-domain>my-domain</s:security-domain>       
    </s:security>  
   </assembly-descriptor>
</jboss:ejb-jar