0 votes

I have a security-realm at the level of the http-connector (ApplicationRealm) and I have another security-realm for my remote-outbound-connection which is MyRealm. When I set up the jboss-ejb-client properties, I set those two following properties:

remote.connection.default.username=${username}
remote.connection.default.password=${password}

that helps me authenticate the ApplicationRealm with the remoting server. The issue I am having is that when I am on the remote server there is no way to go through the security-realm: MyRealm because the principal is not shared between servers and I don't have or know a way to send the needed information to authenticate the user on the other server since the username and password I am getting from the JBossCallbackHandler are actually the credential used for the ApplicationRealm and not the one I need to validate my second realm.

I have tried to remove security-realm="ApplicationRealm" but it fails since it requires an authentication mechanism.

Is there a way to send information to the remote server other than the username/password, for example the principal to validate MyRealm? Is there a way to deactivate the ApplicationRealm, replace it or just remove it?

    <subsystem xmlns="urn:jboss:domain:remoting:2.0">
        <endpoint worker="default"/>
        <http-connector name="http-remoting-connector" connector-ref="default" security-realm="ApplicationRealm"/>
        <outbound-connections>
            <remote-outbound-connection name="remote-ejb-connection" outbound-socket-binding-ref="remote-ejb" username="ejb" security-realm="MyRealm" protocol="http-remoting">
                <properties>
                    <property name="SASL_POLICY_NOANONYMOUS" value="true"/>
                    <property name="SSL_ENABLED" value="false"/>
                    <property name="SASL_POLICY_NOPLAINTEXT" value="false"/>
                </properties>
            </remote-outbound-connection>
        </outbound-connections>
    </subsystem>

Thank You!

1 Answer

0 votes

The situation described here is one of the primary motivations for the current security work being undertaken in WildFly - security propagation from server to server is something we are actively working to achieve.

http://darranl.blogspot.co.uk/2015/07/upcomming-wildfly-security-changes.html

In the meantime the following quickstart demonstrates one approach that can be taken using interceptors to propagate an identity from one server to another: -

https://github.com/wildfly/quickstart/tree/9.x/ejb-security-interceptors

Essentially the second server has authenticated the first server so this quickstart shows how the second server can trust the first server when the first server asks that a request is executed on behalf of another user.
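The following listing is an added illustration of that trust relationship, not code from the question or from the quickstart. It shows the shape of the interceptor approach: the calling server puts the end user's name into the EJB invocation context data, and the receiving server only honours that name after confirming that the account the connection authenticated with (the `username="ejb"` account from the question's remote-outbound-connection, validated against ApplicationRealm) is on an allow-list and holds a delegation role. Unlike the quickstart, which switches the container's security context, this version simply exposes the validated delegated user to the bean through the context data, so it uses only the standard EJB/interceptor APIs plus `org.jboss.ejb.client.EJBClientInterceptor`. The context-data keys, the role name "delegation", the allow-list and the registration call are assumptions made for the example.

```java
// Added example, not from the question or the quickstart. Assumptions: the jboss-ejb-client
// interceptor API, the standard EJB 3.1 interceptor/SessionContext APIs, and the constructed
// key names, role name and allow-list below. All classes are package-private so the listing
// compiles as a single file.
package example;

import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.Set;
import javax.annotation.Resource;
import javax.ejb.EJBAccessException;
import javax.ejb.SessionContext;
import javax.ejb.Stateless;
import javax.interceptor.AroundInvoke;
import javax.interceptor.Interceptors;
import javax.interceptor.InvocationContext;
import org.jboss.ejb.client.EJBClientInterceptor;
import org.jboss.ejb.client.EJBClientInvocationContext;

/** Context-data keys carried alongside the remote EJB call (constructed names). */
final class Delegation {
    static final String DELEGATED_USER_KEY = "delegated-user";           // written by the calling server
    static final String VALIDATED_USER_KEY = "validated-delegated-user"; // written only after the trust check
    private Delegation() {}
}

/**
 * Calling server side. Registered once per client context, e.g.
 * EJBClientContext.getCurrent().registerInterceptor(0, new ClientDelegationInterceptor(user))
 * (registration call is an assumption; adapt to how interceptors are wired in your version).
 */
class ClientDelegationInterceptor implements EJBClientInterceptor {
    private final Principal currentCaller; // the user who authenticated against MyRealm on this server

    ClientDelegationInterceptor(Principal currentCaller) {
        this.currentCaller = currentCaller;
    }

    @Override
    public void handleInvocation(EJBClientInvocationContext context) throws Exception {
        // The connection itself authenticates as the server account ("ejb" in the question's
        // configuration, against ApplicationRealm). Only the end user's NAME is propagated;
        // the password for MyRealm never leaves this server.
        context.getContextData().put(Delegation.DELEGATED_USER_KEY, currentCaller.getName());
        context.sendRequest();
    }

    @Override
    public Object handleInvocationResult(EJBClientInvocationContext context) throws Exception {
        return context.getResult();
    }
}

/** Receiving server side: bound to target beans with @Interceptors(ServerDelegationInterceptor.class). */
class ServerDelegationInterceptor {
    // Constructed allow-list: connection accounts that may act on behalf of another user.
    private static final Set<String> TRUSTED_SERVER_ACCOUNTS = Collections.singleton("ejb");
    private static final String DELEGATION_ROLE = "delegation"; // constructed role name

    @Resource
    private SessionContext sessionContext;

    @AroundInvoke
    public Object checkDelegation(InvocationContext ctx) throws Exception {
        Map<String, Object> data = ctx.getContextData();
        Object requested = data.get(Delegation.DELEGATED_USER_KEY);
        if (requested == null) {
            return ctx.proceed(); // ordinary call, nothing to validate
        }
        // The requested name is untrusted input. It is only honoured when the identity the
        // connection actually authenticated as is a known server account with the delegation role.
        Principal connectionUser = sessionContext.getCallerPrincipal();
        boolean trusted = TRUSTED_SERVER_ACCOUNTS.contains(connectionUser.getName())
                && sessionContext.isCallerInRole(DELEGATION_ROLE);
        if (!trusted) {
            throw new EJBAccessException("Caller '" + connectionUser.getName()
                    + "' is not permitted to act on behalf of '" + requested + "'");
        }
        data.put(Delegation.VALIDATED_USER_KEY, String.valueOf(requested));
        try {
            return ctx.proceed();
        } finally {
            data.remove(Delegation.VALIDATED_USER_KEY); // never leak the validated name to a later call
        }
    }
}

/** Target bean on the receiving server: reads only the VALIDATED key, never the raw requested one. */
@Stateless
@Interceptors(ServerDelegationInterceptor.class)
class OrderBean {
    @Resource
    private SessionContext sessionContext;

    public String effectiveUser() {
        Object delegated = sessionContext.getContextData().get(Delegation.VALIDATED_USER_KEY);
        return delegated != null ? delegated.toString() : sessionContext.getCallerPrincipal().getName();
    }
}
```

The point the receiving interceptor makes is that the propagated name is never used as an identity on its own: a client that can open a connection with some other ApplicationRealm account but is not on the allow-list, or lacks the delegation role, gets an `EJBAccessException` rather than being treated as the user it named.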