  1. JBoss Enterprise Application Platform
  2. JBEAP-16149

[GSS](7.2.z) JBREM000308: Authentication failed (no mechanisms left) when EJB invocations across servers done with programmatic auth

    Details

    • Target Release:
    • Steps to Reproduce:

      Take EAP 7.2, then run:

      unzip -d $JBOSS_HOME/ eap72-reproducer-overlay.zip
      ./start1.sh
      ./start2.sh
      ./test.sh
      ------
      To run the 2nd reproducer, jbeap-13963-reproducer.jar, set up eap72-reproducer-overlay.zip and then deploy the 2nd reproducer:
      Deploy jbeap-13963-reproducer.jar to standalone and standalone2 from eap72-reproducer-overlay.zip, then run:

      java -cp ./jbeap-13963-reproducer.jar:$JBOSS_HOME/bin/client/jboss-client.jar:$JBOSS_HOME/bin/client/jboss-cli-client.jar client.Client

    • Workaround Description:

      Create a user on the target server, for example with username 'txn-user' and password 'txn-user-pa$$w0rd'. Then add an authentication-client to the elytron subsystem of the JBoss instance, using these CLI commands:

      ./bin/add-user.sh -a -u txn-user -p 'txn-user-pa$$w0rd'
      
      /subsystem=elytron/authentication-configuration=ejb-auth:add(authentication-name="txn-user", credential-reference={clear-text="txn-user-pa$$w0rd"})
      /subsystem=elytron/authentication-context=default:add(match-rules=[{authentication-configuration=ejb-auth}])
      /subsystem=elytron:write-attribute(name=default-authentication-context,value=default)
      

      This would result in an elytron configuration like this:

              ...
              <subsystem xmlns="urn:wildfly:elytron:1.2" default-authentication-context="default" final-providers="combined-providers" disallowed-providers="OracleUcrypto">
                  <authentication-client>
                      <authentication-configuration name="ejb-auth" authentication-name="txn-user">
                          <credential-reference clear-text="txn-user-pa$$w0rd"/>
                      </authentication-configuration>
                      <authentication-context name="default">
                          <match-rule authentication-configuration="ejb-auth"/>
                      </authentication-context>
                  </authentication-client>
                  ...
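As an added check (not part of the original issue or of JBoss EAP): the workaround above leaves the password readable in the server configuration, so this Python example lists every elytron authentication-configuration that still carries a clear-text credential-reference. The sample XML is constructed from the fragment above; the `<server>`/`<profile>` wrapper, the `other-auth` entry and the `example-store` name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the elytron fragment from the workaround, wrapped in a
# minimal root so it parses on its own. "other-auth" and "example-store" are
# hypothetical and show a credential-store reference for contrast.
SAMPLE_CONFIG = """\
<server>
  <profile>
    <subsystem xmlns="urn:wildfly:elytron:1.2" default-authentication-context="default">
      <authentication-client>
        <authentication-configuration name="ejb-auth" authentication-name="txn-user">
          <credential-reference clear-text="txn-user-pa$$w0rd"/>
        </authentication-configuration>
        <authentication-configuration name="other-auth" authentication-name="svc">
          <credential-reference store="example-store" alias="svc"/>
        </authentication-configuration>
        <authentication-context name="default">
          <match-rule authentication-configuration="ejb-auth"/>
        </authentication-context>
      </authentication-client>
    </subsystem>
  </profile>
</server>
"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_clear_text_credentials(xml_text):
    """Return (configuration name, authentication-name) for every elytron
    authentication-configuration whose credential-reference is clear-text."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # Match any elytron schema version, not only 1.2.
        if not elem.tag.startswith("{urn:wildfly:elytron:"):
            continue
        if local(elem.tag) != "authentication-configuration":
            continue
        for child in elem:
            if local(child.tag) == "credential-reference" and "clear-text" in child.attrib:
                findings.append((elem.get("name"), elem.get("authentication-name")))
    return findings

if __name__ == "__main__":
    for name, user in find_clear_text_credentials(SAMPLE_CONFIG):
        # The password value itself is deliberately never printed.
        print(f"clear-text credential in authentication-configuration {name!r} (user {user!r})")
```
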
      
    • QE Test Coverage:
      ?

      Description

      standalone client -> EAP1 EJB1 -> EAP2 EJB2

      EAP1 fails when trying to finish the transaction with the error below, because it lost the authentication context. The EJB clients are using the WildFlyInitialContextFactory lookup approach.

      This issue is similar to JBEAP-15738, except that JBEAP-15738 was a server-to-server configuration via remote outbound connections configured in the JBoss profile instead of the WildFlyInitialContextFactory approach.

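      import java.util.Properties;
      import javax.naming.Context;
      import javax.naming.InitialContext;
      import javax.naming.NamingException;

      // Builds a JNDI context for a remote EAP server; credentials are passed
      // programmatically through the context properties when both are supplied.
      public static Context getInitialContext(String host, Integer port, String username, String password) throws NamingException {
         Properties props = new Properties();
         props.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
         props.put(Context.PROVIDER_URL, String.format("%s://%s:%d", "remote+http", host, port));
         if (username != null && password != null) {
            props.put(Context.SECURITY_PRINCIPAL, username);
            props.put(Context.SECURITY_CREDENTIALS, password);
         }
         return new InitialContext(props);
      }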
      
      Exception in thread "main" javax.ejb.EJBTransactionRolledbackException: javax.transaction.RollbackException: ARJUNA016053: Could not commit transaction.
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:114)
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:261)
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:362)
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:144)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
        at org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:81)
        at org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
        at org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
        at org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
      ...
      Caused by: javax.transaction.RollbackException: ARJUNA016053: Could not commit transaction.
        at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1300)
        at com.arjuna.ats.internal.jta.transaction.arjunacore.BaseTransaction.commit(BaseTransaction.java:126)
        at com.arjuna.ats.jbossatx.BaseTransactionManagerDelegate.commit(BaseTransactionManagerDelegate.java:89)
        at org.wildfly.transaction.client.LocalTransaction.commitAndDissociate(LocalTransaction.java:77)
        at org.wildfly.transaction.client.ContextTransactionManager.commit(ContextTransactionManager.java:71)
        at org.jboss.as.ejb3.tx.CMTTxInterceptor.endTransaction(CMTTxInterceptor.java:88)
        ... 41 more
      Caused by: org.wildfly.transaction.client.SynchronizationException: javax.transaction.xa.XAException: WFTXN0034: Failed to acquire a connection for this operation
        at org.wildfly.transaction.client.XAOutflowedResources$1.beforeCompletion(XAOutflowedResources.java:76)
        at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:236)
        at org.wildfly.transaction.client.AbstractTransaction.performConsumer(AbstractTransaction.java:247)
        at org.wildfly.transaction.client.AbstractTransaction$AssociatingSynchronization.beforeCompletion(AbstractTransaction.java:292)
        at com.arjuna.ats.internal.jta.resources.arjunacore.SynchronizationImple.beforeCompletion(SynchronizationImple.java:76)
        at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.beforeCompletion(TwoPhaseCoordinator.java:360)
        at com.arjuna.ats.arjuna.coordinator.TwoPhaseCoordinator.end(TwoPhaseCoordinator.java:91)
        at com.arjuna.ats.arjuna.AtomicAction.commit(AtomicAction.java:162)
        at com.arjuna.ats.internal.jta.transaction.arjunacore.TransactionImple.commitAndDisassociate(TransactionImple.java:1288)
        ... 46 more
      Caused by: javax.transaction.xa.XAException: WFTXN0034: Failed to acquire a connection for this operation
        at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentityXA(RemotingRemoteTransactionPeer.java:94)
        at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer$1.beforeCompletion(RemotingRemoteTransactionPeer.java:166)
        at org.wildfly.transaction.client.SubordinateXAResource.beforeCompletion(SubordinateXAResource.java:143)
        at org.wildfly.transaction.client.XAOutflowedResources$1.beforeCompletion(XAOutflowedResources.java:73)
        ... 54 more
      Caused by: org.wildfly.security.auth.AuthenticationException: JBREM000308: Authentication failed (no mechanisms left), tried: (none)
        at org.jboss.remoting3.ConnectionPeerIdentityContext.doAuthenticate(ConnectionPeerIdentityContext.java:368)
        at org.jboss.remoting3.ConnectionPeerIdentityContext.authenticate(ConnectionPeerIdentityContext.java:174)
        at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:506)
        at org.jboss.remoting3.EndpointImpl$3.handleDone(EndpointImpl.java:495)
        at org.xnio.IoFuture$HandlingNotifier.notify(IoFuture.java:208)
        at org.xnio.AbstractIoFuture$NotifierRunnable.run(AbstractIoFuture.java:720)
        at org.xnio.IoUtils$2.execute(IoUtils.java:71)
        at org.xnio.AbstractIoFuture.runNotifier(AbstractIoFuture.java:693)
        at org.xnio.AbstractIoFuture$CompleteState.withNotifier(AbstractIoFuture.java:132)
        at org.xnio.AbstractIoFuture.addNotifier(AbstractIoFuture.java:570)
        at org.jboss.remoting3.EndpointImpl.doGetConnection(EndpointImpl.java:495)
        at org.jboss.remoting3.EndpointImpl.getConnectedIdentity(EndpointImpl.java:434)
        at org.jboss.remoting3.UncloseableEndpoint.getConnectedIdentity(UncloseableEndpoint.java:52)
        at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentity(RemotingRemoteTransactionPeer.java:87)
        at org.wildfly.transaction.client.provider.remoting.RemotingRemoteTransactionPeer.getPeerIdentityXA(RemotingRemoteTransactionPeer.java:92)
        ... 57 more
      

                People

                • Assignee:
                  dlofthouse Darran Lofthouse
                  Reporter:
                  bmaxwell Brad Maxwell