I am trying to reproduce the scenario (in jboss-EAP-7.3 [wildfly-18]) as shown in the figure (ejb-calls.png). I can successfully do this when using the remote+http protocol, but it fails when trying to use only http. The issue is that server1 doesn't send any authentication information to server2, so the call gets rejected and I see this log in server1:
java.lang.SecurityException: WFHTTP000008: Authentication failed
and the following log in server2:
09:31:28,197 DEBUG [io.undertow.request.security] (default I/O-2) Setting authentication required for exchange HttpServerExchange{ POST /wildfly-services/ejb/v1/invoke/poc-ear2/remote-ejb2/-/Level2Ejb/-/com.poc.remote.ejb.level2.api.PodNameReturner/returnPodName}
Here are the configurations done on server1:
$server-1/bin/add-user.sh -a -u 'quickstartUser' -p 'quickstartPwd1!' -g 'guest'
then execute the following CLI commands on server1:
/subsystem=elytron/authentication-configuration=ejb-auth-config:add(authentication-name=quickstartUser, credential-reference={clear-text="quickstartPwd1!"})
/subsystem=elytron/authentication-context=ejb-auth-context:add(match-rules=[{authentication-configuration=ejb-auth-config}])
/socket-binding-group=standard-sockets/remote-destination-outbound-socket-binding=remote-ejb:add(host=localhost, port=8080)
/subsystem=remoting/remote-outbound-connection=remote-ejb-connection:add(authentication-context=ejb-auth-context, outbound-socket-binding-ref=remote-ejb)
:reload
Configurations on server2:
${jboss.home.name}/bin/add-user.sh -a -u 'quickstartUser' -p 'quickstartPwd1!' -g 'guest'
then execute the following CLI commands:
/subsystem=ejb3/application-security-domain=other:add(security-domain=ApplicationDomain)
/subsystem=remoting/http-connector=http-remoting-connector:undefine-attribute(name=security-realm)
:reload
The code inside ejb1 looks like this:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class Level1Ejb {

    // Proxy to the Level2Ejb on server2, assigned by the lookup below.
    private com.poc.remote.ejb.level2.api.PodNameReturner podNameReturner;

    public String returnPodName() {
        System.out.println("Inside Level1Ejb, returning value of POD_NAME");
        try {
            InitialContext ic = getContext();
            podNameReturner = (com.poc.remote.ejb.level2.api.PodNameReturner)
                lookup(ic, "ejb:poc-ear2/remote-ejb2/Level2Ejb!com.poc.remote.ejb.level2.api.PodNameReturner");
            if (null != podNameReturner) {
                System.out.println("level2 ejb found. ");
            } else {
                System.out.println("level2 ejb not found.");
            }
        } catch (NamingException e) {
            System.err.println("Error occurred while looking up.");
            e.printStackTrace();
        }
        //return "ejb level1: " + System.getenv("POD_NAME");
        if (podNameReturner == null) {
            // Without this guard a failed lookup ends in a NullPointerException
            // instead of a readable result.
            return System.getenv("POD_NAME") + " , level2 ejb not available";
        }
        return System.getenv("POD_NAME") + " , level2 pod name: " + podNameReturner.returnPodName();
    }

    private static InitialContext getContext() throws NamingException {
        final Hashtable<String, String> jndiProperties = new Hashtable<>();
        jndiProperties.put(Context.INITIAL_CONTEXT_FACTORY, "org.wildfly.naming.client.WildFlyInitialContextFactory");
        // Pure HTTP transport: the EJB client talks to the wildfly-services endpoint on server2.
        jndiProperties.put(Context.PROVIDER_URL, "http://localhost:8080/wildfly-services");
        // Credentials could also be passed through the JNDI environment (currently disabled);
        // SECURITY_PRINCIPAL carries the user name and SECURITY_CREDENTIALS the password.
        //jndiProperties.put(Context.SECURITY_PRINCIPAL, "quickstartUser");
        //jndiProperties.put(Context.SECURITY_CREDENTIALS, "quickstartPwd1!");
        return new InitialContext(jndiProperties);
    }

    // Looks up a JNDI name and returns the proxy, or null when the lookup fails.
    private Object lookup(InitialContext ic, String name) {
        try {
            Object proxy = ic.lookup(name);
            if (proxy == null) {
                System.out.println("lookup(" + name + ") returns no proxy object");
            }
            return proxy;
        } catch (NamingException e) {
            System.out.println("Failed to lookup(" + name + ")");
            return null;
        }
    }
}
As I already mentioned, the client call gets rejected because no authentication information is passed by server1. Any clues as to what might be missing or going wrong here? I have gone through the following links:
https://github.com/wildfly/quickstart/tree/18.0.x/ejb-multi-server
https://github.com/wildfly/quickstart/tree/18.0.x/ejb-security-context-propagation
https://github.com/wildfly-security-incubator/elytron-examples/tree/main/ejb-http
