Using ActiveMQ 5.11.1 with JBoss 7.4.3 (EAP 6.3.3) - jboss7.x

I try to run an embedded ActiveMQ with Jboss 7.4.3 by following the installation tips I find on several sites like:
https://developer.jboss.org/wiki/EmbedActiveMQInJBossAS7
https://developer.jboss.org/wiki/JBoss6EAPOr7xxToApacheActiveMQ56Or7
In general I put activemq-rar-5.11.1.rar in standalone/deployments and add a resource-adapter config entry in the standalone.xml.
In the extensions section I added
and in the entry
I added
<mdb>
<resource-adapter-ref resource-adapter-name="activemq-rar-5.11.1.rar" />
<bean-instance-pool-ref pool-name="mdb-strict-max-pool" />
</mdb>
to make ActiveMQ the default JMS provider.
I get no errors on startup, but in the logfile I see nothing else than
JBAS018559: "activemq-rar-5.11.1.rar" deployed (runtime-name: "activemq-rar-5.11.1.rar")
I see nothing in the jndi bindings and trying to access the connectionFactory
@Resource(mappedName = "java:jboss/activemq/QueueConnectionFactory")
private ConnectionFactory connectionFactory;
results in this error:
service jboss.naming.context.java.jboss.activemq.QueueConnectionFactory (fehlende) Dependents: ...
Have I missed anything?

Related

Java EE 7 EJB Authentication using WildFly - security annotations don't work

I am trying to establish a security domain using wildfly 18.0.1. These are the settings I use:
standalone.xml:
<security-domain name="my-security-domain" cache-type="default">
<authentication>
<login-module code="UsersRoles" flag="required">
<module-option name="usersProperties" value="users.properties"/>
<module-option name="rolesProperties" value="roles.properties"/>
</login-module>
</authentication>
</security-domain>
I created user with add-user.bat and created files: users.properties and roles.properties filled with created user data.
IntelliJ doesn't seem to recognize security annotations and I can't import them:
@Stateless
@WebService(name = "HelloWorldType", portName = "HelloWorldPort", targetNamespace = "https://soap.soa.pl/lab1/ws")
@SecurityDomain("my-security-domain") // in standalone.xml
@DeclareRoles({"MyRole"})
@WebContext(contextRoot="lab1", urlPattern="/HelloWorld", authMethod="BASIC", transportGuarantee="NONE")
@SOAPBinding(style=SOAPBinding.Style.DOCUMENT, use=SOAPBinding.Use.LITERAL)
public class HelloWorld {
    @WebMethod()
    @RolesAllowed("MyRole")
    public String sayHello(@WebParam(name = "message") String message) {
        return "Here is the message: '" + message + "'";
    }
}
Also, now I'm not able to start the WildFly server:
18:49:25,854 INFO [org.jboss.as] (MSC service thread 1-2) WFLYSRV0049: WildFly Full 18.0.1.Final (WildFly Core 10.0.3.Final) starting
18:49:26,643 INFO [org.wildfly.security] (ServerService Thread Pool -- 25) ELY00001: WildFly Elytron version 1.10.4.Final
18:49:27,227 INFO [org.jboss.as.controller.management-deprecated] (Controller Boot Thread) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/core-service=management/management-interface=http-interface' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
18:49:27,256 INFO [org.jboss.as.controller.management-deprecated] (ServerService Thread Pool -- 13) WFLYCTL0028: Attribute 'security-realm' in the resource at address '/subsystem=undertow/server=default-server/https-listener=https' is deprecated, and may be removed in a future version. See the attribute description in the output of the read-resource-description operation to learn more about the deprecation.
18:49:27,321 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("add") failed - address: ([("deployment" => "lab1-ear.ear")]) - failure description: "WFLYSRV0137: No deployment content with hash 5cddb572897ba715135a11fe8d8c7c56f30099b5 is available in the deployment content repository for deployment 'lab1-ear.ear'. This is a fatal boot error. To correct the problem, either restart with the --admin-only switch set and use the CLI to install the missing content or remove it from the configuration, or remove the deployment from the xml configuration file and restart."
18:49:27,326 FATAL [org.jboss.as.server] (Controller Boot Thread) WFLYSRV0056: Server boot has failed in an unrecoverable manner; exiting. See previous messages for details.
18:49:27,337 INFO [org.jboss.as] (MSC service thread 1-7) WFLYSRV0050: WildFly Full 18.0.1.Final (WildFly Core 10.0.3.Final) stopped in 7ms
I have no idea why these, especially the annotations, don't work. Please help.
You need to locate the jar file providing these annotation classes and add it to the Module Dependencies.
If your project is Gradle or Maven managed, add the dependency to build.gradle/pom.xml instead.

WebSphere Liberty Profile 17.0.0.4 Breaks JAX-RS Client TrustStore

We are using the JAX-RS 2.0 Client in our WebSphere Liberty Profile application to call an external service. It works fine on WLP 16.0.0.4 with Java 8.0. When I try to run the same application on 17.0.0.4, we are getting certificate errors on the truststore.
After a lot of trial and error, it seems that WLP is no longer loading the truststore from the following property (this is from my jvm.options file):
-Djavax.net.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
The above worked in 16.0.0.4, but the javax.net.ssl.trustStore property is no longer being used to point to the truststore (if I point the property to a missing file in 16.0.0.4, I get an error that the file is not found, but in 17.0.0.4, I don't get the error). So I added the following:
-Djavax.net.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
-Dcom.ibm.ssl.trustStore=../../shared/resources/security/trust_yourIBM_TEST.jks
This is still not working. I cannot find WLP release notes anywhere that explain that JAX-RS behaves differently in WLP 17.x.
Does anyone know how I can point to the truststore in WLP 17.0.0.4?
==========================================
UPDATE #1 - 2018/01/24
I am using the exact same JDK, server.xml, bootstrap.properties, and jvm.options files, as well as the same application files. The only difference is the WLP instance. I am also using the same entries for the default truststore, which is pointing to the same file as I am pointing to in the jvm.properties I pasted above. Here are the startup log entries:
17.0.0.4
product = WebSphere Application Server 17.0.0.4 (wlp-1.0.19.201712061531)
wlp.install.dir = C:/IBM/WLP_17.0.0.4/
java.home = C:\IBMJava80\jre
java.version = 1.8.0_151
java.runtime = Java(TM) SE Runtime Environment (8.0.5.7 - pwa6480sr5fp7-20171216_01(SR5 FP7))
16.0.0.4
product = WebSphere Application Server 16.0.0.4 (wlp-1.0.15.cl160420161113-0206)
wlp.install.dir = C:/IBM/WLP_16.0.0.4/
java.home = C:\IBMJava80\jre
java.version = 1.8.0_151
java.runtime = Java(TM) SE Runtime Environment (8.0.5.7 - pwa6480sr5fp7-20171216_01(SR5 FP7))
Here is the error I get in 16.0.0.4 when I change the truststore to a non-existent file:
[1/24/18 10:50:06:025 EST] 0000006e id= uribm.services.expensesaggregator.ejb.ExpensesEjbCommonUtils E callUnifiedProfile() Exception has occurred Exception encountered during call to UP: javax.ws.rs.ProcessingException: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://w3-services1.w3-969.ibm.com/myw3/unified-profile/v1/docs/instances/masterByEmail?email=dlwester%40us.ibm.com: java.security.cert.CertificateException: No X509TrustManager implementation available for [userId=dlwester#us.ibm.com] : javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://w3-services1.w3-969.ibm.com/myw3/unified-profile/v1/docs/instances/masterByEmail?email=dlwester%40us.ibm.com: java.security.cert.CertificateException: No X509TrustManager implementation available
And here are my keystore/truststore entries (the truststore points to the same file as the jvm.options):
<!-- default keystore -->
<keyStore id="defaultKeyStore"
location="${keystoreLocation}"
password="${keystorePassword}" />
<!-- default truststore -->
<keyStore id="defaultTrustStore"
location="${truststoreLocation}"
password="${truststorePassword}" />
<ssl id="sslConfig"
keyStoreRef="defaultKeyStore"
trustStoreRef="defaultTrustStore"
sslProtocol="SSL_TLSv2"
serverKeyAlias="${serverKeyAlias}" />
================
UPDATE #2
I added the transportSecurity-1.0 feature to WLP, and now I am getting an error in 17.0.0.4 if I point to a non-existing file. If I point to the correct truststore file, I am now getting a different error:
[1/24/18 12:03:19:905 EST] 0000003d id= com.ibm.w3.security.tai.OAuthDownStreamTAI E getSslSocketFactoryWithTrustStore() exception encountered on sslContext.init() for truststore C:/IBM/WLP_17.0.0.4/usr/shared/resources//security/trust_yourIBM_TEST.jks - java.security.KeyManagementException: Default SSLContext is initialized automatically
I need to look into this error.
Alaine steered me in the right direction, so credit for this answer goes to him!
Fortunately, the solution to this problem was not complicated. I had to use the WLP feature transportSecurity-1.0 instead of ssl-1.0.
I had to add the following to my SSL config in server.xml:
<sslDefault sslRef="sslConfig" />
I also ran into problems with our TAI for OIDC. I had to replace the following statement:
SSLContext sslContext = SSLContext.getDefault();
with:
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
The issue in a nutshell is that the default SSL config is immutable, so you have to make sure you create your own config to override it, not change it.
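The behaviour behind this fix, as an added example that is not part of the original answer: the JVM-wide default SSLContext rejects init(), while a context obtained with getInstance("TLSv1.2") can be initialised from a truststore file. The class name and the command-line arguments (truststore path and password) are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name. Run as: java TrustStoreContext <truststore.jks> <password>
public class TrustStoreContext {

    // Build a TLSv1.2 context that trusts only the certificates in the given JKS file.
    static SSLContext fromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // getInstance returns a new, uninitialised context that accepts init().
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material
        return ctx;
    }

    // True if the default context refuses re-initialisation, which is the
    // KeyManagementException reported in UPDATE #2 of the question.
    static boolean defaultContextIsImmutable() throws Exception {
        try {
            SSLContext.getDefault().init(null, null, null);
            return false;
        } catch (KeyManagementException e) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("default context immutable: " + defaultContextIsImmutable());
        SSLContext ctx = fromTrustStore(args[0], args[1].toCharArray());
        System.out.println("custom context protocol: " + ctx.getProtocol());
        // A JAX-RS 2.0 client can take this context through
        // ClientBuilder.newBuilder().sslContext(ctx).build().
    }
}
```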

RabbitMQ SSL Connection with Spring AMQP 1.4.3

I am trying to connect to RabbitMQ over SSL. I have followed the RabbitMQ SSL documentation linked here (https://www.rabbitmq.com/ssl.html).
As per the RabbitMQ SSL documentation, connecting using SSLv3 and TLSv1 is not recommended due to known vulnerabilities. Due to this I have disabled these protocols on RabbitMQ as per instructions.
I am using Spring AMQP 1.4.3 to connect to RabbitMQ.
ApplicationContext context = new GenericXmlApplicationContext("classpath:/testConfig/testrabbit-context.xml");
RabbitTemplate template = context.getBean(RabbitTemplate.class);
MessageProperties messageProperties = new MessageProperties();
org.springframework.amqp.core.Message amqpMessage = new org.springframework.amqp.core.Message("Test".getBytes(), messageProperties);
String routingKey = "TEST.businessevent.route";
template.send(routingKey, amqpMessage);
My config:
<rabbit:connection-factory id="rabbitConnectionFactory"
connection-factory="clientConnectionFactory"
host="localhost"
port="5671"
username="username"
password="password"
virtual-host="test_host" />
<rabbit:admin connection-factory="rabbitConnectionFactory" />
<rabbit:template id="rabbitTemplate"
connection-factory="rabbitConnectionFactory" exchange="test_topic" />
<rabbit:topic-exchange name="test_topic" durable="true" />
<bean id="clientConnectionFactory" class="org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean">
<property name="useSSL" value="true" />
<property name="sslPropertiesLocation" value="/testconfig/rabbitSSL.properties"/>
</bean>
rabbitSSL.properties:
keyStore=file:/client/keycert.p12
trustStore=file:/lib/security/rabbitStore
keyStore.passPhrase=testpassword
trustStore.passPhrase=testpassword
However when I use the above code and config to connect to RabbitMQ over SSL I am getting a fatal alert: protocol_version.
When I looked at the org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean class that Spring is using to connect to RabbitMQ, I can see that the protocol appears to be hard coded to SSLv3.
SSLContext context = SSLContext.getInstance("SSLv3");
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
this.connectionFactory.useSslProtocol(context);
This code works fine if I do not disable SSLv3 on RabbitMQ. However I need to connect to RabbitMQ using TLSv1.2. Can I do that using Spring AMQP 1.4.3 or do I need to use another version?
Thanks for any help you can provide me with this issue.
While searching for RabbitMQ remote access I came across the below Spring application.properties configuration settings that can be done in Spring to configure the RabbitMQ connections.
https://www.oodlestechnologies.com/blogs/Connect-to-SSL-enabled-RabbitMQ-server-Springboot/
spring.rabbitmq.host=hostURL
spring.rabbitmq.port = hostPort
spring.rabbitmq.username = username
spring.rabbitmq.password = password
spring.rabbitmq.virtual-host=virtualHost
spring.rabbitmq.ssl.enabled=true
spring.rabbitmq.ssl.algorithm=TLSv1.2
https://www.baeldung.com/spring-remoting-amqp#2-configuration
I have opened a JIRA Issue for this.
In the meantime, the RabbitConnectionFactoryBean is just a convenience class to make configuring an underlying connection factory more "Spring friendly" with defaults.
Instead, you can perform this initialization in your own code (perhaps using a @Bean declaration using Java Configuration).
Okay, I was trying to connect by Spring Boot application(2.1.4.RELEASE) that uses spring-boot-starter-amqp (2.1.4.RELEASE) to an AWS Managed instance of RabbitMQ aka Amazon MQ and it would fail with a similar error. What worked for me was setting these properties.
spring.rabbitmq.ssl.enabled=true
spring.rabbitmq.ssl.algorithm=TLSv1.3
Setting these properties explicitly was not required in an application that was using Spring Boot and spring-boot-starter-amqp (2.7.8) and they worked out of the box. Here's a mention of the same in Spring AMQP Documentation.
https://docs.spring.io/spring-amqp/reference/html/#rabbitconnectionfactorybean-configuring-ssl

Jboss AS7, APR native connectors and sendfile

I've set out on an endeavour to implement support for a feature similar to mod_xsendfile on torquebox (www.torquebox.org). Torquebox is basically a bunch of code on top of JBoss AS 7, which makes my effort kinda equivalent to making sendfile work on JBoss AS 7.
The main problem here is probably my confusion over JBoss, but after wasting way too many hours exhausting all my googling resources, I have to believe that there's someone out there who actually knows how this thing works in AS 7.
As I understand this, sendfile is supported in JBoss by using the JBoss Web native connectors (http://www.jboss.org/jbossweb/downloads/jboss-native-2-0-10), namely the APR http connector.
After spending hours failing to install these on AS 7, which seems to work like a charm for others (https://community.jboss.org/message/614790), grep'ing my local JBoss dir tells me that these native connectors are apparently bundled with AS 7. In my case, the dll needed is placed in
%JBOSS_HOME%\modules\org\jboss\as\web\main\lib\win-x86_64
So epic fail, trying to install something that's already there.
Inspecting my standalone.xml configuration file also reveals this native connector is being used
<subsystem xmlns="urn:jboss:domain:web:1.1" default-virtual-server="default-host">
<connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
<virtual-server name="default-host" enable-welcome-root="false">
<alias name="localhost"/>
<alias name="example.com"/>
</virtual-server>
</subsystem>
Switching all logging levels to debug and inspecting the log shows the log message
standalone/log/server.log.2012-02-10:324:23:12:17,964 INFO [org.apache.coyote.http11.Http11AprProtocol] (MSC service thread 1-5) Starting Coyote HTTP/1.1 on http-127.0.0.1-127.0.0.1-8080
Where Http11AprProtocol indicates that the APR http connector is used. However, many posts on the web mention that the following line should also be shown:
org.apache.catalina.core.AprLifecycleListener init INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
No matter the logging level, the AprLifecycleListener line never shows.
When I review this, it seems that the APR http connector is now in use.
According to the docs, I can get the following servlet to work
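import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class Sendfile extends HttpServlet {
    protected void doGet(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {
        // The connector sets this request attribute when sendfile is available.
        if (Boolean.TRUE == request.getAttribute("org.apache.tomcat.sendfile.support")) {
            // Send all the files!!
        }
        else {
            throw new ServletException("BOOM!");
        }
    }
}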
But no. The org.apache.tomcat.sendfile.support attribute is null, and if I attempt to set HTTP headers for sending a file (ignoring the support attribute) and set the rest of the required sendfile attributes, my browser thinks that it's receiving a file, but no data is transferred... and the connection is left hanging.
To conclude the question, it seems the required APR native connector is in use, sendfile should be enabled by default, but the server has no clue what I'm trying to make it do.
How to proceed?
I also lost hours trying to learn how it works. You did everything right. Just missed putting the Web System as native=true:
<subsystem xmlns="urn:jboss:domain:web:1.1"
default-virtual-server="default-host" native="true">
Startup with it:
11:00:26,018 DEBUG [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) Loaded: apr-1
11:00:26,039 DEBUG [org.jboss.modules] (ServerService Thread Pool -- 58) Module org.jboss.xb:main defined by local module loader #d8d9850 (roots: /home/mmagnani/Development/jboss-eap/jboss-eap-6.0/modules)
11:00:26,070 DEBUG [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) Loaded: z
11:00:26,071 DEBUG [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) Loaded: crypto
11:00:26,072 DEBUG [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) Loaded: ssl
11:00:26,079 DEBUG [org.jboss.as.ejb3] (ServerService Thread Pool -- 36) Adding EJB #Asynchronous support
11:00:26,082 DEBUG [org.jboss.as.ejb3] (ServerService Thread Pool -- 36) Configuring timers
11:00:26,092 DEBUG [org.jboss.as.ejb3] (ServerService Thread Pool -- 36) Adding EJB IIOP support
11:00:26,101 FINE [org.hornetq.core.server.impl.HornetQServerImpl] (MSC service thread 1-6) Starting server HornetQServerImpl::
11:00:26,120 DEBUG [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) Loaded: tcnative-1
11:00:26,141 DEBUG [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) Loaded Apache Tomcat Native library 1.1.23.
11:00:26,141 DEBUG [org.apache.catalina.core.AprLifecycleListener] (MSC service thread 1-3) APR capabilities: IPv6 [true], sendfile [true], random [true].
Good Luck :)

Active MQ JMX SSL

I'm trying to use SSL with the JMX connector that Active MQ creates, but with no success. I'm able to get SSL working with the JVM platform JMX connector, but that requires storing keystore and truststore passwords plaintext, which is a no-go for our project.
Using the instructions here, I set up managementContext in activemq.xml as follows:
<managementContext>
<managementContext createConnector="true">
<property xmlns="http://www.springframework.org/schema/beans" name="environment">
<map xmlns="http://www.springframework.org/schema/beans">
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.keyStore"
value="${activemq.base}/conf/keystore.jks"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.keyStorePassword"
value="${keystore.password}"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.trustStore"
value="${activemq.base}/conf/truststore.jks"/>
<entry xmlns="http://www.springframework.org/schema/beans"
key="javax.net.ssl.trustStorePassword"
value="${truststore.password}"/>
</map>
</property>
</managementContext>
</managementContext>
This section seems to be completely ignored when the connector starts up. I can connect without credentials. I also tried using username and password authentication instead of ssl for JMX, as seen here, and that worked fine.
Has anyone seen this before? Any ideas? Thanks!
Have you enabled jmx ssl in the activemq launch scripts? On windows in the activemq-admin or activemq batch files, uncomment and modify the SUNJMX settings.
JMX authentication is independent of whether ssl is used. It is controlled by the authenticate attribute. By default it will use the jmx access files in your jre, so re-point them with the system properties shown below. You may get an error message stating that the files themselves must be access controlled, so set them with chmod on unix or cacls on windows. I would suggest even turning off the ssl and getting the authentication to work first. You can test with jconsole with a remote connection to confirm that it wants credentials. Then follow up with the ssl stuff.
set SUNJMX=-Dcom.sun.management.jmxremote=true -Dcom.sun.management.jmxremote.port=1199 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.local.only=false -Dcom.sun.management.jmxremote.password.file=%ACTIVEMQ_BASE%/conf/access/jmx.password -Dcom.sun.management.jmxremote.access.file=%ACTIVEMQ_BASE%/conf/access/jmx.access
I had the same issue regarding the ActiveMQ SSL configuration (keystore & password) in the XML not working.
My requirement was to enable remote JMX monitoring of ActiveMQ with SSL and authentication through a firewall.
I resolved it using a custom JMX connector (via a Java Agent), rather than using the JMX connector that Active MQ creates.
see: JMX connectivity through a firewall for an example (JMXAgent.java)
The important entries for configuring SSL in the JMXAgent.java are:
Map<String, Object> env = new HashMap<String, Object>();
SslRMIClientSocketFactory csf = new SslRMIClientSocketFactory();
SslRMIServerSocketFactory ssf = new SslRMIServerSocketFactory();
env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, csf);
env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, ssf);
You can also specify your authentication files in the env Map:
env.put("jmx.remote.x.password.file", System.getProperty("password.file","<default_path>"));
env.put("jmx.remote.x.access.file", System.getProperty("access.file","<default_path>"));
The Java Agent needs to be compiled and put into a jar with a valid manifest file as described here
Add the following to the activemq launch configuration (depending on activemq version/environment) and run ActiveMQ:
-javaagent:<full_path_to_agent_jar_file> \
-Dpassword.file=<full_path_to_jmx.password_file> \
-Daccess.file=<full_path_to_jmx.access_file> \
-Djavax.net.ssl.keyStore=<full_path_to_keystore_file> \
-Djavax.net.ssl.keyStorePassword=<password>
You should then be able to connect through jconsole (with correct security parameters)
The remote JMX connection URL will be something like:
service:jmx:rmi://<host>:<rmi_server_port>/jndi/rmi://<host>:<port>/jmxrmi
Note - ports can be configured in the Java Agent.
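A complete agent built around the entries quoted in this answer, as an added example that is not the JMXAgent.java the answer links to. The port system properties agent.registry.port and agent.server.port and their default values are hypothetical; password.file and access.file are the properties from the launch configuration above, and this version refuses to start when either is missing instead of falling back to a default path.

```java
import java.lang.management.ManagementFactory;
import java.net.InetAddress;
import java.rmi.registry.LocateRegistry;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServer;
import javax.management.remote.JMXConnectorServer;
import javax.management.remote.JMXConnectorServerFactory;
import javax.management.remote.JMXServiceURL;
import javax.management.remote.rmi.RMIConnectorServer;
import javax.rmi.ssl.SslRMIClientSocketFactory;
import javax.rmi.ssl.SslRMIServerSocketFactory;

// Package into a jar whose manifest contains "Premain-Class: JMXAgent".
public class JMXAgent {

    // Held in a static field so the connector server stays reachable.
    private static JMXConnectorServer server;

    public static void premain(String agentArgs) throws Exception {
        // Hypothetical property names and defaults; fixed ports suit firewall rules.
        int registryPort = Integer.getInteger("agent.registry.port", 1199);
        int serverPort = Integer.getInteger("agent.server.port", 1198);
        String host = InetAddress.getLocalHost().getHostName();

        // The registry only hands out the connector stub and is plain RMI here;
        // the connector traffic itself goes through the SSL socket factories.
        LocateRegistry.createRegistry(registryPort);

        Map<String, Object> env = new HashMap<String, Object>();
        // Key store comes from -Djavax.net.ssl.keyStore / keyStorePassword.
        env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,
                new SslRMIClientSocketFactory());
        env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE,
                new SslRMIServerSocketFactory());
        // Without these two entries the connector accepts unauthenticated
        // clients, so a missing property aborts start-up.
        env.put("jmx.remote.x.password.file", required("password.file"));
        env.put("jmx.remote.x.access.file", required("access.file"));

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi://" + host + ":" + serverPort
                + "/jndi/rmi://" + host + ":" + registryPort + "/jmxrmi");
        MBeanServer mbs = ManagementFactory.getPlatformMBeanServer();
        server = JMXConnectorServerFactory.newJMXConnectorServer(url, env, mbs);
        server.start();
    }

    private static String required(String name) {
        String value = System.getProperty(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("System property " + name + " must be set");
        }
        return value;
    }
}
```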