Category Archives: as7

Encrypted Database Passwords in JBoss

JBoss provides a simple mechanism to encrypt database passwords with Blowfish, so that standalone.xml no longer contains your database passwords in plaintext.

First you have to encrypt your password with org.picketbox.datasource.security.SecureIdentityLoginModule. This class includes a main method so you can run it with a single argument which has to be your plaintext password. The result will look like this:

Encoded password: 1ab234cf321cca

The class is included in jboss modules.

Then create a security-domain in your standalone.xml file:

<security-domain name="databaseSecure" cache-type="default">
  <authentication>
    <login-module code="org.picketbox.datasource.security.SecureIdentityLoginModule" flag="required">
      <module-option name="username" value="username"/>
      <module-option name="password" value="1ab234cf321cca"/>
    </login-module>
  </authentication>
</security-domain>

Or with cli:

/subsystem=security/security-domain=databaseSecure:add(cache-type=default)  
/subsystem=security/security-domain=databaseSecure/authentication=classic:add(login-modules=[{"code"=>"org.picketbox.datasource.security.SecureIdentityLoginModule", "flag"=>"required", "module-options"=>[("username"=>"username"), ("password"=>"1ab234cf321cca")]}])

 

The last step is to replace the username+password part of your datasource with a security-domain element. In its simplest form it looks like this:

<datasource jndi-name="java:jboss/datasources/mypgDS" pool-name="MypgDS" enabled="true" use-java-context="true">
  <connection-url>jdbc:postgresql:db1</connection-url>
  <driver>postgresql</driver>
  <security>
    <security-domain>databaseSecure</security-domain>
  </security>
</datasource>

After these changes, start your application server.

ATTENTION! The passphrase that is used for the Blowfish algorithm is hardcoded in the login module, so anyone who has the module can decode the stored value. To make this secure you have to change the passphrase in that component: either change the source and recompile, or create an extension that overrides all necessary parts and add it as a new module.

Disable Deployment-Scanner in JBoss

Look for the deployment-scanner config in your standalone.xml and set the scan interval to -1 to allow deployment only from the shell or at startup. Here is the relevant part:

<subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
  <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="-1"/>
</subsystem>

Or with cli:

/subsystem=deployment-scanner/scanner=default:write-attribute(name=scan-interval, value=-1)
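
As an added illustration (not code from the original post), the following Python sketch audits a standalone.xml for the settings covered in the two sections above: datasources that still carry a plaintext password, datasources whose security-domain uses SecureIdentityLoginModule, and a deployment-scanner whose scan-interval is not -1. The sample document, the function names and the finding labels are constructed for this example.

```python
import xml.etree.ElementTree as ET

MODULE = "org.picketbox.datasource.security.SecureIdentityLoginModule"

# Constructed, heavily trimmed stand-in for standalone.xml (not a full config).
SAMPLE = f"""<server>
 <datasources>
  <datasource pool-name="LegacyDS">
   <security><user-name>app</user-name><password>s3cret</password></security>
  </datasource>
  <datasource pool-name="MypgDS">
   <security><security-domain>databaseSecure</security-domain></security>
  </datasource>
 </datasources>
 <security-domain name="databaseSecure" cache-type="default">
  <authentication><login-module code="{MODULE}" flag="required"/></authentication>
 </security-domain>
 <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">
  <deployment-scanner path="deployments" scan-interval="5000"/>
 </subsystem>
</server>"""

def local(tag):
    """Drop the '{namespace}' prefix ElementTree adds to tag names."""
    return tag.rsplit("}", 1)[-1]

def audit(xml_text):
    """Return (finding, location) tuples for the settings discussed above."""
    root = ET.fromstring(xml_text)
    # Domain definitions (they carry a name attribute) that use the login module.
    weak = {d.get("name") for d in root.iter()
            if local(d.tag) == "security-domain" and d.get("name")
            and any(m.get("code") == MODULE for m in d.iter())}
    findings = []
    for el in root.iter():
        if local(el.tag) == "datasource":
            kids = {local(c.tag): (c.text or "").strip() for c in el.iter()}
            if kids.get("password"):
                findings.append(("plaintext-password", el.get("pool-name")))
            if kids.get("security-domain") in weak:
                findings.append(("hardcoded-blowfish-passphrase", el.get("pool-name")))
        elif local(el.tag) == "deployment-scanner":
            # The page turns periodic scanning off with scan-interval="-1".
            if el.get("scan-interval", "").strip() != "-1":
                findings.append(("scanner-not-disabled", el.get("path")))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The script cannot tell whether the login module was rebuilt with a different passphrase, so the hardcoded-blowfish-passphrase finding is a prompt for manual review.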

 

Make your web application log debug messages under JBoss

I often catch myself writing info-messages because jboss is configured to info-mode by default. By adding the following few lines you can make your application use debug mode:

<subsystem xmlns="urn:jboss:domain:logging:2.0">
  ...
  <!-- add begin -->
  <console-handler name="DEBUGCONSOLE">
    <level name="DEBUG" />
    <formatter>
      <pattern-formatter pattern="%d{HH:mm:ss,SSS} %-5p [%c] (%F:%L)  %s%E%n" />
    </formatter>
  </console-handler>
  <logger category="pm.mbo" use-parent-handlers="false">
    <level name="DEBUG" />
    <handlers>
      <handler name="DEBUGCONSOLE" />
    </handlers>
  </logger>
  <!-- add end -->
  ...
</subsystem>

Of course you have to change the category (your package name) in the logger. The snippet is from WildFly 8.1, but the approach is the same for JBoss AS 7+.

JBoss Login Configuration

Here is a short example of a security-domain that has to be configured in the urn:jboss:domain:security subsystem:

<security-domain name="mysecuritydomain" cache-type="default">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
      <module-option name="dsJndiName" value="java:jboss/datasources/ExampleDS" />
      <module-option name="principalsQuery" value="select u.password from users u where u.name=?" />
      <module-option name="rolesQuery" value="select r.name as rolename, 'Roles' as rolegroup from users u, roles r, users_roles ur where ur.user_id=u.id and ur.role_id=r.id and u.name=?" />
      <module-option name="hashAlgorithm" value="SHA-256" />
      <module-option name="hashEncoding" value="base64" />
      <module-option name="hashCharset" value="UTF-8" />
    </login-module>
  </authentication>
</security-domain>

To use the domain in your application, here is an example jboss-web.xml descriptor:

<?xml version="1.0" encoding="UTF-8"?>
<jboss-web xmlns="http://www.jboss.com/xml/ns/javaee"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
	xsi:schemaLocation="http://www.jboss.com/xml/ns/javaee http://www.jboss.org/j2ee/schema/jboss-web_6_0.xsd"
	version="6.0">
	<security-domain>mysecuritydomain</security-domain>
	<context-root>/example</context-root>
</jboss-web>

JBoss JDBC Module Creator

Every time I download a new jboss I have to add the needed jdbc module manually. And every time I have to look up what the module.xml has to look like. So I decided to write a simple script that creates a module for PostgreSQL. With some configuration, it should be capable of creating every jdbc module you want. Just see the options it supports.

You can see my project on GitHub: https://github.com/mbogner/jboss_module_creator

Here are some instructions on how to run it with default options:

git clone https://github.com/mbogner/jboss_module_creator
cd jboss_module_creator
./jboss_module_creator.pl

ActiveMQ Configuration under JBoss AS7

Update 11.7.2013:

New version for JBoss 7.2.0.Alpha1 / EAP 6.1.0.Alpha1 can be found here: http://blog.coffeebeans.at/?p=606

———————–

JBoss 7 and ActiveMQ finally work together.

  • Download the latest snapshot of activemq.rar.
  • Unzip the file and name the resulting folder activemq.rar.
  • Place the folder in your deployments folder of jboss.
  • Place the files ra.xml and ironjacamar.xml into the META-INF subfolder of the activemq.rar folder. Overwrite the existing ra.xml file.
  • Change both files as needed. Queues and topics are configured in ironjacamar.xml.
  • Create an empty file activemq.rar.dodeploy.

That’s it. Now you should be able to create an MDB that connects to a remote ActiveMQ server. Here is an example matching the configuration above:

import javax.ejb.ActivationConfigProperty;
import javax.ejb.MessageDriven;
import javax.inject.Inject;
import javax.jms.Message;
import javax.jms.MessageListener;

import org.jboss.ejb3.annotation.ResourceAdapter;
import org.jboss.logging.Logger;

/**
 * @author manuel
 *
 */
@MessageDriven(activationConfig = {
   @ActivationConfigProperty(propertyName = "destinationType",
      propertyValue = "javax.jms.Queue"),
   @ActivationConfigProperty(propertyName = "destination",
      propertyValue = "activemq/queue/TestQueue") })
@ResourceAdapter("activemq.rar")
public class RemoteActiveMQConsumer implements MessageListener {

	@Inject
	private Logger log;

	@Override
	public void onMessage(Message msg) {
		log.debugf("received message: %s", msg);
	}

}

UPDATE: 29.4.2013 (thanks to Bruno Valentim)

To get activemq running with JBoss 7.1.1 the following steps are required:

1) Instead of the mentioned snapshot use http://repo1.maven.org/maven2/org/apache/activemq/activemq-rar/5.7.0/activemq-rar-5.7.0.rar

2) Under subsystem xmlns="urn:jboss:domain:ejb3:1.2" in standalone.xml add:

<mdb>
  <resource-adapter-ref resource-adapter-name="activemq.rar"/>
  <bean-instance-pool-ref pool-name="mdb-strict-max-pool"/>
</mdb>

Notice: a “A node is already registered at ‘(deployment => activemq-ra.rar)” exception could remain but it should work anyway.

Enable SSL in JBoss AS 7.1.0

It is quite simple to enable SSL (https) in AS 7.1.0. First create a keystore with a key for jboss in it. Be sure to use the same password for the keystore and the key.

keytool -genkey -alias jboss -keyalg RSA

This generates the file /home/manuel/.keystore with 664 permissions. We will use this file in the standalone.xml file located in the configuration dir of jboss. Just locate the web subsystem with the already predefined http connector and add the new https connector:

<connector name="https" protocol="HTTP/1.1" scheme="https"
           socket-binding="https" secure="true">
  <ssl name="https" key-alias="jboss" password="changeit"
       certificate-key-file="/home/manuel/.keystore"/>
</connector>

The key-alias jboss is the default; you can use any name you want as long as you create a key with that name in the keystore. See the jboss-web.xsd for further configuration options.

Don’t forget to change the path to the keystore to match your environment. If you are using the default ports 8080 and 8443 like me, make sure you do not only change http to https but also use the right port: use https://localhost:8443 and not https://localhost:8080.
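
An added check (not from the original post) for two weak points visible in this setup: the connector's keystore password and the 664 mode of the keystore file, which leaves the private key readable by group and others. The demo helper creates an empty stand-in file rather than a real keystore; the function names and finding labels are assumptions of this example, and the mode check is POSIX-only.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Connector in the shape shown above; password and keystore path are filled in per call.
CONNECTOR = """<connector name="https" protocol="HTTP/1.1" scheme="https"
 socket-binding="https" secure="true">
  <ssl name="https" key-alias="jboss" password="{password}"
   certificate-key-file="{keystore}"/>
</connector>"""

def check_connector(xml_text):
    """Return findings for every <ssl> element found in the given XML."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "ssl":   # ignore any namespace prefix
            continue
        # "changeit" is the password in the page's example and the
        # conventional Java keystore default.
        if el.get("password") == "changeit":
            findings.append("well-known-password")
        try:
            mode = stat.S_IMODE(os.stat(el.get("certificate-key-file", "")).st_mode)
        except OSError:
            findings.append("keystore-missing")
            continue
        # Any group or other permission bit exposes the private key.
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"keystore-mode-{mode:03o}")
    return findings

def demo(mode, password):
    """Create an empty stand-in keystore with the given mode and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        keystore = os.path.join(tmp, "keystore")
        open(keystore, "wb").close()
        os.chmod(keystore, mode)
        return check_connector(CONNECTOR.format(password=password, keystore=keystore))

if __name__ == "__main__":
    print(demo(0o664, "changeit"))
    print(demo(0o600, "constructed-passphrase"))
```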

JBoss AS 7.1.0 Mail

Since version 7.1.0 JBoss AS includes a mail subsystem by default and it seems to work with a local postfix installation out of the box. Here is a simple mailer bean:

import javax.annotation.security.RolesAllowed;
import javax.enterprise.inject.Model;
import javax.inject.Inject;
import javax.mail.Message;
import javax.mail.MessagingException;
import javax.mail.Session;
import javax.mail.Transport;
import javax.mail.internet.InternetAddress;
import javax.mail.internet.MimeMessage;

import org.jboss.logging.Logger;

/**
 *
 * @author manuel
 *
 */
@Model
public class TestMailController {

	@Inject
	private Session session;

	@Inject
	private Logger log;

	public void sendMail() {
		log.debug("sending mail");
		final Message msg = new MimeMessage(session);
		try {

			final InternetAddress addressFrom = new InternetAddress(
					"manuel@coffeebeans.at");
			msg.setFrom(addressFrom);
			log.debug("set from");

			final InternetAddress[] recipients = new InternetAddress[] {
                             new InternetAddress("manuel@localhost") };
			msg.setRecipients(Message.RecipientType.TO, recipients);
			log.debug("set recipients");

			msg.addHeader("CustomHeader", "some value");
			log.debug("added custom header");

			msg.setSubject("testmail");
			log.debug("set subject");

			msg.setContent("my message", "text/plain");
			log.debug("set message");

			Transport.send(msg);
			log.debug("message sent");
		} catch (final MessagingException exc) {
			log.error(exc);
		}
	}
}

JBoss AS 7.1 Eclipse Startup Warning

Since 7.1 the following warning appears during server startup:

WARNING: -logmodule is deprecated. Please use the system property ‘java.util.logging.manager’ or the ‘java.util.logging.LogManager’ service loader.

This can be fixed by removing the following part from the launch configuration in the “Program arguments” section:

-logmodule org.jboss.logmanager