[jboss-user] [Security & JAAS/JBoss] - Migrating from JBoss 3.2.4 to 4.0.4GA, getting javax.jms.JMS

bploetz do-not-reply at jboss.com
Thu Nov 9 16:57:03 EST 2006


I'm sure I'll get a RTFM reply from someone, but I assure you I've been banging my head against the wall for the last two days trying to figure out what is going wrong. I've read all of the documentation several times, the FAQs, the Wiki and the Forum, and I'm still stumped. I've seen other posts with similar problems, but none of them seem to have definitive solutions. Any and all help would be greatly appreciated.

Also note that since this issue seems to be related to the interaction of an MDB with JAAS, I wasn't sure whether to post this in the JMS forum or here. I'll start here...

Anyways, I'm in the process of migrating a J2EE app from JBoss 3.2.4 to JBoss 4.0.4GA. My app is a run of the mill web app which has some Message Driven Beans for firing off reports. Most of the JBoss config files that I used in 3.2.4 worked just fine unchanged when I moved them over to 4.0.4GA... with one notable exception: my MDBs and their interaction with their Queues.

So I have the following JMS queues defined in jboss-mq-destinations.xml:


  | <?xml version="1.0" encoding="UTF-8"?>
  | <!-- $Id: jbossmq-destinations-service.xml,v 1.4.6.1 2004/11/16 04:32:39 ejort Exp $ -->
  | <server>
  | 	<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=reportFailureQueue">
  | 		<depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  |         <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  | 		<attribute name="JNDIName">jms/reportFailureQueue</attribute>
  |         <attribute name="RedeliveryLimit">5</attribute>
  |         <attribute name="RedeliveryDelay">10000</attribute>
  | 		<attribute name="SecurityConf">
  |            <security>
  |               <role name="guest" read="true" write="true"/>
  |            </security>
  |         </attribute>
  | 	</mbean>
  | 	<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=reportRunnerQueue">
  | 		<depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  |         <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  |         <attribute name="JNDIName">jms/reportRunnerQueue</attribute>
  |         <attribute name="RedeliveryLimit">0</attribute>
  | 		<attribute name="SecurityConf">
  |            <security>
  |               <role name="guest" read="true" write="true"/>
  |            </security>
  |         </attribute>
  | 	</mbean>
  | 	<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=correctionToolQueue">
  | 		<depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  |         <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  | 		<attribute name="JNDIName">jms/correctionToolQueue</attribute>
  | 		<attribute name="RedeliveryLimit">0</attribute>
  | 		<attribute name="SecurityConf">
  |            <security>
  |               <role name="guest" read="true" write="true"/>
  |            </security>
  |         </attribute>
  | 	</mbean>	
  | </server>
  | 

I have the following configuration in login-config.xml:


  | <?xml version='1.0'?>
  | <!DOCTYPE policy PUBLIC
  |       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
  |       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
  | 
  | <policy>
  |     <!-- Used by clients within the application server VM such as
  |     mbeans and servlets that access EJBs.
  |     -->
  |     <application-policy name = "client-login">
  |        <authentication>
  |           <login-module code = "org.jboss.security.ClientLoginModule"
  |              flag = "required">
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- Security domain for JBossMQ -->
  |     <application-policy name = "jbossmq">
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
  |              flag = "required">
  |              <module-option name = "unauthenticatedIdentity">guest</module-option>
  |              <module-option name = "dsJndiName">java:/jdbc/OPSConsoleDataSource</module-option>
  |              <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
  |              <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <application-policy name = "JmsXARealm">
  | 	   <authentication>
  |           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
  |              flag = "required">
  | 			 <module-option name = "principal">guest</module-option>
  |              <module-option name = "userName">guest</module-option>
  |              <module-option name = "password">guest</module-option>
  |              <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the jmx-console web application. This
  |       defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name = "jmx-console">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |              <module-option name="usersProperties">jmx-console-users.properties</module-option>
  |              <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
  | 	         <module-option name="hashAlgorithm">sha-256</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- A template configuration for the web-console web application. This
  |       defaults to the UsersRolesLoginModule the same as other and should be
  |       changed to a stronger authentication mechanism as required.
  |     -->
  |     <application-policy name = "web-console">
  |        <authentication>
  |           <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required">
  |              <module-option name="usersProperties">jmx-console-users.properties</module-option>
  |              <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
  | 	     <module-option name="hashAlgorithm">sha-256</module-option>
  |           </login-module>
  |        </authentication>
  |     </application-policy>
  | 
  |     <!-- The default login configuration used by any security domain that
  |     does not have a application-policy entry with a matching name
  |     -->
  |     <application-policy name = "other">
  |        <!-- A simple server login module, which can be used when the number
  |        of users is relatively small. It uses two properties files:
  |        users.properties, which holds users (key) and their password (value).
  |        roles.properties, which holds users (key) and a comma-separated list of
  |        their roles (value).
  |        The unauthenticatedIdentity property defines the name of the principal
  |        that will be used when a null username and password are presented as is
  |        the case for an unauthenticated web client or MDB. If you want to
  |        allow such users to be authenticated add the property, e.g.,
  |        unauthenticatedIdentity="nobody"
  |        -->
  |        <authentication>
  |           <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
  |              flag = "required" />
  |        </authentication>
  |     </application-policy>
  | 
  | </policy>
  | 

I'm using Oracle for JMS persistence (i.e. oracle-jdbc2-service.xml and oracle-jdbc-state-service.xml) and have removed the Hypersonic DefaultDS.

An example MDB configuration for one of the MDBs fronting the Queue above:


  | ejb-jar.xml:
  | 
  | <?xml version="1.0"?>
  | <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
  | <ejb-jar>
  | 	<enterprise-beans>
  | 		<message-driven>
  | 			<ejb-name>CorrectionToolMessageBean</ejb-name>
  | 			<ejb-class>CorrectionToolMessageBean</ejb-class>
  | 			<transaction-type>Container</transaction-type>
  | 			<message-driven-destination>
  | 				<destination-type>javax.jms.Queue</destination-type>
  | 			</message-driven-destination>
  | 			<ejb-ref>
  | 				<ejb-ref-name>ejb/AccountingManagerHome</ejb-ref-name>
  | 				<ejb-ref-type>Session</ejb-ref-type>
  | 				<home>AccountingManagerHome</home>
  | 				<remote>AccountingManager</remote>
  | 			</ejb-ref>
  | 			<security-identity>
  | 				<run-as>
  | 					<role-name>guest</role-name>
  | 				</run-as>
  | 			</security-identity>
  | 		</message-driven>
  | 	</enterprise-beans>
  | 	<assembly-descriptor>
  | 		<security-role>
  | 			<role-name>guest</role-name>
  | 	    </security-role>
  | 		<container-transaction>
  | 			<method>
  | 				<ejb-name>CorrectionToolMessageBean</ejb-name>
  | 				<method-name>*</method-name>
  | 			</method>
  | 			<trans-attribute>Required</trans-attribute>
  | 		</container-transaction>
  | 	</assembly-descriptor>
  | </ejb-jar>
  | 
  | jboss.xml:
  | 
  | <?xml version="1.0"?>
  | 
  | <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
  | 
  | <jboss>
  | 
  | 	<enterprise-beans>
  | 	    <message-driven>
  | 	      <ejb-name>CorrectionToolMessageBean</ejb-name>
  | 	      <destination-jndi-name>jms/correctionToolQueue</destination-jndi-name>
  |           <mdb-user>guest</mdb-user>
  |           <mdb-passwd>guest</mdb-passwd>
  |           <mdb-client-id>guest</mdb-client-id>
  | 		  <configuration-name>Singleton Message Driven Bean</configuration-name>
  | 	      <ejb-ref>
  | 		    <ejb-ref-name>ejb/AccountingManagerHome</ejb-ref-name>
  | 		    <jndi-name>ejb/AccountingManagerHome</jndi-name>
  | 	      </ejb-ref>
  | 		  <security-identity>
  |             <run-as-principal>guest</run-as-principal>
  |           </security-identity>
  | 	    </message-driven>
  | 	</enterprise-beans>
  | </jboss>
  | 
  | 

Now, when the application is deployed, I'm getting the following exception:


  | 16:12:20,841 INFO  [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleDataSource' to JNDI name 'java:jdbc/OPSConsoleDataSource'
  | 16:12:20,857 INFO  [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleXADataSource' to JNDI name 'java:jdbc/OPSConsoleXADataSource'
  | 16:12:22,107 INFO  [reportFailureQueue] Bound to JNDI name: jms/reportFailureQueue
  | 16:12:22,122 INFO  [reportRunnerQueue] Bound to JNDI name: jms/reportRunnerQueue
  | 16:12:22,122 INFO  [correctionToolQueue] Bound to JNDI name: jms/correctionToolQueue
  | 16:12:22,185 INFO  [UILServerILService] JBossMQ UIL service available at : /0.0.0.0:8093
  | 16:12:22,247 INFO  [DLQ] Bound to JNDI name: queue/DLQ
  | 16:12:22,247 INFO  [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleReportingDataSource' to JNDI name 'java:jdbc/OPSConsoleReportingDataSource'
  | 16:12:22,450 INFO  [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=ConnectionFactoryBinding,name=JmsXA' to JNDI name 'java:JmsXA'
  | 16:12:22,544 INFO  [TomcatDeployer] deploy, ctxPath=/jmx-console, warUrl=.../deploy/jmx-console.war/
  | 
  | 16:12:22,904 INFO  [EARDeployer] Init J2EE application: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/deploy/OpsConsole.ear
  | 16:12:26,513 INFO  [EjbModule] Deploying AccountingManagerEJB
  | 16:12:26,778 INFO  [EjbModule] Deploying BackofficeConsoleManagerEJB
  | 16:12:26,903 INFO  [EjbModule] Deploying CorrectionToolMessageBean
  | 16:12:27,060 INFO  [EjbModule] Deploying FeedsManagerEJB
  | 16:12:27,169 INFO  [EjbModule] Deploying ReportFailureMessageBean
  | 16:12:27,310 INFO  [EjbModule] Deploying ReportManagerEJB
  | 16:12:27,435 INFO  [EjbModule] Deploying ReportRunnerEJB
  | 16:12:27,544 INFO  [EjbModule] Deploying ReportRunnerMessageBean
  | 16:12:27,700 INFO  [BaseLocalProxyFactory] Bound EJB LocalHome 'AccountingManagerEJB' to jndi 'ejb/AccountingManagerHome'
  | 16:12:27,700 INFO  [EJBDeployer] Deployed: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/tmp/deploy/tmp22960OpsConsole.ear-contents/AccountingManagerEJB.jar
  | 16:12:27,794 INFO  [BaseLocalProxyFactory] Bound EJB LocalHome 'BackofficeConsoleManagerEJB' to jndi 'ejb/BackofficeConsoleManagerHome'
  | 16:12:27,794 INFO  [EJBDeployer] Deployed: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/tmp/deploy/tmp22960OpsConsole.ear-contents/BackofficeConsoleManagerEJB.jar
  | 16:12:27,981 WARN  [JMSContainerInvoker] JMS provider failure detected for CorrectionToolMessageBean
  | 
  | javax.jms.JMSSecurityException: User: guest is NOT authenticated
  |         at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:230)
  |         at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:66)
  |         at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:750)
  |         at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:302)
  |         at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:316)
  |         at org.jboss.mq.Connection.authenticate(Connection.java:1065)
  |         at org.jboss.mq.Connection.<init>(Connection.java:252)
  |         at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:79)
  |         at org.jboss.mq.SpyXAConnection.<init>(SpyXAConnection.java:59)
  |         at org.jboss.mq.SpyXAConnectionFactory.createXAConnection(SpyXAConnectionFactory.java:109)
  |         at org.jboss.mq.SpyXAConnectionFactory.createXAQueueConnection(SpyXAConnectionFactory.java:130)
  |         at org.jboss.jms.ConnectionFactoryHelper.createQueueConnection(ConnectionFactoryHelper.java:147)
  |         at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerStartDelivery(JMSContainerInvoker.java:732)
  |         at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:839)
  |         at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
  |         at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
  |         at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
  |         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  |         at java.lang.reflect.Method.invoke(Method.java:585)
  | 
  | 

Why is the "guest" user not authenticated? I should note that when I remove the security configuration from the EJB deployment descriptors (i.e. <security-identity>, <security-role>, <mdb-user|passwd|client-id>, etc), I get a different error:


  | 12:26:37,624 WARN  [JMSContainerInvoker] JMS provider failure detected for CorrectionToolMessageBean
  | 
  | org.jboss.deployment.DeploymentException: Error during queue setup; - nested throwable: (javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: correctionToolQueue)
  | 

I'm sure this will boil down to some missing line in a config file somewhere, but I'm stumped. The same exact config above, minus the security configuration in the MDB deployment descriptors, worked just fine in 3.2.4.

Thanks in advance for any help!!

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3984665#3984665
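The two errors in the post are both decisions of the JBossMQ SecurityManager, which delegates to the "jbossmq" login domain above. The script below is an added example (not code from the original post or from JBoss) that replays that decision offline from shortened, constructed copies of the three descriptors the poster shows, together with constructed stand-ins for the JMS_USERS / JMS_ROLES tables that the DatabaseServerLoginModule's principalsQuery and rolesQuery read. It assumes the JBoss 4.0.x UsernamePasswordLoginModule semantics: credentials sent explicitly (here mdb-user / mdb-passwd) are validated against the table, and unauthenticatedIdentity is used only when no credentials are sent at all. It also reports two things a reviewer of this configuration would want flagged: the plaintext mdb-passwd in jboss.xml, and queues that the anonymous identity's roles are allowed to write to, since any client that connects without credentials is granted exactly that identity.

```python
# Added example, not from the original post: replay the jbossmq security
# decision for an MDB from the three descriptors the poster shows.
import xml.etree.ElementTree as ET

# Constructed, shortened copies of the poster's configuration files.
DESTINATIONS_XML = """<server>
 <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=correctionToolQueue">
  <attribute name="JNDIName">jms/correctionToolQueue</attribute>
  <attribute name="SecurityConf"><security><role name="guest" read="true" write="true"/></security></attribute>
 </mbean></server>"""
LOGIN_CONFIG_XML = """<policy><application-policy name="jbossmq"><authentication>
 <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
  <module-option name="unauthenticatedIdentity">guest</module-option>
  <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
  <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
 </login-module></authentication></application-policy></policy>"""
JBOSS_XML = """<jboss><enterprise-beans><message-driven>
 <ejb-name>CorrectionToolMessageBean</ejb-name>
 <destination-jndi-name>jms/correctionToolQueue</destination-jndi-name>
 <mdb-user>guest</mdb-user><mdb-passwd>guest</mdb-passwd>
</message-driven></enterprise-beans></jboss>"""

# Constructed stand-ins for JMS_USERS (user -> password) and JMS_ROLES (user -> roles),
# the tables principalsQuery/rolesQuery read. A new Oracle schema has no rows in either.
EMPTY_USERS, EMPTY_ROLES = {}, {}
SEEDED_USERS, SEEDED_ROLES = {"guest": "guest"}, {"guest": {"guest"}}


def parse_queues(xml_text):
    """JNDI name -> {role: {"read": bool, "write": bool}} for every Queue mbean."""
    queues = {}
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        if not mbean.get("code", "").endswith(".Queue"):
            continue
        jndi, roles = None, {}
        for attr in mbean.findall("attribute"):
            if attr.get("name") == "JNDIName":
                jndi = (attr.text or "").strip()
            elif attr.get("name") == "SecurityConf":
                for role in attr.iter("role"):
                    roles[role.get("name")] = {k: role.get(k) == "true" for k in ("read", "write")}
        if jndi:
            queues[jndi] = roles
    return queues


def parse_login_domain(xml_text, domain="jbossmq"):
    """(login-module code, {option: value}) for the named application-policy."""
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        if policy.get("name") == domain:
            lm = policy.find("./authentication/login-module")
            return lm.get("code"), {o.get("name"): (o.text or "").strip()
                                    for o in lm.findall("module-option")}
    return None, {}


def parse_mdbs(xml_text):
    """One dict per <message-driven> in jboss.xml; absent elements map to None."""
    fields = [("name", "ejb-name"), ("dest", "destination-jndi-name"),
              ("user", "mdb-user"), ("passwd", "mdb-passwd")]
    return [{key: md.findtext(tag) for key, tag in fields}
            for md in ET.fromstring(xml_text).iter("message-driven")]


def check_mdb_security(queues, domain, mdbs, jms_users, jms_roles):
    """Replay the JBossMQ SecurityManager decision for each MDB and return findings."""
    anon = domain[1].get("unauthenticatedIdentity")
    findings = []
    for mdb in mdbs:
        roles = queues.get(mdb["dest"])
        if roles is None:
            findings.append(f"{mdb['name']}: destination {mdb['dest']} is not defined")
            continue
        if mdb["passwd"] is not None:
            findings.append(f"{mdb['name']}: plaintext mdb-passwd stored in jboss.xml")
        # Explicit credentials are validated against principalsQuery; the
        # unauthenticatedIdentity fallback only applies when none are sent at all.
        user = mdb["user"]
        if user is not None and (user not in jms_users or jms_users[user] != mdb["passwd"]):
            findings.append(f"{mdb['name']}: User: {user} is NOT authenticated")
            continue
        identity = user if user is not None else anon
        granted = jms_roles.get(identity, set())  # what rolesQuery returns
        if not any(roles.get(r, {}).get("read") for r in granted):
            findings.append(f"{mdb['name']}: Connection not authorized to subscribe to "
                            f"destination: {mdb['dest']} (identity={identity}, roles={sorted(granted)})")
    # Anything the anonymous identity may do, a client sending no credentials may do.
    for jndi, roles in queues.items():
        if anon and any(roles.get(r, {}).get("write") for r in jms_roles.get(anon, set())):
            findings.append(f"{jndi}: unauthenticated clients (as {anon}) may write")
    return findings


if __name__ == "__main__":
    cfg = (parse_queues(DESTINATIONS_XML), parse_login_domain(LOGIN_CONFIG_XML), parse_mdbs(JBOSS_XML))
    for label, users, roles in [("empty tables", EMPTY_USERS, EMPTY_ROLES), ("seeded", SEEDED_USERS, SEEDED_ROLES)]:
        print(label, check_mdb_security(*cfg, users, roles))
```

Run against empty tables, the checker reproduces the first error from the post for the MDB that sends mdb-user/mdb-passwd, and reproduces the second ("Connection not authorized to subscribe") when those elements are removed, because the anonymous identity then has no role that grants read on the queue. With a guest row in both tables neither authorization finding appears, but the plaintext-password and anonymous-write findings remain, which is the point a defender should take from a "guest" identity holding read and write on every queue.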
