user null not authenticated upon cache timeout
gfreemankc Jun 23, 2004 1:51 PM
I'm having an issue using JBoss 3.2.3 where I've defined a JMS queue, with an unauthenticatedIdentity of guest. I'm able to publish messages to the queue, until the DefaultCacheTimeout on the JaasSecurityManager is hit. At that point I get user: null is NOT authenticated messages.
Before the cache timeout, I see this in the trace log (of jms and security):
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.Connection] Authenticating user null
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting to : serverpc/192.168.1.101:8090
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting with addr=serverpc/192.168.1.101, port=8090, localAddr=null, localPort=0, socketFactory=javax.net.DefaultSocketFactory@f77c8e
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.il.oil.OILServerILService] Setting TcpNoDelay Option to:true
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.server.TracingInterceptor] CALLED : authenticate
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.security.ServerSecurityInterceptor] Autenticating user null/null
2004-06-23 12:33:32,937 TRACE [org.jboss.security.plugins.JaasSecurityManager.jbossmq] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@18e8fe0
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.security.SecurityManager] Username: null is authenticated
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.security.SecurityManager] Adding group : class org.jboss.security.NestableGroup Roles(members:guest)
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.server.TracingInterceptor] RETURN : authenticate
Note the validateCache call above....
After the cache timeout, I see the following in the trace log:
2004-06-23 12:33:33,046 TRACE [org.jboss.mq.Connection] Authenticating user null
2004-06-23 12:33:33,046 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting to : serverpc/192.168.1.101:8090
2004-06-23 12:33:33,046 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting with addr=serverpc/192.168.1.101, port=8090, localAddr=null, localPort=0, socketFactory=javax.net.DefaultSocketFactory@f77c8e
2004-06-23 12:33:33,046 TRACE [org.jboss.mq.il.oil.OILServerILService] Setting TcpNoDelay Option to:true
2004-06-23 12:33:33,046 TRACE [org.jboss.mq.server.TracingInterceptor] CALLED : authenticate
2004-06-23 12:33:33,046 TRACE [org.jboss.mq.security.ServerSecurityInterceptor] Autenticating user null/null
2004-06-23 12:33:33,062 TRACE [org.jboss.mq.sm.file.DynamicLoginModule] logout
2004-06-23 12:33:33,062 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jbossmq] Login failure
javax.security.auth.login.LoginException: No LoginModules configured for jbossmq
    at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:350)
    at javax.security.auth.login.LoginContext.<init>(LoginContext.java:465)
    at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:486)
    at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:442)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:244)
    at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
    at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:208)
    at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:51)
    at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:787)
    at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:287)
    at org.jboss.mq.il.oil.OILServerILService$Client.run(OILServerILService.java:329)
    at java.lang.Thread.run(Thread.java:534)
2004-06-23 12:33:33,062 TRACE [org.jboss.mq.security.SecurityManager] User: null is NOT authenticated
2004-06-23 12:33:33,062 TRACE [org.jboss.mq.server.TracingInterceptor] EXCEPTION : authenticate:
javax.jms.JMSSecurityException: User: null is NOT authenticated
    at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:232)
    at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:51)
    at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:787)
    at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:287)
    at org.jboss.mq.il.oil.OILServerILService$Client.run(OILServerILService.java:329)
    at java.lang.Thread.run(Thread.java:534)
2004-06-23 12:33:33,062 TRACE [org.jboss.mq.server.TracingInterceptor] RETURN : authenticate
I can't figure out why it thinks there is no LoginModule configured for the jbossmq domain....
In my jbossmq-service.xml I have:
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">jbossmq</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
My queue is defined as:
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=ReactorEvents">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="false"/>
    </security>
  </attribute>
</mbean>
My jboss-service.xml has:
<mbean code="org.jboss.security.plugins.SecurityConfig" name="jboss.security:service=SecurityConfig">
  <attribute name="LoginConfig">jboss.security:service=XMLLoginConfig</attribute>
</mbean>
<mbean code="org.jboss.security.auth.login.XMLLoginConfig" name="jboss.security:service=XMLLoginConfig">
  <attribute name="ConfigResource">login-config.xml</attribute>
</mbean>
<!-- JAAS security manager and realm mapping -->
<mbean code="org.jboss.security.plugins.JaasSecurityManagerService" name="jboss.security:service=JaasSecurityManager">
  <attribute name="SecurityManagerClassName">
    org.jboss.security.plugins.JaasSecurityManager
  </attribute>
  <attribute name="DefaultCacheTimeout">10</attribute>
</mbean>
The login-config.xml has:
<!-- Security domain for JBossMQ -->
<application-policy name = "jbossmq">
  <authentication>
    <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule" flag = "required">
      <module-option name = "unauthenticatedIdentity">guest</module-option>
      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
    </login-module>
  </authentication>
</application-policy>
And my jbossmq-state has:
<User>
  <Name>guest</Name>
  <Password>guest</Password>
</User>
and
<Role name="guest">
  <UserName>guest</UserName>
  <UserName>john</UserName>
</Role>
I can't figure out why it works until the cache expires....
I had originally posted this in the Messaging forum, but the more I looked at it, the more I believe it's a security issue, so please forgive the cross-post.
Thank you in advance for your help.
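Added example, not part of the original post: a Python log parser that groups the trace lines quoted above into authenticate calls and records whether each one was answered after a validateCache line or went through a JAAS login that raised LoginException. The sample input is abridged from the post's trace; the function names and the "cache" / "jaas-login" labels are assumptions made for this example.

```python
import re
# Sample input: abridged from the trace quoted in the post above (not a new capture).
SAMPLE_LOG = """\
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.server.TracingInterceptor] CALLED : authenticate
2004-06-23 12:33:32,937 TRACE [org.jboss.security.plugins.JaasSecurityManager.jbossmq] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@18e8fe0
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.security.SecurityManager] Username: null is authenticated
2004-06-23 12:33:32,937 TRACE [org.jboss.mq.server.TracingInterceptor] RETURN : authenticate
2004-06-23 12:33:33,046 TRACE [org.jboss.mq.server.TracingInterceptor] CALLED : authenticate
2004-06-23 12:33:33,062 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jbossmq] Login failure
javax.security.auth.login.LoginException: No LoginModules configured for jbossmq
2004-06-23 12:33:33,062 TRACE [org.jboss.mq.security.SecurityManager] User: null is NOT authenticated
2004-06-23 12:33:33,062 TRACE [org.jboss.mq.server.TracingInterceptor] RETURN : authenticate
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$")

def summarize_auth_attempts(log_text):
    attempts, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        msg = m.group(4) if m else None
        if msg == "CALLED : authenticate":
            current = {"time": m.group(1), "path": "unknown", "authenticated": None, "login_error": None}
        elif current is None:
            continue
        elif msg is None:  # continuation line: exception text or stack frame
            if "LoginException:" in raw:
                current["login_error"] = raw.split("LoginException:", 1)[1].strip()
        elif msg.startswith("validateCache"):
            current["path"] = "cache"        # label assumed for this example
        elif msg == "Login failure":
            current["path"] = "jaas-login"   # label assumed for this example
        elif msg.endswith("is NOT authenticated"):
            current["authenticated"] = False
        elif msg.endswith("is authenticated"):
            current["authenticated"] = True
        elif msg == "RETURN : authenticate":
            attempts.append(current)
            current = None
    return attempts

def failures_after_cached_success(attempts):  # failed JAAS logins after a cached success
    seen_cached_ok, flagged = False, []
    for a in attempts:
        if a["path"] == "cache" and a["authenticated"]:
            seen_cached_ok = True
        elif seen_cached_ok and a["path"] == "jaas-login" and a["authenticated"] is False:
            flagged.append(a)
    return flagged
```

Run over a full server log, `failures_after_cached_success(summarize_auth_attempts(text))` lists the calls that were rejected only once a login had to be performed again, together with the LoginException message recorded for each.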