Migrating from JBoss 3.2.4 to 4.0.4GA, getting javax.jms.JMS
bploetz Nov 9, 2006 4:57 PM
I'm sure I'll get a RTFM reply from someone, but I assure you I've been banging my head against the wall for the last two days trying to figure out what is going wrong. I've read all of the documentation several times, the FAQs, the Wiki and the Forum, and I'm still stumped. I've seen other posts with similar problems, but none of them seem to have definitive solutions. Any and all help would be greatly appreciated.
Also note that since this issue seems to be related to the interaction of an MDB with JAAS, I wasn't sure whether to post this in the JMS forum or here. I'll start here......
Anyways, I'm in the process of migrating a J2EE app from JBoss 3.2.4 to JBoss 4.0.4GA. My app is a run of the mill web app which has some Message Driven Beans for firing off reports. Most of the JBoss config files that I used in 3.2.4 worked just fine unchanged when I moved them over to 4.0.4GA....with one notable exception: my MDBs and their interaction with their Queues.
So I have the following JMS queues defined in jboss-mq-destinations.xml:
<?xml version="1.0" encoding="UTF-8"?>
<!-- $Id: jbossmq-destinations-service.xml,v 1.4.6.1 2004/11/16 04:32:39 ejort Exp $ -->
<server>
  <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=reportFailureQueue">
    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
    <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
    <attribute name="JNDIName">jms/reportFailureQueue</attribute>
    <attribute name="RedeliveryLimit">5</attribute>
    <attribute name="RedeliveryDelay">10000</attribute>
    <attribute name="SecurityConf">
      <security>
        <role name="guest" read="true" write="true"/>
      </security>
    </attribute>
  </mbean>
  <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=reportRunnerQueue">
    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
    <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
    <attribute name="JNDIName">jms/reportRunnerQueue</attribute>
    <attribute name="RedeliveryLimit">0</attribute>
    <attribute name="SecurityConf">
      <security>
        <role name="guest" read="true" write="true"/>
      </security>
    </attribute>
  </mbean>
  <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=correctionToolQueue">
    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
    <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
    <attribute name="JNDIName">jms/correctionToolQueue</attribute>
    <attribute name="RedeliveryLimit">0</attribute>
    <attribute name="SecurityConf">
      <security>
        <role name="guest" read="true" write="true"/>
      </security>
    </attribute>
  </mbean>
</server>
I have the following configuration in login-config.xml:
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC "-//JBoss//DTD JBOSS Security Config 3.0//EN" "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
  <!-- Used by clients within the application server VM such as mbeans and servlets that access EJBs. -->
  <application-policy name = "client-login">
    <authentication>
      <login-module code = "org.jboss.security.ClientLoginModule" flag = "required">
      </login-module>
    </authentication>
  </application-policy>

  <!-- Security domain for JBossMQ -->
  <application-policy name = "jbossmq">
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
        <module-option name = "unauthenticatedIdentity">guest</module-option>
        <module-option name = "dsJndiName">java:/jdbc/OPSConsoleDataSource</module-option>
        <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
        <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <application-policy name = "JmsXARealm">
    <authentication>
      <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule" flag = "required">
        <module-option name = "principal">guest</module-option>
        <module-option name = "userName">guest</module-option>
        <module-option name = "password">guest</module-option>
        <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the jmx-console web application. This
       defaults to the UsersRolesLoginModule the same as other and should be
       changed to a stronger authentication mechanism as required. -->
  <application-policy name = "jmx-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
        <module-option name="usersProperties">jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
        <module-option name="hashAlgorithm">sha-256</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- A template configuration for the web-console web application. This
       defaults to the UsersRolesLoginModule the same as other and should be
       changed to a stronger authentication mechanism as required. -->
  <application-policy name = "web-console">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
        <module-option name="usersProperties">jmx-console-users.properties</module-option>
        <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
        <module-option name="hashAlgorithm">sha-256</module-option>
      </login-module>
    </authentication>
  </application-policy>

  <!-- The default login configuration used by any security domain that
       does not have an application-policy entry with a matching name -->
  <application-policy name = "other">
    <!-- A simple server login module, which can be used when the number
         of users is relatively small. It uses two properties files:
         users.properties, which holds users (key) and their password (value).
         roles.properties, which holds users (key) and a comma-separated list of their roles (value).
         The unauthenticatedIdentity property defines the name of the principal
         that will be used when a null username and password are presented as is
         the case for an unauthenticated web client or MDB. If you want to
         allow such users to be authenticated add the property, e.g.,
         unauthenticatedIdentity="nobody" -->
    <authentication>
      <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required" />
    </authentication>
  </application-policy>
</policy>
I'm using Oracle for JMS persistence (i.e. oracle-jdbc2-service.xml and oracle-jdbc-state-service.xml) and have removed the Hypersonic DefaultDS.
An example MDB configuration for one of the MDBs fronting the Queue above:
ejb-jar.xml:

<?xml version="1.0"?>
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <enterprise-beans>
    <message-driven>
      <ejb-name>CorrectionToolMessageBean</ejb-name>
      <ejb-class>CorrectionToolMessageBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-driven-destination>
        <destination-type>javax.jms.Queue</destination-type>
      </message-driven-destination>
      <ejb-ref>
        <ejb-ref-name>ejb/AccountingManagerHome</ejb-ref-name>
        <ejb-ref-type>Session</ejb-ref-type>
        <home>AccountingManagerHome</home>
        <remote>AccountingManager</remote>
      </ejb-ref>
      <security-identity>
        <run-as>
          <role-name>guest</role-name>
        </run-as>
      </security-identity>
    </message-driven>
  </enterprise-beans>
  <assembly-descriptor>
    <security-role>
      <role-name>guest</role-name>
    </security-role>
    <container-transaction>
      <method>
        <ejb-name>CorrectionToolMessageBean</ejb-name>
        <method-name>*</method-name>
      </method>
      <trans-attribute>Required</trans-attribute>
    </container-transaction>
  </assembly-descriptor>
</ejb-jar>

jboss.xml:

<?xml version="1.0"?>
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
<jboss>
  <enterprise-beans>
    <message-driven>
      <ejb-name>CorrectionToolMessageBean</ejb-name>
      <destination-jndi-name>jms/correctionToolQueue</destination-jndi-name>
      <mdb-user>guest</mdb-user>
      <mdb-passwd>guest</mdb-passwd>
      <mdb-client-id>guest</mdb-client-id>
      <configuration-name>Singleton Message Driven Bean</configuration-name>
      <ejb-ref>
        <ejb-ref-name>ejb/AccountingManagerHome</ejb-ref-name>
        <jndi-name>ejb/AccountingManagerHome</jndi-name>
      </ejb-ref>
      <security-identity>
        <run-as-principal>guest</run-as-principal>
      </security-identity>
    </message-driven>
  </enterprise-beans>
</jboss>
Now, when the application is deployed, I'm getting the following exception:
16:12:20,841 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleDataSource' to JNDI name 'java:jdbc/OPSConsoleDataSource'
16:12:20,857 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleXADataSource' to JNDI name 'java:jdbc/OPSConsoleXADataSource'
16:12:22,107 INFO [reportFailureQueue] Bound to JNDI name: jms/reportFailureQueue
16:12:22,122 INFO [reportRunnerQueue] Bound to JNDI name: jms/reportRunnerQueue
16:12:22,122 INFO [correctionToolQueue] Bound to JNDI name: jms/correctionToolQueue
16:12:22,185 INFO [UILServerILService] JBossMQ UIL service available at : /0.0.0.0:8093
16:12:22,247 INFO [DLQ] Bound to JNDI name: queue/DLQ
16:12:22,247 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleReportingDataSource' to JNDI name 'java:jdbc/OPSConsoleReportingDataSource'
16:12:22,450 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=ConnectionFactoryBinding,name=JmsXA' to JNDI name 'java:JmsXA'
16:12:22,544 INFO [TomcatDeployer] deploy, ctxPath=/jmx-console, warUrl=.../deploy/jmx-console.war/
16:12:22,904 INFO [EARDeployer] Init J2EE application: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/deploy/OpsConsole.ear
16:12:26,513 INFO [EjbModule] Deploying AccountingManagerEJB
16:12:26,778 INFO [EjbModule] Deploying BackofficeConsoleManagerEJB
16:12:26,903 INFO [EjbModule] Deploying CorrectionToolMessageBean
16:12:27,060 INFO [EjbModule] Deploying FeedsManagerEJB
16:12:27,169 INFO [EjbModule] Deploying ReportFailureMessageBean
16:12:27,310 INFO [EjbModule] Deploying ReportManagerEJB
16:12:27,435 INFO [EjbModule] Deploying ReportRunnerEJB
16:12:27,544 INFO [EjbModule] Deploying ReportRunnerMessageBean
16:12:27,700 INFO [BaseLocalProxyFactory] Bound EJB LocalHome 'AccountingManagerEJB' to jndi 'ejb/AccountingManagerHome'
16:12:27,700 INFO [EJBDeployer] Deployed: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/tmp/deploy/tmp22960OpsConsole.ear-contents/AccountingManagerEJB.jar
16:12:27,794 INFO [BaseLocalProxyFactory] Bound EJB LocalHome 'BackofficeConsoleManagerEJB' to jndi 'ejb/BackofficeConsoleManagerHome'
16:12:27,794 INFO [EJBDeployer] Deployed: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/tmp/deploy/tmp22960OpsConsole.ear-contents/BackofficeConsoleManagerEJB.jar
16:12:27,981 WARN [JMSContainerInvoker] JMS provider failure detected for CorrectionToolMessageBean
javax.jms.JMSSecurityException: User: guest is NOT authenticated
    at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:230)
    at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:66)
    at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:750)
    at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:302)
    at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:316)
    at org.jboss.mq.Connection.authenticate(Connection.java:1065)
    at org.jboss.mq.Connection.<init>(Connection.java:252)
    at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:79)
    at org.jboss.mq.SpyXAConnection.<init>(SpyXAConnection.java:59)
    at org.jboss.mq.SpyXAConnectionFactory.createXAConnection(SpyXAConnectionFactory.java:109)
    at org.jboss.mq.SpyXAConnectionFactory.createXAQueueConnection(SpyXAConnectionFactory.java:130)
    at org.jboss.jms.ConnectionFactoryHelper.createQueueConnection(ConnectionFactoryHelper.java:147)
    at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerStartDelivery(JMSContainerInvoker.java:732)
    at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:839)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
    at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
    at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
Why is the "guest" user not authenticated? I should note that when I remove the security configuration from the EJB deployment descriptors (i.e. <security-identity>, <security-role>, <mdb-user|passwd|client-id>, etc), I get a different error:
12:26:37,624 WARN [JMSContainerInvoker] JMS provider failure detected for CorrectionToolMessageBean
org.jboss.deployment.DeploymentException: Error during queue setup; - nested throwable: (javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: correctionToolQueue)
I'm sure this will boil down to some missing line in a config file somewhere, but I'm stumped. The same exact config above, minus the security configuration in the MDB deployment descriptors, worked just fine in 3.2.4.
Thanks in advance for any help!!
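A way to see which branch of the posted `jbossmq` policy a connection takes, added here as an illustration; it is not part of the original post and is not JBoss code. It runs the post's own `principalsQuery` and `rolesQuery` against a constructed in-memory table and assumes a simplified login flow: no credentials fall back to `unauthenticatedIdentity` with no database roles, while any supplied username (such as the `mdb-user` value) must match a `JMS_USERS` row.

```python
import hmac
import sqlite3

# Queries and identity copied from the jbossmq application-policy in the post.
PRINCIPALS_QUERY = "SELECT PASSWD FROM JMS_USERS WHERE USERID=?"
ROLES_QUERY = "SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?"
UNAUTHENTICATED_IDENTITY = "guest"


def make_db(users=(), roles=()):
    """Constructed in-memory stand-in for the JMS_USERS / JMS_ROLES tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE JMS_USERS (USERID TEXT PRIMARY KEY, PASSWD TEXT NOT NULL)")
    db.execute("CREATE TABLE JMS_ROLES (USERID TEXT, ROLEID TEXT)")
    db.executemany("INSERT INTO JMS_USERS VALUES (?, ?)", users)
    db.executemany("INSERT INTO JMS_ROLES VALUES (?, ?)", roles)
    return db


def login(db, username, password):
    """Simplified model (an assumption, not the JBoss implementation).

    Returns (authenticated, identity, roles, reason).
    """
    if username is None and password is None:
        # No credentials presented: fall back to unauthenticatedIdentity.
        # Assumed: no role rows are looked up for a null user.
        return True, UNAUTHENTICATED_IDENTITY, set(), "unauthenticated identity"
    row = db.execute(PRINCIPALS_QUERY, (username,)).fetchone()
    if row is None:
        return False, None, set(), "no JMS_USERS row for %r" % username
    # The jbossmq policy sets no hashAlgorithm, so the stored value is compared as-is.
    if password is None or not hmac.compare_digest(row[0].encode(), password.encode()):
        return False, None, set(), "password mismatch"
    roles = {r[0] for r in db.execute(ROLES_QUERY, (username,))}
    return True, username, roles, "database credentials accepted"


def can_use_queue(roles, queue_roles=frozenset({"guest"})):
    """The queues' SecurityConf in the post grants read/write to role 'guest' only."""
    return bool(roles & queue_roles)
```

Running the two posted queries by hand with `USERID` set to `guest` against the real Oracle datasource gives the same information as the model.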