5 Replies Latest reply on Mar 11, 2005 4:38 PM by adrian.brock

JMS Authentication and JAAS

bwallis42 Jun 15, 2004 12:00 AM

Is there any relationship between the authentication I have to use for JMS (TopicConnection.createTopicConnection(user,pass)) and the authentication I use to access my beans (LoginContext.login()) or do we have two separate security domains each of which has to be setup and managed differently?

I have a client application that needs to use some EJBs to configure a notification server and then listen on a JMS topic for events that are then generated based on the configuration. As far as I can see, the client has to authenticate twice, once for the EJB access using JAAS and again to setup the topic connection.

Have I missed something or is this how it is meant to work?

thanks,
brian wallis...

1. Re: JMS Authentication and JAAS

starksm64 Jun 15, 2004 9:35 AM (in response to bwallis42)

Configure the jms security domain to use the org.jboss.resource.security.CallerIdentityLoginModule to use the ejb credentials.
Actions
2. Re: JMS Authentication and JAAS

bwallis42 Jun 15, 2004 11:11 PM (in response to bwallis42)
Thanks for the reply. But I think my initial question might have been a little misleading.

It is the client side that is accessing the beans AND connecting to the JMS topic, I have something like the following in the client app:

lc = new LoginContext("jbossmq",handler);
lc.login();
// ...
TopicConnectionFactory cf = ...;
TopicConnection tc = cf.createTopicConnection();

If I don't put the username/password into the createTopicConnection() call then the JMS connection fails.

My loginconfig for the client is:

jbossmq {
org.jboss.security.ClientLoginModule required;
};

and my server login-config.xml contains (as suggested):

<application-policy name="jbossmq">

<login-module
code="org.jboss.resource.security.CallerIdentityLoginModule"
flag="required"/>
<module-option
name="userName">guest</module-option>
<module-option
name="password">guest</module-option>
</login-module>

</application-policy>

In stepping through the client and server side code I cannot see how the info captured by the ClientLoginModule is used for the JMS connection. Obviously the SecurityAssociation principal and credential (set up by the ClientLoginModule) are not being propagated to the server. For a bean invocation from a client, the proxy SecurityInterceptor does this but what does this for a JMS connection?
[list=]
Actions
3. Re: JMS Authentication and JAAS

bwallis42 Jun 20, 2004 9:14 PM (in response to bwallis42)

Still cannot get this to work. Currently my client application is logging in twice, once using JAAS for the ejb access and once when creating the topic connection.

I cannot work out how to unify the security for JMS and EJBs when using both from an external client.

thanks,
brian wallis...
Actions
4. Re: JMS Authentication and JAAS

grungy Mar 2, 2005 10:53 PM (in response to bwallis42)

I have this exact same problem.

Rich client authenticating via JAAS ClientLoginModule to JBoss EJB server. This works fine. However the same JAAS authentication is ignored for opening connection to a JMS topic or queue and I have to manually supply the username and password in the call to open connection (meaning I am doing this twice).

Does anyone have a solution to the man's problem?
Actions
5. Re: JMS Authentication and JAAS

adrian.brock Mar 11, 2005 4:38 PM (in response to bwallis42)

Client JMS does not use JAAS.
It is a TODO in the spec for a future version.

The JMS Resource Adapter deployed within JBoss will use JAAS
because it is wrapped with a JCA connection manager that understands it.

The only portable solution is to write your own JMS wrapper that understands JAAS
and redirects createXXXConnection() to createXXXConnection(jaasUser, jaasCredential)
Actions

Go to original post