7 Replies Latest reply on Nov 24, 2005 6:47 AM by rudivankeirsbilck

    Porting jbossmq security configuration from 3.2.3 to 4.0.2

    rudivankeirsbilck

      Hi all,

      Up until now my app has been running smoothly on JBoss 3.2.3. New features that I am about to start implementing require me to port to 4.0.2 and use EJB 2.1.

      I was using jbossmq-state.xml before to configure user/password/role information:

      <StateManager>
        <Users>
          <User>
            <Name>guest</Name>
            <Password>guest</Password>
          </User>
          <User>
            <Name>nobody</Name>
            <Password>nobody</Password>
          </User>
          <User>
            <Name>bspub</Name>
            <Password>bspub</Password>
          </User>
          <User>
            <Name>bssub</Name>
            <Password>bssub</Password>
          </User>
        </Users>
        <Roles>
          <Role name="guest">
            <UserName>guest</UserName>
            <UserName>john</UserName>
          </Role>
          <Role name="bluespacepublisher">
            <UserName>bspub</UserName>
          </Role>
          <Role name="bluespacesubscriber">
            <UserName>bssub</UserName>
          </Role>
        </Roles>
        <DurableSubscriptions>
        </DurableSubscriptions>
      </StateManager>


      I have taken the necessary steps to enable usage of jbossmq-state.xml by changing login-config.xml to:
       <!-- Security domain for JBossMQ when using file-state-service.xml -->
       <application-policy name = "jbossmq">
         <authentication>
           <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
                         flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
           </login-module>
         </authentication>
       </application-policy>


      and copying the file-state-service.xml to deploy/jms and my old jbossmq-state.xml file to the conf directory.

      All my components that are posting messages on topics are using authenticated connections:
       // Publisher credentials come from the bean's ejb-env entries,
       // falling back to the bspub/bspub defaults when they are not defined.
       String userName;
       try {
           userName = (String) initialContext.lookup("username");
       }
       catch (NamingException e) {
           Logger.EVENT.debug("A publisher has not yet defined the userName ejb-env entry, using default.");
           userName = "bspub";
       }
       String password;
       try {
           password = (String) initialContext.lookup("password");
       }
       catch (NamingException e) {
           Logger.EVENT.debug("A publisher has not yet defined the password ejb-env entry, using default.");
           password = "bspub";
       }
       // Authenticated connection: the user/password end up in the JCA ConnectionRequestInfo.
       TopicConnection connection = this.getTopicConnectionFactory(initialContext).createTopicConnection(userName, password);


      The topics are all configured as the one below:
       <mbean code="org.jboss.mq.server.jmx.Topic"
              name="jboss.mq.destination:service=Topic,name=ReceiveMail">
         <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
         <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
         <attribute name="SecurityConf">
           <security>
             <role name="bluespacepublisher" read="true" write="true" create="true"/>
             <role name="bluespacesubscriber" read="true" write="false" create="true"/>
           </security>
         </attribute>
       </mbean>


      All goes well, i.e. I am not getting any errors at deployment time; the code even executes fine until the transaction commits, and then I see:
      Caused by: org.jboss.tm.JBossRollbackException: Unable to commit, tx=TransactionImpl:XidImpl[FormatId=257, GlobalId=Thunder.local/73, BranchQual=, localId=73] status=STATUS_NO_TRANSACTION; - nested throwable: (org.jboss.mq.SpyXAException: - nested throwable: (javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: SendMail))
       at org.jboss.tm.TransactionImpl.commit(TransactionImpl.java:344)
       at org.jboss.ejb.plugins.TxInterceptorCMT.endTransaction(TxInterceptorCMT.java:486)
       ... 52 more
      Caused by: org.jboss.mq.SpyXAException: - nested throwable: (javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: SendMail)
       at org.jboss.mq.SpyXAResource.prepare(SpyXAResource.java:134)
       at org.jboss.tm.TransactionImpl$Resource.prepare(TransactionImpl.java:2101)
       at org.jboss.tm.TransactionImpl.prepareResources(TransactionImpl.java:1553)
       at org.jboss.tm.TransactionImpl.commit(TransactionImpl.java:319)
       ... 53 more
      Caused by: javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: SendMail
       at org.jboss.mq.security.ServerSecurityInterceptor.transact(ServerSecurityInterceptor.java:166)
       at org.jboss.mq.server.TracingInterceptor.transact(TracingInterceptor.java:438)
       at org.jboss.mq.server.JMSServerInvoker.transact(JMSServerInvoker.java:186)
       at org.jboss.mq.il.jvm.JVMServerIL.transact(JVMServerIL.java:327)
       at org.jboss.mq.Connection.send(Connection.java:1163)
       at org.jboss.mq.SpyXAResourceManager.prepare(SpyXAResourceManager.java:207)
       at org.jboss.mq.SpyXAResource.prepare(SpyXAResource.java:130)
       ... 56 more
      


      My topic subscriber components all deploy fine and are all using SecurityConf entries in their deployment descriptors.

      What have I missed?

      Much obliged,

      Rudi

        • 1. Re: Porting jbossmq security configuration from 3.2.3 to 4.0
          rudivankeirsbilck

          I have made some changes. I realized that when I publish messages, I am doing that in a XA context so I needed to change the login configuration for JmsXARealm too.

           <application-policy name = "JmsXARealm">
             <authentication>
               <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
                             flag = "required">
                 <module-option name = "unauthenticatedIdentity">guest</module-option>
                 <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
                 <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
               </login-module>
             </authentication>
           </application-policy>


          The module-option managedConnectionFactoryName does not make any difference, i.e. the same behaviour with or without it. I did not include it the first time as I don't think I need it, but I thought I'd try it anyway.

          Now the code is no longer executing fine but is giving me a SecurityException when I create the TopicSession:

           TopicConnection connection = this.getTopicConnectionFactory(initialContext).createTopicConnection(userName, password);
           TopicSession session = connection.createTopicSession(true, TopicSession.AUTO_ACKNOWLEDGE);

          The exception is:
          javax.jms.JMSException: Could not create a session: javax.resource.spi.SecurityException: No Passwdord credentials found
           at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.allocateConnection(JmsSessionFactoryImpl.java:392)
           at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.createTopicSession(JmsSessionFactoryImpl.java:155)
           at com.bluespace.core.implementation.jms.JMSFacadeDefaultImplementation.createTopicSession(JMSFacadeDefaultImplementation.java:44)
           at com.bluespace.core.implementation.jms.JMSFacadeDefaultImplementation.getTopicPublisherResources(JMSFacadeDefaultImplementation.java:195)
           at com.bluespace.core.implementation.jms.JMSFacadeDefaultImplementation.getTopicPublisherResources(JMSFacadeDefaultImplementation.java:71)
           at com.bluespace.core.implementation.events.publishers.abstracts.BlueSpacePublisherBean.publishOnTopics(BlueSpacePublisherBean.java:137)
           at com.bluespace.core.implementation.events.publishers.abstracts.BlueSpacePublisherBean.publish(BlueSpacePublisherBean.java:100)
           at com.bluespace.core.implementation.events.publishers.abstracts.BlueSpacePublisherBean.publish(BlueSpacePublisherBean.java:74)
           at com.bluespace.core.implementation.events.publishers.mailbox.ReadMailPublisherBean.publish(ReadMailPublisherBean.java:55)
           at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          ...
          


          The username and password that I am providing are "pspub" and "bspub", which are defined in jbossmq-state.xml as you can see in my previous post.

          Again, what am I missing here?

          Many thanks,

          Rudi

            • 3. Re: Porting jbossmq security configuration from 3.2.3 to 4.0

              http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossHelp
              Read the docs before making random configuration changes
              and use search. This question came up last week.

              • 4. Re: Porting jbossmq security configuration from 3.2.3 to 4.0
                rudivankeirsbilck

                I did try to find similar posts before posting this one and came up with:
                http://www.jboss.com/index.html?module=bb&op=viewtopic&t=63621
                and
                http://www.jboss.com/index.html?module=bb&op=viewtopic&t=43891

                The first seems to be exactly the same problem as I am having but nobody has answered that one.
                The latter is very interesting where you say that

                The purpose of the JmsXARealm is to provide a user/password when you do TopicConnectionFactory.createTopicConnection();
                By default it provides guest/guest

                However, I am using
                tcf.createTopicConnection(username, password)

                Also, the guy is trying to use the username/password of the caller of the session bean, where I am not trying to do that at all. I am picking up username and password from env-entry in ejb-jar so I am thinking that I definitely do not need CallerIdentityLoginModule.

                I also found http://www.jboss.com/index.html?module=bb&op=viewtopic&t=72684
                but I am using either:
                <application-policy name = "jbossmq">
                  <authentication>
                    <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
                                  flag = "required">
                      <module-option name = "unauthenticatedIdentity">guest</module-option>
                      <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
                    </login-module>
                  </authentication>
                </application-policy>

                or
                <application-policy name = "jbossmq">
                  <authentication>
                    <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                  flag = "required">
                      <module-option name = "unauthenticatedIdentity">guest</module-option>
                      <module-option name = "dsJndiName">java:/BlueEventDS</module-option>
                      <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
                      <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
                    </login-module>
                  </authentication>
                </application-policy>


                • 5. Re: Porting jbossmq security configuration from 3.2.3 to 4.0
                  rudivankeirsbilck

                  I am back and I think I have found the root cause this time.
                  First I reverted my changes to JmsXARealm in login-config.xml, as Adrian indicated that I should not make unconsidered changes like that.

                  That also reverted my problem to getting

                  Caused by: javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: SendMail
                   at org.jboss.mq.security.ServerSecurityInterceptor.transact(ServerSecurityInterceptor.java:166)
                   at org.jboss.mq.server.TracingInterceptor.transact(TracingInterceptor.java:438)
                  

                  I decided to debug ServerSecurityInterceptor and found that it is using the caller identity. Now I have not set up security on any of my beans, but the interceptor is using guest/guest as values and my topics are only allowing the role bluespacepublisher with attached user bspub to write to topics. Hence, the security exception.

                  Next question is, how do I actually solve this. Of course I can change things so that guest is allowed to write but I don't really want to do that. This would only work around the problem and leave a big hole in the security net of my app.

                  Is the only proper solution to set up security on method level with a user that is also allowed to write to topics? Don't shoot me Adrian if this is another obvious question ;-)

                  Many thanks,

                  Rudi

                  • 6. Re: Porting jbossmq security configuration from 3.2.3 to 4.0

                     

                    "Rudi Vankeirsbilck" wrote:
                    Don't shoot me Adrian if this is another obvious question ;-)
                    Rudi


                    Bang!

                    You are in the wrong forum to ask questions about JCA pooling and security.
                    Your question has nothing to do with JMS (other than the JMS RAR is on the receiving end of your configuration :-).

                    http://wiki.jboss.org/wiki/Wiki.jsp?page=JBossJCAPooling

                    FAQ (read the spec): For security-domain-and-application the Subject always overrides any user/password from createConnection(user, password) in the CRI (ConnectionRequestInfo)


                    Or if you don't want to configure caller identity,
                    use the cunningly (but actually mis-)named
                    <application-managed-security/>

                    such that you can createXXXConnection(user, password) via JCA.

                    • 7. Re: Porting jbossmq security configuration from 3.2.3 to 4.0
                      rudivankeirsbilck

                      Thank you Adrian, that helped a lot. Really appreciate that!

                      For others, I'll summarize what I have done to get it working:

                      Modify login-config.xml and add a new application policy:

                       <application-policy name = "JmsXABlueSpaceRealm">
                         <authentication>
                           <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
                                         flag = "required">
                             <module-option name = "principal">guest</module-option>
                             <module-option name = "userName">blsptm01</module-option>
                             <module-option name = "password">bluespace</module-option>
                             <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXABlueSpace</module-option>
                           </login-module>
                         </authentication>
                       </application-policy>

                      Create a new bluespace-jms-ds.xml that I am adding to my .ear as a nested deployment:
                       <connection-factories>
                         <!-- JMS XA Resource adapter, use this to get transacted JMS in bluespace beans -->
                         <tx-connection-factory>
                           <jndi-name>JmsXABlueSpace</jndi-name>
                           <xa-transaction/>
                           <rar-name>jms-ra.rar</rar-name>
                           <connection-definition>org.jboss.resource.adapter.jms.JmsConnectionFactory</connection-definition>
                           <config-property name="SessionDefaultType" type="java.lang.String">javax.jms.Topic</config-property>
                           <config-property name="JmsProviderAdapterJNDI" type="java.lang.String">java:/DefaultJMSProvider</config-property>
                           <max-pool-size>20</max-pool-size>
                           <security-domain-and-application>JmsXABlueSpaceRealm</security-domain-and-application>
                         </tx-connection-factory>
                       </connection-factories>

                      This links to the new application-policy created in login-config.xml and avoids having to modify the default settings for JmsXARealm or change the default jms-ds.xml to point to my new JmsXABlueSpaceRealm.

                      Add user blsptm01 to jbossmq-state.xml and assign the user the "bluespacepublisher" and "bluespacesubscriber" role.

                      I am not using the createTopicSession(username, password) call anymore (it was not so in the past and required me to change the xdoclet entries for a big number of publisher beans).
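The precedence Adrian describes and the fix Rudi summarizes, as an added example (not the thread's or JBoss's own code): a small Python model of the two checks a publish goes through, the JCA choice of identity and JBossMQ's role check against the topic's SecurityConf. The state file and SecurityConf are constructed samples in the formats quoted above; the `effective_user` rules are a simplification of the JBoss 4 connection-factory security elements, not the container's implementation.

```python
import xml.etree.ElementTree as ET

# Constructed samples in the two formats quoted in the thread: the
# jbossmq-state.xml users/roles and one topic's SecurityConf.
STATE_XML = """<StateManager>
  <Users>
    <User><Name>guest</Name><Password>guest</Password></User>
    <User><Name>bspub</Name><Password>bspub</Password></User>
    <User><Name>blsptm01</Name><Password>bluespace</Password></User>
  </Users>
  <Roles>
    <Role name="guest"><UserName>guest</UserName></Role>
    <Role name="bluespacepublisher"><UserName>bspub</UserName><UserName>blsptm01</UserName></Role>
    <Role name="bluespacesubscriber"><UserName>blsptm01</UserName></Role>
  </Roles>
</StateManager>"""

TOPIC_SECURITY_XML = """<security>
  <role name="bluespacepublisher" read="true" write="true" create="true"/>
  <role name="bluespacesubscriber" read="true" write="false" create="true"/>
</security>"""


def effective_user(security_mode, subject_user, cri_user):
    """Identity the JMS RAR presents to JBossMQ (Adrian's FAQ point):
    with <security-domain-and-application> the login-module Subject overrides
    the user given to createTopicConnection(user, password) (the CRI); with
    <application-managed-security/> only the CRI credentials are used.
    Simplified model of the JBoss 4 behaviour, not the container's code."""
    if security_mode == "security-domain-and-application":
        return subject_user if subject_user is not None else cri_user
    if security_mode == "application-managed-security":
        return cri_user
    raise ValueError("unknown security element: " + security_mode)


def roles_for(state_xml, user):
    """Roles assigned to `user` in a jbossmq-state.xml document."""
    return {role.get("name") for role in ET.fromstring(state_xml).iter("Role")
            if user in [u.text for u in role.findall("UserName")]}


def authorized(state_xml, topic_security_xml, user, permission):
    """True if one of the user's roles grants `permission` (read/write/create)
    in the topic's SecurityConf; False is what surfaces as the
    'Connection not authorized to addMessages' JMSSecurityException."""
    roles = roles_for(state_xml, user)
    return any(r.get("name") in roles and r.get(permission) == "true"
               for r in ET.fromstring(topic_security_xml).findall("role"))


def can_publish(security_mode, subject_user, cri_user):
    """(effective user, may it write to the topic?) for one connection."""
    user = effective_user(security_mode, subject_user, cri_user)
    return user, authorized(STATE_XML, TOPIC_SECURITY_XML, user, "write")
```

With the default JmsXARealm the Subject is guest, so `can_publish("security-domain-and-application", "guest", "bspub")` ignores bspub and is refused; with ConfiguredIdentityLoginModule supplying blsptm01 the same call is allowed.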