2 Replies Latest reply on Mar 30, 2005 8:45 AM by nlmarco

javax.jms.JMSSecurityException

nlmarco Mar 29, 2005 11:39 AM

Hello *,

I've a message driven bean subscribed to a queue. The queue is created with the following xxx-service.xml:

<?xml version="1.0" encoding="UTF-8"?>

<server>
 <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=MyMQSecurityManager">
 <attribute name="DefaultSecurityConfig">
 <security>
 <role name="_LocalQueueWriter_" read="false" write="true"/>
 <role name="_LocalQueueReader_" read="true" write="false"/>
 </security>
 </attribute>
 <attribute name="SecurityDomain">java:/jaas/ipanemaLocal</attribute>
 <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
 </mbean>

 <mbean code="org.jboss.mq.server.jmx.Queue"
 name="jboss.mq.destination:service=Queue,name=my/Queue">
 <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
 <depends optional-attribute-name="SecurityManager">jboss.mq:service=MyMQSecurityManager</depends>
 <attribute name="SecurityManager">jboss.mq:service=MyMQSecurityManager</attribute>
 <attribute name="RedeliveryDelay">10000</attribute>
 <attribute name="RedeliveryLimit">3</attribute>
 </mbean>
</server>

The MDB has security domain, user and password defined in the jboss.xml (excerpt):

...
 <container-configuration>
 <container-name>Standard Message Driven Bean</container-name>
 <role-mapping-manager>java:/jaas/session-roles</role-mapping-manager>
 <security-domain>java:/jaas/ipanemaLocal</security-domain>
 </container-configuration>
...
 <message-driven>
 <ejb-name>my/mdb/MyListener</ejb-name>
 <destination-jndi-name>queue/my/Queue</destination-jndi-name>
 <mdb-user>_LocalQueueReader_</mdb-user>
 <mdb-passwd>test</mdb-passwd>
 </message-driven>
...

It all works fine, if I allow "guest" to read and don't define an user for the mdb, but with the above configuration, the authentication fails. What is really strange is that it doesn't even trigger the login method of my custom LoginModule (which works fine when writing into the queue). Here's an excerpt of my jboss server log:

18:23:12,561 INFO [JMSContainerInvoker] Reconnected to JMS provider
18:23:12,562 WARN [JMSContainerInvoker] JMS provider failure detected:
javax.jms.JMSSecurityException: User: _LocalQueueReader_ is NOT authenticated
 at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:215)
 at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:51)
 at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:781)
 at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:287)
 at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:301)
 at org.jboss.mq.Connection.authenticate(Connection.java:1160)
 at org.jboss.mq.Connection.<init>(Connection.java:255)
 at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:55)
 at org.jboss.mq.SpyXAConnection.<init>(SpyXAConnection.java:52)
 at org.jboss.mq.SpyXAConnectionFactory.createXAConnection(SpyXAConnectionFactory.java:98)
 at org.jboss.mq.SpyXAConnectionFactory.createXAQueueConnection(SpyXAConnectionFactory.java:119)
 at org.jboss.jms.ConnectionFactoryHelper.createQueueConnection(ConnectionFactoryHelper.java:67)
 at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerCreate(JMSContainerInvoker.java:690)
 at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:764)
 at org.jboss.ejb.plugins.jms.JMSContainerInvoker$ExceptionListenerImpl.onException(JMSContainerInvoker.java:1267)
 at org.jboss.ejb.plugins.jms.JMSContainerInvoker$1.run(JMSContainerInvoker.java:776)

What am I doing wrong? Any ideas?

Because my login module is not triggered, I assume that I have to define the security domain in a different way than I do for my session beans. But if so, how?

Thanks a lot for your help in advance!

Marco ;-)

1. Re: javax.jms.JMSSecurityException

raja05 Mar 30, 2005 12:10 AM (in response to nlmarco)

If you look at the logs, its throwing an exception when its trying to create the QueueConnection. Looking up SecurityMetadata.java says there are three permissions - read, write and create. You have not specified create access for _LocalQueueReader_. that might be the problem. And the defeault value for create is false, so it doesnt let you create a Topic.

PS: I think this belongs to the JMS forum but anyway.... ;-)
Actions
2. Re: javax.jms.JMSSecurityException

nlmarco Mar 30, 2005 8:45 AM (in response to nlmarco)

Hello Raja,

thanks a lot for your help!

"raja05" wrote:
You have not specified create access for _LocalQueueReader_. that might be the problem.
I've added 'create="true"', but unfortunately it had no effect.

BTW: I had 'create="false"' in the "guest" role, before, and this worked if I don't use authentication in the MDB. Additionally the log message tells me that the user is not authenticated - it doesn't say anything about authorization/permissions. IMHO authorization happens after authentication and hence, my login module should be asked. Right?

...any other idea? I still wonder whether the problem might come from the security domain. Is my configuration in jboss.xml correct with which I set the security domain for "Standard Message Driven Bean"?

"raja05" wrote:
PS: I think this belongs to the JMS forum but anyway.... ;-)
Unfortunately, people there didn't react at all first (to a previous posting) and after re-asking told me I should read the documentation (which I did already before). So I thought, I might be luckier here in the beginner's forum and in fact I was right :-) Seems, the people in the JMS forum are too busy actually programming at JBoss 5 and don't like to answer questions from confused users...

Best regards, Marco :-)
Actions

Go to original post