mdb-user/passwd for EJB3 Message Driven Bean?
zisch Sep 6, 2005 5:08 AM
Hi,
I have a JMS queue with a security configuration, so that only some authenticated user can subscribe:
<server>
  <mbean code="org.jboss.mq.server.jmx.Queue"
         name="jboss.mq.destination:service=Queue,name=retriever-indexingQueue">
    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
    <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
    <attribute name="SecurityConf">
      <security>
        <role name="emanager" read="true" write="true" create="true"/>
        <role name="guest" read="false" write="false" create="false"/>
      </security>
    </attribute>
  </mbean>
</server>
The above seems to work fine. However, I cannot get my EJB3-MDB to subscribe to this queue. All I ever get is the following exception:
javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: ch.e_act.e_archive.provider.retriever.indexer.IndexerBean
    at org.jboss.mq.security.ServerSecurityInterceptor.subscribe(ServerSecurityInterceptor.java:141)
    at org.jboss.mq.server.TracingInterceptor.subscribe(TracingInterceptor.java:816)
    at org.jboss.mq.server.JMSServerInvoker.subscribe(JMSServerInvoker.java:297)
    at org.jboss.mq.il.jvm.JVMServerIL.subscribe(JVMServerIL.java:314)
    at org.jboss.mq.Connection.addConsumer(Connection.java:826)
    at org.jboss.mq.SpyConnectionConsumer.<init>(SpyConnectionConsumer.java:95)
    at org.jboss.mq.SpyConnection.createConnectionConsumer(SpyConnection.java:168)
    at org.jboss.ejb3.mdb.MDB.innerCreateQueue(MDB.java:308)
    at org.jboss.ejb3.mdb.MDB.innerCreate(MDB.java:232)
    at org.jboss.ejb3.mdb.MDB.start(MDB.java:136)
    at org.jboss.ejb3.mdb.MDB$ExceptionListenerImpl.onException(MDB.java:968)
    at org.jboss.ejb3.mdb.MDB$1.run(MDB.java:148)
From what I see in the logs, the Bean tries to subscribe without specifying a username/password:
using username/password: null/null
I started out with the following bean:
@MessageDriven(activateConfig = {
    @ActivationConfigProperty(propertyName="destinationType", propertyValue = "javax.jms.Queue"),
    @ActivationConfigProperty(propertyName="destination", propertyValue = "queue/retriever-indexingQueue")
})
@SecurityDomain("mydomain")
public class IndexerBean implements MessageListener {
    public void onMessage(Message msg) {
        /* ... */
    }
}
Now, it's clear to me, that I have to specify a username and password somewhere, but I couldn't find a way to do it. It seems with pre-EJB3, one would have specified mdb-user/mdb-password-elements in jboss.xml. How do I do this for EJB3? I would think there should be a (JBoss specific?) Annotation for that, but I couldn't find anything like that.
In my desperation, I tried the following:
@ActivationConfigProperty(propertyName="mdb-user", propertyValue="user"),
@ActivationConfigProperty(propertyName="mdb-passwd", propertyValue="pwd")
But this didn't make a difference. (Also I couldn't find any reference, neither in the EJB3-Specs nor JBoss-specific, which Properties actually are allowed/recognized here. Is this documented somewhere?)
I have tried to add a "minimal" META-INF/jboss.xml to the JAR-File, but it didn't make any difference either:
<!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
<jboss>
  <enterprise-beans>
    <message-driven>
      <ejb-name>mypackage.IndexerBean</ejb-name>
      <mdb-user>user</mdb-user>
      <mdb-passwd>password</mdb-passwd>
    </message-driven>
  </enterprise-beans>
</jboss>
I tried to add an ejb-jar.xml:
<!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
<ejb-jar>
  <description>[TODO]</description>
  <display-name>[TODO]</display-name>
  <enterprise-beans>
    <message-driven>
      <ejb-name>mypackage.IndexerBean</ejb-name>
      <ejb-class>mypackage.IndexerBean</ejb-class>
      <transaction-type>Container</transaction-type>
      <message-driven-destination>
        <destination-type>javax.jms.Queue</destination-type>
      </message-driven-destination>
    </message-driven>
  </enterprise-beans>
</ejb-jar>
Now JBoss made another, temporary queue named 'queue/mypackage.IndexerBean', which quite confused me. I added:
<destination-jndi-name>queue/retriever-indexingQueue</destination-jndi-name>
to the jboss.xml, but JBoss still made 'queue/mypackage.IndexerBean' instead of trying to connect to 'queue/retriever-indexingQueue'. This only added to my confusion. Am I missing something here? (Anyway, I was actually hoping to get rid of the xml-files by using EJB3. ;-))
Also, even the subscription to the temporary queue 'queue/mypackage.IndexerBean' always failed, and I could see, that the user/password with which the subscription was attempted were still 'null'. It seems to me, that the jboss.xml didn't have any influence whatsoever. (While the ejb-jar.xml obviously got processed by JBoss.) Maybe jboss.xml is ignored by the EJB3-Deployer?
I tried several other things, like setting @RunAs or @RunAsPrincipal (both of which I didn't expect to work anyway ;-)), but nothing helped. After wading through docs, specs, forums, mailing-lists and wikis for two days I'm still stuck with this problem. (I also tried to give 'guest' all rights in the mbean-config for the queue, just for testing. But it seems I would have to set some 'unauthenticatedIdentity' option in the login-config for this to work. However, I didn't bother yet, because that's not really an option for me. I really want a "secured" queue. ;-))
Is there any way to have secured JMS queues and EJB3-MDB's, or is this simply a missing feature, and I have to do it with EJB 2.1?
Best regards,
Zisch