3 Replies Latest reply on Jan 6, 2011 10:46 AM by grosueugen

    Secured queues access and JCA-JMS(JmsXA)

    a_e_f

      Hi!

      We are testing some apps with JBoss 5.0.0 EAP (AFAIK equivalent to 5.1.0 GA) and we are having some issues trying to configure user/password security on our queues accessed using the JmsXA connection factory.

      Keeping it simple, our app is a webapp that accesses queues in the same server using JmsXA (we don't use the other connection factories because we need the connection pool for performance).

      The app sends the user/password when the connection factory is created with the usual "queueConnectionFactory.createQueueConnection(user, pwd);" (we also tried to pass the user/password in the JNDI principal/credentials with the same result...)

      The problem is that we are unable to configure JmsXA connection factories to authenticate; if we use the "regular" connection factories, java:/ConnectionFactory for instance, we authenticate nicely...

      Our config is this one:

      /messaging/jms-ds.xml

      <!-- JMS XA Resource adapter, use this to get transacted JMS in beans -->
         <tx-connection-factory>
            <jndi-name>JmsXA</jndi-name>
            <xa-transaction/>
            <rar-name>jms-ra.rar</rar-name>
            <connection-definition>org.jboss.resource.adapter.jms.JmsConnectionFactory</connection-definition>
            <config-property name="SessionDefaultType" type="java.lang.String">javax.jms.Topic</config-property>
            <config-property name="JmsProviderAdapterJNDI" type="java.lang.String">java:/DefaultJMSProvider</config-property>
            <max-pool-size>100</max-pool-size>
            <security-domain-and-application>JmsXARealm</security-domain-and-application>
            <depends>jboss.messaging:service=ServerPeer</depends>
         </tx-connection-factory>

      /data/login-config.xml

      <application-policy name="JmsXARealm">
              <authentication>
                  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                   flag="required">
                      <module-option name="dsJndiName">java:/DefaultDS</module-option>
                      <module-option name="principalsQuery">
                          select PASSWD from JBM_USER where USER_ID=?</module-option>
                      <module-option name="rolesQuery">
                          select ROLE_ID, 'Roles' from JBM_ROLE where USER_ID=?</module-option>
                  </login-module>
              </authentication>
          </application-policy>

      /messaging/destinations-service.xml

      <mbean code="org.jboss.jms.server.destination.QueueService"
           name="jboss.mq.destination:service=Queue,name=ColaReintentosModificaciones" xmbean-dd="xmdesc/Queue-xmbean.xml">
            <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
            <depends>jboss.messaging:service=PostOffice</depends>
          <attribute name="JNDIName">jms/ColaReintentosModificaciones</attribute>

          <attribute name="SecurityConfig">
            <security>
               <role name="usuarioColas" read="true" write="true" create="true"/>
            </security>
         </attribute>
      </mbean>

      So we activated TRACE level logs and did some debugging, and it seems like the user is not being passed as a principal to the underlying login module...

      This is the final error:

      2010-04-30 12:32:52,646 ERROR [org.jboss.resource.adapter.jms.JmsSessionFactoryImpl] (http-127.0.0.1-8280-2) could not create session
      java.lang.SecurityException: Unauthenticated caller:null

      Our JmsXA connection factory uses the default security realm JmsXARealm, and a login module is configured in login-config.xml; we've tried DatabaseServerLoginModule and UsersRolesLoginModule.

      The default module configured is ConfiguredIdentityLoginModule, and it works, as it doesn't use the principal.

      Doing a little debugging, we traced out the user/password at least until the class "org.jboss.resource.adapter.jms.JmsSessionFactoryImpl",

      inside the method "protected JmsSession allocateConnection(boolean transacted, int acknowledgeMode, int sessionType) throws JMSException";

      there a JmsConnectionRequestInfo is created, populated with the correct user and password.

      Deeper in the code, the request arrives at org.jboss.security.auth.spi.DatabaseServerLoginModule, where the username to look up in the database is null, so the query fails...

      Here goes the complete stack trace:

      2010-04-30 12:32:52,646 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.JmsXARealm] (http-127.0.0.1-8280-2) Login failure
      javax.security.auth.login.FailedLoginException: No matching username found in Principals
          at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:184)
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:245)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at javax.security.auth.login.LoginContext.invoke(Unknown Source)
          at javax.security.auth.login.LoginContext.access$000(Unknown Source)
          at javax.security.auth.login.LoginContext$4.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
          at javax.security.auth.login.LoginContext.login(Unknown Source)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
          at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:90)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.allocateConnection(JmsSessionFactoryImpl.java:395)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.createQueueSession(JmsSessionFactoryImpl.java:145)
          at PruebaJMSJBoss.service(PruebaJMSJBoss.java:96)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
          at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
          at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
          at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
          at java.lang.Thread.run(Unknown Source)
      2010-04-30 12:32:52,646 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.JmsXARealm] (http-127.0.0.1-8280-2) End isValid, false
      2010-04-30 12:32:52,646 ERROR [org.jboss.resource.adapter.jms.JmsSessionFactoryImpl] (http-127.0.0.1-8280-2) could not create session
      java.lang.SecurityException: Unauthenticated caller:null
          at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.allocateConnection(JmsSessionFactoryImpl.java:395)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.createQueueSession(JmsSessionFactoryImpl.java:145)
          at PruebaJMSJBoss.service(PruebaJMSJBoss.java:96)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
          at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
          at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
          at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
          at java.lang.Thread.run(Unknown Source)

      So... are we missing something?

      Any pointers on where to look?

      Thanks in advance
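
As an added diagnostic (not part of the original post or of JBoss itself), the class below separates the two failure modes the thread is weighing: the JmsXARealm login module rejecting the credentials versus the JmsXA adapter never handing the caller's principal to the realm. Step 1 authenticates with plain JAAS straight against the realm named in login-config.xml, bypassing JCA entirely; step 2 opens a queue session through java:/ConnectionFactory and through java:/JmsXA with the same credentials, which is the call path that ends in allocateConnection in the posted trace. It must run inside the same JBoss 5 server (for example from a test servlet), since the JAAS configuration and the java:/ factories are server-local. The class name, method names and the "queueUser"/"queuePass" values are placeholders; the realm name and the two factory JNDI names are taken from the post.

```java
import javax.jms.JMSException;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.jms.QueueSession;
import javax.jms.Session;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Hypothetical in-server diagnostic for the JmsXA authentication problem. */
public class JmsXARealmCheck {

    /** Feeds one fixed user/password pair to whatever login module asks for it. */
    static final class FixedCredentials implements CallbackHandler {
        private final String user;
        private final char[] password;

        FixedCredentials(String user, char[] password) {
            this.user = user;
            this.password = password;
        }

        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (cb instanceof NameCallback) {
                    ((NameCallback) cb).setName(user);
                } else if (cb instanceof PasswordCallback) {
                    ((PasswordCallback) cb).setPassword(password);
                } else {
                    throw new UnsupportedCallbackException(cb, "only name/password supported");
                }
            }
        }
    }

    /**
     * Step 1: JAAS login directly against the realm, no JCA involved.
     * false  -> the login module or the JBM_USER row is the problem.
     * true   -> the realm is fine; if JmsXA still fails, the principal is lost
     *           between the adapter and the realm.
     */
    public static boolean realmAccepts(String realm, String user, char[] password) {
        try {
            LoginContext lc = new LoginContext(realm, new FixedCredentials(user, password));
            lc.login();
            lc.logout();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    /**
     * Step 2: open a queue session through a given factory with explicit credentials.
     * For java:/JmsXA, createQueueSession runs JmsSessionFactoryImpl.allocateConnection,
     * the frame that fails in the posted trace; the failure surfaces here either as
     * the SecurityException itself or wrapped in a JMSException.
     */
    public static String sessionResult(String factoryJndi, String user, String password) {
        QueueConnection conn = null;
        try {
            InitialContext ctx = new InitialContext();
            QueueConnectionFactory qcf = (QueueConnectionFactory) ctx.lookup(factoryJndi);
            conn = qcf.createQueueConnection(user, password);
            QueueSession session = conn.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
            session.close();
            return factoryJndi + ": session created, caller authenticated";
        } catch (SecurityException e) {
            return factoryJndi + ": SecurityException: " + e.getMessage();
        } catch (JMSException e) {
            return factoryJndi + ": JMSException: " + e.getMessage();
        } catch (NamingException e) {
            return factoryJndi + ": NamingException: " + e.getMessage();
        } finally {
            if (conn != null) {
                try { conn.close(); } catch (JMSException ignored) { }
            }
        }
    }

    /** Example run; "queueUser"/"queuePass" are placeholders for a row in JBM_USER. */
    public static void main(String[] args) {
        String user = "queueUser";
        String password = "queuePass";
        System.out.println("JmsXARealm accepts credentials: "
                + realmAccepts("JmsXARealm", user, password.toCharArray()));
        System.out.println(sessionResult("java:/ConnectionFactory", user, password));
        System.out.println(sessionResult("java:/JmsXA", user, password));
    }
}
```

If step 1 and the java:/ConnectionFactory run both succeed while java:/JmsXA returns the "Unauthenticated caller:null" message from the trace, the realm and the JBM_USER data are sound and the gap is in how the JCA connection manager builds the Subject for the pooled factory, which is what the debugging in the post points at.
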

        • 1. Re: Secured queues access and JCA-JMS(JmsXA)
          grosueugen

          I have the same problem...

          and all examples I've seen are without JmsXA.

          Can anyone help us here?

          Thank you.

          • 2. Re: Secured queues access and JCA-JMS(JmsXA)
            a_e_f

            Hi Eugen,

            In case it is useful for you, I didn't find any 100% clean solution for this issue. Auth with JmsXA seems to be broken AFAIK.

            The workarounds we thought of at the moment were:

            1) Deploy your server and clients in a secured network, trust them to behave and leave your queues unsecured (not the best idea)

            2) Secure JNDI access to your JMS resources, implementing your security at the JNDI layer... (haven't tried it, but it should work, so if you manage to do it this way, some feedback will be welcome)

            3) Try other JMS products, not JBoss; I know some of them that have working, pooled and secured JMS resources (very poor and sad workaround...)

            Greets

            • 3. Re: Secured queues access and JCA-JMS(JmsXA)
              grosueugen

              Thank you for the reply.

              Fortunately, the application is deployed into a secured network.