8 Replies Latest reply on Jun 14, 2011 8:19 AM by h.wolffenbuttel

    jms-jca-provider and secured destination

    joe_boy12

      Hello guys

       

      I am trying to use transacted JMS in one of my projects using jms-jca-provider as follows,

       

      <jms-jca-provider name="JBossMessaging" connection-factory="XAConnectionFactory">
        <jms-bus busid="MyGatewayChannel">
          <jms-message-filter dest-type="QUEUE" dest-name="queue/MyGatewayQueue" transacted="true" jms-security-principal="esbuser" jms-security-credential="esbpassword"/>
        </jms-bus>
        <jms-bus busid="MyEsbChannel">
          <jms-message-filter dest-type="QUEUE" dest-name="queue/MyEsbQueue" transacted="true"/>
        </jms-bus>
      </jms-jca-provider>

       

      The gateway queue is secured and only the esb role can read/write on it. When I deploy my code on the server (JBossESB 5.1) it throws the following exception:

      javax.jms.JMSSecurityException: User: null is not authorized to read from destination MyGatewayQueue

       

      If I use <jms-provider> instead of <jms-jca-provider> it works fine. What am I missing? Do I need to specify the security domain explicitly here?

       

      Thanks

      Joe

        • 1. Re: jms-jca-provider and secured destination
          h.wolffenbuttel

          I tried your setup with a ConnectionFactory and it works fine. Why are you using XAConnectionFactory? Do you really need the dual phase commit?

           

          (B.t.w. I'm using community version 4.9)

           

          regards,

           

          Hans

          • 2. Re: jms-jca-provider and secured destination
            joe_boy12

            Hans,

             

            Could you please share your config with me? I tried again w/o XA and it is still not able to understand the user name from the jms-security-principal attribute, and says user null, which makes me think that the JCA inflow ignores these params.

             

            Thnx

            Joe

            • 3. Re: jms-jca-provider and secured destination
              h.wolffenbuttel

              The directory "\jbossesb-server-4.9\server\default\conf\props" contains 2 files: messaging-roles and messaging-users. If I have to guess, it takes the variables from there. The one not working for you might be the messaging-users:

               

              #
              # user=password
              #
              guest=guest

              # gatewayuser: clients that publish to the gateway
              gatewayuser=gwpassword

              # esbuser:
              # internal ESB user
              esbuser=esbpassword

              Is your config the same?

               

              Here's what I used:

               

              <jms-jca-provider connection-factory="ConnectionFactory"
                                jndi-context-factory="org.jnp.interfaces.NamingContextFactory"
                                jndi-pkg-prefix="org.jboss.naming:org.jnp.interfaces"
                                name="JMS-JCA-Provider" transacted="true">
                   <jms-bus busid="ABus">
                        <jms-message-filter
                           dest-name="queue/a_queue_esb" dest-type="QUEUE"
                           persistent="true" transacted="true" jms-security-principal="esbuser" jms-security-credential="esbpassword"/>
                   </jms-bus>
              </jms-jca-provider>

              Regards,

               

              Hans

              • 4. Re: jms-jca-provider and secured destination
                joe_boy12

                Hans, thnx again. I am using DatabaseServerLoginModule in messaging-jboss-beans.xml as follows, and not UsersRolesLoginModule for prop files; I tried that too but in vain.

                 

                This is what my messaging-jboss-beans.xml looks like:

                 

                  <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
                      <authentication>
                         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                            <module-option name="unauthenticatedIdentity">guest</module-option>
                            <module-option name="dsJndiName">java:/JmsDS</module-option>
                            <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
                            <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
                         </login-module>
                      </authentication>
                   </application-policy>

                 

                and JmsDS is correctly mapped to Oracle, where I have all the users and roles created; it actually works if I change it from jca to jms-provider. The jboss-esb.xml part is exactly the same as yours except for the queue names, and that's it.

                 

                Is anybody having the same issue with 5.1?

                 

                Thanks

                Joe

                • 5. Re: jms-jca-provider and secured destination
                  h.wolffenbuttel

                  In the deploy directory there is a jms-ds.xml file which has a JmsXARealm. Maybe it's using this realm instead of (or in addition to) your messaging realm. The login-config.xml file contains this realm:

                   

                  <application-policy name="JmsXARealm">
                     <authentication>
                        <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
                           <module-option name="principal">guest</module-option>
                           <module-option name="userName">guest</module-option>
                           <module-option name="password">guest</module-option>
                           <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                        </login-module>
                     </authentication>
                  </application-policy>

                   

                  Try changing this to your database login module.

                   

                  Regards,

                   

                  Hans

                  • 6. Re: jms-jca-provider and secured destination
                    joe_boy12

                    Hans, thnx for your continuous help - here is what I tried.

                     

                    1. In jms-ds.xml I tried changing the following property

                    <security-domain-and-application>JmsXARealm</security-domain-and-application> to "messaging", which is a DatabaseServerLoginModule from messaging-jboss-beans.xml, but nope.

                     

                    2. Then I kept jms-ds.xml as it is and changed login-config.xml as follows:

                       <application-policy name="JmsXARealm">
                          <authentication>
                             <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
                                <module-option name="principal">esb</module-option>
                                <module-option name="userName">esbuser</module-option>
                                <module-option name="password">esbpassword</module-option>
                                <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                             </login-module>
                          </authentication>
                       </application-policy>

                    but nope.

                     

                    3. Then I changed the above login-module to DatabaseServerLoginModule, the same as in messaging-jboss-beans.xml, but again no.

                     

                    Every time I get the following error when I deploy my esb. Not sure what's going on, as it looked straightforward to me; do you think I need to change anything else too? I will probably get the older SOA version and see if my setup works there.

                     

                    =====

                    13:07:04,878 ERROR [JmsActivation] Unable to reconnect org.jboss.resource.adapter.jms.inflow.JmsActivationSpec@155c7a8(ra=org.jboss.resource.adapter.jms.JmsResourceAdapter@1bcf4e7 destination=queue/MyGatewayQueue destinationType=javax.jms.Queue tx=true durable=false reconnect=10 provider=java:/DefaultJMSProvider user=null maxMessages=1 minSession=1 maxSession=15 keepAlive=60000 useDLQ=true DLQHandler=org.jboss.resource.adapter.jms.inflow.dlq.GenericDLQHandler DLQJndiName=queue/DLQ DLQUser=null DLQMaxResent=5)
                    javax.jms.JMSSecurityException: User: null is not authorized to read from destination MyGatewayQueue
                            at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:311)

                    =====
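                    As an added diagnostic (not code from the thread), this small Java client connects to the secured queue directly, once with no credentials and once as esbuser, so that a roles/DB problem can be told apart from the ESB's JCA inflow not passing credentials (the activation spec above shows user=null). The JNDI URL and the use of the plain "ConnectionFactory" are assumptions; the queue name and user/password are the ones from the thread.

```java
// Added diagnostic, not part of the thread: checks queue read permission
// with javax.jms directly, outside the ESB's JCA inflow.
import java.util.Properties;
import javax.jms.*;
import javax.naming.Context;
import javax.naming.InitialContext;

public class QueueAccessCheck {
    static final String JNDI_URL = "jnp://localhost:1099";     // assumption: local JBoss
    static final String CF_NAME = "ConnectionFactory";         // assumption: non-XA factory, same security check
    static final String QUEUE_NAME = "queue/MyGatewayQueue";   // from the thread

    /** Returns null when a consumer could be created, otherwise the JMS security error. */
    static String tryConsume(String user, String password) throws Exception {
        Properties env = new Properties();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
        env.put(Context.URL_PKG_PREFIXES, "org.jboss.naming:org.jnp.interfaces");
        env.put(Context.PROVIDER_URL, JNDI_URL);
        Context ctx = new InitialContext(env);
        ConnectionFactory cf = (ConnectionFactory) ctx.lookup(CF_NAME);
        Queue queue = (Queue) ctx.lookup(QUEUE_NAME);
        Connection conn = null;
        try {
            // user == null reproduces the unauthenticated case the JCA log shows (user=null)
            conn = (user == null) ? cf.createConnection() : cf.createConnection(user, password);
            Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
            session.createConsumer(queue).close();   // read permission is enforced here
            return null;
        } catch (JMSSecurityException e) {
            return e.getMessage();
        } finally {
            if (conn != null) conn.close();
            ctx.close();
        }
    }

    public static void main(String[] args) throws Exception {
        String anon = tryConsume(null, null);
        String esb = tryConsume("esbuser", "esbpassword");   // credentials from the thread
        System.out.println("anonymous: " + (anon == null ? "allowed" : "denied: " + anon));
        System.out.println("esbuser  : " + (esb == null ? "allowed" : "denied: " + esb));
    }
}
```

If esbuser is denied here as well, the roles in the messaging login module (JBM_ROLE for the DatabaseServerLoginModule) are the problem rather than the JCA activation; if only the anonymous connection is denied, the credentials are fine and the issue is that the inflow never receives them.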

                    • 7. Re: jms-jca-provider and secured destination
                      joe_boy12

                      Hans,

                       

                      Do you have anything extra in deployment.xml other than JMS destinations? I mean any other dependency for jms-jca.

                       

                      Thanks

                      Joe

                      • 8. Re: jms-jca-provider and secured destination
                        h.wolffenbuttel

                        Here is what I have in addition to my queues in deployment.xml:

                        <depends>jboss.esb:deployment=soap.esb</depends>
                        <depends>jboss.esb:deployment=jbossesb.esb</depends>
                        <depends>jboss.esb:deployment=jbrules.esb</depends>
                        <depends>jboss.esb:deployment=spring.esb</depends>
                         

                         

                        Is there an option to try the community version 4.9? If so, please try first without the adjustments and after a success apply them.

                         

                        Regards,

                         

                        Hans