5 Replies Latest reply on Feb 26, 2009 6:22 PM by lukeb

Problems with jaas SecurityDomain and @MessageDriven

lukeb Feb 18, 2009 8:53 AM

gaohoward suggested I post this here, here's the original posting from the messaging forum.

http://www.jboss.org/index.html?module=bb&op=viewtopic&t=150695

I'm porting an existing application from 422GA to 5 and am having trouble with security where we use @MessageDriven.

Within the app we have an existing bean with the @MessageDriven annotation. Within this annotation we set the user and password @ActivationConfigProperty. These credentials exist within our custom Jaas security domain.

I've changed the SecurityStore within messaging-jboss-beans.xml so that the security domain points to our domain (ie java:/jaas/MyDomain).

And finally within the destinations-service.xml I have put an entry for the queue referenced in the @MessageDriven bean (This queue used to be auto-created in 422 but understand this is no longer the default behaviour, hence the destinations-service.xml entry).

However, when I start Jboss5 I get the error:

09:04:09,502 ERROR [ExceptionUtil] ConnectionFactoryEndpoint[jboss.messaging.connectionfactory:servi
ce=ConnectionFactory] createFailoverConnectionDelegate [da-m6b2sbrf-1-
5gkxrbrf-w8ajbw-x1461k]
javax.jms.JMSSecurityException: User jmsuser is NOT authenticated
 at org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore.authenticate(JBossASSecurityMet
adataStore.java:223)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java
:93)
 at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java
:27)
 at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:208)
 at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:120)
 at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:262)
 at javax.management.StandardMBean.invoke(StandardMBean.java:391)
 at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
 at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
 at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
 at $Proxy236.authenticate(Unknown Source)
 at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInt
ernal(ServerConnectionFactoryEndpoint.java:233)
 at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(Se
rverConnectionFactoryEndpoint.java:171)
 at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.org$jboss$jms$server$endpo
int$advised$ConnectionFactoryAdvised$createConnectionDelegate$aop(Conn
ectionFactoryAdvised.java:108)
 at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.createConnectionDelegate(C
onnectionFactoryAdvised.java)
 at org.jboss.jms.wireformat.ConnectionFactoryCreateConnectionDelegateRequest.serverInvoke(Co
nnectionFactoryCreateConnectionDelegateRequest.java:91)
 at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandle
r.java:143)
 at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
 at org.jboss.remoting.transport.local.LocalClientInvoker.invoke(LocalClientInvoker.java:106)

 at org.jboss.remoting.Client.invoke(Client.java:1708)
 at org.jboss.remoting.Client.invoke(Client.java:612)
 at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delega
te$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(Client
ConnectionFactoryDelegate.java:171)
 at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N3
019492359065420858.invokeTarget(ClientConnectionFactoryDelegate$create
ConnectionDelegate_N3019492359065420858.java)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
 at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCr
eationAspect.java:81)
 at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect_z_handleCreateCon
nectionDelegate_23138316.invoke(StateCreationAspect_z_handleCreateConn
ectionDelegate_23138316.java)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
 at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(Cl
ientConnectionFactoryDelegate.java)
 at org.jboss.jms.client.JBossConnectionFactory.createConnectionInternal(JBossConnectionFacto
ry.java:205)
 at org.jboss.jms.client.JBossConnectionFactory.createXAQueueConnection(JBossConnectionFactor
y.java:142)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupQueueConnection(JmsActivation.ja
va:533)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupConnection(JmsActivation.java:50
6)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation.setup(JmsActivation.java:353)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation$SetupActivation.run(JmsActivation.jav
a:729)
 at org.jboss.resource.work.WorkWrapper.execute(WorkWrapper.java:204)
 at org.jboss.util.threadpool.BasicTaskWrapper.run(BasicTaskWrapper.java:260)
 at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
 at java.lang.Thread.run(Thread.java:619)
09:04:09,659 WARN [JmsActivation] Failure in jms activation org.jboss.resource.adapter.jms.inflow.J
msActivationSpec@37de6a(ra=org.jboss.resource.adapter.jms.JmsResourceA
dapter@eb37cd destination=queue/E3rCorrespondenceMDB destinationType=javax.jms.Queue tx=true durable
=false reconnect=10 provider=java:/DefaultJMSProvider user=jmssrv pass
=<not shown> maxMessages=1024 minSession=1 maxSession=64 keepAlive=60000 useDLQ=false)
javax.jms.JMSSecurityException: User jmssrv is NOT authenticated
 at org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore.authenticate(JBossASSecurityMet
adataStore.java:223)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:597)
 at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java
:93)
 at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java
:27)
 at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:208)
 at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:120)
 at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:262)
 at javax.management.StandardMBean.invoke(StandardMBean.java:391)
 at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
 at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
 at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
 at $Proxy236.authenticate(Unknown Source)
 at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInt
ernal(ServerConnectionFactoryEndpoint.java:233)
 at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(Se
rverConnectionFactoryEndpoint.java:171)
 at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.org$jboss$jms$server$endpo
int$advised$ConnectionFactoryAdvised$createConnectionDelegate$aop(Conn
ectionFactoryAdvised.java:108)
 at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.createConnectionDelegate(C
onnectionFactoryAdvised.java)
 at org.jboss.jms.wireformat.ConnectionFactoryCreateConnectionDelegateRequest.serverInvoke(Co
nnectionFactoryCreateConnectionDelegateRequest.java:91)
 at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandle
r.java:143)
 at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
 at org.jboss.remoting.transport.local.LocalClientInvoker.invoke(LocalClientInvoker.java:106)

 at org.jboss.remoting.Client.invoke(Client.java:1708)
 at org.jboss.remoting.Client.invoke(Client.java:612)
 at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delega
te$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(Client
ConnectionFactoryDelegate.java:171)
 at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N3
019492359065420858.invokeTarget(ClientConnectionFactoryDelegate$create
ConnectionDelegate_N3019492359065420858.java)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
 at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCr
eationAspect.java:81)
 at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect_z_handleCreateCon
nectionDelegate_23138316.invoke(StateCreationAspect_z_handleCreateConn
ectionDelegate_23138316.java)
 at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
 at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(Cl
ientConnectionFactoryDelegate.java)
 at org.jboss.jms.client.JBossConnectionFactory.createConnectionInternal(JBossConnectionFacto
ry.java:205)
 at org.jboss.jms.client.JBossConnectionFactory.createXAQueueConnection(JBossConnectionFactor
y.java:142)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupQueueConnection(JmsActivation.ja
va:533)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupConnection(JmsActivation.java:50
6)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation.setup(JmsActivation.java:353)
 at org.jboss.resource.adapter.jms.inflow.JmsActivation$SetupActivation.run(JmsActivation.jav
a:729)
 at org.jboss.resource.work.WorkWrapper.execute(WorkWrapper.java:204)
 at org.jboss.util.threadpool.BasicTaskWrapper.run(BasicTaskWrapper.java:260)
 at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
 at java.lang.Thread.run(Thread.java:619)

Here's my destinations-service.xml.


<mbean code="org.jboss.jms.server.destination.QueueService"
 name="jboss.messaging.destination:service=Queue,name=MyQueue"
 xmbean-dd="xmdesc/Queue-xmbean.xml">
 <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
 <depends>jboss.messaging:service=PostOffice</depends>
 </mbean>

and here's my messaging-jboss-beans.xml showing the SecurityStore config.


<bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
 <!-- default security configuration -->
 <property name="defaultSecurityConfig">
 <![CDATA[
 <security>
 <role name="guest" read="true" write="true" create="true"/>
 </security>
 ]]>
 </property>
 <property name="suckerPassword">changedit</property>
 <property name="securityDomain">java:/jaas/MyDomain</property>
 <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
 <!-- @JMX annotation to export the management view of this bean -->
 <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
 </bean>

I've tried both the fully qualified jndi jaas domain (as shown above) and just using MyDomain in the securityDomain property, all to no avail.

Thanks for any help you can provide.

1. Re: Problems with jaas SecurityDomain and @MessageDriven

jaikiran Feb 18, 2009 9:01 AM (in response to lukeb)

Enable TRACE level logging of jboss security package as explained in Q4 at http://www.jboss.org/community/docs/DOC-12198

That might give some idea as to why the authentication fails.
Actions
2. Re: Problems with jaas SecurityDomain and @MessageDriven

wolfgangknauf Feb 18, 2009 9:27 AM (in response to lukeb)

Hi,

did you add the security configuration for your SecurityDomain to "\server\default\conf\login-config.xml"? At least for SessionBeans this is required, I don't know how it works for MDBs.

If yes: try to activate logging of the security layer to see what the security layer does while deploying your MDB.
See the security FAQ at http://www.jboss.org/community/docs/DOC-12198, question 4.

Hope this helps

Wolfgang
Actions

3. Re: Problems with jaas SecurityDomain and @MessageDriven

lukeb Feb 18, 2009 11:46 AM (in response to lukeb)

Thanks guys, here's the culprit:

16:09:31,563 TRACE [MyDomain] Login failure
javax.security.auth.login.LoginException: unable to find LoginModule class: com.test.MyLoginModule
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)

I haven't changed conf/login-config.xml as I have a dynamic login module specified in my ear.

So my ear has my-login-config-service.xml in the root and my-login-config-service.xml is specified in the application.xml

<server>
 <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
 name="my:service=DynamicLoginConfig">
 <attribute name="AuthConfig">
 META-INF/login-config.xml
 </attribute>
 <!-- The service which supports dynamic processing of login-config.xml
 configurations.
 -->
 <depends optional-attribute-name="LoginConfigService">
 jboss.security:service=XMLLoginConfig
 </depends>
 <!-- Optionally specify the security mgr service to use when
 this service is stopped to flush the auth caches of the domains
 registered by this service.
 -->
 <depends optional-attribute-name="SecurityManagerService">
 jboss.security:service=JaasSecurityManager
 </depends>
 </mbean>
</server>

and in my ear's meta-inf is this login-config.xml

<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
 "-//JBoss//DTD JBOSS Security Config 3.0//EN"
 "http://www.jboss.org/j2ee/dtd/security_config.dtd">
<policy>
 <application-policy name="MyDomain">
 <authentication>
 <login-module code="com.test.MyLoginModule"
 flag="required">
 <module-option name="restore-login-identity">
 true
 </module-option>
 </login-module>
 </authentication>
 </application-policy>
</policy>

com.test.MyLoginModule is packaged in a jar in my ear and is specified as a java module in application.xml.

It's a shame that the real problem (ie exception) is logged at the trace level, that's not very helpful.

However, I think I now have two problems...

1. My login module class doesn't appear to be on the classpath for the JaasSecurityMananger
2 I think my dynamic login config service is deploying after the mdb.

Should I move my jar containing the login module into the lib directory (it's exploded at development time and zipped for test/production) ?

The odd thing is that other @Service beans are using the domain quite happily, it's only deploying the mdb that causes the problem.

4. Re: Problems with jaas SecurityDomain and @MessageDriven

wolfgangknauf Feb 19, 2009 9:46 AM (in response to lukeb)
Hi,

(darn, jaikiran sent his last response while I was writing my own one ;-) )

for the deployment order: try to place a @Depends annotation on your MDB:
@Depends(value= "my:service=DynamicLoginConfig")

Hope this helps.

For the problem with JAR not finding I cannot help. When I built a small login module a while ago, I placed code and config in a ".sar" file which was put in the deploy folder.

Best regards

Wolfgang
Actions
5. Re: Problems with jaas SecurityDomain and @MessageDriven

lukeb Feb 26, 2009 6:22 PM (in response to lukeb)

Sorry - I get this weeks Terence points. Dump my jar into the deploy folder and it's deployed before the messaging stuff which references my login module. All is well.

Thanks for all the help.
Actions

Go to original post