10 Replies Latest reply on May 12, 2017 3:30 PM by vmurthy123

    javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>

    vmurthy123

      Hi

      I am trying to connect remotely to hornetq on jboss eap 6.3.3 from a spring based application. I use the following 2.3.20.Final-redhat-1 version of the hornetq-jms-client.jar to connect.

      I use the following connection settings

       

      java.naming.factory.initial=org.jboss.naming.remote.client.InitialContextFactory

      java.naming.provider.url=remote://server:4447

      java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces

       

      my remoting connector uses the ApplicationRealm for the authentication. I am able to get through JNDI but am not able to create the queue connection. I get the HQ119031: Unable to validate user: <username> exception. I do not have any security domain configured on my hornetq server and it uses the default other security domain.

        • 1. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
          jbertram

          Are you passing in the proper credentials when you create your JMS connection?  Both JNDI and JMS are secured independently of each other so both require credentials if they are secured.

          • 2. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
            vmurthy123

            Yes I am passing in the credentials when i create the JMS connection.

            So i see the user name i pass in the exception i get.as unable to validate user.

            • 3. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
              jbertram

              Can you share your server configuration (e.g. standalone-full.xml)?

              • 4. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
                vmurthy123

                <?xml version='1.0' encoding='UTF-8'?>

                 

                <server xmlns="urn:jboss:domain:1.6">

                 

                    <extensions>

                        <extension module="org.jboss.as.clustering.infinispan"/>

                        <extension module="org.jboss.as.connector"/>

                        <extension module="org.jboss.as.deployment-scanner"/>

                        <extension module="org.jboss.as.ee"/>

                        <extension module="org.jboss.as.ejb3"/>

                        <extension module="org.jboss.as.jaxrs"/>

                        <extension module="org.jboss.as.jdr"/>

                        <extension module="org.jboss.as.jmx"/>

                        <extension module="org.jboss.as.jpa"/>

                        <extension module="org.jboss.as.jsf"/>

                        <extension module="org.jboss.as.logging"/>

                        <extension module="org.jboss.as.mail"/>

                        <extension module="org.jboss.as.naming"/>

                        <extension module="org.jboss.as.messaging"/>

                        <extension module="org.jboss.as.pojo"/>

                        <extension module="org.jboss.as.remoting"/>

                        <extension module="org.jboss.as.sar"/>

                        <extension module="org.jboss.as.security"/>

                        <extension module="org.jboss.as.threads"/>

                        <extension module="org.jboss.as.transactions"/>

                        <extension module="org.jboss.as.web"/>

                        <extension module="org.jboss.as.webservices"/>

                        <extension module="org.jboss.as.weld"/>

                    </extensions>

                 

                 

                    <management>

                        <security-realms>

                            <security-realm name="ManagementRealm">

                                <authentication>

                                    <local default-user="$local" skip-group-loading="true"/>

                                    <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>

                                </authentication>

                                <authorization map-groups-to-roles="false">

                                    <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>

                                </authorization>

                            </security-realm>

                            <security-realm name="ApplicationRealm">

                                <authentication>

                                    <local default-user="$local" allowed-users="*" skip-group-loading="true"/>

                                    <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>

                                </authentication>

                                <authorization>

                                    <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>

                                </authorization>

                            </security-realm>

                        </security-realms>

                        <audit-log>

                            <formatters>

                                <json-formatter name="json-formatter"/>

                            </formatters>

                            <handlers>

                                <file-handler name="file" formatter="json-formatter" path="audit-log.log" relative-to="jboss.server.data.dir"/>

                            </handlers>

                            <logger log-boot="true" log-read-only="false" enabled="false">

                                <handlers>

                                    <handler name="file"/>

                                </handlers>

                            </logger>

                        </audit-log>

                        <management-interfaces>

                            <native-interface security-realm="ManagementRealm">

                                <socket-binding native="management-native"/>

                            </native-interface>

                            <http-interface security-realm="ManagementRealm">

                                <socket-binding http="management-http"/>

                            </http-interface>

                        </management-interfaces>

                        <access-control provider="simple">

                            <role-mapping>

                                <role name="SuperUser">

                                    <include>

                                        <user name="$local"/>

                                    </include>

                                </role>

                            </role-mapping>

                        </access-control>

                    </management>

                 

                    <profile>

                        <subsystem xmlns="urn:jboss:domain:messaging:1.4">

                            <hornetq-server>

                                <persistence-enabled>true</persistence-enabled>

                                <thread-pool-max-size>10</thread-pool-max-size>

                                <connection-ttl-override>30000</connection-ttl-override>

                                <message-expiry-scan-period>5000</message-expiry-scan-period>

                                <create-bindings-dir>true</create-bindings-dir>

                                <create-journal-dir>true</create-journal-dir>

                                <journal-type>NIO</journal-type>

                                <journal-sync-non-transactional>true</journal-sync-non-transactional>

                                <journal-min-files>10</journal-min-files>

                                <paging-directory path="/usr/share/jbossas/hornetq/paging"/>

                                <bindings-directory path="/usr/share/jbossas/hornetq/bindings"/>

                                <journal-directory path="/usr/share/jbossas/hornetq/journal"/>

                                <large-messages-directory path="/usr/share/jbossas/hornetq/large-messages"/>

                 

                                <connectors>

                                    <netty-connector name="netty" socket-binding="messaging"/>

                                    <netty-connector name="netty-throughput" socket-binding="messaging-throughput">

                                        <param key="batch-delay" value="50"/>

                                    </netty-connector>

                                    <in-vm-connector name="in-vm" server-id="0"/>

                                </connectors>

                 

                                <acceptors>

                                    <netty-acceptor name="netty" socket-binding="messaging"/>

                                    <netty-acceptor name="netty-throughput" socket-binding="messaging-throughput">

                                        <param key="batch-delay" value="50"/>

                                    </netty-acceptor>

                                    <in-vm-acceptor name="in-vm" server-id="0"/>

                                </acceptors>

                 

                                <security-settings>

                                    <security-setting match="#">

                                        <permission type="send" roles="messaging_user guest"/>

                                        <permission type="consume" roles="messaging_user guest"/>

                                        <permission type="createDurableQueue" roles="messaging_user"/>

                                        <permission type="deleteDurableQueue" roles="messaging_user"/>

                                        <permission type="createNonDurableQueue" roles="messaging_user"/>

                                        <permission type="deleteNonDurableQueue" roles="messaging_user"/>

                                        <permission type="manage" roles="messaging_user"/>

                                    </security-setting>

                                </security-settings>

                 

                                <address-settings>

                                    <address-setting match="#">

                                        <dead-letter-address>jms.queue.DLQ</dead-letter-address>

                                        <expiry-address>jms.queue.ExpiryQueue</expiry-address>

                                        <redelivery-delay>5</redelivery-delay>

                                    </address-setting>

                                </address-settings>

                 

                                <jms-connection-factories>

                                    <connection-factory name="RemoteConnectionFactory">

                                        <connectors>

                                            <connector-ref connector-name="netty"/>

                                        </connectors>

                                        <entries>

                                            <entry name="RemoteConnectionFactory"/>

                                            <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>

                                        </entries>

                                    </connection-factory>

                                    <connection-factory name="InVmConnectionFactory">

                                        <connectors>

                                            <connector-ref connector-name="in-vm"/>

                                        </connectors>

                                        <entries>

                                            <entry name="java:jboss/ConnectionFactory"/>

                                        </entries>

                                        <compress-large-messages>false</compress-large-messages>

                                        <failover-on-initial-connection>false</failover-on-initial-connection>

                                        <use-global-pools>true</use-global-pools>

                                    </connection-factory>

                                </jms-connection-factories>

                 

                                <jms-destinations>

                                    <jms-queue name="DLQ">

                                        <entry name="java:/jms/queue/DLQ"/>

                                        <durable>true</durable>

                                    </jms-queue>

                                    <jms-queue name="ExpiryQueue">

                                        <entry name="java:/jms/queue/ExpiryQueue"/>

                                        <durable>true</durable>

                                    </jms-queue>

                                    <jms-queue name="testQueue">

                                        <entry name="java:jboss/exported/jms/queue/testQueue"/>

                                        <durable>true</durable>

                                    </jms-queue>

                                </jms-destinations>

                            </hornetq-server>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:logging:1.4">

                            <console-handler name="CONSOLE">

                                <level name="INFO"/>

                                <formatter>

                                    <named-formatter name="PATTERN"/>

                                </formatter>

                            </console-handler>

                            <file-handler name="FILE" autoflush="true">

                                <formatter>

                                    <named-formatter name="PATTERN"/>

                                </formatter>

                                <file relative-to="jboss.server.log.dir" path="server.log"/>

                                <append value="true"/>

                            </file-handler>

                            <logger category="com.arjuna">

                                <level name="WARN"/>

                            </logger>

                            <logger category="org.apache.tomcat.util.modeler">

                                <level name="WARN"/>

                            </logger>

                            <logger category="org.jboss.as.config">

                                <level name="DEBUG"/>

                            </logger>

                            <logger category="sun.rmi">

                                <level name="WARN"/>

                            </logger>

                            <logger category="org.jboss.security" use-parent-handlers="true">

                                <level name="INFO"/>

                            </logger>

                            <root-logger>

                                <level name="INFO"/>

                                <handlers>

                                    <handler name="CONSOLE"/>

                                    <handler name="FILE"/>

                                </handlers>

                            </root-logger>

                            <formatter name="PATTERN">

                                <pattern-formatter pattern="%d %-5p [%c] (%t) %s%E%n"/>

                            </formatter>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:datasources:1.2">

                            <datasources>               

                                <drivers>

                                    <driver name="oracle" module="com.oracle">

                                        <xa-datasource-class>oracle.jdbc.xa.client.OracleXADataSource</xa-datasource-class>

                                    </driver>

                                    <driver name="h2" module="com.h2database.h2">

                                        <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>

                                    </driver>

                                    <driver name="sqlserver" module="sqlserver">

                                        <driver-class>com.microsoft.sqlserver.jdbc.SQLServerDriver</driver-class>

                                    </driver>

                                </drivers>

                            </datasources>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:deployment-scanner:1.1">

                            <deployment-scanner path="deployments" relative-to="jboss.server.base.dir" scan-interval="5000"/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:ee:1.2">

                            <spec-descriptor-property-replacement>false</spec-descriptor-property-replacement>

                            <jboss-descriptor-property-replacement>true</jboss-descriptor-property-replacement>

                            <annotation-property-replacement>false</annotation-property-replacement>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:ejb3:1.4">

                            <session-bean>

                                <stateless>

                                    <bean-instance-pool-ref pool-name="slsb-strict-max-pool"/>

                                </stateless>

                                <stateful default-access-timeout="5000" cache-ref="simple"/>

                                <singleton default-access-timeout="5000"/>

                            </session-bean>

                            <pools>

                                <bean-instance-pools>

                                    <strict-max-pool name="slsb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>

                                    <strict-max-pool name="mdb-strict-max-pool" max-pool-size="20" instance-acquisition-timeout="5" instance-acquisition-timeout-unit="MINUTES"/>

                                </bean-instance-pools>

                            </pools>

                            <caches>

                                <cache name="simple" aliases="NoPassivationCache"/>

                                <cache name="passivating" passivation-store-ref="file" aliases="SimpleStatefulCache"/>

                            </caches>

                            <passivation-stores>

                                <file-passivation-store name="file"/>

                            </passivation-stores>

                            <async thread-pool-name="default"/>

                            <timer-service thread-pool-name="default">

                                <data-store path="timer-service-data" relative-to="jboss.server.data.dir"/>

                            </timer-service>

                            <remote connector-ref="remoting-connector" thread-pool-name="default"/>

                            <thread-pools>

                                <thread-pool name="default">

                                    <max-threads count="10"/>

                                    <keepalive-time time="100" unit="milliseconds"/>

                                </thread-pool>

                            </thread-pools>

                            <default-security-domain value="other"/>

                            <default-missing-method-permissions-deny-access value="true"/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:infinispan:1.5">

                            <cache-container name="web" aliases="standard-session-cache" default-cache="local-web" module="org.jboss.as.clustering.web.infinispan">

                                <local-cache name="local-web" batching="true">

                                    <file-store passivation="false" purge="false"/>

                                </local-cache>

                            </cache-container>

                            <cache-container name="hibernate" default-cache="local-query" module="org.jboss.as.jpa.hibernate:4">

                                <local-cache name="entity">

                                    <transaction mode="NON_XA"/>

                                    <eviction strategy="LRU" max-entries="10000"/>

                                    <expiration max-idle="100000"/>

                                </local-cache>

                                <local-cache name="local-query">

                                    <transaction mode="NONE"/>

                                    <eviction strategy="LRU" max-entries="10000"/>

                                    <expiration max-idle="100000"/>

                                </local-cache>

                                <local-cache name="timestamps">

                                    <transaction mode="NONE"/>

                                    <eviction strategy="NONE"/>

                                </local-cache>

                            </cache-container>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:jaxrs:1.0"/>

                        <subsystem xmlns="urn:jboss:domain:jca:1.1">

                            <archive-validation enabled="true" fail-on-error="true" fail-on-warn="false"/>

                            <bean-validation enabled="true"/>

                            <default-workmanager>

                                <short-running-threads>

                                    <core-threads count="50"/>

                                    <queue-length count="50"/>

                                    <max-threads count="50"/>

                                    <keepalive-time time="10" unit="seconds"/>

                                </short-running-threads>

                                <long-running-threads>

                                    <core-threads count="50"/>

                                    <queue-length count="50"/>

                                    <max-threads count="50"/>

                                    <keepalive-time time="10" unit="seconds"/>

                                </long-running-threads>

                            </default-workmanager>

                            <cached-connection-manager/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:jdr:1.0"/>

                        <subsystem xmlns="urn:jboss:domain:jmx:1.3">

                            <expose-resolved-model/>

                            <expose-expression-model/>

                            <remoting-connector/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:jpa:1.1">

                            <jpa default-datasource="" default-extended-persistence-inheritance="DEEP"/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:jsf:1.0"/>

                        <subsystem xmlns="urn:jboss:domain:mail:1.1">

                            <mail-session jndi-name="java:jboss/mail/Default">

                                <smtp-server outbound-socket-binding-ref="mail-smtp"/>

                            </mail-session>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:naming:1.4">

                            <remote-naming/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:pojo:1.0"/>

                        <subsystem xmlns="urn:jboss:domain:remoting:1.1">

                            <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:resource-adapters:1.1"/>

                        <subsystem xmlns="urn:jboss:domain:sar:1.0"/>

                        <subsystem xmlns="urn:jboss:domain:security:1.2">

                            <security-domains>

                                <security-domain name="other" cache-type="default">

                                    <authentication>

                                        <login-module code="Remoting" flag="optional">

                                            <module-option name="password-stacking" value="useFirstPass"/>

                                        </login-module>

                                        <login-module code="RealmDirect" flag="required">

                                            <module-option name="password-stacking" value="useFirstPass"/>

                                        </login-module>

                                    </authentication>

                                </security-domain>

                                <security-domain name="jboss-web-policy" cache-type="default">

                                    <authorization>

                                        <policy-module code="Delegating" flag="required"/>

                                    </authorization>

                                </security-domain>

                                <security-domain name="jboss-ejb-policy" cache-type="default">

                                    <authorization>

                                        <policy-module code="Delegating" flag="required"/>

                                    </authorization>

                                </security-domain>

                            </security-domains>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:threads:1.1"/>

                        <subsystem xmlns="urn:jboss:domain:transactions:1.5">

                            <core-environment>

                                <process-id>

                                    <uuid/>

                                </process-id>

                            </core-environment>

                            <recovery-environment socket-binding="txn-recovery-environment" status-socket-binding="txn-status-manager"/>

                            <coordinator-environment default-timeout="300"/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:web:2.1" default-virtual-server="default-host" native="false">

                            <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>

                            <connector name="ajp" protocol="AJP/1.3" scheme="https" socket-binding="ajp" redirect-port="8443" secure="true"/>

                            <virtual-server name="default-host" enable-welcome-root="true">

                                <alias name="localhost"/>

                                <alias name="example.com"/>

                            </virtual-server>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:webservices:1.2">

                            <modify-wsdl-address>true</modify-wsdl-address>

                            <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>

                            <endpoint-config name="Standard-Endpoint-Config"/>

                            <endpoint-config name="Recording-Endpoint-Config">

                                <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">

                                    <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>

                                </pre-handler-chain>

                            </endpoint-config>

                            <client-config name="Standard-Client-Config"/>

                        </subsystem>

                        <subsystem xmlns="urn:jboss:domain:weld:1.0"/>

                    </profile>

                 

                    <interfaces>

                        <interface name="management">

                            <inet-address value="${jboss.bind.address:server}"/>

                        </interface>

                        <interface name="public">

                            <inet-address value="${jboss.bind.address:server}"/>

                        </interface>

                    </interfaces>

                 

                    <socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">

                        <socket-binding name="management-native" interface="management" port="${jboss.management.native.port:9999}"/>

                        <socket-binding name="management-http" interface="management" port="${jboss.management.http.port:9990}"/>

                        <socket-binding name="management-https" interface="management" port="${jboss.management.https.port:9443}"/>

                        <socket-binding name="ajp" port="8009"/>

                        <socket-binding name="http" port="8080"/>

                        <socket-binding name="https" port="8443"/>

                        <socket-binding name="remoting" port="4447"/>

                        <socket-binding name="txn-recovery-environment" port="4712"/>

                        <socket-binding name="txn-status-manager" port="4713"/>

                        <socket-binding name="messaging" port="5445"/>

                        <socket-binding name="messaging-throughput" port="5455"/>

                    </socket-binding-group>

                 

                </server>

                • 5. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
                  jbertram

                  Your configuration looks good as far as I can tell.  How did you add your user(s) details (e.g. add-user.sh)?

                  • 6. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
                    vmurthy123

                    Yes i added the user using add-user.sh

                    • 7. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
                      jbertram

                      I'm not sure what the problem could be at this point. Do you have an automated way to reproduce this that you could share?

                      • 8. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
                        vmurthy123

                        If I turn of the security on the hornetq server, i am able to make the connection and throw messages on the queue. Does the other security domain validate users and roles against the ones defined inside the ApplicationRealm?

                        • 9. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
                          jbertram

                          Does the other security domain validate users and roles against the ones defined inside the ApplicationRealm?

                          Yes, as far as I'm aware.

                          • 10. Re: javax.jms.JMSSecurityException: HQ119031: Unable to validate user: <username>
                            vmurthy123

                            Thank you. I will keep looking. I don't have a automated way to replicate this at the moment.