2 Replies Latest reply on Sep 7, 2005 2:50 AM by Matthias Meier

    mdb-user/passwd for EJB3 Message Driven Bean?

    Matthias Meier Newbie


      I have a JMS queue with a security configuration, so that only some authenticated users can subscribe:

       <mbean code="org.jboss.mq.server.jmx.Queue"
       <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
       <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
       <attribute name="SecurityConf">
       <role name="emanager" read="true" write="true" create="true"/>
       <role name="guest" read="false" write="false" create="false"/>

      The above seems to work fine. However, I cannot get my EJB3-MDB to subscribe to this queue. All I ever get is the following exception:

      javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: ch.e_act.e_archive.provider.retriever.indexer.IndexerBean
       at org.jboss.mq.security.ServerSecurityInterceptor.subscribe(ServerSecurityInterceptor.java:141)
       at org.jboss.mq.server.TracingInterceptor.subscribe(TracingInterceptor.java:816)
       at org.jboss.mq.server.JMSServerInvoker.subscribe(JMSServerInvoker.java:297)
       at org.jboss.mq.il.jvm.JVMServerIL.subscribe(JVMServerIL.java:314)
       at org.jboss.mq.Connection.addConsumer(Connection.java:826)
       at org.jboss.mq.SpyConnectionConsumer.<init>(SpyConnectionConsumer.java:95)
       at org.jboss.mq.SpyConnection.createConnectionConsumer(SpyConnection.java:168)
       at org.jboss.ejb3.mdb.MDB.innerCreateQueue(MDB.java:308)
       at org.jboss.ejb3.mdb.MDB.innerCreate(MDB.java:232)
       at org.jboss.ejb3.mdb.MDB.start(MDB.java:136)
       at org.jboss.ejb3.mdb.MDB$ExceptionListenerImpl.onException(MDB.java:968)
       at org.jboss.ejb3.mdb.MDB$1.run(MDB.java:148)

      From what I see in the logs, the Bean tries to subscribe without specifying a username/password:

      using username/password: null/null

      I started out with the following bean:

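      @MessageDriven(activateConfig = {
          @ActivationConfigProperty(propertyName = "destinationType",
              propertyValue = "javax.jms.Queue"),
          @ActivationConfigProperty(propertyName = "destination",
              propertyValue = "queue/retriever-indexingQueue")
      })
      public class IndexerBean implements MessageListener {
          public void onMessage(Message msg) {
              /* ... */
          }
      }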

      Now, it's clear to me that I have to specify a username and password somewhere, but I couldn't find a way to do it. It seems that pre-EJB3, one would have specified mdb-user/mdb-password elements in jboss.xml. How do I do this for EJB3? I would think there should be a (JBoss-specific?) annotation for that, but I couldn't find anything like that.

      In my desperation, I tried the following:


      But this didn't make a difference. (Also, I couldn't find any reference, neither in the EJB3 specs nor JBoss-specific, for which properties are actually allowed/recognized here. Is this documented somewhere?)

      I have tried to add a "minimal" META-INF/jboss.xml to the JAR-File, but it didn't make any difference either:

      <!DOCTYPE jboss PUBLIC
       "-//JBoss//DTD JBOSS 4.0//EN"

      I tried to add an ejb-jar.xml:

      <!DOCTYPE ejb-jar PUBLIC
       "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"

      Now JBoss made another, temporary queue named 'queue/mypackage.IndexerBean', which quite confused me. I added:


      to the jboss.xml, but JBoss still made 'queue/mypackage.IndexerBean' instead of trying to connect to 'queue/retriever-indexingQueue'. This only added to my confusion. Am I missing something here? (Anyway, I was actually hoping to get rid of the xml-files by using EJB3. ;-))

      Also, even the subscription to the temporary queue 'queue/mypackage.IndexerBean' always failed, and I could see that the user/password with which the subscription was attempted were still 'null'. It seems to me that the jboss.xml didn't have any influence whatsoever. (While the ejb-jar.xml obviously got processed by JBoss.) Maybe jboss.xml is ignored by the EJB3 deployer?

      I tried several other things, like setting @RunAs or @RunAsPrincipal (both of which I didn't expect to work anyway ;-)), but nothing helped. After wading through docs, specs, forums, mailing-lists and wikis for two days I'm still stuck with this problem. (I also tried to give 'guest' all rights in the mbean-config for the queue, just for testing. But it seems I would have to set some 'unauthenticatedIdentity' option in the login-config for this to work. However, I didn't bother yet, because that's not really an option for me. I really want a "secured" queue. ;-))

      Is there any way to have secured JMS queues and EJB3 MDBs, or is this simply a missing feature, and I have to do it with EJB 2.1?

      Best regards,