2 Replies Latest reply on Sep 7, 2005 2:50 AM by Matthias Meier

    mdb-user/passwd for EJB3 Message Driven Bean?

    Matthias Meier Newbie

      Hi,

      I have a JMS queue with a security configuration, so that only some authenticated users can subscribe:

      <server>
        <mbean code="org.jboss.mq.server.jmx.Queue"
               name="jboss.mq.destination:service=Queue,name=retriever-indexingQueue">
          <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
          <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
          <attribute name="SecurityConf">
            <security>
              <role name="emanager" read="true" write="true" create="true"/>
              <role name="guest" read="false" write="false" create="false"/>
            </security>
          </attribute>
        </mbean>
      </server>
      


      The above seems to work fine. However, I cannot get my EJB3-MDB to subscribe to this queue. All I ever get is the following exception:

      javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: ch.e_act.e_archive.provider.retriever.indexer.IndexerBean
       at org.jboss.mq.security.ServerSecurityInterceptor.subscribe(ServerSecurityInterceptor.java:141)
       at org.jboss.mq.server.TracingInterceptor.subscribe(TracingInterceptor.java:816)
       at org.jboss.mq.server.JMSServerInvoker.subscribe(JMSServerInvoker.java:297)
       at org.jboss.mq.il.jvm.JVMServerIL.subscribe(JVMServerIL.java:314)
       at org.jboss.mq.Connection.addConsumer(Connection.java:826)
       at org.jboss.mq.SpyConnectionConsumer.<init>(SpyConnectionConsumer.java:95)
       at org.jboss.mq.SpyConnection.createConnectionConsumer(SpyConnection.java:168)
       at org.jboss.ejb3.mdb.MDB.innerCreateQueue(MDB.java:308)
       at org.jboss.ejb3.mdb.MDB.innerCreate(MDB.java:232)
       at org.jboss.ejb3.mdb.MDB.start(MDB.java:136)
       at org.jboss.ejb3.mdb.MDB$ExceptionListenerImpl.onException(MDB.java:968)
       at org.jboss.ejb3.mdb.MDB$1.run(MDB.java:148)


      From what I see in the logs, the Bean tries to subscribe without specifying a username/password:

      using username/password: null/null


      I started out with the following bean:

      @MessageDriven(activateConfig =
      {
        @ActivationConfigProperty(propertyName="destinationType",
                                  propertyValue = "javax.jms.Queue"),
        @ActivationConfigProperty(propertyName="destination",
                                  propertyValue = "queue/retriever-indexingQueue")
      })
      @SecurityDomain("mydomain")
      public class IndexerBean implements MessageListener {
        public void onMessage(Message msg) {
          /* ... */
        }
      }
      


      Now, it's clear to me that I have to specify a username and password somewhere, but I couldn't find a way to do it. It seems that with pre-EJB3, one would have specified mdb-user/mdb-password-elements in jboss.xml. How do I do this for EJB3? I would think there should be a (JBoss-specific?) annotation for that, but I couldn't find anything like that.

      In my desperation, I tried the following:

      @ActivationConfigProperty(propertyName="mdb-user",
                                propertyValue="user"),
      @ActivationConfigProperty(propertyName="mdb-passwd",
                                propertyValue="pwd")
      


      But this didn't make a difference. (Also, I couldn't find any reference, neither in the EJB3 specs nor JBoss-specific, as to which properties are actually allowed/recognized here. Is this documented somewhere?)

      I have tried to add a "minimal" META-INF/jboss.xml to the JAR-File, but it didn't make any difference either:

      <!DOCTYPE jboss PUBLIC
        "-//JBoss//DTD JBOSS 4.0//EN"
        "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">

      <jboss>
        <enterprise-beans>
          <message-driven>
            <ejb-name>mypackage.IndexerBean</ejb-name>
            <mdb-user>user</mdb-user>
            <mdb-passwd>password</mdb-passwd>
          </message-driven>
        </enterprise-beans>
      </jboss>


      I tried to add an ejb-jar.xml:

      <!DOCTYPE ejb-jar PUBLIC
        "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN"
        "http://java.sun.com/dtd/ejb-jar_2_0.dtd">

      <ejb-jar>
        <description>[TODO]</description>
        <display-name>[TODO]</display-name>
        <enterprise-beans>
          <message-driven>
            <ejb-name>mypackage.IndexerBean</ejb-name>
            <ejb-class>mypackage.IndexerBean</ejb-class>
            <transaction-type>Container</transaction-type>
            <message-driven-destination>
              <destination-type>javax.jms.Queue</destination-type>
            </message-driven-destination>
          </message-driven>
        </enterprise-beans>
      </ejb-jar>
      


      Now JBoss made another, temporary queue named 'queue/mypackage.IndexerBean', which quite confused me. I added:

      <destination-jndi-name>queue/retriever-indexingQueue</destination-jndi-name>


      to the jboss.xml, but JBoss still made 'queue/mypackage.IndexerBean' instead of trying to connect to 'queue/retriever-indexingQueue'. This only added to my confusion. Am I missing something here? (Anyway, I was actually hoping to get rid of the xml-files by using EJB3. ;-))

      Also, even the subscription to the temporary queue 'queue/mypackage.IndexerBean' always failed, and I could see that the user/password with which the subscription was attempted were still 'null'. It seems to me that the jboss.xml didn't have any influence whatsoever. (While the ejb-jar.xml obviously got processed by JBoss.) Maybe jboss.xml is ignored by the EJB3-Deployer?

      I tried several other things, like setting @RunAs or @RunAsPrincipal (both of which I didn't expect to work anyway ;-)), but nothing helped. After wading through docs, specs, forums, mailing-lists and wikis for two days I'm still stuck with this problem. (I also tried to give 'guest' all rights in the mbean-config for the queue, just for testing. But it seems I would have to set some 'unauthenticatedIdentity' option in the login-config for this to work. However, I didn't bother yet, because that's not really an option for me. I really want a "secured" queue. ;-))

      Is there any way to have secured JMS queues and EJB3 MDBs, or is this simply a missing feature, and I have to do it with EJB 2.1?

      Best regards,
      Zisch
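
Added example, not part of the original post: a check over a JBossMQ destination descriptor of the kind shown at the top of the post, listing destinations that lack the SecurityManager dependency or grant an open role such as guest any permission (the state the "give guest all rights for testing" experiment would leave behind). The second queue, example-testQueue, and the audit function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the secured queue from the post plus a hypothetical
# second queue that drops the SecurityManager dependency and opens up "guest".
SAMPLE = """<server>
  <mbean code="org.jboss.mq.server.jmx.Queue"
         name="jboss.mq.destination:service=Queue,name=retriever-indexingQueue">
    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
    <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
    <attribute name="SecurityConf">
      <security>
        <role name="emanager" read="true" write="true" create="true"/>
        <role name="guest" read="false" write="false" create="false"/>
      </security>
    </attribute>
  </mbean>
  <mbean code="org.jboss.mq.server.jmx.Queue"
         name="jboss.mq.destination:service=Queue,name=example-testQueue">
    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
    <attribute name="SecurityConf">
      <security><role name="guest" read="true" write="true" create="true"/></security>
    </attribute>
  </mbean>
</server>"""

PERMS = ("read", "write", "create")

def audit(xml_text, open_roles=("guest",)):
    """Return {destination name: [finding, ...]} for each Queue/Topic mbean."""
    report = {}
    for mbean in ET.fromstring(xml_text).iter("mbean"):
        if mbean.get("code") not in ("org.jboss.mq.server.jmx.Queue",
                                     "org.jboss.mq.server.jmx.Topic"):
            continue
        findings = []
        # Assumption of this check: a destination should declare the
        # SecurityManager dependency, as the queue in the post does.
        deps = {d.get("optional-attribute-name") for d in mbean.findall("depends")}
        if "SecurityManager" not in deps:
            findings.append("no SecurityManager dependency")
        conf = mbean.find("attribute[@name='SecurityConf']/security")
        if conf is None:
            findings.append("no SecurityConf attribute")
        else:
            for role in conf.findall("role"):
                granted = [p for p in PERMS if role.get(p, "false").lower() == "true"]
                if role.get("name") in open_roles and granted:
                    findings.append(f"{role.get('name')} granted {','.join(granted)}")
        report[mbean.get("name").split("name=")[-1]] = findings
    return report
```

An empty findings list for retriever-indexingQueue confirms the descriptor still restricts the queue to the emanager role.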