5 Replies Latest reply on Apr 15, 2009 3:18 AM by Sargis Harutyunyan

    Problem with user authorization using JBM Bridge configuration

    Sargis Harutyunyan Newbie

      Hi all I am trying to configure JBM Bridge here is my test configuration:

      jms-ds.xml:

       <!-- Provider loader for the local JBM instance; the bridge in this post names it as its
            SourceProviderLoader. No JNDI Properties are given, so the factory refs are presumably
            looked up in this server's own naming context (confirm). -->
       <mbean code="org.jboss.jms.jndi.JMSProviderLoader"
       name="jboss.messaging:service=JMSProviderLoader,name=JMSProvider">
       <attribute name="ProviderName">DefaultJMSProvider</attribute>
       <attribute name="ProviderAdapterClass">org.jboss.jms.jndi.JNDIProviderAdapter</attribute>
       <attribute name="FactoryRef">java:/XAConnectionFactory</attribute>
       <attribute name="QueueFactoryRef">java:/XAConnectionFactory</attribute>
       <attribute name="TopicFactoryRef">java:/XAConnectionFactory</attribute>
       </mbean>
      
       <!-- Provider loader meant to reach the remote JBM server; the bridge in this post names it
            as its TargetProviderLoader. -->
       <mbean code="org.jboss.jms.jndi.JMSProviderLoader"
       name="jboss.messaging:service=JMSProviderLoader,name=SOClassRemoteJMSProvider">
       <attribute name="ProviderName">SOClassRemoteJMSProvider</attribute>
       <attribute name="ProviderAdapterClass">org.jboss.jms.jndi.JNDIProviderAdapter</attribute>
       <!-- NOTE(review): names under java: are normally resolved inside the local JVM only, so the
            three refs below may return the LOCAL server's connection factory even though the
            Properties point JNDI at 192.168.100.78. That would explain why the target user is
            authenticated and authorized against the local security store (the trace in this post
            also goes through LocalClientInvoker). Confirm, and check whether the global name the
            remote server binds (for example /XAConnectionFactory) is what is needed here. -->
       <!-- The combined connection factory -->
       <attribute name="FactoryRef">java:/XAConnectionFactory</attribute>
       <!-- The queue connection factory -->
       <attribute name="QueueFactoryRef">java:/XAConnectionFactory</attribute>
       <!-- The topic factory -->
       <attribute name="TopicFactoryRef">java:/XAConnectionFactory</attribute>
       <!-- JNDI environment used for lookups through this provider; provider.url is the remote
            naming service address. -->
       <attribute name="Properties">
       java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
       java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
       java.naming.provider.url=192.168.100.78:1099
       </attribute>
       </mbean>
      


      *-bridge-service

      <?xml version="1.0" encoding="UTF-8"?>
      <server>
      
       <!-- Bridge that consumes from /queue/SOClassCallbacks via the source provider and sends to
            /queue/EllipseRequests via the target provider. -->
       <mbean code="org.jboss.jms.server.bridge.BridgeService"
       name="jboss.jms:service=Bridge,name=SOClassBridge" xmbean-dd="xmdesc/Bridge-xmbean.xml">
       <depends optional-attribute-name="SourceProviderLoader">jboss.messaging:service=JMSProviderLoader,name=JMSProvider</depends>
       <depends optional-attribute-name="TargetProviderLoader">jboss.messaging:service=JMSProviderLoader,name=SOClassRemoteJMSProvider</depends>
       <depends>jboss.messaging.destination:service=Queue,name=SOClassCallbacks</depends>
       <attribute name="SourceDestinationLookup">/queue/SOClassCallbacks</attribute>
       <attribute name="TargetDestinationLookup">/queue/EllipseRequests</attribute>
       <!-- Credentials the bridge presents on its source and target connections. They are stored
            in clear text in this deployment descriptor, so the file should be readable only by
            the server account and kept out of shared or version-controlled locations. Each user
            is checked by whichever server the corresponding connection factory really connects
            to. -->
       <attribute name="SourceUsername">ellipse</attribute>
       <attribute name="SourcePassword">ellipse123</attribute>
       <attribute name="TargetUsername">soclass</attribute>
       <attribute name="TargetPassword">soclass123</attribute>
       <!-- Optional: The Quality Of Service mode to use, one of:
       QOS_AT_MOST_ONCE = 0;
       QOS_DUPLICATES_OK = 1;
       QOS_ONCE_AND_ONLY_ONCE = 2;-->
       <!-- 0 selects QOS_AT_MOST_ONCE from the list above. -->
       <attribute name="QualityOfServiceMode">0</attribute>
       <!--
       <attribute name="Selector">specify-jms-selector-here</attribute>
       -->
       <!-- Up to 5 messages per batch; presumably -1 disables the batch time limit (confirm). -->
       <attribute name="MaxBatchSize">5</attribute>
       <attribute name="MaxBatchTime">-1</attribute>
       <!--
       <attribute name="SubName">mysub</attribute>
       -->
       <!--
       <attribute name="ClientID">myClientID</attribute>
       -->
       <!-- NOTE(review): presumably a 5000 ms pause between reconnect attempts and, with -1,
            no limit on retries (confirm). With unlimited retries a persistent authorization
            failure like the one in this post repeats in the log until the config is fixed. -->
       <attribute name="FailureRetryInterval">5000</attribute>
       <attribute name="MaxRetries">-1</attribute>
       <attribute name="AddMessageIDInHeader">false</attribute>
       </mbean>
      
      </server>


      According to my configs, I want messages to be forwarded automatically from JMSProvider:/queue/SOClassCallbacks to SOClassRemoteJMSProvider:/queue/EllipseRequests.

      But I have problem with authorization, here is outputs with trace log level from JMSProvider:

      16:50:38,446 TRACE [SecurityAspect] checking access permissions to JBossQueue[EllipseRequests]
      16:50:38,446 DEBUG [JBossASSecurityMetadataStore] No SecurityMetadadata was available for EllipseRequests, using default security config
      16:50:38,446 TRACE [SecurityMetadata] Adding role: Role {name=guest;read=true;write=true;create=true}
      16:50:38,446 TRACE [JBossASSecurityMetadataStore] authenticating user soclass
      16:50:38,447 TRACE [JBossASSecurityMetadataStore] authorizing user soclass for role(s) [guest]
      16:50:38,447 TRACE [JBossASSecurityMetadataStore] user soclass is NOT authorized
      16:50:38,447 WARN [Bridge] jboss.jms:name=SOClassBridge,service=Bridge Failed to send + acknowledge batch, closing JMS objects
      javax.jms.JMSSecurityException: User: soclass is not authorized to write to destination EllipseRequests
       at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:312)
       at org.jboss.jms.server.container.SecurityAspect.handleSendTransaction(SecurityAspect.java:190)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at org.jboss.aop.advice.PerInstanceAdvice.invoke(PerInstanceAdvice.java:122)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.jms.server.container.ServerLogInterceptor.invoke(ServerLogInterceptor.java:105)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.jms.server.endpoint.advised.ConnectionAdvised.sendTransaction(ConnectionAdvised.java)
       at org.jboss.jms.wireformat.ConnectionSendTransactionRequest.serverInvoke(ConnectionSendTransactionRequest.java:82)
       at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandler.java:143)
       at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
       at org.jboss.remoting.transport.local.LocalClientInvoker.invoke(LocalClientInvoker.java:106)
       at org.jboss.remoting.Client.invoke(Client.java:1708)
       at org.jboss.remoting.Client.invoke(Client.java:612)
       at org.jboss.remoting.Client.invoke(Client.java:600)
       at org.jboss.jms.client.delegate.DelegateSupport.doInvoke(DelegateSupport.java:189)
       at org.jboss.jms.client.delegate.DelegateSupport.doInvoke(DelegateSupport.java:160)
       at org.jboss.jms.client.delegate.ClientConnectionDelegate.org$jboss$jms$client$delegate$ClientConnectionDelegate$sendTransaction$aop(ClientConnectionDelegate.java:221)
      
      


      As far as I can tell, JBM is trying to authorize the remote user soclass using the local security configs. Can you provide any info on why it behaves like this? Please note that my remote config is OK: I tested it with a JMS client application and I am able to read from and write to this queue.

        • 1. Re: Problem with user authorization using JBM Bridge configu
          Sargis Harutyunyan Newbie

          One note also if I create EllipseRequests queue locally using following config:

           <!-- Declares a queue named EllipseRequests on THIS server. Its own SecurityConfig grants
                read, write and create to the role seamusers only; presumably this replaces the
                store-wide default config for this destination (confirm). -->
           <mbean code="org.jboss.jms.server.destination.QueueService"
           name="jboss.messaging.destination:service=Queue,name=EllipseRequests"
           xmbean-dd="xmdesc/Queue-xmbean.xml">
           <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
           <depends>jboss.messaging:service=PostOffice</depends>
           <attribute name="SecurityConfig">
           <security>
           <role name="seamusers" read="true" write="true" create="true"/>
           </security>
           </attribute>
           </mbean>
          
           <!-- Declares a queue named EllipseCallbacks on this server, with the same access rule as
                EllipseRequests: only the role seamusers may read, write and create. -->
           <mbean code="org.jboss.jms.server.destination.QueueService"
           name="jboss.messaging.destination:service=Queue,name=EllipseCallbacks"
           xmbean-dd="xmdesc/Queue-xmbean.xml">
           <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
           <depends>jboss.messaging:service=PostOffice</depends>
           <attribute name="SecurityConfig">
           <security>
           <role name="seamusers" read="true" write="true" create="true"/>
           </security>
           </attribute>
           </mbean>
          


          I have no authorization problem then, but the messages are forwarded to the locally created queue, not to the remote one.

          • 2. Re: Problem with user authorization using JBM Bridge configu
            Yong Hao Gao Master

            Hi which versions of JBOSS AS and JBM are you using? and how did you configure your security within jboss?

            • 3. Re: Problem with user authorization using JBM Bridge configu
              Sargis Harutyunyan Newbie

              Sorry I should provide info about JBoss before here is my version:

              11:18:45,872 INFO [ServerImpl] JBoss (Microcontainer) [5.0.1.GA (build: SVNTag=JBoss_5_0_1_GA date=200902232048)] Started in 44s:525ms

              I just copied the default server configuration, and I am using
              oracle-persistence-service.xml with only the DataSource changed. Please note I have no problem when I am working locally without bridging.

              and here is my security config:

              <!-- messaging application-policy definition -->
              <!-- JAAS policy named "messaging"; users and roles are read from the JBM_USER and
                   JBM_ROLE tables through the data source java:/FormMJMSDS. -->
               <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
               <authentication>
               <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
               <!-- Callers that present no credentials are given the identity "guest". If the
                    messaging default security config also grants guest write and create (as the
                    SecurityStore bean in this post does), every destination without its own
                    SecurityConfig is open to anonymous clients; review whether that is intended. -->
               <module-option name="unauthenticatedIdentity">guest</module-option>
               <module-option name="dsJndiName">java:/FormMJMSDS</module-option>
               <!-- NOTE(review): no hashAlgorithm module-option is set, so PASSWD is presumably
                    stored and compared as clear text (confirm); hashed storage is preferable. -->
               <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
               <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
               </login-module>
               </authentication>
               </application-policy>
              
               <!-- JBM security store: holds the default destination permissions and points at the
                    JAAS domain java:/jaas/messaging used to authenticate and authorize JMS users. -->
               <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
               <!-- default security configuration -->
               <!-- Used for any destination that has no SecurityConfig of its own (the log in this
                    post shows it being applied to EllipseRequests). It grants the role guest read,
                    write and create, so narrowing it is worth considering outside of test setups. -->
               <property name="defaultSecurityConfig">
               <![CDATA[
               <security>
               <role name="guest" read="true" write="true" create="true"/>
               </security>
               ]]>
               </property>
               <!-- NOTE(review): still the shipped placeholder value. This password protects the
                    reserved user JBM uses for its internal node-to-node connections; while it is
                    left at the well-known default, anyone who knows that default can use it to
                    reach destinations on this server. Set a unique secret, identical on all nodes
                    of the same cluster, and restrict read access to this file. -->
               <property name="suckerPassword">CHANGE ME!!</property>
               <property name="securityDomain">java:/jaas/messaging</property>
               <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
               <!-- @JMX annotation to export the management view of this bean -->
               <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
               </bean>



              • 4. Re: Problem with user authorization using JBM Bridge configu
                Sargis Harutyunyan Newbie

                In fact the same story with user, for instance I have 2 JBoss servers running on different servers:

                1) JBoss - 1,
                username = local, password local123
                queue = LocalQueue
                2) JBoss - 2,
                username = remote, password remote123
                queue = RemoteQueue

                Now, when there are messages in LocalQueue, I want them forwarded automatically to RemoteQueue, and to do that I need to create the user 'remote' in JBoss - 1. I think that is not logical and can create maintenance problems: if I change the password on one side, I have to change it on the other side as well.