3 Replies Latest reply on Jan 6, 2011 10:46 AM by grosueugen

    Secured queues access and JCA-JMS(JmsXA)

    Andres Ederra Newbie

      Hi!

       

      We are testing some apps with JBoss 5.0.0 EAP (afaik equivalent to 5.1.0 GA) and we are having some issues trying to configure user/pwd security on our queues accessed using the JmsXA connection factory.

      Keeping it simple, our app is a webapp that accesses queues in the same server using JmsXA (we don't use the other conn. factories because we need the connection pool for performance).

      The app sends the user/password when the connection factory is created with the usual "queueConnectionFactory.createQueueConnection(user, pwd);" (we also tried to pass the user/pwd in the JNDI principal/credentials with the same result...)

      The problem is that we are unable to configure JmsXA conn. factories to authenticate; if we use the "regular" conn. factories, java:/ConnectionFactory for instance, we authenticate nicely...

       

      Our config is this one:

       

      /messaging/jms-ds.xml

      <!-- JMS XA Resource adapter, use this to get transacted JMS in beans -->
         <tx-connection-factory>
            <jndi-name>JmsXA</jndi-name>
            <xa-transaction/>
            <rar-name>jms-ra.rar</rar-name>
            <connection-definition>org.jboss.resource.adapter.jms.JmsConnectionFactory</connection-definition>
            <config-property name="SessionDefaultType" type="java.lang.String">javax.jms.Topic</config-property>
            <config-property name="JmsProviderAdapterJNDI" type="java.lang.String">java:/DefaultJMSProvider</config-property>
            <max-pool-size>100</max-pool-size>
            <security-domain-and-application>JmsXARealm</security-domain-and-application>
            <depends>jboss.messaging:service=ServerPeer</depends>
         </tx-connection-factory>
      

       

       

      /data/login-config.xml

      <application-policy name="JmsXARealm">
              <authentication>
                  <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                                   flag="required">
                      <module-option name="dsJndiName">java:/DefaultDS</module-option>
                      <module-option name="principalsQuery">
                          select PASSWD from JBM_USER where USER_ID=?</module-option>
                      <module-option name="rolesQuery">
                          select ROLE_ID, 'Roles' from JBM_ROLE where USER_ID=?</module-option>
                  </login-module>
              </authentication>
          </application-policy>
      

       

      /messaging/destinations-service.xml

      <mbean code="org.jboss.jms.server.destination.QueueService"
         name="jboss.mq.destination:service=Queue,name=ColaReintentosModificaciones" xmbean-dd="xmdesc/Queue-xmbean.xml">
         <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
         <depends>jboss.messaging:service=PostOffice</depends>
         <attribute name="JNDIName">jms/ColaReintentosModificaciones</attribute>

         <attribute name="SecurityConfig">
            <security>
               <role name="usuarioColas" read="true" write="true" create="true"/>
            </security>
         </attribute>
      </mbean>
      

       

       

      So we activated TRACE level logs and did some debugging and it seems like the user is not being passed as a principal to the underlying login module...

       

      This is the final error:

       

      2010-04-30 12:32:52,646 ERROR [org.jboss.resource.adapter.jms.JmsSessionFactoryImpl] (http-127.0.0.1-8280-2) could not create session
      java.lang.SecurityException: Unauthenticated caller:null
      

       

      Our JmsXA conn. factory uses the default security realm JmsXARealm, and a login module is configured in login-config.xml; we've tried DatabaseServerLoginModule and UsersRolesLoginModule.

      The default module configured is ConfiguredIdentityLoginModule, and it works, as it doesn't use the principal.

      Doing a little debugging, we traced our user/pwd at least until the class "org.jboss.resource.adapter.jms.JmsSessionFactoryImpl",

      inside the method protected JmsSession allocateConnection(boolean transacted, int acknowledgeMode, int sessionType) throws JMSException

      where a JmsConnectionRequestInfo is created, populated with the correct user and password.

      Deeper in the code, the request arrives at org.jboss.security.auth.spi.DatabaseServerLoginModule, where the username to look up in the database is null, so the query fails...

       

      Here goes the complete stack trace:

      2010-04-30 12:32:52,646 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.JmsXARealm] (http-127.0.0.1-8280-2) Login failure
      javax.security.auth.login.FailedLoginException: No matching username found in Principals
          at org.jboss.security.auth.spi.DatabaseServerLoginModule.getUsersPassword(DatabaseServerLoginModule.java:184)
          at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:245)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at javax.security.auth.login.LoginContext.invoke(Unknown Source)
          at javax.security.auth.login.LoginContext.access$000(Unknown Source)
          at javax.security.auth.login.LoginContext$4.run(Unknown Source)
          at java.security.AccessController.doPrivileged(Native Method)
          at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
          at javax.security.auth.login.LoginContext.login(Unknown Source)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.defaultLogin(JaasSecurityManagerBase.java:553)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.authenticate(JaasSecurityManagerBase.java:487)
          at org.jboss.security.plugins.auth.JaasSecurityManagerBase.isValid(JaasSecurityManagerBase.java:365)
          at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:160)
          at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:90)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.allocateConnection(JmsSessionFactoryImpl.java:395)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.createQueueSession(JmsSessionFactoryImpl.java:145)
          at PruebaJMSJBoss.service(PruebaJMSJBoss.java:96)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
          at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
          at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
          at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
          at java.lang.Thread.run(Unknown Source)
      2010-04-30 12:32:52,646 TRACE [org.jboss.security.plugins.auth.JaasSecurityManagerBase.JmsXARealm] (http-127.0.0.1-8280-2) End isValid, false
      2010-04-30 12:32:52,646 ERROR [org.jboss.resource.adapter.jms.JmsSessionFactoryImpl] (http-127.0.0.1-8280-2) could not create session
      java.lang.SecurityException: Unauthenticated caller:null
          at org.jboss.security.integration.JBossSecuritySubjectFactory.createSubject(JBossSecuritySubjectFactory.java:92)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.getSubject(BaseConnectionManager2.java:687)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2.allocateConnection(BaseConnectionManager2.java:495)
          at org.jboss.resource.connectionmanager.BaseConnectionManager2$ConnectionManagerProxy.allocateConnection(BaseConnectionManager2.java:941)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.allocateConnection(JmsSessionFactoryImpl.java:395)
          at org.jboss.resource.adapter.jms.JmsSessionFactoryImpl.createQueueSession(JmsSessionFactoryImpl.java:145)
          at PruebaJMSJBoss.service(PruebaJMSJBoss.java:96)
          at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
          at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
          at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
          at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
          at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
          at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
          at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
          at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
          at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
          at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
          at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
          at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
          at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
          at org.apache.coyote.http11.Http11AprProcessor.process(Http11AprProcessor.java:905)
          at org.apache.coyote.http11.Http11AprProtocol$Http11ConnectionHandler.process(Http11AprProtocol.java:592)
          at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:2036)
          at java.lang.Thread.run(Unknown Source)
      

       

       

      So... are we missing something?

       

      Any pointers on where to look?

       

      Thanks in advance
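Added example (written by the editor of this page, not taken from the original post, the thread's replies or the JBoss project): the poster's `<tx-connection-factory>` from jms-ds.xml written twice, once with the `<security-domain-and-application>` element the post uses and once with `<application-managed-security/>`. These are two of the three mutually exclusive security elements the JBoss 5 jboss-ds DTD allows on a `<tx-connection-factory>` (the third is `<security-domain>`), and they decide where the connection manager gets the identity for a managed connection. The trace in the post shows the failure inside BaseConnectionManager2.getSubject, i.e. the JCA layer validating the calling thread's principal against JmsXARealm before the user/password carried in the JmsConnectionRequestInfo is ever consumed, and that principal is null ("Unauthenticated caller:null") because the servlet request itself is not authenticated. With `<application-managed-security/>` no security domain is consulted at all; the credentials from createQueueConnection(user, pwd) are handed to the resource adapter, and JBoss Messaging authenticates them against its own `messaging` application-policy, which uses the same JBM_USER/JBM_ROLE queries the post copied into JmsXARealm. The JNDI names, the `java:/DefaultJMSProvider` adapter and `jms-ra.rar` are copied from the post; the second JNDI name `JmsXAAppManaged` is a placeholder so both variants can sit in one file, and that the second variant is what resolves the poster's problem is my assumption, not something this page confirms.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- jms-ds.xml: two variants of the same JmsXA factory, side by side.
     Deploy only the one you want; the JNDI name of the second is a placeholder. -->
<connection-factories>

   <!-- Variant A: exactly what the post configures. The connection manager
        first builds a Subject by authenticating the CALLER (the thread's
        current principal) against JmsXARealm. From an unauthenticated
        servlet that principal is null, which is the
        "Unauthenticated caller:null" SecurityException in the trace. The
        user/password from createQueueConnection(user, pwd) never reaches
        the login module on this path. -->
   <tx-connection-factory>
      <jndi-name>JmsXA</jndi-name>
      <xa-transaction/>
      <rar-name>jms-ra.rar</rar-name>
      <connection-definition>org.jboss.resource.adapter.jms.JmsConnectionFactory</connection-definition>
      <config-property name="SessionDefaultType" type="java.lang.String">javax.jms.Topic</config-property>
      <config-property name="JmsProviderAdapterJNDI" type="java.lang.String">java:/DefaultJMSProvider</config-property>
      <max-pool-size>100</max-pool-size>
      <security-domain-and-application>JmsXARealm</security-domain-and-application>
      <depends>jboss.messaging:service=ServerPeer</depends>
   </tx-connection-factory>

   <!-- Variant B (editor's assumption): application-managed security.
        No security domain is consulted by the JCA layer, so an
        unauthenticated web caller is fine. The credentials placed in the
        JmsConnectionRequestInfo by createQueueConnection(user, pwd) are
        passed to the JMS provider, and JBoss Messaging checks them against
        its own "messaging" application-policy (JBM_USER / JBM_ROLE) and the
        destination's <security> roles. Note: no JmsXARealm reference here;
        a JmsXARealm policy with DatabaseServerLoginModule is not used by
        this variant. -->
   <tx-connection-factory>
      <jndi-name>JmsXAAppManaged</jndi-name>   <!-- placeholder name -->
      <xa-transaction/>
      <rar-name>jms-ra.rar</rar-name>
      <connection-definition>org.jboss.resource.adapter.jms.JmsConnectionFactory</connection-definition>
      <config-property name="SessionDefaultType" type="java.lang.String">javax.jms.Topic</config-property>
      <config-property name="JmsProviderAdapterJNDI" type="java.lang.String">java:/DefaultJMSProvider</config-property>
      <max-pool-size>100</max-pool-size>
      <application-managed-security/>
      <depends>jboss.messaging:service=ServerPeer</depends>
   </tx-connection-factory>

</connection-factories>
```

Two things to check after switching, both from my understanding of the JBoss 5 JCA pool rather than from this thread. First, with `<application-managed-security/>` the managed connection pool is keyed by the credentials in the ConnectionRequestInfo ("ByApplication"), so connections opened with different user/password pairs are never shared, and `max-pool-size` applies per credential set rather than to the factory as a whole; with one service account for the webapp that is a single pool, with per-end-user credentials it is not. Second, a deliberately wrong password is a quick way to confirm the change took effect: the rejection should now come from JBoss Messaging as a javax.jms.JMSSecurityException, not from the JCA layer as the `java.lang.SecurityException: Unauthenticated caller` seen in the post.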