1 Reply Latest reply on Dec 18, 2010 2:02 AM by alexpr

    JBoss message authentication

    alexpr

      Hi guys,

      I have 2 servers, each running an instance of JBoss AS 5.0.1 (server A and server B). They use JBoss Messaging to communicate with each other. So I want to configure the user/pass of the queue on server A which server B listens to. Following the instructions in the ebook JBoss AS 5 Development, I configured this on server A:

      1. Add to file <server>/conf/login-config.xml

       

       

      <server>/conf/login-config.xml

      <application-policy name="JMSRealm">
        <authentication>
          <login-module
            code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
            flag="required">
          <module-option name="dsJndiName">java:/MySqlDS</module-option>
          <module-option name="principalsQuery">
          SELECT passwd from jbm_user WHERE user_id=?
          </module-option>
          <module-option name="rolesQuery">
          SELECT role_id,'Roles' FROM jbm_role WHERE user_id=?
          </module-option>
          </login-module>
        </authentication>
      </application-policy>

       

      2. Insert a row in deploy\messaging\messaging-jboss-beans.xml

       

       

      deploy\messaging\messaging-jboss-beans.xml

      <bean name="SecurityStore" 
        class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
        <property name="defaultSecurityConfig">
        <![CDATA[
          <security>
            <role name="guest" read="true" write="true" create="true"/>
          </security>
        ]]>
        </property>
        <property name="securityDomain">JMSRealm</property>

      ....
      </bean>

       

      3. Configure my queue on server A like:

       

       

      destinations-service.xml
      <mbean code="org.jboss.jms.server.destination.QueueService"
            name="jboss.messaging.destination:service=Queue,name=TEST_QUEUE"
            xmbean-dd="xmdesc/Queue-xmbean.xml">
            <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
            <depends>jboss.messaging:service=PostOffice</depends>
            <attribute name="SecurityConfig">
              <security>
                <role name="admin" read="true" write="true"/>
              </security>
            </attribute>
      </mbean>

       

      4. Create database and datasource java:/MySqlDS and data about user:

      INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('admin', '123456');
      INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES  ('admin','admin');

       

      After all that was done, from server B I use user/pass (admin/123456) to connect to server A and send a JMS message to the queue, but I get this error:

      2010-12-10 13:43:11,093 ERROR [org.jboss.messaging.util.ExceptionUtil] (WorkerThread#1[192.168.133.29:4163]) ConnectionFactoryEndpoint[jboss.messaging.connectionfactory:service=ConnectionFactory] createFailoverConnectionDelegate [v9-tm8npihg-1-5xbjpihg-2w5gjq-100j3]
      javax.jms.JMSSecurityException: User admin is NOT authenticated
          at org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore.authenticate(JBossASSecurityMetadataStore.java:223)
          at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
          at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
          at java.lang.reflect.Method.invoke(Unknown Source)
          at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(Unknown Source)
          at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(Unknown Source)
          at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(Unknown Source)
          at com.sun.jmx.mbeanserver.PerInterface.invoke(Unknown Source)
          at com.sun.jmx.mbeanserver.MBeanSupport.invoke(Unknown Source)
          at javax.management.StandardMBean.invoke(Unknown Source)
          at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
          at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
          at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
          at $Proxy214.authenticate(Unknown Source)
          at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInternal(ServerConnectionFactoryEndpoint.java:233)
          at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(ServerConnectionFactoryEndpoint.java:171)
          at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.org$jboss$jms$server$endpoint$advised$ConnectionFactoryAdvised$createConnectionDelegate$aop(ConnectionFactoryAdvised.java:108)
          at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.createConnectionDelegate(ConnectionFactoryAdvised.java)
          at org.jboss.jms.wireformat.ConnectionFactoryCreateConnectionDelegateRequest.serverInvoke(ConnectionFactoryCreateConnectionDelegateRequest.java:91)
          at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandler.java:143)
          at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:891)
          at org.jboss.remoting.transport.socket.ServerThread.completeInvocation(ServerThread.java:744)
          at org.jboss.remoting.transport.socket.ServerThread.processInvocation(ServerThread.java:697)
          at org.jboss.remoting.transport.socket.ServerThread.dorun(ServerThread.java:551)
          at org.jboss.remoting.transport.socket.ServerThread.run(ServerThread.java:232)

       

      So I restarted server A. Surprisingly, server B sent a JMS message to server A successfully :-O

       

      I couldn't believe my eyes. I restarted server A again, and it failed to send the JMS message.

      Once more again... and it failed too.

      After an hour of searching and googling, I modified the file deploy\messaging\messaging-jboss-beans.xml as below:

      deploy\messaging\messaging-jboss-beans.xml
      <!-- messaging application-policy definition -->
         <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
            <authentication>
               <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                  <module-option name="unauthenticatedIdentity">guest</module-option>
                  <module-option name="dsJndiName">java:/MySqlDS</module-option>  <!-- here my change: java:/DefaultDS -->
                  <module-option name="principalsQuery">SELECT passwd from proxy_jbm_user WHERE user_id=?</module-option>
                  <module-option name="rolesQuery">SELECT role_id,'Roles' FROM proxy_jbm_role WHERE user_id=?</module-option>
               </login-module>
            </authentication>
         </application-policy>

         <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
            <!-- default security configuration -->
            <property name="defaultSecurityConfig">
               <![CDATA[
                  <security>
                     <role name="guest" read="true" write="true" create="true"/>
                  </security>
               ]]>
            </property>
            <property name="securityDomain">JMSRealm</property>
            <property name="suckerPassword">CHANGE ME!!</property>     
            <property name="securityDomain">messaging</property>
            <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>     
            <!-- @JMX annotation to export the management view of this bean -->
            <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
            <!-- Password Annotation to inject the password from the common password utility
             <annotation>@org.jboss.security.integration.password.Password(securityDomain="messaging",methodName="setSuckerPassword")</annotation>
             -->
         </bean>

       

      And now it is running stable...

       

      So my question is: why is the <application-policy> JMSRealm that I registered not stable? What is the <application-policy> messaging? When I create a connection using ConnectionFactory, which <application-policy> does JBoss AS use to authenticate? I guess JBoss AS uses <application-policy> messaging or my JMSRealm to validate.

       

      Thank you so much!
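
The following is an added example, not part of the original post and not JBoss code: a small Python check over a messaging-jboss-beans.xml that reports what is visible in the modified file above, namely `securityDomain` set twice on the SecurityStore bean, a policy carrying `unauthenticatedIdentity`, and `suckerPassword` left at its placeholder. The sample XML is constructed from the post's snippet; the names `audit`, `local` and `known_policies` and the `<deployment>` wrapper are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the policy and SecurityStore bean from the post, cut down
# to the elements the checks read; the <deployment> wrapper is an assumption.
SAMPLE = """<deployment>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="dsJndiName">java:/MySqlDS</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
    <property name="securityDomain">JMSRealm</property>
    <property name="suckerPassword">CHANGE ME!!</property>
    <property name="securityDomain">messaging</property>
  </bean>
</deployment>"""

def local(el):
    """Element name without its XML namespace."""
    return el.tag.rsplit("}", 1)[-1]

def audit(xml_text, known_policies=()):
    """Return sorted findings for the SecurityStore bean in one beans file."""
    root = ET.fromstring(xml_text)
    policies = {name: None for name in known_policies}  # name -> anonymous identity
    for pol in (e for e in root.iter() if local(e) == "application-policy"):
        policies[pol.get("name")] = None
        for opt in (e for e in pol.iter() if local(e) == "module-option"):
            if opt.get("name") == "unauthenticatedIdentity":
                policies[pol.get("name")] = (opt.text or "").strip()
    findings = []
    for bean in (e for e in root.iter() if local(e) == "bean"):
        if bean.get("name") != "SecurityStore":
            continue
        props = [(p.get("name"), (p.text or "").strip()) for p in bean if local(p) == "property"]
        domains = [v for n, v in props if n == "securityDomain"]
        if len(set(domains)) > 1:
            findings.append("securityDomain set more than once: " + ", ".join(domains))
        for d in domains:
            if d not in policies:
                findings.append("no application-policy named %s in this file" % d)
            elif policies[d]:
                findings.append("policy %s treats unauthenticated callers as %s" % (d, policies[d]))
        if ("suckerPassword", "CHANGE ME!!") in props:
            findings.append("suckerPassword is still the placeholder CHANGE ME!!")
    return sorted(findings)
```

Pass the policy names defined in login-config.xml through `known_policies` so that a domain declared there (JMSRealm in the post) is not reported as missing.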