3 Replies Latest reply on Feb 1, 2011 5:12 AM by asterisk

    Security problems with messaging on JBoss 5.1.0GA

    asterisk

      Hi,

       

      I have two problems with messaging and security on JBoss 5.1.0GA with EJB2. At least some of these problems also occur with EJB3.

       

      Problem 1:

      I have a secured SLSB that creates a JMS connection. After that it is not possible to call another secured SLSB any more, because the security context gets lost. This problem is described in more detail here. Because of this problem I switched to HornetQ for messaging. However, with HornetQ I have another security problem, which is described here.

       

      Problem 2:

      I want to call a secured SLSB from an MDB. This fails with a security exception. The run-as statement does not help. This is similar to the problem I have when I switch messaging to HornetQ. But there it only fails if I do a call MDB -> SLSB -> SLSB. The call of the second SLSB fails. (see this thread)

       

       

      I have created an example that shows both problems. The only thing you need is a clean JBoss 5.1.0GA installation and JBOSS_HOME pointing to it. Then go to example/mdb-ejb and call "./build.sh deploy" and "./build.sh" in another terminal. See the attachment for the example.

       

      Does anybody know how to fix these security problems? I prefer to stay with the default messaging, but would switch to HornetQ, if this is the only way to fix my problems.

       

       

      Thanks in advance!

        • 1. Re: Security problems with messaging on JBoss 5.1.0GA
          akhtar24

          import java.io.Serializable;

          import javax.jms.Connection;
          import javax.jms.Destination;
          import javax.jms.JMSException;
          import javax.jms.MessageProducer;
          import javax.jms.ObjectMessage;
          import javax.jms.QueueConnectionFactory;
          import javax.jms.Session;
          import javax.naming.Context;
          import javax.naming.InitialContext;

          // Class declaration reconstructed from the constructor name; the post starts at the fields.
          // JmsProducerException is the poster's own exception type and is not shown in the post.
          public class MailSenderBean {

              private QueueConnectionFactory connFctory;
              private Destination msgQueue;
              private Connection connection = null;
              private Session session = null;
              private MessageProducer messageProducer = null;

              // Looks up the connection factory and queue in JNDI and keeps the
              // connection, session and producer open for later sendMessage() calls.
              public MailSenderBean() {
                  try {
                      //            Properties props = new Properties();
                      //            props.setProperty("java.naming.factory.initial", "org.jnp.interfaces.NamingContextFactory");
                      //            props.setProperty("java.naming.factory.url.pkg", "org.jboss.naming:org.jnp.interfaces");
                      //            props.setProperty("java.naming.provider.url", "localhost:1099");
                      //Context ctx = new InitialContext(props);
                      Context ctx = new InitialContext();

                      connFctory = (QueueConnectionFactory) ctx.lookup("ConnectionFactory");

                      System.out.println("MailSenderBean: Start In sendMessage of JmsProducter, getting ConnectionFactory for jndi name: " + connFctory);
                      connection = connFctory.createConnection();
                      System.out.println("MailSenderBean: connection: " + connection);
                      // Non-transacted session with automatic acknowledgement
                      session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
                      System.out.println("MailSenderBean: session: " + session);
                      msgQueue = (Destination) ctx.lookup("queue/testQueue");
                      System.out.println("MailSenderBean: Destination : " + msgQueue);
                      messageProducer = session.createProducer(msgQueue);
                      System.out.println("End To make connection : messageProducer : " + messageProducer);
                  } catch (Exception e) {
                      System.out.println("--------------------JMS Connection Error :");
                      e.printStackTrace();
                  }
              }

              // Wraps the payload in an ObjectMessage and sends it to queue/testQueue.
              public void sendMessage(Serializable payload) throws JmsProducerException {
                  try {
                      ObjectMessage message = null;
                      System.out.println("In sendMessage of JmsProducter : session : " + session);

                      message = session.createObjectMessage(payload);
                      System.out.println("In sendMessage of JmsProducter : message : " + message);
                      //messageProducer.send(message, javax.jms.DeliveryMode.PERSISTENT, javax.jms.Message.DEFAULT_PRIORITY, 1800000);
                      messageProducer.send(message);
                      System.out.println("Message sent to messageProducer");

                      /*messageProducer.close();
                      session.close();
                      connection.close();
                       */
                  } catch (JMSException je) {
                      throw new JmsProducerException(je);
                  }
              }
          }

           

          And also create an mbean queue in your message-service.xml or destinatation.xml in your jboss/server/default/deploy/messaging/

          This will help you.

          • 2. Security problems with messaging on JBoss 5.1.0GA
            asterisk

            Hello akhtar qureshi,

             

            thanks for your reply!

             

            Sorry, but I don't see what I should change in my example code. I do more or less the same steps as you in your example, but the critical call of another SLSB is missing in your code. The problem is not to send a message. The problem is to call another SLSB after creating a JMS connection.

             

            And yes, I have created the proper topic in the destinations-service.xml. You can see that in the example I have provided.

             

             

            Kind regards

            • 3. Security problems with messaging on JBoss 5.1.0GA
              asterisk

              Hello,

               

              I have fixed these problems. First of all, I have replaced JBoss messaging with HornetQ. I use HornetQ 2.1.2Final; 2.0.0GA has another bug: Receive message many times

               

              Now, as written above, there is another problem. I can't do a call MDB -> SLSB -> SLSB. The second call fails. I fixed this by disabling security for the local interface of all Beans that get called by an MDB. If you use xdoclet, you can use the following code:

               

               * @ejb.permission role-name="myRole"
               *                 view-type="remote"
               * @ejb.permission unchecked="true"
               *                 view-type="local"

               

              Now JMS works.
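
Added example, not part of the original thread and not the poster's generated descriptor: the method permissions that the two XDoclet tags in reply 3 express, written out as an ejb-jar.xml assembly-descriptor fragment. The bean name OrderService is hypothetical, and the exact elements XDoclet emits for each view type are an assumption.

```xml
<!-- Constructed fragment: <enterprise-beans> is omitted.
     "OrderService" is a hypothetical bean name; "myRole" is the role from the post. -->
<ejb-jar>
  <assembly-descriptor>
    <security-role>
      <role-name>myRole</role-name>
    </security-role>

    <!-- view-type="remote": callers of the remote view must be in myRole -->
    <method-permission>
      <role-name>myRole</role-name>
      <method>
        <ejb-name>OrderService</ejb-name>
        <method-intf>Home</method-intf>
        <method-name>*</method-name>
      </method>
      <method>
        <ejb-name>OrderService</ejb-name>
        <method-intf>Remote</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>

    <!-- view-type="local" with unchecked="true": no role check on the local view -->
    <method-permission>
      <unchecked/>
      <method>
        <ejb-name>OrderService</ejb-name>
        <method-intf>LocalHome</method-intf>
        <method-name>*</method-name>
      </method>
      <method>
        <ejb-name>OrderService</ejb-name>
        <method-intf>Local</method-intf>
        <method-name>*</method-name>
      </method>
    </method-permission>
  </assembly-descriptor>
</ejb-jar>
```

With the local view unchecked, the container performs no authorization check for any in-VM caller holding a local reference, not only the MDB. Access control for such a bean then rests on the remote view and on which components can obtain the local reference.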