8 Replies Latest reply on Jun 14, 2011 8:19 AM by Hans Wolffenbuttel

    jms-jca-provider and secured destination

    joe_boy12 Novice

      Hello guys

       

      I am trying to use transacted JMS in one of my projects using jms-jca-provider as follows,

       

      <jms-jca-provider name="JBossMessaging" connection-factory="XAConnectionFactory">

      <jms-bus busid="MyGatewayChannel">

        <jms-message-filter dest-type="QUEUE" dest-name="queue/MyGatewayQueue" transacted="true" jms-security-principal="esbuser" jms-security-credential="esbpassword"/>

      </jms-bus>

      <jms-bus busid="MyEsbChannel">

        <jms-message-filter dest-type="QUEUE" dest-name="queue/MyEsbQueue" transacted="true"/>

      </jms-bus>

       

      the gateway queue is secured and only esb role can read/write on that. When I deploy my code on server (JBossESB 5.1) it throws following Exception

      javax.jms.JMSSecurityException: User: null is not authorized to read from destination MyGatewayQueue

       

      if I use <jms-provider> instead of <jms-jca-provider> it works fine. what am I missing? do I need to specify security domain explicitly here?

       

      Thanks

      Joe

        • 1. Re: jms-jca-provider and secured destination
          Hans Wolffenbuttel Expert

          I tried your setup with a ConnectionFactory and it works fine. Why are you using XAConnectionFactory? Do you really need the dual phase commit?

           

          (B.t.w i'm using community version 4.9)

           

          regards,

           

          Hans

          • 2. Re: jms-jca-provider and secured destination
            joe_boy12 Novice

            Hans,

             

            Could you please share your config with me? I tried again w/o XA and it still not able to understand the user name from jms-security-principal attribute, and says user Null which makes me think that JCA inflow ingores these params.

             

            Thnx

            Joe

            • 3. Re: jms-jca-provider and secured destination
              Hans Wolffenbuttel Expert

              The directory "\jbossesb-server-4.9\server\default\conf\props" contains 2 files: messaging-roles and messaging-users. If I have to quess it takes the variables from there. The one not working for U might be the messaging-users:

               

              #
              # user=password
              #
              guest=guest

              # gatewayuser: clients that publish to the gateway
              gatewayuser=gwpassword

              # esbuser:
              # internal ESB user
              esbuser=esbpassword

              Is your config the same?

               

              Here's what I used:

               

              <jms-jca-provider connection-factory=

              "ConnectionFactory"

              jndi-context-factory= "org.jnp.interfaces.NamingContextFactory"

              jndi-pkg-prefix= "org.jboss.naming:org.jnp.interfaces"

              name="JMS-JCA-Provider" transacted="true">

                   <jms-bus busid="ABus">

                        <jms-message-filter

                           dest-name="queue/a_queue_esb" dest-type="QUEUE"

                           persistent="true" transacted="true" jms-security-principal="esbuser" jms-security-credential="esbpassword"/>

                   </jms-bus>

              </jms-jca-provider>

               

               

               

              Regards,

               

              Hans

               

               

              • 4. Re: jms-jca-provider and secured destination
                joe_boy12 Novice

                Hans thnx again, I am using DatabaseServerLoginModule in messaging-jboss-beans.xml as follows and not UsersRolesLoginModule for prop files, I tried that too but in vain.

                 

                this is what my messaging-jboss-beans.xml looks

                 

                  <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
                      <authentication>
                         <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
                            <module-option name="unauthenticatedIdentity">guest</module-option>
                            <module-option name="dsJndiName">java:/JmsDS</module-option>
                            <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
                            <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>
                         </login-module>
                      </authentication>
                   </application-policy>

                 

                and JmsDS is correctly mapped to Oracle where I have all the users and roles created and it actually works if I change it from jca to jms-provider. The jboss-esb.xml part is exactly same as yours except the queue names and thats it.

                 

                Is anybody having same issue with 5.1?

                 

                Thanks

                Joe

                • 5. Re: jms-jca-provider and secured destination
                  Hans Wolffenbuttel Expert

                  In the deploy directory there is a jms-ds.xml file which has a JmsXARealm. Maybe its using this realm instead of (or in addition to) your messaging realm. The login-config.xml file contains this realm:

                   

                  <application-policy name="JmsXARealm">

                  - <authentication>
                  - <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
                  <module-option name="principal">guest</module-option>
                  <module-option name="userName">guest</module-option>
                  <module-option name="password">guest</module-option>
                  <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                  </login-module>
                  </authentication>
                  </application-policy>

                   

                  Try changing this to your database loginmodule.

                   

                  Regards,

                   

                  Hans

                  • 6. Re: jms-jca-provider and secured destination
                    joe_boy12 Novice

                    Hans, thnx for your continuous help - here is what I tried.

                     

                    1. in jms-ds.xml I tried changing following property

                    <security-domain-and-application>JmsXARealm</security-domain-and-application> to "messaging" which is a DatabaseServerLoginModule from messaging-jboss-beans.xml but nope.

                     

                    2. then I kept

                     

                    jms-ds.xml as it is and changed login-config.xml as follows

                       <application-policy name="JmsXARealm">
                          <authentication>
                             <login-module code="org.jboss.resource.security.ConfiguredIdentityLoginModule" flag="required">
                                <module-option name="principal">esb</module-option>
                                <module-option name="userName">esbuser</module-option>
                                <module-option name="password">esbpassword</module-option>
                                <module-option name="managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
                             </login-module>
                          </authentication>
                       </application-policy>

                    but nope.

                     

                    3. then I changed above login-module to DatabaseServerLoginModule same as from messaging-jboss-beans.xml but again no no.

                     

                    Everytime I get following error when I deploy my esb. Not sure whats going on as it looked straightforward to me, do u think I need to change anything else too?. I will probably get the older SOA version and see if my setup works there.

                     

                    =====

                    13:07:04,878 ERROR [JmsActivation] Unable to reconnect org.jboss.resource.adapter.jms.inflow.JmsActivationSpec@155c7a8(ra=org.jboss.resource.adapter.jms.JmsReso
                    urceAdapter@1bcf4e7 destination=queue/MyGatewayQueue destinationType=javax.jms.Queue tx=true durable=false reconnect=10 provider=java:/DefaultJMSProvider
                    user=null maxMessages=1 minSession=1 maxSession=15 keepAlive=60000 useDLQ=true DLQHandler=org.jboss.resource.adapter.jms.inflow.dlq.GenericDLQHandler DLQJndiNa
                    me=queue/DLQ DLQUser=null DLQMaxResent=5)
                    javax.jms.JMSSecurityException: User: null is not authorized to read from destination MyGatewayQueue
                            at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:311)

                    =====

                    • 7. Re: jms-jca-provider and secured destination
                      joe_boy12 Novice

                      Hans,

                       

                      do you have anything extra in deployment.xml other than JMS destinations? I mean any other dependency for jms-jca

                       

                      Thanks

                      Joe

                      • 8. Re: jms-jca-provider and secured destination
                        Hans Wolffenbuttel Expert

                        Here is what I have in addition to my queues in deployment.xml:

                         

                         

                         

                         

                         

                        <depends>jboss.esb:deployment=soap.esb</depends>

                         

                        <depends>jboss.esb:deployment=jbossesb.esb</depends>

                         

                        <depends>jboss.esb:deployment=jbrules.esb</depends>

                         

                        <depends>jboss.esb:deployment=spring.esb</depends>

                         

                         

                        Is there an option to try the community version 4.9? If so, please try first without the ajustments and after a succes apply them.

                         

                        Regards,

                         

                        Hans