2 Replies Latest reply on Feb 17, 2012 2:58 PM by Ed Keen

    AS7.1 Secure queue using remote JNDI

    Ed Keen Newbie

      Distribution:  AS 7.1.0.Final

I have successfully set up a secure remote queue and tested connectivity to it using the HornetQ native libraries. However, I am getting an error when testing the same thing using remote JNDI.

Here is my configuration:

      standalone.xml

<subsystem xmlns="urn:jboss:domain:messaging:1.1">
  <security-settings>
    ......
    <security-setting match="jms.queue.testremotequeue">
      <permission type="send" roles="SvcRole"/>
      <permission type="consume" roles="SvcRole"/>
      <permission type="createNonDurableQueue" roles="SvcRole"/>
      <permission type="deleteNonDurableQueue" roles="SvcRole"/>
    </security-setting>
  </security-settings>
  <jms-connection-factories>
    .....
    <connection-factory name="RemoteConnectionFactory">
      <connectors>
        <connector-ref connector-name="netty"/>
      </connectors>
      <entries>
        <entry name="RemoteConnectionFactory"/>
        <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>
      </entries>
    </connection-factory>
    ......
  </jms-connection-factories>
  <jms-destinations>
    ......
    <jms-queue name="testremotequeue">
      <entry name="java:jboss/exported/jms/queue/testremotequeue"/>
    </jms-queue>
    ......
  </jms-destinations>
</subsystem>

<subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domains>
    <security-domain name="other" cache-type="default">
      <authentication>
        <login-module code="Remoting" flag="optional">
          <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
          <module-option name="throwValidateError" value="true"/>
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="java.naming.provider.url" value="ldap://mycompany.com:389/"/>
          <module-option name="java.naming.security.authentication" value="simple"/>
          <module-option name="allowEmptyPasswords" value="false"/>
          <module-option name="principalDNSuffix" value="@mycompany.com"/>
          <module-option name="baseCtxDN" value="CN=Users,DC=mycompany,DC=com"/>
          <module-option name="baseFilter" value="(sAMAccountName={0})"/>
          <module-option name="uidAttributeID" value="sAMAccountName"/>
          <module-option name="rolesCtxDN" value="CN=Users,DC=mycompany,DC=com"/>
          <module-option name="roleAttributeIsDN" value="true"/>
          <module-option name="roleAttributeID" value="memberOf"/>
          <module-option name="roleNameAttributeID" value="cn"/>
        </login-module>
      </authentication>
    </security-domain>
    ......
  </security-domains>
</subsystem>

      Client code

      Using the native HornetQ library, this configuration works just fine:

// Direct HornetQ connection over the netty connector (port 5445);
// this login is checked by HornetQ's security domain, not by the remoting connector's realm
Queue queue = HornetQJMSClient.createQueue(queueName);
Map<String, Object> connectionParams = new HashMap<String, Object>();
connectionParams.put(TransportConstants.PORT_PROP_NAME, 5445);
connectionParams.put(TransportConstants.HOST_PROP_NAME, "localhost");
TransportConfiguration transportConfiguration = new TransportConfiguration(NettyConnectorFactory.class.getName(), connectionParams);
ConnectionFactory factory = (ConnectionFactory) HornetQJMSClient.createConnectionFactoryWithoutHA(JMSFactoryType.CF, transportConfiguration);
conn = factory.createConnection(userName, password);
....

      However, using JNDI, I am getting an error:

// Remote JNDI goes through the remoting connector (port 4447), which has its own security realm
Properties props = new Properties();
props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
props.put(Context.PROVIDER_URL, "remote://localhost:4447");
props.put(Context.SECURITY_PRINCIPAL, userName);
props.put(Context.SECURITY_CREDENTIALS, password);
Context context = new InitialContext(props);   // the NamingException below is thrown here

      On that last line, I get the following error.  This is going against the same queue with the same username & password:

javax.naming.NamingException: Failed to create remoting connection [Root exception is java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed]
    at org.jboss.naming.remote.client.ClientUtil.namingException(ClientUtil.java:36)
    at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:117)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:667)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:288)
    at javax.naming.InitialContext.init(InitialContext.java:223)
    at javax.naming.InitialContext.<init>(InitialContext.java:197)
    at com.fhlbi.cbs.common.util.RemoteQueueTest.main(RemoteQueueTest.java:33)
Caused by: java.lang.RuntimeException: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
    at org.jboss.naming.remote.protocol.IoFutureHelper.get(IoFutureHelper.java:87)
    at org.jboss.naming.remote.client.cache.ConnectionCache.get(ConnectionCache.java:42)
    at org.jboss.naming.remote.client.InitialContextFactory.createConnection(InitialContextFactory.java:153)
    at org.jboss.naming.remote.client.InitialContextFactory.getOrCreateConnection(InitialContextFactory.java:126)
    at org.jboss.naming.remote.client.InitialContextFactory.getInitialContext(InitialContextFactory.java:106)
    ... 5 more
Caused by: javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:365)
    at org.jboss.remoting3.remote.ClientConnectionOpenListener$Capabilities.handleEvent(ClientConnectionOpenListener.java:214)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
    at org.xnio.channels.TranslatingSuspendableChannel.handleReadable(TranslatingSuspendableChannel.java:189)
    at org.xnio.channels.TranslatingSuspendableChannel$1.handleEvent(TranslatingSuspendableChannel.java:103)
    at org.xnio.ChannelListeners.invokeChannelListener(ChannelListeners.java:72)
    at org.xnio.nio.NioHandle.run(NioHandle.java:90)
    at org.xnio.nio.WorkerThread.run(WorkerThread.java:184)
    at ...asynchronous invocation...(Unknown Source)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:270)
    at org.jboss.remoting3.EndpointImpl.doConnect(EndpointImpl.java:251)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:349)
    at org.jboss.remoting3.EndpointImpl.connect(EndpointImpl.java:333)
    at org.jboss.naming.remote.client.cache.EndpointCache$EndpointWrapper.connect(EndpointCache.java:110)
    at org.jboss.naming.remote.client.cache.ConnectionCache.get(ConnectionCache.java:41)
    ... 8 more

        • 1. Re: AS7.1 Secure queue using remote JNDI
          Justin Bertram Master

          The JNDI look-up is protected by the "ApplicationRealm".  Here are the salient bits of XML:

<management>
  ...
  <security-realm name="ApplicationRealm">
    <authentication>
      <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
  </security-realm>
  ...
</management>
<profile>
  ...
  <subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
  </subsystem>
  ...
</profile>
...
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
  ...
  <socket-binding name="remoting" port="4447"/>
  ...
</socket-binding-group>

          Therefore, you need to run bin/add-user.sh and add a new user to this realm.
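The two authentication boundaries Justin's answer separates, modelled as an added Python example (not code from this thread or from JBoss AS): the remoting connector on 4447 checks a remote JNDI login against ApplicationRealm's application-users.properties, where bin/add-user.sh stores HEX(MD5(user:realm:password)), while the netty connection on 5445 is checked by HornetQ's security domain, assumed here (as in the AS7 default) to be the LDAP-backed "other" domain. The user name, password, LDAP directory and properties-file contents are constructed stand-ins, and the realm check compares the stored digest directly rather than running the real DIGEST-MD5 exchange.

```python
import hashlib
import hmac

REALM = "ApplicationRealm"

def realm_digest(user, password, realm=REALM):
    """Value bin/add-user.sh stores in application-users.properties:
    HEX(MD5(user ':' realm ':' password)), i.e. the HTTP Digest HA1."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()

def add_user_entry(user, password):
    """The 'user=digest' line add-user.sh appends for a new ApplicationRealm user."""
    return f"{user}={realm_digest(user, password)}"

def parse_users_properties(text):
    """Parse 'user=digest' lines; '#' lines (including the realm header) are skipped."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, _, digest = line.partition("=")
            users[name.strip()] = digest.strip()
    return users

def remoting_auth(users, user, password):
    """Model of the check behind remote://host:4447: the SASL login succeeds only
    if the user exists in the realm store with a matching digest. (Real DIGEST-MD5
    is challenge/response; here the stored HA1 is compared directly.)"""
    stored = users.get(user)
    return stored is not None and hmac.compare_digest(stored, realm_digest(user, password))

# Constructed stand-in for the LDAP directory behind the "other" security domain,
# which is what HornetQ consults for the netty connection on 5445.
LDAP_DIRECTORY = {"svcuser": ("Secret1!", {"SvcRole"})}

def hornetq_auth(user, password, required_role="SvcRole"):
    entry = LDAP_DIRECTORY.get(user)
    return entry is not None and entry[0] == password and required_role in entry[1]

# Constructed application-users.properties, before and after running add-user.sh.
APP_USERS_BEFORE = "#$REALM_NAME=ApplicationRealm$\n"
APP_USERS_AFTER = APP_USERS_BEFORE + add_user_entry("svcuser", "Secret1!") + "\n"

def diagnose(app_users_text, user, password):
    """Which boundary accepts the login? The thread's symptom is
    {'hornetq': True, 'remoting': False}: valid in LDAP, absent from the realm."""
    users = parse_users_properties(app_users_text)
    return {"hornetq": hornetq_auth(user, password),
            "remoting": remoting_auth(users, user, password)}
```

Running diagnose() against APP_USERS_BEFORE reproduces the thread's situation (HornetQ accepts, remoting rejects); against APP_USERS_AFTER both accept, which is what adding the user to the realm fixes.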

          • 2. Re: AS7.1 Secure queue using remote JNDI
            Ed Keen Newbie

            I can't believe I missed that, Justin.  That fixed it.  Thank you!!!