4 Replies Latest reply on Mar 4, 2012 11:50 AM by pema

    javax.jms.JMSSecurityException: Unable to validate user: null

    ziggy25

      Environment:

      JBoss 7.1.0

      OS Windows

      I am trying a simple test to try out JMS using JBoss with the built-in HornetQ JMS provider. After a lot of playing around I got it to get a response with the following properties:

           

                  final Properties env = new Properties();
                  env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                  env.put(Context.PROVIDER_URL, "remote://localhost:4447");
                  env.put(Context.SECURITY_PRINCIPAL, "appuser2");
                  env.put(Context.SECURITY_CREDENTIALS, "passw0rd");

       

      The problem though is that when I run it I get the following error:

       

          javax.jms.JMSSecurityException: Unable to validate user: null
              at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:286)
              at org.hornetq.core.client.impl.ClientSessionFactoryImpl.createSessionInternal(ClientSessionFactoryImpl.java:695)
              at org.hornetq.core.client.impl.ClientSessionFactoryImpl.createSession(ClientSessionFactoryImpl.java:264)
              at org.hornetq.jms.client.HornetQConnection.authorize(HornetQConnection.java:589)
              at org.hornetq.jms.client.HornetQConnectionFactory.createConnectionInternal(HornetQConnectionFactory.java:694)
              at org.hornetq.jms.client.HornetQConnectionFactory.createConnection(HornetQConnectionFactory.java:121)
              at org.hornetq.jms.client.HornetQConnectionFactory.createConnection(HornetQConnectionFactory.java:116)
              at com.jms.client.ConsoleClient.runExample(ConsoleClient.java:51)
              at com.jms.client.ConsoleClient.main(ConsoleClient.java:20)
          Caused by: HornetQException[errorCode=105 message=Unable to validate user: null]
              ... 9 more

       

       

      I have been looking around on Google and every example seems to point to how to configure the security settings with HornetQ as a standalone server. I can't figure out how to configure the user on JBoss and whether I even need to.

       

       

      Any ideas?

        • 1. Re: javax.jms.JMSSecurityException: Unable to validate user: null
          jbertram

          Like everything else in JBoss AS 7.1.0.Final, JMS is secured by default.  It uses the same security domain as JNDI so you can use the same username and password (i.e. appuser2 and passw0rd respectively) in your call to javax.jms.ConnectionFactory.createConnection(String, String).  For example:

           

                  // JNDI: authenticate the remote naming lookup
                  final Properties env = new Properties();
                  env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
                  env.put(Context.PROVIDER_URL, "remote://localhost:4447");
                  env.put(Context.SECURITY_PRINCIPAL, "guest");
                  env.put(Context.SECURITY_CREDENTIALS, "pass");
                  Context context = new InitialContext(env);
                  ConnectionFactory cf = (ConnectionFactory) context.lookup("jms/RemoteConnectionFactory");
                  Destination destination = (Destination) context.lookup("jms/queue/test");
                  context.close();

                  // JMS: pass the username and password to createConnection as well
                  Connection connection = cf.createConnection("guest", "pass");
                  Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
                  MessageProducer producer = session.createProducer(destination);
                  Message msg = session.createTextMessage("example text");
                  producer.send(msg);
                  connection.close();

          • 2. Re: javax.jms.JMSSecurityException: Unable to validate user: null
            ziggy25

            How do I configure the user and the roles they are supposed to have?

            For the current test I created a user using add-user with the following properties

             

            username: appuser2

            password: passw0rd

            roles : ApplicationRealm

             

            When I run it, it complains that appuser2 doesn't have permission to 'SEND'.

             

            javax.jms.JMSSecurityException: User: appuser2 doesn't have permission='SEND' on address jms.queue.testQueue
                at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:286)
                at org.hornetq.core.client.impl.ClientProducerImpl.doSend(ClientProducerImpl.java:287)

             

            I am also confused as to the relationship between the permissions for JNDI/JMS and HornetQ. The standalone-full.xml has user permissions configuration for HornetQ and the application-user.properties and application-user.role.properties have some more user privileges configuration.

            • 3. Re: javax.jms.JMSSecurityException: Unable to validate user: null
              jbertram

              Here's the default <security-settings> in standalone-full.xml for AS 7.1.0.Final:

               

                              <security-settings>
                                  <security-setting match="#">
                                      <permission type="send" roles="guest"/>
                                      <permission type="consume" roles="guest"/>
                                      <permission type="createNonDurableQueue" roles="guest"/>
                                      <permission type="deleteNonDurableQueue" roles="guest"/>
                                  </security-setting>
                              </security-settings>

               

              My guess is that the user you're connecting with doesn't belong to the "guest" role.  You either need to add your user to the role "guest", connect with a different user that already belongs to the role "guest", or create a new user that belongs to the role "guest" and connect with it.  These security settings are discussed more in the HornetQ documentation here.

               

              As far as the permissions for JNDI and JMS go... The first thing to remember is that there is no necessary link between JNDI and JMS.  JNDI authentication and JMS authentication/authorization are usually 100% independent of one another.  It just so happens that by default both the JNDI and JMS subsystems use the "other" security domain defined in standalone*.xml, which means they share the same data for authorization and authentication for the sake of convenience.  Of course, this can be changed if desired and the two can use different security domains.

               

              To be clear, JNDI security only involves authentication (at least, at this point) whereas JMS security involves both authentication and authorization.

              • 4. Re: javax.jms.JMSSecurityException: Unable to validate user: null
                pema

                Hi,

                 

                I have just managed to send a JMS message from a remote client to an MDB using JBoss 7.1 and the built-in HornetQ. After a lot of playing around my last problem was also the send permission JMSSecurityException.

                I had created a user with the guest role using add-user.bat.

                 

                The problem was that the script didn't put the new entry on a new line so my application-roles.properties looked like this:

                 

                     ...
                     #
                     # The following illustrates how an admin user could be defined, this
                     # is for illustration only and does not correspond to a usable password.
                     #
                     #admin=PowerUser,BillingAdmin,
                     #guest=guest jmsuser=guest

                 

                I had to manually put my entry (jmsuser=guest) on a new line to make it work.
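
The two authorization failures in this thread (a user without the "guest" role in reply 3, and a role entry swallowed by a comment line in reply 4) can be checked offline. The following is an added example, not code from any poster or from JBoss/HornetQ; the function names are hypothetical, the role files are constructed samples modelled on reply 4, and the address matching and the comment-line heuristic are simplifying assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Default <security-settings> quoted in reply 3.
SECURITY_SETTINGS = """
<security-settings>
  <security-setting match="#">
    <permission type="send" roles="guest"/>
    <permission type="consume" roles="guest"/>
    <permission type="createNonDurableQueue" roles="guest"/>
    <permission type="deleteNonDurableQueue" roles="guest"/>
  </security-setting>
</security-settings>
"""

# Constructed samples modelled on reply 4: before and after the manual fix.
BROKEN_ROLES = "#admin=PowerUser,BillingAdmin,\n#guest=guest jmsuser=guest\n"
FIXED_ROLES = "#admin=PowerUser,BillingAdmin,\n#guest=guest\njmsuser=guest\n"

def load_roles(text):
    """Parse user=role1,role2 lines; lines starting with '#' or '!' are comments."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        user, _, value = line.partition("=")
        roles[user.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return roles

def swallowed_entries(text):
    """Heuristic: report user=role tokens stuck on the end of a comment line."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        m = re.search(r"\s([\w.@-]+=[\w,.-]+)\s*$", line)
        if line.lstrip().startswith("#") and m:
            hits.append((no, m.group(1)))
    return hits

def allowed(user, permission, address, roles, settings_xml=SECURITY_SETTINGS):
    """Simplified: handles only match='#' (all addresses) and exact matches."""
    user_roles = roles.get(user, set())
    for setting in ET.fromstring(settings_xml).iter("security-setting"):
        if setting.get("match") in ("#", address):
            for perm in setting.iter("permission"):
                granted = set(re.split(r"[,\s]+", perm.get("roles", "").strip()))
                if perm.get("type") == permission and user_roles & granted:
                    return True
    return False
```

Running `swallowed_entries` over the roles file after each `add-user` run flags the missing-newline case before it surfaces as a `permission='SEND'` exception at runtime.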