5 Replies Latest reply on Feb 26, 2009 6:22 PM by luke biddell

    Problems with jaas SecurityDomain and @MessageDriven

    luke biddell Newbie

      gaohoward suggested I post this here, here's the original posting from the messaging forum.

      http://www.jboss.org/index.html?module=bb&op=viewtopic&t=150695


      I'm porting an existing application from 422GA to 5 and am having trouble with security where we use @MessageDriven.

      Within the app we have an existing bean with the @MessageDriven annotation. Within this annotation we set the user and password @ActivationConfigProperty. These credentials exist within our custom Jaas security domain.

      I've changed the SecurityStore within messaging-jboss-beans.xml so that the security domain points to our domain (i.e. java:/jaas/MyDomain).

      And finally, within the destinations-service.xml I have put an entry for the queue referenced in the @MessageDriven bean (this queue used to be auto-created in 422 but I understand this is no longer the default behaviour, hence the destinations-service.xml entry).

      However, when I start JBoss 5 I get the error:

      09:04:09,502 ERROR [ExceptionUtil] ConnectionFactoryEndpoint[jboss.messaging.connectionfactory:service=ConnectionFactory] createFailoverConnectionDelegate [da-m6b2sbrf-1-5gkxrbrf-w8ajbw-x1461k]
      javax.jms.JMSSecurityException: User jmsuser is NOT authenticated
       at org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore.authenticate(JBossASSecurityMetadataStore.java:223)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:93)
       at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:27)
       at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:208)
       at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:120)
       at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:262)
       at javax.management.StandardMBean.invoke(StandardMBean.java:391)
       at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy236.authenticate(Unknown Source)
       at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInternal(ServerConnectionFactoryEndpoint.java:233)
       at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(ServerConnectionFactoryEndpoint.java:171)
       at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.org$jboss$jms$server$endpoint$advised$ConnectionFactoryAdvised$createConnectionDelegate$aop(ConnectionFactoryAdvised.java:108)
       at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.createConnectionDelegate(ConnectionFactoryAdvised.java)
       at org.jboss.jms.wireformat.ConnectionFactoryCreateConnectionDelegateRequest.serverInvoke(ConnectionFactoryCreateConnectionDelegateRequest.java:91)
       at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandler.java:143)
       at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
       at org.jboss.remoting.transport.local.LocalClientInvoker.invoke(LocalClientInvoker.java:106)
       at org.jboss.remoting.Client.invoke(Client.java:1708)
       at org.jboss.remoting.Client.invoke(Client.java:612)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delegate$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(ClientConnectionFactoryDelegate.java:171)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.invokeTarget(ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.java)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
       at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCreationAspect.java:81)
       at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect_z_handleCreateConnectionDelegate_23138316.invoke(StateCreationAspect_z_handleCreateConnectionDelegate_23138316.java)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(ClientConnectionFactoryDelegate.java)
       at org.jboss.jms.client.JBossConnectionFactory.createConnectionInternal(JBossConnectionFactory.java:205)
       at org.jboss.jms.client.JBossConnectionFactory.createXAQueueConnection(JBossConnectionFactory.java:142)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupQueueConnection(JmsActivation.java:533)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupConnection(JmsActivation.java:506)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation.setup(JmsActivation.java:353)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation$SetupActivation.run(JmsActivation.java:729)
       at org.jboss.resource.work.WorkWrapper.execute(WorkWrapper.java:204)
       at org.jboss.util.threadpool.BasicTaskWrapper.run(BasicTaskWrapper.java:260)
       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
       at java.lang.Thread.run(Thread.java:619)
      09:04:09,659 WARN [JmsActivation] Failure in jms activation org.jboss.resource.adapter.jms.inflow.JmsActivationSpec@37de6a(ra=org.jboss.resource.adapter.jms.JmsResourceAdapter@eb37cd destination=queue/E3rCorrespondenceMDB destinationType=javax.jms.Queue tx=true durable=false reconnect=10 provider=java:/DefaultJMSProvider user=jmssrv pass=<not shown> maxMessages=1024 minSession=1 maxSession=64 keepAlive=60000 useDLQ=false)
      javax.jms.JMSSecurityException: User jmssrv is NOT authenticated
       at org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore.authenticate(JBossASSecurityMetadataStore.java:223)
       at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
       at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:597)
       at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:93)
       at com.sun.jmx.mbeanserver.StandardMBeanIntrospector.invokeM2(StandardMBeanIntrospector.java:27)
       at com.sun.jmx.mbeanserver.MBeanIntrospector.invokeM(MBeanIntrospector.java:208)
       at com.sun.jmx.mbeanserver.PerInterface.invoke(PerInterface.java:120)
       at com.sun.jmx.mbeanserver.MBeanSupport.invoke(MBeanSupport.java:262)
       at javax.management.StandardMBean.invoke(StandardMBean.java:391)
       at org.jboss.mx.server.RawDynamicInvoker.invoke(RawDynamicInvoker.java:164)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)
       at org.jboss.mx.util.MBeanProxyExt.invoke(MBeanProxyExt.java:210)
       at $Proxy236.authenticate(Unknown Source)
       at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegateInternal(ServerConnectionFactoryEndpoint.java:233)
       at org.jboss.jms.server.endpoint.ServerConnectionFactoryEndpoint.createConnectionDelegate(ServerConnectionFactoryEndpoint.java:171)
       at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.org$jboss$jms$server$endpoint$advised$ConnectionFactoryAdvised$createConnectionDelegate$aop(ConnectionFactoryAdvised.java:108)
       at org.jboss.jms.server.endpoint.advised.ConnectionFactoryAdvised.createConnectionDelegate(ConnectionFactoryAdvised.java)
       at org.jboss.jms.wireformat.ConnectionFactoryCreateConnectionDelegateRequest.serverInvoke(ConnectionFactoryCreateConnectionDelegateRequest.java:91)
       at org.jboss.jms.server.remoting.JMSServerInvocationHandler.invoke(JMSServerInvocationHandler.java:143)
       at org.jboss.remoting.ServerInvoker.invoke(ServerInvoker.java:908)
       at org.jboss.remoting.transport.local.LocalClientInvoker.invoke(LocalClientInvoker.java:106)
       at org.jboss.remoting.Client.invoke(Client.java:1708)
       at org.jboss.remoting.Client.invoke(Client.java:612)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.org$jboss$jms$client$delegate$ClientConnectionFactoryDelegate$createConnectionDelegate$aop(ClientConnectionFactoryDelegate.java:171)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.invokeTarget(ClientConnectionFactoryDelegate$createConnectionDelegate_N3019492359065420858.java)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
       at org.jboss.jms.client.container.StateCreationAspect.handleCreateConnectionDelegate(StateCreationAspect.java:81)
       at org.jboss.aop.advice.org.jboss.jms.client.container.StateCreationAspect_z_handleCreateConnectionDelegate_23138316.invoke(StateCreationAspect_z_handleCreateConnectionDelegate_23138316.java)
       at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
       at org.jboss.jms.client.delegate.ClientConnectionFactoryDelegate.createConnectionDelegate(ClientConnectionFactoryDelegate.java)
       at org.jboss.jms.client.JBossConnectionFactory.createConnectionInternal(JBossConnectionFactory.java:205)
       at org.jboss.jms.client.JBossConnectionFactory.createXAQueueConnection(JBossConnectionFactory.java:142)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupQueueConnection(JmsActivation.java:533)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation.setupConnection(JmsActivation.java:506)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation.setup(JmsActivation.java:353)
       at org.jboss.resource.adapter.jms.inflow.JmsActivation$SetupActivation.run(JmsActivation.java:729)
       at org.jboss.resource.work.WorkWrapper.execute(WorkWrapper.java:204)
       at org.jboss.util.threadpool.BasicTaskWrapper.run(BasicTaskWrapper.java:260)
       at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
       at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
       at java.lang.Thread.run(Thread.java:619)
      


      Here's my destinations-service.xml.
      
      <mbean code="org.jboss.jms.server.destination.QueueService"
             name="jboss.messaging.destination:service=Queue,name=MyQueue"
             xmbean-dd="xmdesc/Queue-xmbean.xml">
         <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
         <depends>jboss.messaging:service=PostOffice</depends>
      </mbean>
      


      and here's my messaging-jboss-beans.xml showing the SecurityStore config.

      
      <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
         <!-- default security configuration -->
         <property name="defaultSecurityConfig">
            <![CDATA[
            <security>
               <role name="guest" read="true" write="true" create="true"/>
            </security>
            ]]>
         </property>
         <property name="suckerPassword">changedit</property>
         <property name="securityDomain">java:/jaas/MyDomain</property>
         <property name="securityManagement"><inject bean="JNDIBasedSecurityManagement"/></property>
         <!-- @JMX annotation to export the management view of this bean -->
         <annotation>@org.jboss.aop.microcontainer.aspects.jmx.JMX(name="jboss.messaging:service=SecurityStore",exposedInterface=org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStoreMBean.class)</annotation>
      </bean>
      



      I've tried both the fully qualified jndi jaas domain (as shown above) and just using MyDomain in the securityDomain property, all to no avail.

      Thanks for any help you can provide.

        • 1. Re: Problems with jaas SecurityDomain and @MessageDriven
          jaikiran pai Master

          Enable TRACE level logging of jboss security package as explained in Q4 at http://www.jboss.org/community/docs/DOC-12198

          That might give some idea as to why the authentication fails.

          • 2. Re: Problems with jaas SecurityDomain and @MessageDriven
            Wolfgang Knauf Master

            Hi,

            did you add the security configuration for your SecurityDomain to "\server\default\conf\login-config.xml"? At least for SessionBeans this is required, I don't know how it works for MDBs.

            If yes: try to activate logging of the security layer to see what the security layer does while deploying your MDB.
            See the security FAQ at http://www.jboss.org/community/docs/DOC-12198, question 4.

            Hope this helps

            Wolfgang

            • 3. Re: Problems with jaas SecurityDomain and @MessageDriven
              luke biddell Newbie

              Thanks guys, here's the culprit:

              16:09:31,563 TRACE [MyDomain] Login failure
              javax.security.auth.login.LoginException: unable to find LoginModule class: com.test.MyLoginModule
               at javax.security.auth.login.LoginContext.invoke(LoginContext.java:808)
               at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
               at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
               at java.security.AccessController.doPrivileged(Native Method)
               at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
               at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
              


              I haven't changed conf/login-config.xml as I have a dynamic login module specified in my ear.

              So my ear has my-login-config-service.xml in the root and my-login-config-service.xml is specified in the application.xml

              <server>
                 <mbean code="org.jboss.security.auth.login.DynamicLoginConfig"
                        name="my:service=DynamicLoginConfig">
                    <attribute name="AuthConfig">
                       META-INF/login-config.xml
                    </attribute>
                    <!-- The service which supports dynamic processing of login-config.xml
                         configurations.
                    -->
                    <depends optional-attribute-name="LoginConfigService">
                       jboss.security:service=XMLLoginConfig
                    </depends>
                    <!-- Optionally specify the security mgr service to use when
                         this service is stopped to flush the auth caches of the domains
                         registered by this service.
                    -->
                    <depends optional-attribute-name="SecurityManagerService">
                       jboss.security:service=JaasSecurityManager
                    </depends>
                 </mbean>
              </server>
              


              and in my ear's meta-inf is this login-config.xml

              <?xml version='1.0'?>
              <!DOCTYPE policy PUBLIC
                 "-//JBoss//DTD JBOSS Security Config 3.0//EN"
                 "http://www.jboss.org/j2ee/dtd/security_config.dtd">
              <policy>
                 <application-policy name="MyDomain">
                    <authentication>
                       <login-module code="com.test.MyLoginModule"
                                     flag="required">
                          <module-option name="restore-login-identity">
                             true
                          </module-option>
                       </login-module>
                    </authentication>
                 </application-policy>
              </policy>
              


              com.test.MyLoginModule is packaged in a jar in my ear and is specified as a java module in application.xml.

              It's a shame that the real problem (ie exception) is logged at the trace level, that's not very helpful.

              However, I think I now have two problems...

              1. My login module class doesn't appear to be on the classpath for the JaasSecurityManager
              2. I think my dynamic login config service is deploying after the mdb.

              Should I move my jar containing the login module into the lib directory (it's exploded at development time and zipped for test/production) ?

              The odd thing is that other @Service beans are using the domain quite happily, it's only deploying the mdb that causes the problem.
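
The login failure above comes from JAAS being unable to load the configured class through the class loader of the thread performing the login, so a domain can work from one component and fail from another. A preflight check along these lines reports that at ERROR level instead of TRACE; it is an added example, not code from this thread or from JBoss, and `LoginModulePreflight`, `missingModules` and the inline `Configuration` (a constructed stand-in for the login-config.xml shown above) are hypothetical names. It assumes Java 7 or later syntax.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;

public class LoginModulePreflight {

    /** Returns the login module class names of a domain that the given loader cannot resolve. */
    static List<String> missingModules(Configuration cfg, String domain, ClassLoader loader) {
        AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(domain);
        if (entries == null) {
            // The policy is not registered (yet), e.g. the login config service has not started.
            throw new IllegalArgumentException("No application-policy named " + domain);
        }
        List<String> missing = new ArrayList<>();
        for (AppConfigurationEntry entry : entries) {
            try {
                // initialize=false: test visibility only, do not run static initializers.
                Class.forName(entry.getLoginModuleName(), false, loader);
            } catch (ClassNotFoundException | LinkageError ex) {
                missing.add(entry.getLoginModuleName());
            }
        }
        return missing;
    }

    public static void main(String[] args) {
        // Constructed sample: one required module in "MyDomain", as in the thread's policy file.
        final Map<String, String> options = new HashMap<>();
        options.put("restore-login-identity", "true");
        Configuration cfg = new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                if (!"MyDomain".equals(name)) {
                    return null;
                }
                return new AppConfigurationEntry[] {
                    new AppConfigurationEntry("com.test.MyLoginModule",
                            LoginModuleControlFlag.REQUIRED, options)
                };
            }
        };
        // LoginContext resolves module classes through the thread context class loader.
        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
        List<String> missing = missingModules(cfg, "MyDomain", tccl);
        System.out.println(missing.isEmpty()
                ? "All login modules for MyDomain are loadable from " + tccl
                : "Not loadable from " + tccl + ": " + missing);
    }
}
```

Run from a plain JVM, the sample reports `com.test.MyLoginModule` as not loadable; inside a server, passing `Configuration.getConfiguration()` and the calling component's context class loader shows what that component can actually see.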



              • 4. Re: Problems with jaas SecurityDomain and @MessageDriven
                Wolfgang Knauf Master

                Hi,

                (darn, jaikiran sent his last response while I was writing my own one ;-) )

                for the deployment order: try to place a @Depends annotation on your MDB:

                @Depends(value= "my:service=DynamicLoginConfig")


                Hope this helps.

                For the problem with the JAR not being found I cannot help. When I built a small login module a while ago, I placed code and config in a ".sar" file which was put in the deploy folder.

                Best regards

                Wolfgang

                • 5. Re: Problems with jaas SecurityDomain and @MessageDriven
                  luke biddell Newbie

                  Sorry - I get this week's Terence points. Dump my jar into the deploy folder and it's deployed before the messaging stuff which references my login module. All is well.

                  Thanks for all the help.