0 Replies Latest reply on Jun 23, 2004 1:51 PM by Gregg Freeman

    user null not authenticated upon cache timeout

    Gregg Freeman Newbie

      I'm having an issue using JBoss 3.2.3 where I've defined a JMS queue, with a unauthenticatedIdentity of guest. I'm able to publish messages to the queue, until the DefaultCacheTimout on the JaasSecurityManager is hit. At that point I get user: null is NOT authenticated messages.

      Before the cache timeout, I see this in the trace log (of jms and security):

      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.Connection] Authenticating user null
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting to : serverpc/192.168.1.101:8090
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting with addr=serverpc/192.168.1.101, port=8090, localAddr=null, localPort=0, socketFactory=javax.net.DefaultSocketFactory@f77c8e
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.il.oil.OILServerILService] Setting TcpNoDelay Option to:true
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.server.TracingInterceptor] CALLED : authenticate
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.security.ServerSecurityInterceptor] Autenticating user null/null
      2004-06-23 12:33:32,937 TRACE [org.jboss.security.plugins.JaasSecurityManager.jbossmq] validateCache, info=org.jboss.security.plugins.JaasSecurityManager$DomainInfo@18e8fe0
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.security.SecurityManager] Username: null is authenticated
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.security.SecurityManager] Adding group : class org.jboss.security.NestableGroup Roles(members:guest)
      2004-06-23 12:33:32,937 TRACE [org.jboss.mq.server.TracingInterceptor] RETURN : authenticate


      Note the validateCache call above....
      After the cache timeout, I see the following in the trace log:


      2004-06-23 12:33:33,046 TRACE [org.jboss.mq.Connection] Authenticating user null
      2004-06-23 12:33:33,046 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting to : serverpc/192.168.1.101:8090
      2004-06-23 12:33:33,046 TRACE [org.jboss.mq.il.oil.OILServerIL] Connecting with addr=serverpc/192.168.1.101, port=8090, localAddr=null, localPort=0, socketFactory=javax.net.DefaultSocketFactory@f77c8e
      2004-06-23 12:33:33,046 TRACE [org.jboss.mq.il.oil.OILServerILService] Setting TcpNoDelay Option to:true
      2004-06-23 12:33:33,046 TRACE [org.jboss.mq.server.TracingInterceptor] CALLED : authenticate
      2004-06-23 12:33:33,046 TRACE [org.jboss.mq.security.ServerSecurityInterceptor] Autenticating user null/null
      2004-06-23 12:33:33,062 TRACE [org.jboss.mq.sm.file.DynamicLoginModule] logout
      2004-06-23 12:33:33,062 DEBUG [org.jboss.security.plugins.JaasSecurityManager.jbossmq] Login failure
      javax.security.auth.login.LoginException: No LoginModules configured for jbossmq
      at javax.security.auth.login.LoginContext.init(LoginContext.java:189)
      at javax.security.auth.login.LoginContext.<init>(LoginContext.java:350)
      at javax.security.auth.login.LoginContext.<init>(LoginContext.java:465)
      at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:486)
      at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:442)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:244)
      at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:219)
      at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:208)
      at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:51)
      at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:787)
      at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:287)
      at org.jboss.mq.il.oil.OILServerILService$Client.run(OILServerILService.java:329)
      at java.lang.Thread.run(Thread.java:534)
      2004-06-23 12:33:33,062 TRACE [org.jboss.mq.security.SecurityManager] User: null is NOT authenticated
      2004-06-23 12:33:33,062 TRACE [org.jboss.mq.server.TracingInterceptor] EXCEPTION : authenticate:
      javax.jms.JMSSecurityException: User: null is NOT authenticated
      at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:232)
      at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:51)
      at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:787)
      at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:287)
      at org.jboss.mq.il.oil.OILServerILService$Client.run(OILServerILService.java:329)
      at java.lang.Thread.run(Thread.java:534)
      2004-06-23 12:33:33,062 TRACE [org.jboss.mq.server.TracingInterceptor] RETURN : authenticate


      I can't figure out why it thinks there is no LoginModule configured for the jbossmq domain....

      In my jbossmq-service.xml I have:
      <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
       <attribute name="DefaultSecurityConfig">
       <security>
       <role name="guest" read="true" write="true" create="true"/>
       </security>
       </attribute>
       <attribute name="SecurityDomain">jbossmq</attribute>
       <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
       </mbean>
      


      My queue is defined as:
      <mbean code="org.jboss.mq.server.jmx.Queue"
       name="jboss.mq.destination:service=Queue,name=ReactorEvents">
       <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
       <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
       <attribute name="SecurityConf">
       <security>
       <role name="guest" read="true" write="true"/>
       <role name="publisher" read="true" write="true" create="false"/>
       </security>
       </attribute>
       </mbean>
      


      My jboss-service.xml has:
       <mbean code="org.jboss.security.plugins.SecurityConfig"
       name="jboss.security:service=SecurityConfig">
       <attribute name="LoginConfig">jboss.security:service=XMLLoginConfig</attribute>
       </mbean>
       <mbean code="org.jboss.security.auth.login.XMLLoginConfig"
       name="jboss.security:service=XMLLoginConfig">
       <attribute name="ConfigResource">login-config.xml</attribute>
       </mbean>
      
       <!-- JAAS security manager and realm mapping -->
       <mbean code="org.jboss.security.plugins.JaasSecurityManagerService"
       name="jboss.security:service=JaasSecurityManager">
       <attribute name="SecurityManagerClassName">
       org.jboss.security.plugins.JaasSecurityManager
       </attribute>
       <attribute name="DefaultCacheTimeout">10</attribute>
       </mbean>
      


      The login-config.xml has:
       <!-- Security domain for JBossMQ -->
       <application-policy name = "jbossmq">
       <authentication>
       <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
       </login-module>
       </authentication>
       </application-policy>
      


      And my jbossmq-state has:
      <User>
       <Name>guest</Name>
       <Password>guest</Password>
      </User>
      and
      <Role name="guest">
       <UserName>guest</UserName>
       <UserName>john</UserName>
      </Role>
      
      



      I can't figure out why it works until the cache expires....

      I had originally posted this in the Messaging forum, but as I looked at it more, the more I belive it's a security issue, so please forgive the cross-post.

      Thank you in advance for your help.