11 Replies Latest reply on Mar 22, 2009 7:58 PM by Thai Huynh

    Anyway of removing the MDB username and password from the jb

    Gray Newbie

      Is there any way of removing the mdb-user and mdb-passwd fields from jboss.xml but my MDB still being able to connect to my secure JMS destination?



      I have an application that contains JMS Destinations that are secured in JAAS realm

      I have MDBs that listen to these JMS Destinations

      In my EJB jar located inside my EAR there is a file called jboss.xml. In order for my MDBs to be able to listen to the secured JMS Destinations I have to supply a username and password for each of them

      <mdb-user>internal_jms_user</mdb-user>
      <mdb-passwd>password</mdb-passwd>


      Now I don't mind having usernames and passwords in my datasource configuration for connection pooling my database connections since they are at least not inside the EAR - just the jboss server itself. That means I can just get one of the administrators to key in a password that I don't know in our production environment

      But it *really* bugs me that I am currently stuck with this username and password in jboss.xml since that lives inside the EAR that I give to the admin team to deploy.

      Surely there must be some way of removing this username and password from the deployment artifact? It breaks the whole separation of roles between developer and deployer which believe it or not we actually have in our organisation (since it is a bank).

      Suggestions? Workarounds? I'm open to any ideas here.



      Kindest Regards,

      Graeme.

        • 1. Re: Anyway of removing the MDB username/password from jboss.
          Gray Newbie

          Extra information follows

          My ideal solution would be to remove these jms usernames and passwords from the jboss.xml altogether and then doing some magic in the server JAAS login config xml file to make it so that the jms identity is configured there (which meets my criteria of being outside of the EAR) and the MDB gets it automatically. However I'm not sure if that is possible even if your jms destinations and ejb container are fortunate enough to be sharing the same JAAS realm.

          I would really appreciate some wisdom here on ways of removing the JMS password from the jboss.xml (and therefore out of the EAR).

          My only workarounds at the moment are to either
          1) Get the admin to actually check out from CVS, run the ant build and generate the deployment artifact themselves or
          2) Get the admin team to unpack the EAR, unpack the EJB jar, update the jboss.xml with the prod password, then repack the JAR and EAR.

          Obviously both of these are convoluted workarounds.

          Kindest Regards,

          Graeme.

          • 2. Re: Anyway of removing the MDB username and password from th
            Gray Newbie

            I really need ideas here. Anyone?

            I was thinking perhaps maybe a ConfiguredIdentityLoginModule might be an answer. But right now I don't even know if it's possible to use JAAS to authenticate an MDB to a JMS Destination rather than using the explicit username/password in the jboss.xml...

            • 3. Re: Anyway of removing the MDB username and password from th
              Gray Newbie

              Another option I thought of by reading the various forum posts was using a resource factory to supply the jms connections meaning I could supply the connection parameters (username and password) in an xml file similar to my jdbc datasources. Is this a possibility? If it is how would I tell the mdb to use a connection from this factory rather than looking for username and password in the jboss xml file?

              • 4. Re: Anyway of removing the MDB username and password from th
                Gray Newbie

                No replies yet.

                Has anyone had a chance to consider the question I raised regarding removing the message driven bean jms username and password from the jboss.xml file?

                • 5. Re: Anyway of removing the MDB username and password from th
                  Adrian Brock Master

                  Raise a feature request (and/or supply a patch) on JIRA.

                  The most obvious solution is to allow an optional JAAS config on the JMSProviderAdapter.
                  i.e. if the MDB (or JMS RAR) does not provide a user/password it asks
                  JAAS for the user/password and does createConnection(jaasUser, jaasPassword).

                  I'd raise the issue in the Developer's security forum first, to discuss implementation
                  details/issues on the JAAS side, e.g. maybe you want this same user/password
                  for the JNDI context, not just the JMS connection creation.
                  http://www.jboss.org/index.html?module=bb&op=viewforum&f=171

                  • 6. Re: Anyway of removing the MDB username and password from th
                    Gray Newbie

                    Thanks for the reply Adrian.

                    Forgive my persistence but am I correct to assume therefore that there is no way of currently getting your MDB to subscribe to a secured JMS destination without using those two fields in the jboss.xml?

                    I was really hoping for a reply along the lines of "oh that's easy you just put **** into the conf/login-conf.xml file and jaas will do it for you" or "oh that's easy you just put **** into the jboss.xml file to make it use a JMS resource factory connection rather than manually opening a JMS connection". :)

                    I guess if it's truly not possible I will just have to write the deployment script workaround (unpacks the ear and ejb jar, puts in the password that the deployer specifies and repacks the jar then ear).

                    Kindest Regards,

                    Graeme.

                    • 7. Re: Anyway of removing the MDB username and password from th
                      Scott Stark Master

                       

                      ...
                      <message-driven>
                         <ejb-name>SomeMDB</ejb-name>
                         <destination-jndi-name>someDest</destination-jndi-name>
                         <mdb-user>${SomeMDB.mdb-user}</mdb-user>
                         <mdb-passwd>${SomeMDB.mdb-passwd}</mdb-passwd>
                      </message-driven>
                      ...
                      


                      and define the SomeMDB.mdb-user, SomeMDB.mdb-passwd system properties in the properties-service.xml.
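
An added example, not part of the thread and not JBoss code: a deployer-side check that opens an EAR in memory, descends into nested jars, and reports any mdb-user / mdb-passwd element in META-INF/jboss.xml that still holds a literal value instead of a ${...} property reference like the one in the reply above. The function names, the app-ejb.jar name and the sample EAR are constructed for illustration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PLACEHOLDER = re.compile(r"^\$\{[^{}]+\}$")  # value is exactly one ${property}
CREDENTIAL_TAGS = ("mdb-user", "mdb-passwd")

def local(el):
    """Element name without an XML namespace prefix, if the file declares one."""
    return el.tag.rsplit("}", 1)[-1]

def scan_jboss_xml(xml_bytes, origin):
    """Return (path, ejb-name, element) for each literal credential value."""
    findings = []
    for mdb in ET.fromstring(xml_bytes).iter():
        if local(mdb) != "message-driven":
            continue
        fields = {local(c): (c.text or "").strip() for c in mdb}
        for tag in CREDENTIAL_TAGS:
            value = fields.get(tag, "")
            if value and not PLACEHOLDER.match(value):
                # Report where the secret is, never the secret itself.
                findings.append((origin, fields.get("ejb-name", "?"), tag))
    return findings

def scan_archive(data, origin="ear"):
    """Walk an EAR/JAR held in memory, recursing into nested .jar/.war files."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            path = f"{origin}!/{name}"
            if name.endswith("META-INF/jboss.xml"):
                findings += scan_jboss_xml(zf.read(name), path)
            elif name.endswith((".jar", ".war")):
                findings += scan_archive(zf.read(name), path)
    return findings

def build_sample_ear(user, passwd):
    """Constructed sample: an EAR holding one EJB jar with one MDB."""
    jboss_xml = ("<jboss><enterprise-beans><message-driven>"
                 "<ejb-name>SomeMDB</ejb-name>"
                 f"<mdb-user>{user}</mdb-user><mdb-passwd>{passwd}</mdb-passwd>"
                 "</message-driven></enterprise-beans></jboss>")
    jar, ear = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/jboss.xml", jboss_xml)
    with zipfile.ZipFile(ear, "w") as zf:
        zf.writestr("app-ejb.jar", jar.getvalue())
    return ear.getvalue()

if __name__ == "__main__":
    for hit in scan_archive(build_sample_ear("internal_jms_user", "password")):
        print("literal credential: %s (bean %s, element <%s>)" % hit)
```

Run against the artifact handed to the deployer, an empty result means the EAR carries only property references and the real values have to come from the server side.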

                      • 8. Re: Anyway of removing the MDB username and password from th
                        Gray Newbie

                        That's brilliant Scott. Works like a charm...

                        Thanks,

                        Graeme.

                        • 9. Re: Anyway of removing the MDB username and password from th
                          Thai Huynh Newbie


                          Hi all, we are trying to remove hardcoding the username and password for the MDB from jboss.xml. Tried as suggested but for some reason the property values aren't being picked up in jboss.xml.


                          1. deploy/properties-service.xml:

                          <mbean code="org.jboss.varia.property.SystemPropertiesService"
                                 name="jboss:type=Service,name=SystemProperties">

                             <!--
                                | Set raw properties file style properties.
                             -->

                             <attribute name="Properties">

                                username=john
                                password=needle

                             </attribute>
                          </mbean>



                          2. jboss.xml:

                          <message-driven>
                             <ejb-name>SaMDB</ejb-name>
                             <destination-jndi-name>queue/TO_SA</destination-jndi-name>

                             <mdb-user>${username}</mdb-user>
                             <mdb-passwd>${password}</mdb-passwd>

                             <resource-ref>
                                <res-ref-name>jms/QCF</res-ref-name>
                                <jndi-name>ConnectionFactory</jndi-name>
                             </resource-ref>
                          </message-driven>


                          3. <JBOSS_SERVER>/common/lib/properties-plugin.jar exists

                          4. Tried in JBoss version 5.0.0.GA and 5.0.1.GA

                          5. ${username} has not been evaluated, got the following exception:

                          javax.jms.JMSSecurityException: User ${username} is NOT authenticated



                          Any help or leads would be most appreciated.


                          Thanks,

                          Thai

                          • 10. Re: Anyway of removing the MDB username and password from th
                            jaikiran pai Master

                            Try this for now:

                            run.bat -Dusername=john -Dpassword=needle


                            Let me see the docs for PropertiesService and how it works and its syntax.

                            • 11. Re: Anyway of removing the MDB username and password from th
                              Thai Huynh Newbie

                              Thank you for your reply jaikiran.

                              The problem with using the -D option for the JVM will mean that anyone logged on to the machine will be able to view the username and password when they view the process using the ps command.

                              However, I think you have just made me realise that we will be deploying on a Windows server for this application and will be using the Windows Service process to start JBoss so that might not pose a problem after all (i.e. we can use the -D option). Am I right? Will confirm this now.

                              Still, it will be good to find out what was the problem with the properties-service.xml not loading for jboss.xml.


                              Thanks,

                              -Thai