0 Replies Latest reply on Nov 9, 2006 4:57 PM by Brian Ploetz

    Migrating from JBoss 3.2.4 to 4.0.4GA, getting javax.jms.JMS

    Brian Ploetz Newbie

      I'm sure I'll get a RTFM reply from someone, but I assure you I've been banging my head against the wall for the last two days trying to figure out what is going wrong. I've read all of the documentation several times, the FAQs, the Wiki and the Forum, and I'm still stumped. I've seen other posts with similar problems, but none of them seem to have definitive solutions. Any and all help would be greatly appreciated.

      Also note that since this issue seems to be related to the interaction of an MDB with JAAS, I wasn't sure whether to post this in the JMS forum or here. I'll start here......

      Anyways, I'm in the process of migrating a J2EE app from JBoss 3.2.4 to JBoss 4.0.4GA. My app is a run of the mill web app which has some Message Driven Beans for firing off reports. Most of the JBoss config files that I used in 3.2.4 worked just fine unchanged when I moved them over to 4.0.4GA....with one notable exception: my MDBs and their interaction with their Queues.

      So I have the following JMS queues defined in jboss-mq-destinations.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      <!-- $Id: jbossmq-destinations-service.xml,v 1.4.6.1 2004/11/16 04:32:39 ejort Exp $ -->
      <server>
       <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=reportFailureQueue">
       <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
       <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
       <attribute name="JNDIName">jms/reportFailureQueue</attribute>
       <attribute name="RedeliveryLimit">5</attribute>
       <attribute name="RedeliveryDelay">10000</attribute>
       <attribute name="SecurityConf">
       <security>
       <role name="guest" read="true" write="true"/>
       </security>
       </attribute>
       </mbean>
       <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=reportRunnerQueue">
       <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
       <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
       <attribute name="JNDIName">jms/reportRunnerQueue</attribute>
       <attribute name="RedeliveryLimit">0</attribute>
       <attribute name="SecurityConf">
       <security>
       <role name="guest" read="true" write="true"/>
       </security>
       </attribute>
       </mbean>
       <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=correctionToolQueue">
       <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
       <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
       <attribute name="JNDIName">jms/correctionToolQueue</attribute>
       <attribute name="RedeliveryLimit">0</attribute>
       <attribute name="SecurityConf">
       <security>
       <role name="guest" read="true" write="true"/>
       </security>
       </attribute>
       </mbean>
      </server>
      


      I have the following configuration in login-config.xml:

      <?xml version='1.0'?>
      <!DOCTYPE policy PUBLIC
       "-//JBoss//DTD JBOSS Security Config 3.0//EN"
       "http://www.jboss.org/j2ee/dtd/security_config.dtd">
      
      <policy>
       <!-- Used by clients within the application server VM such as
       mbeans and servlets that access EJBs.
       -->
       <application-policy name = "client-login">
       <authentication>
       <login-module code = "org.jboss.security.ClientLoginModule"
       flag = "required">
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- Security domain for JBossMQ -->
       <application-policy name = "jbossmq">
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
       flag = "required">
       <module-option name = "unauthenticatedIdentity">guest</module-option>
       <module-option name = "dsJndiName">java:/jdbc/OPSConsoleDataSource</module-option>
       <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
       <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <application-policy name = "JmsXARealm">
       <authentication>
       <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
       flag = "required">
       <module-option name = "principal">guest</module-option>
       <module-option name = "userName">guest</module-option>
       <module-option name = "password">guest</module-option>
       <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- A template configuration for the jmx-console web application. This
       defaults to the UsersRolesLoginModule the same as other and should be
       changed to a stronger authentication mechanism as required.
       -->
       <application-policy name = "jmx-console">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="usersProperties">jmx-console-users.properties</module-option>
       <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
       <module-option name="hashAlgorithm">sha-256</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- A template configuration for the web-console web application. This
       defaults to the UsersRolesLoginModule the same as other and should be
       changed to a stronger authentication mechanism as required.
       -->
       <application-policy name = "web-console">
       <authentication>
       <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required">
       <module-option name="usersProperties">jmx-console-users.properties</module-option>
       <module-option name="rolesProperties">jmx-console-roles.properties</module-option>
       <module-option name="hashAlgorithm">sha-256</module-option>
       </login-module>
       </authentication>
       </application-policy>
      
       <!-- The default login configuration used by any security domain that
       does not have a application-policy entry with a matching name
       -->
       <application-policy name = "other">
       <!-- A simple server login module, which can be used when the number
       of users is relatively small. It uses two properties files:
       users.properties, which holds users (key) and their password (value).
       roles.properties, which holds users (key) and a comma-separated list of
       their roles (value).
       The unauthenticatedIdentity property defines the name of the principal
       that will be used when a null username and password are presented as is
       the case for an unuathenticated web client or MDB. If you want to
       allow such users to be authenticated add the property, e.g.,
       unauthenticatedIdentity="nobody"
       -->
       <authentication>
       <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
       flag = "required" />
       </authentication>
       </application-policy>
      
      </policy>
      


      I'm using Oracle for JMS persistence (i.e. oracle-jdbc2-service.xml and oracle-jdbc-state-service.xml) and have removed the Hypersonic DefaultDS.

      An example MDB configuration for one of the MDBs fronting the Queue above:

      ejb-jar.xml:
      
      <?xml version="1.0"?>
      <!DOCTYPE ejb-jar PUBLIC "-//Sun Microsystems, Inc.//DTD Enterprise JavaBeans 2.0//EN" "http://java.sun.com/dtd/ejb-jar_2_0.dtd">
      <ejb-jar>
       <enterprise-beans>
       <message-driven>
       <ejb-name>CorrectionToolMessageBean</ejb-name>
       <ejb-class>CorrectionToolMessageBean</ejb-class>
       <transaction-type>Container</transaction-type>
       <message-driven-destination>
       <destination-type>javax.jms.Queue</destination-type>
       </message-driven-destination>
       <ejb-ref>
       <ejb-ref-name>ejb/AccountingManagerHome</ejb-ref-name>
       <ejb-ref-type>Session</ejb-ref-type>
       <home>AccountingManagerHome</home>
       <remote>AccountingManager</remote>
       </ejb-ref>
       <security-identity>
       <run-as>
       <role-name>guest</role-name>
       </run-as>
       </security-identity>
       </message-driven>
       </enterprise-beans>
       <assembly-descriptor>
       <security-role>
       <role-name>guest</role-name>
       </security-role>
       <container-transaction>
       <method>
       <ejb-name>CorrectionToolMessageBean</ejb-name>
       <method-name>*</method-name>
       </method>
       <trans-attribute>Required</trans-attribute>
       </container-transaction>
       </assembly-descriptor>
      </ejb-jar>
      
      jboss.xml:
      
      <?xml version="1.0"?>
      
      <!DOCTYPE jboss PUBLIC "-//JBoss//DTD JBOSS 4.0//EN" "http://www.jboss.org/j2ee/dtd/jboss_4_0.dtd">
      
      <jboss>
      
       <enterprise-beans>
       <message-driven>
       <ejb-name>CorrectionToolMessageBean</ejb-name>
       <destination-jndi-name>jms/correctionToolQueue</destination-jndi-name>
       <mdb-user>guest</mdb-user>
       <mdb-passwd>guest</mdb-passwd>
       <mdb-client-id>guest</mdb-client-id>
       <configuration-name>Singleton Message Driven Bean</configuration-name>
       <ejb-ref>
       <ejb-ref-name>ejb/AccountingManagerHome</ejb-ref-name>
       <jndi-name>ejb/AccountingManagerHome</jndi-name>
       </ejb-ref>
       <security-identity>
       <run-as-principal>guest</run-as-principal>
       </security-identity>
       </message-driven>
       </enterprise-beans>
      </jboss>
      
      


      Now, when the application is deployed, I'm getting the following exception:

      16:12:20,841 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleDataSource' to JNDI name 'java:jdbc/OPSConsoleDataSource'
      16:12:20,857 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleXADataSource' to JNDI name 'java:jdbc/OPSConsoleXADataSource'
      16:12:22,107 INFO [reportFailureQueue] Bound to JNDI name: jms/reportFailureQueue
      16:12:22,122 INFO [reportRunnerQueue] Bound to JNDI name: jms/reportRunnerQueue
      16:12:22,122 INFO [correctionToolQueue] Bound to JNDI name: jms/correctionToolQueue
      16:12:22,185 INFO [UILServerILService] JBossMQ UIL service available at : /0.0.0.0:8093
      16:12:22,247 INFO [DLQ] Bound to JNDI name: queue/DLQ
      16:12:22,247 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=DataSourceBinding,name=jdbc/OPSConsoleReportingDataSource' to JNDI name 'java:jdbc/OPSConsoleReportingDataSource'
      16:12:22,450 INFO [ConnectionFactoryBindingService] Bound ConnectionManager 'jboss.jca:service=ConnectionFactoryBinding,name=JmsXA' to JNDI name 'java:JmsXA'
      16:12:22,544 INFO [TomcatDeployer] deploy, ctxPath=/jmx-console, warUrl=.../deploy/jmx-console.war/
      
      16:12:22,904 INFO [EARDeployer] Init J2EE application: file:/E:/work/LTY-P000039-UPGRD/build/config
      /opsconsole/server/opsconsole/deploy/OpsConsole.ear
      16:12:26,513 INFO [EjbModule] Deploying AccountingManagerEJB
      16:12:26,778 INFO [EjbModule] Deploying BackofficeConsoleManagerEJB
      16:12:26,903 INFO [EjbModule] Deploying CorrectionToolMessageBean
      16:12:27,060 INFO [EjbModule] Deploying FeedsManagerEJB
      16:12:27,169 INFO [EjbModule] Deploying ReportFailureMessageBean
      16:12:27,310 INFO [EjbModule] Deploying ReportManagerEJB
      16:12:27,435 INFO [EjbModule] Deploying ReportRunnerEJB
      16:12:27,544 INFO [EjbModule] Deploying ReportRunnerMessageBean
      16:12:27,700 INFO [BaseLocalProxyFactory] Bound EJB LocalHome 'AccountingManagerEJB' to jndi 'ejb/AccountingManagerHome'
      16:12:27,700 INFO [EJBDeployer] Deployed: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/tmp/deploy/tmp22960OpsConsole.ear-contents/AccountingManagerEJB.jar
      16:12:27,794 INFO [BaseLocalProxyFactory] Bound EJB LocalHome 'BackofficeConsoleManagerEJB' to jndi 'ejb/BackofficeConsoleManagerHome'
      16:12:27,794 INFO [EJBDeployer] Deployed: file:/E:/work/LTY-P000039-UPGRD/build/config/opsconsole/server/opsconsole/tmp/deploy/tmp22960OpsConsole.ear-contents/BackofficeConsoleManagerEJB.jar
      16:12:27,981 WARN [JMSContainerInvoker] JMS provider failure detected for CorrectionToolMessageBean
      
       javax.jms.JMSSecurityException: User: guest is NOT authenticated
       at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:230)
       at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.ja
       va:66)
       at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:750)
       at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:302)
       at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:316)
       at org.jboss.mq.Connection.authenticate(Connection.java:1065)
       at org.jboss.mq.Connection.<init>(Connection.java:252)
       at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:79)
       at org.jboss.mq.SpyXAConnection.<init>(SpyXAConnection.java:59)
       at org.jboss.mq.SpyXAConnectionFactory.createXAConnection(SpyXAConnectionFactory.java:109)
       at org.jboss.mq.SpyXAConnectionFactory.createXAQueueConnection(SpyXAConnectionFactory.java:1
       30)
       at org.jboss.jms.ConnectionFactoryHelper.createQueueConnection(ConnectionFactoryHelper.java:
       147)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerStartDelivery(JMSContainerInvoker.java
       :732)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:839)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
      
       at sun.reflect.GeneratedMethodAccessor3.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
      
      


      Why is the "guest" user not authenticated? I should note that when I remove the security configuration from the EJB deployment descriptors (i.e. <security-identity>, <security-role>, <mdb-user|passwd|client-id>, etc), I get a different error:

      12:26:37,624 WARN [JMSContainerInvoker] JMS provider failure detected for CorrectionToolMessageBean
      
      org.jboss.deployment.DeploymentException: Error during queue setup; - nested throwable: (javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: correctionToolQueue)
      


      I'm sure this will boil down to some missing line in a config file somewhere, but I'm stumped. The same exact config above, minus the security configuration in the MDB deployment descriptors, worked just fine in 3.2.4.

      Thanks in advance for any help!!