5 Replies Latest reply on Mar 11, 2005 4:38 PM by Adrian Brock

    JMS Authentication and JAAS

    Brian Wallis Master

      Is there any relationship between the authentication I have to use for JMS (TopicConnection.createTopicConnection(user,pass)) and the authentication I use to access my beans (LoginContext.login()), or do we have two separate security domains, each of which has to be set up and managed differently?

      I have a client application that needs to use some EJBs to configure a notification server and then listen on a JMS topic for events that are then generated based on the configuration. As far as I can see, the client has to authenticate twice, once for the EJB access using JAAS and again to set up the topic connection.

      Have I missed something or is this how it is meant to work?

      thanks,
      brian wallis...

        • 1. Re: JMS Authentication and JAAS
          Scott Stark Master

          Configure the jms security domain to use the org.jboss.resource.security.CallerIdentityLoginModule to use the ejb credentials.

          • 2. Re: JMS Authentication and JAAS
            Brian Wallis Master

            Thanks for the reply. But I think my initial question might have been a little misleading.

            It is the client side that is accessing the beans AND connecting to the JMS topic, I have something like the following in the client app:

            lc = new LoginContext("jbossmq",handler);
            lc.login();
            // ...
            TopicConnectionFactory cf = ...;
            TopicConnection tc = cf.createTopicConnection();

            If I don't put the username/password into the createTopicConnection() call then the JMS connection fails.

            My loginconfig for the client is:

            jbossmq {
                org.jboss.security.ClientLoginModule required;
            };

            and my server login-config.xml contains (as suggested):

            <application-policy name="jbossmq">
              <authentication>
                <login-module
                    code="org.jboss.resource.security.CallerIdentityLoginModule"
                    flag="required">
                  <module-option name="userName">guest</module-option>
                  <module-option name="password">guest</module-option>
                </login-module>
              </authentication>
            </application-policy>

            In stepping through the client and server side code I cannot see how the info captured by the ClientLoginModule is used for the JMS connection. Obviously the SecurityAssociation principal and credential (set up by the ClientLoginModule) are not being propagated to the server. For a bean invocation from a client, the proxy SecurityInterceptor does this but what does this for a JMS connection?

                • 3. Re: JMS Authentication and JAAS
                  Brian Wallis Master

                  Still cannot get this to work. Currently my client application is logging in twice, once using JAAS for the ejb access and once when creating the topic connection.

                  I cannot work out how to unify the security for JMS and EJBs when using both from an external client.

                  thanks,
                  brian wallis...

                  • 4. Re: JMS Authentication and JAAS
                    grungy Newbie

                    I have this exact same problem.

                    Rich client authenticating via JAAS ClientLoginModule to JBoss EJB server. This works fine. However, the same JAAS authentication is ignored when opening a connection to a JMS topic or queue, and I have to manually supply the username and password in the call to open the connection (meaning I am doing this twice).

                    Does anyone have a solution to the man's problem?

                    • 5. Re: JMS Authentication and JAAS
                      Adrian Brock Master

                      Client JMS does not use JAAS.
                      It is a TODO in the spec for a future version.

                      The JMS Resource Adapter deployed within JBoss will use JAAS
                      because it is wrapped with a JCA connection manager that understands it.

                      The only portable solution is to write your own JMS wrapper that understands JAAS
                      and redirects createXXXConnection() to createXXXConnection(jaasUser, jaasCredential)
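
A sketch of the wrapper described in the last reply, added here as an example; it is not code from any poster or from JBoss. The class name JaasTopicConnectionFactory is hypothetical, and it assumes the JMS 1.1 API and that ClientLoginModule has stored the principal and a password credential in org.jboss.security.SecurityAssociation, as reply 2 describes:

```java
import java.security.Principal;
import javax.jms.Connection;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.TopicConnection;
import javax.jms.TopicConnectionFactory;
import org.jboss.security.SecurityAssociation;

/** Hypothetical wrapper: reuses the identity captured by ClientLoginModule for JMS. */
public class JaasTopicConnectionFactory implements TopicConnectionFactory {
    private final TopicConnectionFactory delegate;

    public JaasTopicConnectionFactory(TopicConnectionFactory delegate) {
        this.delegate = delegate;
    }

    // No-argument calls are redirected to the (user, password) overloads.
    public TopicConnection createTopicConnection() throws JMSException {
        return delegate.createTopicConnection(jaasUser(), jaasPassword());
    }

    public Connection createConnection() throws JMSException {
        return delegate.createConnection(jaasUser(), jaasPassword());
    }

    // Explicitly supplied credentials pass straight through to the real factory.
    public TopicConnection createTopicConnection(String user, String password) throws JMSException {
        return delegate.createTopicConnection(user, password);
    }

    public Connection createConnection(String user, String password) throws JMSException {
        return delegate.createConnection(user, password);
    }

    private static String jaasUser() throws JMSException {
        Principal p = SecurityAssociation.getPrincipal();
        if (p == null) {
            // Fail closed instead of silently connecting with no identity.
            throw new JMSSecurityException("No JAAS login: call LoginContext.login() first");
        }
        return p.getName();
    }

    private static String jaasPassword() throws JMSException {
        Object c = SecurityAssociation.getCredential();
        if (c instanceof char[]) return new String((char[]) c);
        if (c instanceof String) return (String) c;
        throw new JMSSecurityException("JAAS credential is not a password; cannot pass it to JMS");
    }
}
```

The client wraps the factory it looked up from JNDI once, after lc.login(), and then calls createTopicConnection() with no arguments, so the password is entered in one place only.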