1 Reply Latest reply on Mar 11, 2005 4:31 PM by Adrian Brock

    Connection not authorized to addMessages to destination: DLQ

    David Trahan Newbie

      I need to secure access to all JMS queues and topics, so I configured this in jbossmq-service.xml:

      <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
        <attribute name="DefaultSecurityConfig">
          <security>
            <role name="myrole" read="true" write="true" create="true"/>
          </security>
        </attribute>
        <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
        <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
      </mbean>


      Authentication is redirected to my database in login-config.xml:

      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
        <module-option name="dsJndiName">java:/My_ds</module-option>
        <module-option name="principalsQuery">SELECT PASSWD FROM JMSUSERS WHERE USERNAME=?</module-option>
        <module-option name="rolesQuery">SELECT USERROLES, 'Roles' FROM JMSUSERROLES WHERE USERNAME=?</module-option>
      </login-module>
      


      I have dlquser and dlqpassword set in standardjboss.xml:

      <invoker-proxy-binding>
        <name>message-driven-bean</name>
        <invoker-mbean>default</invoker-mbean>
        <proxy-factory>org.jboss.ejb.plugins.jms.JMSContainerInvoker</proxy-factory>
        <proxy-factory-config>
          <JMSProviderAdapterJNDI>DefaultJMSProvider</JMSProviderAdapterJNDI>
          <ServerSessionPoolFactoryJNDI>StdJMSPool</ServerSessionPoolFactoryJNDI>
          <!-- WARN: Don't set this to zero until a bug in the pooled executor is fixed -->
          <MinimumSize>1</MinimumSize>
          <MaximumSize>15</MaximumSize>
          <KeepAliveMillis>30000</KeepAliveMillis>
          <MaxMessages>1</MaxMessages>
          <MDBConfig>
            <ReconnectIntervalSec>10</ReconnectIntervalSec>
            <DLQConfig>
              <DestinationQueue>queue/DLQ</DestinationQueue>
              <MaxTimesRedelivered>10</MaxTimesRedelivered>
              <TimeToLive>0</TimeToLive>
              <DLQUser>dave</DLQUser>
              <DLQPassword>dave</DLQPassword>
            </DLQConfig>
          </MDBConfig>
        </proxy-factory-config>
      </invoker-proxy-binding>


      However, when a message is sent to the DLQ, I get the error:
      Connection not authorized to addMessages to destination: DLQ
      (see stacktrace at end)

      To make sure the dlquser/dlqpassword were being recognized, I audited the JMSUSERS and JMSUSERROLES tables. JMS is definitely performing the lookup and is passing in the value for dlquser. If I use a bad password, then I get an "authorization failed" message, so it appears to be successfully validating the dlquser/dlqpassword.

      I know that the dlquser (dave) is in the required role (myrole) because other createQueueConnection(user,password) commands work fine.

      Is the DLQ looking for a different role or something?

      Any other clues? Thanks a million!

      Here's the full stacktrace:
      11:17:45,184 WARN [DLQHandler] Message resent too many times; sending it to DLQ; message id=ID:3-11099527557391
      11:17:45,184 ERROR [DLQHandler] Could not send message to Dead Letter Queue
      javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: DLQ
      at org.jboss.mq.security.ServerSecurityInterceptor.addMessage(ServerSecurityInterceptor.java:152)
      at org.jboss.mq.server.TracingInterceptor.addMessage(TracingInterceptor.java:270)
      at org.jboss.mq.server.JMSServerInvoker.addMessage(JMSServerInvoker.java:136)
      at org.jboss.mq.il.jvm.JVMServerIL.addMessage(JVMServerIL.java:136)
      at org.jboss.mq.Connection.sendToServer(Connection.java:1020)
      at org.jboss.mq.SpySession.sendMessage(SpySession.java:1005)
      at org.jboss.mq.SpyMessageProducer.send(SpyMessageProducer.java:265)
      at org.jboss.mq.SpyMessageProducer.send(SpyMessageProducer.java:212)
      at org.jboss.ejb.plugins.jms.DLQHandler.sendMessage(DLQHandler.java:299)
      at org.jboss.ejb.plugins.jms.DLQHandler.handleRedeliveredMessage(DLQHandler.java:241)
      at org.jboss.ejb.plugins.jms.JMSContainerInvoker$MessageListenerImpl.onMessage(JMSContainerInvoker.java:1239)
      at org.jboss.jms.asf.StdServerSession.onMessage(StdServerSession.java:256)
      at org.jboss.mq.SpyMessageConsumer.sessionConsumerProcessMessage(SpyMessageConsumer.java:904)
      at org.jboss.mq.SpyMessageConsumer.addMessage(SpyMessageConsumer.java:159)
      at org.jboss.mq.SpySession.run(SpySession.java:351)
      at org.jboss.jms.asf.StdServerSession.run(StdServerSession.java:180)
      at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:748)
      at java.lang.Thread.run(Thread.java:534)