4 Replies Latest reply on Jul 8, 2005 2:21 AM by jaikiran pai

    Invoking a session bean from Message Driven Bean

    jaikiran pai Master

      Hi,
      I am facing a problem regarding, invoking a session bean from a MDB. I have a MDB in which i am looking up a session bean and invoking method on it. Till some days back, everything was working fine. I was able to invoke the method. But all of a sudden a few days ago, i am getting a SecurityException while invoking the bean which states that principal = null.

      After exploring on the same, i found out that the MDB does not have the identity of the caller. So it will not be able to lookup any bean. I tried using the <run-as> attribute in the deployment descriptor, but even this did not work.

      I am really surprised, that till some days back without doing anything special in the deployment descriptors or code, i was able to invoke the session bean. But now it's giving me the following error:


      12:45:14,386 ERROR [LogInterceptor] EJBException, causedBy:
      java.lang.SecurityException: Authentication exception, principal=null
      at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:164)
      at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:81)
      at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:120)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invokeHome(ProxyFactoryFinderInterceptor.java:93)
      at org.jboss.ejb.StatelessSessionContainer.internalInvokeHome(StatelessSessionContainer.java:319)
      at org.jboss.ejb.Container.invoke(Container.java:720)
      at org.jboss.ejb.plugins.local.BaseLocalProxyFactory.invokeHome(BaseLocalProxyFactory.java:293)
      at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110)
      at $Proxy41.create(Unknown Source)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at com.teradata.tap.system.util.ServiceLocator.getLocalBean(ServiceLocator.java:282)
      at com.teradata.crm.processingengine.util.ProcessingEngineExecutionManager.lockProcessingEngine(ProcessingEngineExecutionManager.java:182)
      at com.teradata.crm.processingengine.util.ProcessingEngineExecutionManager.execute(ProcessingEngineExecutionManager.java:94)
      at com.teradata.crm.processingengine.ejb.ProcessingExecutionStarterMDBean.onMessage(ProcessingExecutionStarterMDBean.java:106)
      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
      at java.lang.reflect.Method.invoke(Method.java:324)
      at org.jboss.ejb.MessageDrivenContainer$ContainerInterceptor.invoke(MessageDrivenContainer.java:460)
      at org.jboss.resource.connectionmanager.CachedConnectionInterceptor.invoke(CachedConnectionInterceptor.java:185)
      at org.jboss.ejb.plugins.AbstractTxInterceptor.invokeNext(AbstractTxInterceptor.java:84)
      at org.jboss.ejb.plugins.AbstractTxInterceptorBMT.invokeNext(AbstractTxInterceptorBMT.java:144)
      at org.jboss.ejb.plugins.MessageDrivenTxInterceptorBMT.invoke(MessageDrivenTxInterceptorBMT.java:32)
      at org.jboss.ejb.plugins.MessageDrivenInstanceInterceptor.invoke(MessageDrivenInstanceInterceptor.java:62)
      at org.jboss.ejb.plugins.RunAsSecurityInterceptor.invoke(RunAsSecurityInterceptor.java:90)
      at org.jboss.ejb.plugins.LogInterceptor.invoke(LogInterceptor.java:191)
      at org.jboss.ejb.plugins.ProxyFactoryFinderInterceptor.invoke(ProxyFactoryFinderInterceptor.java:122)
      at org.jboss.ejb.MessageDrivenContainer.internalInvoke(MessageDrivenContainer.java:374)
      at org.jboss.ejb.Container.invoke(Container.java:700)
      at org.jboss.ejb.plugins.jms.JMSContainerInvoker.invoke(JMSContainerInvoker.java:824)
      at org.jboss.ejb.plugins.jms.JMSContainerInvoker$MessageListenerImpl.onMessage(JMSContainerInvoker.java:1114)
      at org.jboss.jms.asf.StdServerSession.onMessage(StdServerSession.java:256)
      at org.jboss.mq.SpyMessageConsumer.sessionConsumerProcessMessage(SpyMessageConsumer.java:633)
      at org.jboss.mq.SpyMessageConsumer.addMessage(SpyMessageConsumer.java:433)
      at org.jboss.mq.SpySession.run(SpySession.java:298)
      at org.jboss.jms.asf.StdServerSession.run(StdServerSession.java:180)
      at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:727)
      at java.lang.Thread.run(Thread.java:534)


      Does anyone know what might be the reason for the same. And also, does this mean that i can never invoke a session bean from a MDB(i have seen examples where people have done it, even my code was working fine so far)

      Thank you

        • 1. Re: Invoking a session bean from Message Driven Bean
          Kamal Chandana Newbie

          For sure you can invoke a session bean from a MDB, I have experience in that.

          Kamal

          • 2. Re: Invoking a session bean from Message Driven Bean
            jaikiran pai Master

            Thanks Kamal, for the reply. While invoking the session bean from MDB, had you done any special configuration settings in the xml files(like run-as in ejb-jar.xml or changes to login-config.xml file)?

            Even i was able to access the session beans from MDB(WITHOUT any changes to login-config.xml or specifying run-as in ejb-jar.xml). But since a few days back i am facing this problem.

            After going through some threads on this forum, i found some tips like changing the login-config.xml and ejb-jar.xml. My ORIGINAL login-config.xml was as below:

            <?xml version='1.0'?>
            <!DOCTYPE policy PUBLIC
             "-//JBoss//DTD JBOSS Security Config 3.0//EN"
             "http://www.jboss.org/j2ee/dtd/security_config.dtd">
            
            <!-- The XML based JAAS login configuration read by the
            org.jboss.security.auth.login.XMLLoginConfig mbean. Add
            an application-policy element for each security domain.
            
            The outline of the application-policy is:
            <application-policy name="security-domain-name">
             <authentication>
             <login-module code="login.module1.class.name" flag="control_flag">
             <module-option name = "option1-name">option1-value</module-option>
             <module-option name = "option2-name">option2-value</module-option>
             ...
             </login-module>
            
             <login-module code="login.module2.class.name" flag="control_flag">
             ...
             </login-module>
             ...
             </authentication>
            </application-policy>
            
            $Revision: 1.6.2.2 $
            -->
            
            <policy>
             <!-- Used by clients within the application server VM such as
             mbeans and servlets that access EJBs.
             -->
             <application-policy name = "client-login">
             <authentication>
             <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             </login-module>
             </authentication>
             </application-policy>
            
             <!-- Security domain for JBossMQ -->
             <application-policy name = "jbossmq">
             <authentication>
             <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <!-- Security domains for testing new jca framework -->
             <application-policy name = "HsqlDbRealm">
             <authentication>
             <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sa</module-option>
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <application-policy name = "FirebirdDBRealm">
             <authentication>
             <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sysdba</module-option>
             <module-option name = "userName">sysdba</module-option>
             <module-option name = "password">masterkey</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <application-policy name = "JmsXARealm">
             <authentication>
             <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">guest</module-option>
             <module-option name = "userName">guest</module-option>
             <module-option name = "password">guest</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <!-- A template configuration for the jmx-console web application. This
             defaults to the UsersRolesLoginModule the same as other and should be
             changed to a stronger authentication mechanism as required.
             -->
             <application-policy name = "jmx-console">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             </authentication>
             </application-policy>
            
             <!-- A template configuration for the web-console web application. This
             defaults to the UsersRolesLoginModule the same as other and should be
             changed to a stronger authentication mechanism as required.
             -->
             <application-policy name = "web-console">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             </authentication>
             </application-policy>
            
             <!-- The default login configuration used by any security domain that
             does not have a application-policy entry with a matching name
             -->
             <application-policy name = "other">
             <!-- A simple server login module, which can be used when the number
             of users is relatively small. It uses two properties files:
             users.properties, which holds users (key) and their password (value).
             roles.properties, which holds users (key) and a comma-separated list of
             their roles (value).
             The unauthenticatedIdentity property defines the name of the principal
             that will be used when a null username and password are presented as is
             the case for an unuathenticated web client or MDB. If you want to
             allow such users to be authenticated add the property, e.g.,
             unauthenticatedIdentity="nobody"
             -->
             <authentication>
             <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             </authentication>
             </application-policy>
            
            </policy>


            Later i changed it to(Have highlited the change in Bold):


            <?xml version='1.0'?>
            <!DOCTYPE policy PUBLIC
             "-//JBoss//DTD JBOSS Security Config 3.0//EN"
             "http://www.jboss.org/j2ee/dtd/security_config.dtd">
            
            <!-- The XML based JAAS login configuration read by the
            org.jboss.security.auth.login.XMLLoginConfig mbean. Add
            an application-policy element for each security domain.
            
            The outline of the application-policy is:
            <application-policy name="security-domain-name">
             <authentication>
             <login-module code="login.module1.class.name" flag="control_flag">
             <module-option name = "option1-name">option1-value</module-option>
             <module-option name = "option2-name">option2-value</module-option>
             ...
             </login-module>
            
             <login-module code="login.module2.class.name" flag="control_flag">
             ...
             </login-module>
             ...
             </authentication>
            </application-policy>
            
            $Revision: 1.6.2.2 $
            -->
            
            <policy>
             <!-- Used by clients within the application server VM such as
             mbeans and servlets that access EJBs.
             -->
             <application-policy name = "client-login">
             <authentication>
             <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             </login-module>
             </authentication>
             </application-policy>
            
             <!-- Security domain for JBossMQ -->
             <application-policy name = "jbossmq">
             <authentication>
             <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <!-- Security domains for testing new jca framework -->
             <application-policy name = "HsqlDbRealm">
             <authentication>
             <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sa</module-option>
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <application-policy name = "FirebirdDBRealm">
             <authentication>
             <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sysdba</module-option>
             <module-option name = "userName">sysdba</module-option>
             <module-option name = "password">masterkey</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=XaTxCM,name=FirebirdDS</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <application-policy name = "JmsXARealm">
             <authentication>
             <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">guest</module-option>
             <module-option name = "userName">guest</module-option>
             <module-option name = "password">guest</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
             </login-module>
             </authentication>
             </application-policy>
            
             <!-- A template configuration for the jmx-console web application. This
             defaults to the UsersRolesLoginModule the same as other and should be
             changed to a stronger authentication mechanism as required.
             -->
             <application-policy name = "jmx-console">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             </authentication>
             </application-policy>
            
             <!-- A template configuration for the web-console web application. This
             defaults to the UsersRolesLoginModule the same as other and should be
             changed to a stronger authentication mechanism as required.
             -->
             <application-policy name = "web-console">
             <authentication>
             <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
             </authentication>
             </application-policy>
            
             <!-- The default login configuration used by any security domain that
             does not have a application-policy entry with a matching name
             -->
             <application-policy name = "other">
             <!-- A simple server login module, which can be used when the number
             of users is relatively small. It uses two properties files:
             users.properties, which holds users (key) and their password (value).
             roles.properties, which holds users (key) and a comma-separated list of
             their roles (value).
             The unauthenticatedIdentity property defines the name of the principal
             that will be used when a null username and password are presented as is
             the case for an unuathenticated web client or MDB. If you want to
             allow such users to be authenticated add the property, e.g.,
             unauthenticatedIdentity="nobody"
             -->
             <authentication>
             <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" >
             <module-option name = "unauthenticatedIdentity">guest</module-option> </login-module>
             </authentication>
             </application-policy>
            
            </policy>



            After doing this and adding the run-as entry in ejb-jar.xml, i WAS able to invoke the session bean from the MDB. But, i still dont understand, why was i able to invoke the bean, earlier without these settings.

            I also found a small comment in the login-config.xml file(in BOLD):

             <!-- The default login configuration used by any security domain that
             does not have a application-policy entry with a matching name
             --> <application-policy name = "other">
             <!-- A simple server login module, which can be used when the number
             of users is relatively small. It uses two properties files:
             users.properties, which holds users (key) and their password (value).
             roles.properties, which holds users (key) and a comma-separated list of
             their roles (value).
             The unauthenticatedIdentity property defines the name of the principal
             that will be used when a null username and password are presented as is
             the case for an unuathenticated web client or MDB. If you want to
             allow such users to be authenticated add the property, e.g.,
             unauthenticatedIdentity="nobody"
             -->
             <authentication>
             <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" >
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             </login-module>
             </authentication>
             </application-policy>


            Does this indicate that there is some mismatch in the security-domain being used for the MDBs and the application policies defined in login-config.xml, because of which the "other" login configuration is being used, instead of the "jbossmq" login configuration(Please see that "jbossmq" login configuration has <module-option name = "unauthenticatedIdentity">guest</module-option> set by DEFAULT, because of which may be i was able to invoke the bean earlier).

            If yes, how might this mismatch have occured.

            Please let me know, if anyone has any answers.

            Thank you.

            • 3. Re: Invoking a session bean from Message Driven Bean
              Kamal Chandana Newbie

              jaikiran,

              Can you change the tag as below and check whether it works?


              <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required" />
              <module-option name = "unauthenticatedIdentity">nobody</module-option>


              The value "guest" may not be identified by the UsersRolesLoginModule.


              Kamal Chandana



              • 4. Re: Invoking a session bean from Message Driven Bean
                jaikiran pai Master

                Hi Kamal,

                It works even if i specify
                <module-option name = "unauthenticatedIdentity">guest</module-option>


                Problem arises when i remove entire <module-option ......>
                tag itself.

                -Jaikiran