5 Replies Latest reply on Jul 11, 2007 11:26 AM by Adrian Brock

    Connection not authorized to addMessages to destination

    teo doro Newbie


      I have configured a durable topic and I have deployed my simple MDB.

      my Oracle'jms_tables contains:

      JMS_SUBSCRIPTIONS:

      CLIENTID SUBNAME TOPIC SELECTOR
      -------------------------------------------------------------------------
      ID:1 myTopic myTopic

      JMS_USERS:


      USERID PASSWD CLIENTID
      dynsub dynsub
      nobody nobody
      john needle DurableSubscriberExample
      j2ee j2ee
      guest guest



      When I try to publish a text message:
      ......
      TopicConnectionFactory tcf = (TopicConnectionFactory)tmp;
      conn = tcf.createTopicConnection("john","needle");
      topic = (Topic)jndiContext.lookup("topic/myTopic");
      session = conn.createTopicSession(false,
      TopicSession.AUTO_ACKNOWLEDGE);
      conn.start();
      TopicPublisher send = session.createPublisher(topic);
      TextMessage tm = session.createTextMessage("test message!");
      send.publish(tm);
      send.close();


      I receive the following exception:

      javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: myTopic
      at org.jboss.mq.security.ServerSecurityInterceptor.addMessage(ServerSecurityInterceptor.java:167)
      at org.jboss.mq.server.TracingInterceptor.addMessage(TracingInterceptor.java:226)
      at org.jboss.mq.server.JMSServerInvoker.addMessage(JMSServerInvoker.java:112)
      at org.jboss.mq.il.uil2.ServerSocketManagerHandler.handleMsg(ServerSocketManagerHandler.java:111)
      at org.jboss.mq.il.uil2.SocketManager$ReadTask.handleMsg(SocketManager.java:395)
      at org.jboss.mq.il.uil2.msgs.BaseMsg.run(BaseMsg.java:398)
      at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:748)
      at java.lang.Thread.run(Thread.java:595)
      Process exited with exit code 0.


      Please help me.
      teo


        • 1. Re: Connection not authorized to addMessages to destination
          Adrian Brock Master

          Your question is unanswerable, since you don't show the security configuration for the
          destination or JMS_ROLES.

          i.e. one of the roles "john" is in needs to have "write" access to the myTopic.

          • 2. Re: Connection not authorized to addMessages to destination
            teo doro Newbie

            Hi, Thanks Adrian for your reply.
            The following is my configuration's files:


            ----- jbossmq-destinations-service.xml: -----

            <mbean code="org.jboss.mq.server.jmx.Topic"
             name="jboss.mq.destination:service=Topic,name=myTopic">
             <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
             <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
             <attribute name="SecurityConf">
             <security>
             <role name="durpublisher" read="true" write="true" create="true"/>
             </security>
             </attribute>
             </mbean>
            
            -----------------------------------------------------------------------------
            
            
            
             ----- jbossmq-service.xml: -----
            
             <?xml version="1.0" encoding="UTF-8"?>
            
            <!-- $Id: jbossmq-service.xml 38187 2005-11-16 23:55:44Z adrian $ -->
            
            <server>
            
             <!-- ==================================================================== -->
             <!-- JBossMQ -->
             <!-- ==================================================================== -->
            
            
             <!-- ==================================================================== -->
             <!-- JBossMQ Interceptor chain configuration -->
             <!-- ==================================================================== -->
             <!-- To tune performance, you can have the Invoker skip over the TracingInterceptor -->
             <!-- and/or the SecurityManager, but then you loose the ability to trace and/or enforce security. -->
             <mbean code="org.jboss.mq.server.jmx.Invoker" name="jboss.mq:service=Invoker">
             <depends optional-attribute-name="NextInterceptor">jboss.mq:service=TracingInterceptor</depends>
             <depends>jboss:service=Naming</depends>
             </mbean>
            
             <mbean code="org.jboss.mq.server.jmx.InterceptorLoader" name="jboss.mq:service=TracingInterceptor">
             <attribute name="InterceptorClass">org.jboss.mq.server.TracingInterceptor</attribute>
             <depends optional-attribute-name="NextInterceptor">jboss.mq:service=SecurityManager</depends>
             </mbean>
            
             <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
             <attribute name="DefaultSecurityConfig">
             <security>
             <role name="durpublisher" read="true" write="true" create="true"/>
             </security>
             </attribute>
             <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
             <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
             </mbean>
            
             <!--
             | The ClientMonitorInterceptor disconnects clients that have been idle for to long.
             | This interceptor is not enabled by default since the server might disconnect clients
             | when the it is under high load.
             -->
             <!--
             <mbean code="org.jboss.mq.server.jmx.ClientMonitorInterceptor" name="jboss.mq:service=ClientMonitorInterceptor">
             <attribute name="ClientTimeout">80000</attribute>
             <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
             </mbean>
             -->
            
             <!-- A Thread pool service -->
             <mbean code="org.jboss.util.threadpool.BasicThreadPool"
             name="jboss.mq:service=ThreadPool">
             <attribute name="Name">JMSThread</attribute>
             <attribute name="ThreadGroupName">JBossMQ Server Threads</attribute>
             <!-- The max number of threads in the pool -->
             <attribute name="MaximumPoolSize">10</attribute>
             <!-- The max number of tasks before the queue is full -->
             <attribute name="MaximumQueueSize">1000</attribute>
             <!-- The behavior of the pool when a task is added and the queue is full.
             abort - a RuntimeException is thrown
             run - the calling thread executes the task
             wait - the calling thread blocks until the queue has room
             discard - the task is silently discarded without being run
             discardOldest - check to see if a task is about to complete and enque
             the new task if possible, else run the task in the calling thread
             -->
             <attribute name="BlockingMode">run</attribute>
             </mbean>
            
             <!-- ==================================================================== -->
             <!-- System Destinations -->
             <!-- ==================================================================== -->
            
             <!-- Dead Letter Queue -->
             <mbean code="org.jboss.mq.server.jmx.Queue"
             name="jboss.mq.destination:service=Queue,name=DLQ">
             <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
             <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
             </mbean>
            
            
             <StateManager>
             <Users>
             <User>
             <Name>john</Name>
             <Password>needle</Password>
             <Id>DurableSubscriberExample</Id>
             </User>
             </Users>
             <DurableSubscriptions>
             <DurableSubscription>
             <ClientID>DurableSubscriberExample</ClientID>
             <Name>test</Name>
             <TopicName>myTopic</TopicName>
             </DurableSubscription>
             </DurableSubscriptions>
            </StateManager>
            
            </server>
            -------------------------------------------------------------------------
            TABLES:
            
             JMS_ROLES:
             ROLEID USERID
            -------------------------------- ---------
            durpublisher dynsub
            publisher dynsub
            guest guest
            j2ee guest
            john guest
            durpublisher john
            publisher john
            subscriber john
            noacc nobody
            
            
            JMS_USERS :
            
            
            USERID PASSWD CLIENTID
            ----------------- ---------------------
            dynsub dynsub
            nobody nobody
            john needle DurableSubscriberExample
            j2ee j2ee
            guest guest
            



            Now the error is changed, when I'm try to deploy my MDB I receive this error:

            22:49:40,975 INFO [EjbModule] Deploying MessageDrivenEJB
            22:49:41,223 WARN [JMSContainerInvoker] JMS provider failure detected for MessageDrivenEJB
            org.jboss.deployment.DeploymentException: Error during topic setup; - nested throwable: (javax.jms.JMSSecurityException: Connection not authorized to do durable subscription on topic: myTopic)
            at org.jboss.deployment.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:53)
            at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerStartDelivery(JMSContainerInvoker.java:720)
            at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:839)
            at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:289)
            at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:245)
            at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
            at java.lang.reflect.Method.invoke(Method.java:585)


            But If I use <role name="guest" read="true" write="true" create="true"/> I do it without errors!
            


            This is my ejb-jar.xml:

            <message-driven>
            Message Driven Bean
            <display-name>MessageDrivenEJB</display-name>
            <ejb-name>MessageDrivenEJB</ejb-name>
            <ejb-class>it.java.lab.mdb.MessageDrivenEJBBean</ejb-class>
            <messaging-type>javax.jms.MessageListener</messaging-type>
            <transaction-type>Container</transaction-type>
            <message-destination-type>javax.jms.Topic</message-destination-type>
            <activation-config>
            <activation-config-property>
            <activation-config-property-name>destinationType</activation-config-property-name>
            <activation-config-property-value>javax.jms.Topic</activation-config-property-value>
            </activation-config-property>
            <activation-config-property>
            <activation-config-property-name>subscriptionDurability</activation-config-property-name>
            <activation-config-property-value>Durable</activation-config-property-value>
            </activation-config-property>
            <activation-config-property>
            <activation-config-property-name>subscriptionName</activation-config-property-name>
            <activation-config-property-value>myTopic</activation-config-property-value>
            </activation-config-property>
            <activation-config-property>
            <activation-config-property-name>destination</activation-config-property-name>
            <activation-config-property-value>topic/myTopic</activation-config-property-value>
            </activation-config-property>
            </activation-config>
            </message-driven>

            Please let me know if you need any others details to help me!
            Thanks in advance
            Teo









            • 3. Re: Connection not authorized to addMessages to destination
              Adrian Brock Master

              Do you have any intention of reading the documentation to understand how this works?

              Let me "not" explain it by asking you some questions?

              Which roles is the MDB running under?
              Is it the roles of the default user since you don't specify a user/password (unauthenticated)?
              What is the unauthenticated user?
              Is it 'guest"?
              What roles does "guest" have?
              Does any of those roles have "create" authority on the topic?

              • 4. Re: Connection not authorized to addMessages to destination
                teo doro Newbie

                Hi Adrian,
                yes, I'm reading the documentation, ..probably I'm asking because I don't understand what says the documentation about JBossMQ's configuration. (I'm a newbie so I'm learning..)
                I have written every parts of my configuration's file only to explain with more
                details which was my trouble.
                So I'm very very sorry if It's a problem inside this forum.
                Anyway thanks a lot for your suggestions.
                I'll try to read documentation with more attention, I hope that will be more kind than you.

                bye


                • 5. Re: Connection not authorized to addMessages to destination
                  Adrian Brock Master

                   

                  "teodoro21" wrote:
                  Hi Adrian,
                  yes, I'm reading the documentation, ..probably I'm asking because I don't understand what says the documentation about JBossMQ's configuration. (I'm a newbie so I'm learning..)


                  Then quid pro quo. Tell me which parts you are having difficulty understanding
                  so I can update it to make it easier to understand


                  I have written every parts of my configuration's file only to explain with more
                  details which was my trouble.
                  So I'm very very sorry if It's a problem inside this forum.


                  The problem is that originally you posted irrelevant information
                  and later you posted *ALL* information with "It works but I don't know why?"
                  or more probably "Is this correct, because I can't be bothered thinking about it"? :-)


                  Anyway thanks a lot for your suggestions.


                  My real suggestion would be to research security (it is an important area).
                  authentication/authorization using users, roles and authorities is a very common
                  and simple pattern to grok.


                  I'll try to read documentation with more attention, I hope that will be more kind than you.


                  If you really want to be treated with "kid gloves" then post in the newbies forum,
                  or at least make some attempt to show you've tried to understand.
                  e.g. "I've read this {link here}, but I don't know what it means by ..."