2 Replies Latest reply on Mar 30, 2005 8:45 AM by Marco Schulze

    javax.jms.JMSSecurityException

    Marco Schulze Newbie

      Hello *,

      I've a message driven bean subscribed to a queue. The queue is created with the following xxx-service.xml:

      <?xml version="1.0" encoding="UTF-8"?>
      
      <server>
        <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=MyMQSecurityManager">
          <attribute name="DefaultSecurityConfig">
            <security>
              <role name="_LocalQueueWriter_" read="false" write="true"/>
              <role name="_LocalQueueReader_" read="true" write="false"/>
            </security>
          </attribute>
          <attribute name="SecurityDomain">java:/jaas/ipanemaLocal</attribute>
          <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
        </mbean>

        <mbean code="org.jboss.mq.server.jmx.Queue"
               name="jboss.mq.destination:service=Queue,name=my/Queue">
          <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
          <depends optional-attribute-name="SecurityManager">jboss.mq:service=MyMQSecurityManager</depends>
          <attribute name="SecurityManager">jboss.mq:service=MyMQSecurityManager</attribute>
          <attribute name="RedeliveryDelay">10000</attribute>
          <attribute name="RedeliveryLimit">3</attribute>
        </mbean>
      </server>


      The MDB has security domain, user and password defined in the jboss.xml (excerpt):
      ...
      <container-configuration>
        <container-name>Standard Message Driven Bean</container-name>
        <role-mapping-manager>java:/jaas/session-roles</role-mapping-manager>
        <security-domain>java:/jaas/ipanemaLocal</security-domain>
      </container-configuration>
      ...
      <message-driven>
        <ejb-name>my/mdb/MyListener</ejb-name>
        <destination-jndi-name>queue/my/Queue</destination-jndi-name>
        <mdb-user>_LocalQueueReader_</mdb-user>
        <mdb-passwd>test</mdb-passwd>
      </message-driven>
      ...
      


      It all works fine if I allow "guest" to read and don't define a user for the MDB, but with the above configuration, the authentication fails. What is really strange is that it doesn't even trigger the login method of my custom LoginModule (which works fine when writing into the queue). Here's an excerpt of my JBoss server log:
      18:23:12,561 INFO [JMSContainerInvoker] Reconnected to JMS provider
      18:23:12,562 WARN [JMSContainerInvoker] JMS provider failure detected:
      javax.jms.JMSSecurityException: User: _LocalQueueReader_ is NOT authenticated
       at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:215)
       at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:51)
       at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:781)
       at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:287)
       at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:301)
       at org.jboss.mq.Connection.authenticate(Connection.java:1160)
       at org.jboss.mq.Connection.<init>(Connection.java:255)
       at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:55)
       at org.jboss.mq.SpyXAConnection.<init>(SpyXAConnection.java:52)
       at org.jboss.mq.SpyXAConnectionFactory.createXAConnection(SpyXAConnectionFactory.java:98)
       at org.jboss.mq.SpyXAConnectionFactory.createXAQueueConnection(SpyXAConnectionFactory.java:119)
       at org.jboss.jms.ConnectionFactoryHelper.createQueueConnection(ConnectionFactoryHelper.java:67)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerCreate(JMSContainerInvoker.java:690)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:764)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker$ExceptionListenerImpl.onException(JMSContainerInvoker.java:1267)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker$1.run(JMSContainerInvoker.java:776)

      What am I doing wrong? Any ideas?

      Because my login module is not triggered, I assume that I have to define the security domain in a different way than I do for my session beans. But if so, how?

      Thanks a lot for your help in advance!

      Marco ;-)

        • 1. Re: javax.jms.JMSSecurityException
          Raja Master

          If you look at the logs, it's throwing an exception when it's trying to create the QueueConnection. Looking up SecurityMetadata.java says there are three permissions - read, write and create. You have not specified create access for _LocalQueueReader_. That might be the problem. And the default value for create is false, so it doesn't let you create a Topic.

          PS: I think this belongs to the JMS forum but anyway.... ;-)

          • 2. Re: javax.jms.JMSSecurityException
            Marco Schulze Newbie

            Hello Raja,

            thanks a lot for your help!

            "raja05" wrote:
            You have not specified create access for _LocalQueueReader_. That might be the problem.
            I've added 'create="true"', but unfortunately it had no effect.

            BTW: I had 'create="false"' in the "guest" role, before, and this worked if I don't use authentication in the MDB. Additionally the log message tells me that the user is not authenticated - it doesn't say anything about authorization/permissions. IMHO authorization happens after authentication and hence, my login module should be asked. Right?

            ...any other idea? I still wonder whether the problem might come from the security domain. Is my configuration in jboss.xml correct with which I set the security domain for "Standard Message Driven Bean"?

            "raja05" wrote:
            PS: I think this belongs to the JMS forum but anyway.... ;-)
            Unfortunately, people there didn't react at all first (to a previous posting) and after re-asking told me I should read the documentation (which I did already before). So I thought, I might be luckier here in the beginner's forum and in fact I was right :-) Seems, the people in the JMS forum are too busy actually programming at JBoss 5 and don't like to answer questions from confused users...

            Best regards, Marco :-)