cmain
JBoss JMS Security Pain!
I am sending a message to a jboss server using the following code.
private static final String CONNECTION_FACTORY = "UIL2ConnectionFactory";
Context ctx = new InitialContext();
Object o = ctx.lookup(CONNECTION_FACTORY);
QueueConnectionFactory factory =
    (QueueConnectionFactory)ctx.lookup(CONNECTION_FACTORY);
Queue destination = (Queue)ctx.lookup(queueName);
QueueConnection connection = factory.createQueueConnection();
QueueSession session = connection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
QueueSender sender = session.createSender(destination);
ObjectMessage message = session.createObjectMessage(msg);
sender.send(message);
sender.close();
session.close();
connection.close();
My JNDI configuration is as follows.
java.naming.factory.initial=org.jnp.interfaces.NamingContextFactory
java.naming.provider.url=europa:1099
java.naming.factory.url.pkgs=org.jboss.naming:org.jnp.interfaces
This code only works (The message arrives in jboss) if it runs on the local host.
If I execute the same code on a remote machine, pointing to jboss, I get no error, but the message is not delivered.
I tried using "ConnectionFactory" instead of UIL2ConnectionFactory, and got a security exception on one of the remote machines.
I suspect that this is a security issue.
If that is the problem, how do I open up the message bean to the whole planet?
I need to send the message from a remote machine.
It seems that the JNDI configuration is not read on your local machine. Try to use the InitialContext(Hashtable) constructor instead and put your values into a Hashtable and pass it in.
ASKER
You are both incorrect.
I nevertheless tried putting the JNDI properties into the code, with the same result.
The second comment from rama merely explains how to reference beans inside the container. I have already stated that I am trying to connect to the machine from another host. The references are therefore useless to me. I have pasted the full source code below.
Since I do get an exception with the normal connection factory, I suspect that this is all a security issue.
On one of the machines I get the following, no exception message, nothing.
C:\Workflow-Service\svr>java -cp phoenix-util.jar;jbossall-client.jar za.co.palantir.workflow.WorkflowPacket
Properties...
Factory...
Queue...
Session...
Create Object Message...
Sent...
On one of the others I get the following when I use ConnectionFactory instead of UIL2ConnectionFactory.
No Exception message, no message arrives on the queue.
Properties...
Factory...
Queue...
Cannot authenticate user; - nested throwable: (java.net.ConnectException: Connection refused: connect)
org.jboss.mq.SpyJMSException: Cannot authenticate user; - nested throwable: (java.net.ConnectException: Connection refused: connect)
at org.jboss.mq.Connection.authenticate(Connection.java:883)
at org.jboss.mq.Connection.<init>(Connection.java:238)
at org.jboss.mq.Connection.<init>(Connection.java:315)
at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:60)
at org.jboss.mq.SpyConnectionFactory.createQueueConnection(SpyConnectionFactory.java:116)
at za.co.palantir.workflow.WorkflowPacket.send(WorkflowPacket.java:112)
at za.co.palantir.workflow.WorkflowPacket.main(WorkflowPacket.java:75)
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at javax.net.DefaultSocketFactory.createSocket(Unknown Source)
at org.jboss.mq.il.oil.OILServerIL.createConnection(OILServerIL.java:563)
at org.jboss.mq.il.oil.OILServerIL.checkConnection(OILServerIL.java:507)
at org.jboss.mq.il.oil.OILServerIL.authenticate(OILServerIL.java:289)
at org.jboss.mq.Connection.authenticate(Connection.java:876)
... 6 more
public static void send(WorkflowPacket msg, String queueName)
        throws JMSException,
        NamingException {
    // Test code
    System.out.println("Properties...");
    java.util.Hashtable env = new java.util.Hashtable();
    env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
    env.put(Context.PROVIDER_URL, "europa:1099");
    env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
    Context ctx = new InitialContext(env);
    //Context ctx = new InitialContext();
    System.out.println("Factory...");
    Object o = ctx.lookup(CONNECTION_FACTORY);
    QueueConnectionFactory factory =
        (QueueConnectionFactory)ctx.lookup(CONNECTION_FACTORY);
    System.out.println("Queue...");
    Queue destination = (Queue)ctx.lookup(queueName);
    QueueConnection connection = factory.createQueueConnection();
    QueueSession session = connection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
    System.out.println("Session...");
    QueueSender sender = session.createSender(destination);
    ObjectMessage message = session.createObjectMessage(msg);
    System.out.println("Create Object Message...");
    sender.send(message);
    System.out.println("Sent...");
    sender.close();
    session.close();
    connection.close();
}
Which JBoss version is that?
How are the users configured?
Does the exception happen on all machines, or only on one machine, and everything works fine on the other machines?
If it is only on one machine, is it always the same machine, no matter which machine runs first?
ASKER
The jboss version is 3.2.2.
There are no users configured, nor do I really want any configured. I want to open the security. I need to test it before I try and add all the security.
And the other questions?
ASKER
Hi,
Further to this, I have discovered that another application was using port 1099 on the source machine.
I have removed this, and now am getting a different error. The machine, even though I can ping it, is not responding.
C:\Workflow-Service\svr>java -cp phoenix-util.jar;jbossall-client.jar;. za.co.palantir.workflow.WorkflowPacket
Properties...
Factory...
Receive timed out
javax.naming.CommunicationException: Receive timed out [Root exception is java.net.SocketTimeoutException: Receive timed out]
at org.jnp.interfaces.NamingContext.discoverServer(NamingContext.java:1115)
at org.jnp.interfaces.NamingContext.checkRef(NamingContext.java:1192)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:514)
at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:507)
at javax.naming.InitialContext.lookup(Unknown Source)
at za.co.palantir.workflow.WorkflowPacket.send(WorkflowPacket.java:105)
I am using the following configuration.
I have tried with ConnectionFactory and UIL2ConnectionFactory
System.out.println("Properties...");
java.util.Hashtable env = new java.util.Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, "org.jnp.interfaces.NamingContextFactory");
env.put(Context.PROVIDER_URL, "10.100.16.123:1099");
env.put("java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces");
Context ctx = new InitialContext(env);
//Context ctx = new InitialContext();
System.out.println("Factory...");
Object o = ctx.lookup(CONNECTION_FACTORY);
QueueConnectionFactory factory =
    (QueueConnectionFactory)ctx.lookup(CONNECTION_FACTORY);
ASKER
I have managed to get it to connect now, but specifying the IP Address.
I now get authentication errors.
Cannot authenticate user; - nested throwable: (java.net.ConnectException: Connection refused: connect)
org.jboss.mq.SpyJMSException: Cannot authenticate user; - nested throwable: (java.net.ConnectException: Connection refused: connect)
at org.jboss.mq.Connection.authenticate(Connection.java:883)
at org.jboss.mq.Connection.<init>(Connection.java:238)
at org.jboss.mq.Connection.<init>(Connection.java:315)
at org.jboss.mq.SpyConnection.<init>(SpyConnection.java:60)
at org.jboss.mq.SpyConnectionFactory.createQueueConnection(SpyConnectionFactory.java:116)
at za.co.palantir.workflow.WorkflowPacket.send(WorkflowPacket.java:111)
at za.co.palantir.workflow.WorkflowPacket.main(WorkflowPacket.java:75)
Caused by: java.net.ConnectException: Connection refused: connect
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.PlainSocketImpl.doConnect(Unknown Source)
at java.net.PlainSocketImpl.connectToAddress(Unknown Source)
at java.net.PlainSocketImpl.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.connect(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at java.net.Socket.<init>(Unknown Source)
at javax.net.DefaultSocketFactory.createSocket(Unknown Source)
at org.jboss.mq.il.uil2.UILServerIL.createConnection(UILServerIL.java:579)
at org.jboss.mq.il.uil2.UILServerIL.getSocketMgr(UILServerIL.java:500)
at org.jboss.mq.il.uil2.UILServerIL.authenticate(UILServerIL.java:302)
at org.jboss.mq.Connection.authenticate(Connection.java:876)
... 6 more
C:\Workflow-Service\svr>
So you got back to the original problem? And again, it is on a specific machine?
ASKER
No, not at all.
I am back to the original problem.
My very first assertion was that it was a security problem.
I get the same error from the machines, they cannot authenticate.
If someone has an answer to my original question - How do I open up the queue to everyone so that it will work? I will close the question.
Regards
Craig.
I found this on the subject http://forum.capescience.com/showflat.php?Cat=&Board=webservices&Number=745&page=9&view=collapsed&sb=5&o=&fpart=1
Furthermore, do you have the following definition in the queue definition in the config file?
<role name="noacc" read="true" write="true" create="false"/>
Please post your topic/queue definition code. Find it in jbossmq-destinations-service.xml
ASKER
<mbean code="org.jboss.mq.server.jmx.Queue"
    name="jboss.mq.destination:service=Queue,name=WorkflowMessageEJB">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="true"/>
      <role name="noacc" read="true" write="true" create="true"/>
    </security>
  </attribute>
</mbean>
I have tried it with and without the security information.
Do I have to log in somehow?
I am using a vanilla downloaded jboss 3.2.2 (we have to use 3.2.2 - political reasons).
Maybe there is a bug or something.
What does jms listen on?
ASKER
Hi All,
I have solved the problem for myself.
As it turns out, the bindings on JBoss are screwed up. It really is a mickey mouse application server with buggered documentation.
You need to edit uil2-service.xml, and change the binding address from ${jboss.bind.address} to your IP address. The default binding 0.0.0.0 does not work.
It has nothing to do with authentication. JBoss does not bind to all the interfaces using 0.0.0.0 as it should, and its error handling is so substandard that it reports network connection errors as authentication errors, or just defaults to the local machine when it cannot connect to the specified remote machine. Quite ridiculous, and a very annoying wild goose chase. At least I learned something about the security.
Regards
Craig.
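The symptom described in this post, a socket-level failure surfacing as "Cannot authenticate user", can be triaged by walking the exception's cause chain before touching any security configuration. The following is an added example, not code from the thread or from JBoss; the class name JmsFailureTriage, its methods and the sample exceptions are hypothetical and constructed for illustration, and it uses only the JDK.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetSocketAddress;
import java.net.NoRouteToHostException;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;

// Hypothetical helper (not part of JBoss): separates transport failures from real auth failures.
public class JmsFailureTriage {

    /** Returns the first network-level exception in the cause chain, or null if there is none. */
    static Throwable findNetworkCause(Throwable t) {
        // Bounded walk so a self-referencing cause chain cannot loop forever.
        for (int depth = 0; t != null && depth < 32; depth++) {
            if (t instanceof ConnectException
                    || t instanceof NoRouteToHostException
                    || t instanceof UnknownHostException
                    || t instanceof SocketTimeoutException) {
                return t;
            }
            t = t.getCause();
        }
        return null;
    }

    /** Labels a failure as NETWORK when any nested cause is a socket-level error. */
    static String classify(Throwable t) {
        Throwable net = findNetworkCause(t);
        if (net != null) {
            return "NETWORK (" + net.getClass().getName() + ": " + net.getMessage() + ")";
        }
        return "NOT-NETWORK (inspect credentials and the queue's SecurityConf roles)";
    }

    /** Plain TCP reachability check with a timeout; true only if the port accepts a connection. */
    static boolean portAccepts(String host, int port, int timeoutMs) {
        try (Socket s = new Socket()) {
            s.connect(new InetSocketAddress(host, port), timeoutMs);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the shape of the trace in the thread.
        Exception sample = new Exception("Cannot authenticate user",
                new ConnectException("Connection refused: connect"));
        System.out.println(classify(sample));
        // Constructed sample with no socket-level cause.
        System.out.println(classify(new SecurityException("constructed: bad credentials")));
        // Optional live probe: java JmsFailureTriage <host> <port>
        if (args.length == 2) {
            int port = Integer.parseInt(args[1]);
            System.out.println(args[0] + ":" + port + " accepts TCP: "
                    + portAccepts(args[0], port, 3000));
        }
    }
}
```

Run the probe from the client host against both the JNDI port (1099 in this thread) and the port configured in uil2-service.xml; a refused connection on the latter points at the bind address rather than at roles or users.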
You should ask for a refund of your points in Community Support since you solved the problem yourself.