cmain
asked on
JBoss JMS Security Pain!
I am sending a message to a jboss server using the following code.
private static final String CONNECTION_FACTORY = "UIL2ConnectionFactory";
Context ctx = new InitialContext();
Object o = ctx.lookup(CONNECTION_FACT
QueueConnectionFactory factory =
(QueueConnectionFactory)ct
Queue destination = (Queue)ctx.lookup(queueNam
QueueConnection connection = factory.createQueueConnect
QueueSession session = connection.createQueueSess
QueueSender sender = session.createSender(desti
ObjectMessage message = session.createObjectMessag
sender.send(message);
sender.close();
session.close();
connection.close();
My JNDI configuration is as follows.
java.naming.factory.initia
java.naming.provider.url=e
java.naming.factory.url.pk
This code only works (The message arrives in jboss) if it runs on the local host.
If I execute the same code on a remote machine, pointing to jboss, I get no error, but the message is not delivered.
I tried using "ConnectionFactory" instead of UIL2ConnectionFactory, and got a security exception on one of the remote machines.
I suspect that this is a security issue.
If that is the problem, how do I open up the message bean to the whole planet?
I need to send the message from a remote machine.
private static final String CONNECTION_FACTORY = "UIL2ConnectionFactory";
Context ctx = new InitialContext();
Object o = ctx.lookup(CONNECTION_FACT
QueueConnectionFactory factory =
(QueueConnectionFactory)ct
Queue destination = (Queue)ctx.lookup(queueNam
QueueConnection connection = factory.createQueueConnect
QueueSession session = connection.createQueueSess
QueueSender sender = session.createSender(desti
ObjectMessage message = session.createObjectMessag
sender.send(message);
sender.close();
session.close();
connection.close();
My JNDI configuration is as follows.
java.naming.factory.initia
java.naming.provider.url=e
java.naming.factory.url.pk
This code only works (The message arrives in jboss) if it runs on the local host.
If I execute the same code on a remote machine, pointing to jboss, I get no error, but the message is not delivered.
I tried using "ConnectionFactory" instead of UIL2ConnectionFactory, and got a security exception on one of the remote machines.
I suspect that this is a security issue.
If that is the problem, how do I open up the message bean to the whole planet?
I need to send the message from a remote machine.
Tommy Braas
It seems that the JNDI configuration is not read on your local machine. Try to use the InitialContext(Hashtable) constructor instead and put your values into a Hashtable and pass it in
ASKER
You are both incorrect.
I nevertheless tried putting the JNDI properties into the code, with the same result.
The second comment from rama merely explains how to reference beans inside the container. I have already stated that I am trying to connect to the machine from another host. The references are therefore useless to me. I have pasted the full source code below.
Since I do get an exception with the normal connection factory, I suspect that this is all a security issue.
On one of the machines I get the following, no exception message, nothing.
C:\Workflow-Service\svr>ja
ntir.workflow.WorkflowPack
Properties...
Factory...
Queue...
Session...
Create Object Message...
Sent...
On one of the others I get the following when I use ConnectionFactory instead of UIL2ConnectionFactory.
No Exception message, no message arrives on the queue.
Properties...
Factory...
Queue...
Cannot authenticate user; - nested throwable: (java.net.ConnectException
org.jboss.mq.SpyJMSExcepti
ed: connect)
at org.jboss.mq.Connection.au
at org.jboss.mq.Connection.<i
at org.jboss.mq.Connection.<i
at org.jboss.mq.SpyConnection
at org.jboss.mq.SpyConnection
at za.co.palantir.workflow.Wo
at za.co.palantir.workflow.Wo
Caused by: java.net.ConnectException:
at java.net.PlainSocketImpl.s
at java.net.PlainSocketImpl.d
at java.net.PlainSocketImpl.c
at java.net.PlainSocketImpl.c
at java.net.Socket.connect(Un
at java.net.Socket.connect(Un
at java.net.Socket.<init>(Unk
at java.net.Socket.<init>(Unk
at javax.net.DefaultSocketFac
at org.jboss.mq.il.oil.OILSer
at org.jboss.mq.il.oil.OILSer
at org.jboss.mq.il.oil.OILSer
at org.jboss.mq.Connection.au
... 6 more
public static void send(WorkflowPacket msg, String queueName)
throws JMSException,
NamingException {
// Test code
System.out.println("Proper
java.util.Hashtable env = new java.util.Hashtable();
env.put(Context.INITIAL_CO
env.put(Context.PROVIDER_U
env.put("java.naming.facto
Context ctx = new InitialContext(env);
//Context ctx = new InitialContext();
System.out.println("Factor
Object o = ctx.lookup(CONNECTION_FACT
QueueConnectionFactory factory =
(QueueConnectionFactory)ct
System.out.println("Queue.
Queue destination = (Queue)ctx.lookup(queueNam
QueueConnection connection = factory.createQueueConnect
QueueSession session = connection.createQueueSess
System.out.println("Sessio
QueueSender sender = session.createSender(desti
ObjectMessage message = session.createObjectMessag
System.out.println("Create
sender.send(message);
System.out.println("Sent..
sender.close();
session.close();
connection.close();
}
I nevertheless tried putting the JNDI properties into the code, with the same result.
The second comment from rama merely explains how to reference beans inside the container. I have already stated that I am trying to connect to the machine from another host. The references are therefore useless to me. I have pasted the full source code below.
Since I do get an exception with the normal connection factory, I suspect that this is all a security issue.
On one of the machines I get the following, no exception message, nothing.
C:\Workflow-Service\svr>ja
ntir.workflow.WorkflowPack
Properties...
Factory...
Queue...
Session...
Create Object Message...
Sent...
On one of the others I get the following when I use ConnectionFactory instead of UIL2ConnectionFactory.
No Exception message, no message arrives on the queue.
Properties...
Factory...
Queue...
Cannot authenticate user; - nested throwable: (java.net.ConnectException
org.jboss.mq.SpyJMSExcepti
ed: connect)
at org.jboss.mq.Connection.au
at org.jboss.mq.Connection.<i
at org.jboss.mq.Connection.<i
at org.jboss.mq.SpyConnection
at org.jboss.mq.SpyConnection
at za.co.palantir.workflow.Wo
at za.co.palantir.workflow.Wo
Caused by: java.net.ConnectException:
at java.net.PlainSocketImpl.s
at java.net.PlainSocketImpl.d
at java.net.PlainSocketImpl.c
at java.net.PlainSocketImpl.c
at java.net.Socket.connect(Un
at java.net.Socket.connect(Un
at java.net.Socket.<init>(Unk
at java.net.Socket.<init>(Unk
at javax.net.DefaultSocketFac
at org.jboss.mq.il.oil.OILSer
at org.jboss.mq.il.oil.OILSer
at org.jboss.mq.il.oil.OILSer
at org.jboss.mq.Connection.au
... 6 more
public static void send(WorkflowPacket msg, String queueName)
throws JMSException,
NamingException {
// Test code
System.out.println("Proper
java.util.Hashtable env = new java.util.Hashtable();
env.put(Context.INITIAL_CO
env.put(Context.PROVIDER_U
env.put("java.naming.facto
Context ctx = new InitialContext(env);
//Context ctx = new InitialContext();
System.out.println("Factor
Object o = ctx.lookup(CONNECTION_FACT
QueueConnectionFactory factory =
(QueueConnectionFactory)ct
System.out.println("Queue.
Queue destination = (Queue)ctx.lookup(queueNam
QueueConnection connection = factory.createQueueConnect
QueueSession session = connection.createQueueSess
System.out.println("Sessio
QueueSender sender = session.createSender(desti
ObjectMessage message = session.createObjectMessag
System.out.println("Create
sender.send(message);
System.out.println("Sent..
sender.close();
session.close();
connection.close();
}
Which JBoss version is that?
How is the users configured?
Does the exception happens on all machines, or only on one machine, and everything works fine on the other machines?
If it is only on one machine, is it always the same machine, no matter the order which machines runs first?
How is the users configured?
Does the exception happens on all machines, or only on one machine, and everything works fine on the other machines?
If it is only on one machine, is it always the same machine, no matter the order which machines runs first?
ASKER
The jboss version is 3.2.2.
There are no users configured, nor do i really want any configured. I want to open the security. I need to test it before I try and add all the security.
There are no users configured, nor do i really want any configured. I want to open the security. I need to test it before I try and add all the security.
And the other questions?
ASKER
Hi,
Further to this, I have discovered that another application was using port 1099 on the source machine.
I have removed this, and now am getting a different error. The machine, even though I can ping it, is not responding.
C:\Workflow-Service\svr>ja
lantir.workflow.WorkflowPa
Properties...
Factory...
Receive timed out
javax.naming.Communication
et.SocketTimeoutException:
at org.jnp.interfaces.NamingC
15)
at org.jnp.interfaces.NamingC
at org.jnp.interfaces.NamingC
at org.jnp.interfaces.NamingC
at javax.naming.InitialContex
at za.co.palantir.workflow.Wo
I am using the following confiugration.
I have tried with ConnectionFactory and UIL2ConnectionFactory
System.out.println("Proper
java.util.Hashtable env = new java.util.Hashtable();
env.put(Context.INITIAL_CO
env.put(Context.PROVIDER_U
env.put("java.naming.facto
Context ctx = new InitialContext(env);
//Context ctx = new InitialContext();
System.out.println("Factor
Object o = ctx.lookup(CONNECTION_FACT
QueueConnectionFactory factory =
(QueueConnectionFactory)ct
Further to this, I have discovered that another application was using port 1099 on the source machine.
I have removed this, and now am getting a different error. The machine, even though I can ping it, is not responding.
C:\Workflow-Service\svr>ja
lantir.workflow.WorkflowPa
Properties...
Factory...
Receive timed out
javax.naming.Communication
et.SocketTimeoutException:
at org.jnp.interfaces.NamingC
15)
at org.jnp.interfaces.NamingC
at org.jnp.interfaces.NamingC
at org.jnp.interfaces.NamingC
at javax.naming.InitialContex
at za.co.palantir.workflow.Wo
I am using the following confiugration.
I have tried with ConnectionFactory and UIL2ConnectionFactory
System.out.println("Proper
java.util.Hashtable env = new java.util.Hashtable();
env.put(Context.INITIAL_CO
env.put(Context.PROVIDER_U
env.put("java.naming.facto
Context ctx = new InitialContext(env);
//Context ctx = new InitialContext();
System.out.println("Factor
Object o = ctx.lookup(CONNECTION_FACT
QueueConnectionFactory factory =
(QueueConnectionFactory)ct
ASKER
I have managed to get it to connect now, but specifiying the IP Address.
I now get authentication errors.
Cannot authenticate user; - nested throwable: (java.net.ConnectException
tion refused: connect)
org.jboss.mq.SpyJMSExcepti
a.net.ConnectException: Connection refused: connect)
at org.jboss.mq.Connection.au
at org.jboss.mq.Connection.<i
at org.jboss.mq.Connection.<i
at org.jboss.mq.SpyConnection
at org.jboss.mq.SpyConnection
Factory.java:116)
at za.co.palantir.workflow.Wo
at za.co.palantir.workflow.Wo
Caused by: java.net.ConnectException:
at java.net.PlainSocketImpl.s
at java.net.PlainSocketImpl.d
at java.net.PlainSocketImpl.c
at java.net.PlainSocketImpl.c
at java.net.Socket.connect(Un
at java.net.Socket.connect(Un
at java.net.Socket.<init>(Unk
at java.net.Socket.<init>(Unk
at javax.net.DefaultSocketFac
at org.jboss.mq.il.uil2.UILSe
9)
at org.jboss.mq.il.uil2.UILSe
at org.jboss.mq.il.uil2.UILSe
at org.jboss.mq.Connection.au
... 6 more
C:\Workflow-Service\svr>
I now get authentication errors.
Cannot authenticate user; - nested throwable: (java.net.ConnectException
tion refused: connect)
org.jboss.mq.SpyJMSExcepti
a.net.ConnectException: Connection refused: connect)
at org.jboss.mq.Connection.au
at org.jboss.mq.Connection.<i
at org.jboss.mq.Connection.<i
at org.jboss.mq.SpyConnection
at org.jboss.mq.SpyConnection
Factory.java:116)
at za.co.palantir.workflow.Wo
at za.co.palantir.workflow.Wo
Caused by: java.net.ConnectException:
at java.net.PlainSocketImpl.s
at java.net.PlainSocketImpl.d
at java.net.PlainSocketImpl.c
at java.net.PlainSocketImpl.c
at java.net.Socket.connect(Un
at java.net.Socket.connect(Un
at java.net.Socket.<init>(Unk
at java.net.Socket.<init>(Unk
at javax.net.DefaultSocketFac
at org.jboss.mq.il.uil2.UILSe
9)
at org.jboss.mq.il.uil2.UILSe
at org.jboss.mq.il.uil2.UILSe
at org.jboss.mq.Connection.au
... 6 more
C:\Workflow-Service\svr>
So you got back to the original problem? And again, it is on a specific machine?
ASKER
No, not at all.
I am back to the original problem.
My very first assertion was that it was a security problem.
I get the same error from the machines, they cannot authenticate.
If someone has an answer to my orignal question - How do I open up the queue to everyone so that it will work? I will close the question.
Regards
Craig.
I am back to the original problem.
My very first assertion was that it was a security problem.
I get the same error from the machines, they cannot authenticate.
If someone has an answer to my orignal question - How do I open up the queue to everyone so that it will work? I will close the question.
Regards
Craig.
I found this on the subject http://forum.capescience.com/showflat.php?Cat=&Board=webservices&Number=745&page=9&view=collapsed&sb=5&o=&fpart=1
Furthermore, do you nhave the following derfinition in the queue definition in the config file?
<role name="noacc" read="true" write="true" create="false"/>
Furthermore, do you nhave the following derfinition in the queue definition in the config file?
<role name="noacc" read="true" write="true" create="false"/>
Please post your topic/queue definition code. Find it in jbossmq-destinations-servi
ASKER
<mbean code="org.jboss.mq.server.
name="jboss.mq.destination
<depends optional-attribute-name="D
<attribute name="SecurityConf">
<security>
<role name="guest" read="true" write="true"/>
<role name="publisher" read="true" write="true" create="true"/>
<role name="noacc" read="true" write="true" create="true"/>
</security>
</mbean>
I have tried it with and without the security information.
Do I have to log in somehow?
I am using a vanilla downloaded jboss 3.2.2 (we have to use 3.2.2 - political reasons).
Maybe there is a bug or something.
What does jms listen on?
name="jboss.mq.destination
<depends optional-attribute-name="D
<attribute name="SecurityConf">
<security>
<role name="guest" read="true" write="true"/>
<role name="publisher" read="true" write="true" create="true"/>
<role name="noacc" read="true" write="true" create="true"/>
</security>
</mbean>
I have tried it with and without the security information.
Do I have to log in somehow?
I am using a vanilla downloaded jboss 3.2.2 (we have to use 3.2.2 - political reasons).
Maybe there is a bug or something.
What does jms listen on?
ASKER
Hi All,
I have solved the problem for myself.
As it turns out, the bindings on JBoss are screwed up. It really is a mickey mouse application server with buggered documentation.
You need to edit uil2-service.xml, and change the binding address from ${jboss.bind.address} to your IP address. The default binding 0.0.0.0 does not work.
It has nothing to do with authentication. Jboss does not bind to all the interfaces using 0.0.0.0 as it should, and its error handling is so sub standard that it reports network connection errors as authentication errors, or just defaults to the local machine when it cannot connect to the specified remote machine. Quite rediculous, and very annying wild goose chase. At least I learned something about the security.
Regards
Craig.
I have solved the problem for myself.
As it turns out, the bindings on JBoss are screwed up. It really is a mickey mouse application server with buggered documentation.
You need to edit uil2-service.xml, and change the binding address from ${jboss.bind.address} to your IP address. The default binding 0.0.0.0 does not work.
It has nothing to do with authentication. Jboss does not bind to all the interfaces using 0.0.0.0 as it should, and its error handling is so sub standard that it reports network connection errors as authentication errors, or just defaults to the local machine when it cannot connect to the specified remote machine. Quite rediculous, and very annying wild goose chase. At least I learned something about the security.
Regards
Craig.
You should ask for a refund if your points in Community Support since you solved the problem yourself.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.