10 Replies Latest reply on Jul 12, 2012 3:30 PM by jesper.pedersen

    Resource Adapter + authentication

    dimonv

      Hi all,

       

      I'm testing my resource adapter with JBoss AS 7.1 and trying to protect it by means of a security-domain. I configured:

                              <security>
                                  <security-domain>other</security-domain>
                              </security>

       

      but the subject in the method MyManagedConnectionImpl.getConnection(Subject subject, ConnectionRequestInfo crInfo) is null.

      Can anybody tell me what the right way is to protect a JCA connection factory by means of a security-domain?

       

      Thanks
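
How a resource adapter can consume the `Subject` that the question above expects the security-domain to supply, shown as an added example that is not part of the thread or of the poster's adapter. The `SubjectCredentials` helper is hypothetical; it assumes the JCA API (`javax.resource`) is on the classpath and that the domain's login module attaches a `PasswordCredential`.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;
import java.util.Set;
import javax.resource.ResourceException;
import javax.resource.spi.ManagedConnectionFactory;
import javax.resource.spi.SecurityException;
import javax.resource.spi.security.PasswordCredential;
import javax.security.auth.Subject;

/** Hypothetical helper (not from the thread): resolves container-managed sign-on credentials. */
public final class SubjectCredentials {

    private SubjectCredentials() { }

    /**
     * Returns the PasswordCredential the container attached for this factory.
     * Fails closed: a null Subject, or a Subject without a matching credential,
     * raises SecurityException instead of falling back to an anonymous connection.
     */
    public static PasswordCredential require(final Subject subject,
                                             final ManagedConnectionFactory mcf)
            throws ResourceException {
        if (subject == null) {
            // The symptom reported in the thread: the <security-domain> was not applied.
            throw new SecurityException("No Subject supplied; security-domain not applied");
        }
        // Private credentials are permission-guarded, so read them in a privileged block.
        Set<PasswordCredential> creds = AccessController.doPrivileged(
            new PrivilegedAction<Set<PasswordCredential>>() {
                public Set<PasswordCredential> run() {
                    return subject.getPrivateCredentials(PasswordCredential.class);
                }
            });
        for (PasswordCredential pc : creds) {
            // A Subject may carry credentials for several factories; accept only ours.
            if (mcf.equals(pc.getManagedConnectionFactory())) {
                return pc;
            }
        }
        throw new SecurityException("Subject has no PasswordCredential for this factory");
    }
}
```

Calling `SubjectCredentials.require(subject, this)` at the top of `createManagedConnection` turns a silently ignored security-domain into an explicit deployment-time failure rather than an unauthenticated connection.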

        • 1. Re: Resource Adapter + authentication
          dimonv

          Hi,

           

          I tested authentication with JBoss AS 7.1.0.Final-Prerelease and with 7.1.0.Final: same issue.

          <security-domain> is just ignored.

           

          I have no idea what else I could try, and I doubt that I configured something wrong.

           

          That's why I have every reason to consider it a bug.

          • 2. Re: Resource Adapter + authentication
            dimonv

            Unfortunately I cannot find the source code for ironjacamar version 1.0.7.Final, which is used in JBoss AS 7.1.0.Final, but while debugging I could find the origin of this issue: org.jboss.as.connector.subsystems.resourceadapters.RaOperationUtil.buildConnectionDefinitionObject(OperationContext, ModelNode, String)

            • 3. Re: Resource Adapter + authentication
              bjorwes

              Hi,

               

              I seem to have the same problem on JBoss 7.1.1-FINAL - even though the related issue is supposed to be resolved.

              I have a resource adapter for connection to WMQ, that tries to use a <security-domain> for SSL-authentication to the MQ-server.

               

              Note that the connection to WMQ works if I only use the <application/> tag for the resource adapter, but we need to use SSL and it simply seems to not pick up the configuration.

               

               

              {code:xml}
              <subsystem xmlns="urn:jboss:domain:resource-adapters:1.0">
              ..................
                  <connection-definitions>
                      <connection-definition class-name="com.ibm.mq.connector.outbound.ManagedQueueConnectionFactoryImpl" jndi-name="java:jboss/six-qcf" enabled="true" use-java-context="true" pool-name="QueueConnection" use-ccm="true">
                          <config-property name="port">
                              PORTNAME
                          </config-property>
                          <config-property name="hostName">
                              HOSTNAME
                          </config-property>
                          <config-property name="channel">
                              CHANNELNAME
                          </config-property>
                          <config-property name="transportType">
                              CLIENT
                          </config-property>
                          <config-property name="queueManager">
                              QMQR-NAME
                          </config-property>
                          <security>
                              <security-domain>ResourceAdapter-policy</security-domain>
                          </security>
                      </connection-definition>
                  </connection-definitions>
              </subsystem>

              <subsystem xmlns="urn:jboss:domain:security:1.1">
              ........................
                  <security-domain name="ResourceAdapter-policy" cache-type="default">
                      <jsse keystore-password="****" keystore-type="JKS" keystore-url="/opt/jboss/etc/keystore.jks" truststore-password="***" truststore-type="JKS" truststore-url="/opt/jboss/etc/truststore.jks" cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA" server-alias="host-key" client-alias="host-key"/>
                  </security-domain>
              </subsystem>
              {code}

               

              The following error message is shown in server.log:

              11:53:46,871 WARN  [org.springframework.jms.listener.DefaultMessageListenerContainer] (Container-1) Setup of JMS message listener invoker failed for destination 'com.ibm.mq.connector.outbound.MQQueueProxy@296df388' - trying to recover. Cause: PB00024: Access Denied:Unauthenticated caller:null

              11:53:46,872 WARN  [org.springframework.jms.listener.DefaultMessageListenerContainer] (Container-1) Could not refresh JMS Connection for destination 'com.ibm.mq.connector.outbound.MQQueueProxy@296df388' - retrying in 5000 ms. Cause: PB00024: Access Denied:Unauthenticated caller:null

              • 4. Re: Resource Adapter + authentication
                jesper.pedersen

                We have test cases for this - so retry with the latest snapshot.

                • 5. Re: Resource Adapter + authentication
                  bjorwes

                  Thanks, will try that.

                   

                  I am quite new to this, so apologies in advance for silly questions like this:

                   

                  Could you direct me to where I can download the latest snapshot, please?  And, would I need to do anything to trigger these test cases?

                   

                  Thank you

                  • 6. Re: Resource Adapter + authentication
                    dimonv

                    Sorry, but snapshot of what? JBoss AS?

                    • 7. Re: Resource Adapter + authentication
                      bjorwes

                      Any more comments on this?

                      As you can see from the last two posts, it is not obvious what we are supposed to get the latest snapshot of, or where it is located.

                       

                      Thanks for any additional clarification on this

                      • 8. Re: Resource Adapter + authentication
                        bjorwes

                        We were able to get around this issue with SSL settings for WMQ resource adapter.

                         

                        By setting system properties in the topmost section of standalone.xml:

                        <system-properties>
                            <property name="javax.net.ssl.trustStore" value="/opt/jboss/etc/truststore.jks"/>
                            <property name="javax.net.ssl.trustStorePassword" value="${truststore_password}"/>
                            <property name="javax.net.ssl.keyStore" value="/opt/jboss/etc/keystore.jks"/>
                            <property name="javax.net.ssl.keyStorePassword" value="${truststore_password}"/>
                        </system-properties>

                         

                        And by specifying the sslCipherSuite to be used against our SSL-enabled WMQ channel in the <connection-definitions> tag under the resource adapter settings:

                        <config-property name="sslCipherSuite">
                             SSL_RSA_WITH_RC4_128_SHA
                        </config-property>

                         

                        Don't know if this fixes your issue, Dmitri, but at least it shows it's possible to get around the issue.

                        • 9. Re: Resource Adapter + authentication
                          ndipiazza

                          I have this problem as well in JBoss 7.1.1.Final connecting to SQL Server with Windows domain auth. It seems to ignore my domain parameter.

                           

                          Where can I get this fix, sir?

                           

                          Here is my related comment on an issue tracker. https://issues.jboss.org/browse/AS7-3824?focusedCommentId=12705739#comment-12705739

                          • 10. Re: Resource Adapter + authentication
                            jesper.pedersen

                            Use latest nightly snapshot of AS7 - or JBoss Enterprise Application Platform 6.0.0.GA