10 Replies Latest reply: Jul 12, 2012 3:30 PM by Jesper Pedersen

Resource Adapter + authentication

Dmitri Voronov Novice

Hi all,

 

I'm testing my resource adapter with JBoss AS 7.1 and trying to protect it by means of a security-domain. I configured:

    <security>
        <security-domain>other</security-domain>
    </security>

 

but the subject in the method MyManagedConnectionImpl.getConnection(Subject subject, ConnectionRequestInfo crInfo) is null.

Can anybody tell me what the right way is to protect a JCA connection factory by means of a security-domain?

 

Thanks

  • 1. Re: Resource Adapter + authentication
    Dmitri Voronov Novice

    Hi,

     

    I tested authentication with JBoss AS 7.1.0.Final-Prerelease and with 7.1.0.Final: same issue.

    <security-domain> is just ignored.

     

    I have no idea what more I could try, and I doubt that I configured something wrong.

    That's why I have every reason to consider it a bug.

  • 2. Re: Resource Adapter + authentication
    Dmitri Voronov Novice

    Unfortunately I cannot find the source code for ironjacamar version 1.0.7.Final, which is used in JBoss AS 7.1.0.Final, but while debugging I could find the origin of this issue: org.jboss.as.connector.subsystems.resourceadapters.RaOperationUtil.buildConnectionDefinitionObject(OperationContext, ModelNode, String)

  • 3. Re: Resource Adapter + authentication
    Bjørn Westblad Newbie

    Hi,

     

    I seem to have the same problem on JBoss 7.1.1-FINAL - even though the related issue is supposed to be resolved.

    I have a resource adapter for connection to WMQ, that tries to use a <security-domain> for SSL-authentication to the MQ-server.

     

    Note that the connection to WMQ works if I only use the <application/> tag for the resource adapter, but we need to use SSL and it simply seems to not pick up the configuration.

     

     

     

     

    <subsystem xmlns="urn:jboss:domain:resource-adapters:1.0">
    ..................
        <connection-definitions>
            <connection-definition class-name="com.ibm.mq.connector.outbound.ManagedQueueConnectionFactoryImpl" jndi-name="java:jboss/six-qcf" enabled="true" use-java-context="true" pool-name="QueueConnection" use-ccm="true">
                <config-property name="port">PORTNAME</config-property>
                <config-property name="hostName">HOSTNAME</config-property>
                <config-property name="channel">CHANNELNAME</config-property>
                <config-property name="transportType">CLIENT</config-property>
                <config-property name="queueManager">QMQR-NAME</config-property>
                <security>
                    <security-domain>ResourceAdapter-policy</security-domain>
                </security>
            </connection-definition>
        </connection-definitions>
    </subsystem>

    <subsystem xmlns="urn:jboss:domain:security:1.1">
    ........................
        <security-domain name="ResourceAdapter-policy" cache-type="default">
            <jsse keystore-password="****" keystore-type="JKS" keystore-url="/opt/jboss/etc/keystore.jks" truststore-password="***" truststore-type="JKS" truststore-url="/opt/jboss/etc/truststore.jks" cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA" server-alias="host-key" client-alias="host-key"/>
        </security-domain>
    </subsystem>

     

     

     

     

    The following error message is shown in server.log:

    11:53:46,871 WARN  [org.springframework.jms.listener.DefaultMessageListenerContainer] (Container-1) Setup of JMS message listener invoker failed for destination 'com.ibm.mq.connector.outbound.MQQueueProxy@296df388' - trying to recover. Cause: PB00024: Access Denied:Unauthenticated caller:null

    11:53:46,872 WARN  [org.springframework.jms.listener.DefaultMessageListenerContainer] (Container-1) Could not refresh JMS Connection for destination 'com.ibm.mq.connector.outbound.MQQueueProxy@296df388' - retrying in 5000 ms. Cause: PB00024: Access Denied:Unauthenticated caller:null

  • 4. Re: Resource Adapter + authentication
    Jesper Pedersen Master

    We have test cases for this - so retry with the latest snapshot.

  • 5. Re: Resource Adapter + authentication
    Bjørn Westblad Newbie

    Thanks, will try that.

     

    I am quite new to this, so apologies in advance for silly questions like this:

     

    Could you direct me to where I can download the latest snapshot, please?  And, would I need to do anything to trigger these test cases?

     

    Thank you

  • 6. Re: Resource Adapter + authentication
    Dmitri Voronov Novice

    Sorry, but a snapshot of what? JBoss AS?

  • 7. Re: Resource Adapter + authentication
    Bjørn Westblad Newbie

    Any more comments on this?

    As you see from the last two posts, it is not obvious what we are supposed to get the latest snapshot of, or where it is located.

     

    Thanks for any additional clarification on this

  • 8. Re: Resource Adapter + authentication
    Bjørn Westblad Newbie

    We were able to get around this issue with SSL settings for WMQ resource adapter.

     

    By setting system properties in the topmost section of standalone.xml:

    <system-properties>
        <property name="javax.net.ssl.trustStore" value="/opt/jboss/etc/truststore.jks"/>
        <property name="javax.net.ssl.trustStorePassword" value="${truststore_password}"/>
        <property name="javax.net.ssl.keyStore" value="/opt/jboss/etc/keystore.jks"/>
        <property name="javax.net.ssl.keyStorePassword" value="${truststore_password}"/>
    </system-properties>

     

    And specify the sslCipherSuite to be used against our SSL-enabled WMQ Channel in the <connection-definitions> tag under resource adapter settings:

    <config-property name="sslCipherSuite">SSL_RSA_WITH_RC4_128_SHA</config-property>

     

    Don't know if this fixes your issue, Dmitri, but at least it shows it's possible to get around the issue.
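
Added example, not part of the original posts and not JBoss or IronJacamar code: a small audit of the kind of configuration shown in replies 3 and 8, which reports connection definitions whose `<security-domain>` is undefined or declares no `<authentication>` element, and `sslCipherSuite` values naming a weak suite. The sample XML is constructed from the posted fragments; the finding names and the reading that a domain without `<authentication>` cannot supply a Subject are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the fragments posted in this thread (elided
# parts dropped, paths and passwords omitted); not a complete standalone.xml.
SAMPLE = """<server>
 <subsystem xmlns="urn:jboss:domain:resource-adapters:1.0">
  <connection-definitions>
   <connection-definition jndi-name="java:jboss/six-qcf" pool-name="QueueConnection">
    <config-property name="sslCipherSuite"> SSL_RSA_WITH_RC4_128_SHA </config-property>
    <security><security-domain>ResourceAdapter-policy</security-domain></security>
   </connection-definition>
  </connection-definitions>
 </subsystem>
 <subsystem xmlns="urn:jboss:domain:security:1.1">
  <security-domain name="ResourceAdapter-policy" cache-type="default">
   <jsse cipher-suites="TLS_RSA_WITH_AES_128_CBC_SHA"/>
  </security-domain>
 </subsystem>
</server>"""

# Substrings marking suites that should not be offered (RC4 is banned by RFC 7465).
WEAK = ("RC4", "NULL", "EXPORT", "anon", "MD5")

def local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the "{namespace}" prefix

def audit(xml_text):
    """Return (jndi-name, finding, value) tuples for each connection-definition."""
    elems = list(ET.fromstring(xml_text).iter())
    # Declared domains: name -> has an <authentication> child (assumed Subject source).
    domains = {e.get("name"): any(local(c.tag) == "authentication" for c in e)
               for e in elems if local(e.tag) == "security-domain" and e.get("name")}
    findings = []
    for cd in (e for e in elems if local(e.tag) == "connection-definition"):
        jndi = cd.get("jndi-name")
        for e in cd.iter():
            name, text = local(e.tag), (e.text or "").strip()
            if name == "security-domain" and text not in domains:
                findings.append((jndi, "undefined-domain", text))
            elif name == "security-domain" and not domains[text]:
                findings.append((jndi, "domain-without-authentication", text))
            elif name == "config-property" and e.get("name") == "sslCipherSuite":
                if any(w in text for w in WEAK):
                    findings.append((jndi, "weak-cipher", text))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The `javax.net.ssl.*` system properties in the workaround are JVM-wide defaults, so they apply to every JSSE client in the server that does not configure its own stores, not only to the WMQ adapter.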

  • 9. Re: Resource Adapter + authentication
    Nicholas DiPiazza Novice

    I have this problem as well in JBoss 7.1.1.Final connecting to SQL Server with Windows domain auth. Seems to ignore my domain parameter.

    Where can I get this fix, sir?

     

    Here is my related comment on an issue tracker. https://issues.jboss.org/browse/AS7-3824?focusedCommentId=12705739#comment-12705739

  • 10. Re: Resource Adapter + authentication
    Jesper Pedersen Master

    Use latest nightly snapshot of AS7 - or JBoss Enterprise Application Platform 6.0.0.GA