JMSSecurityException when MDB subscribes to topic in Foreign WL JMS Server
Steve Chan
Server1 has its own domain and has a JMSServer deployed. A local user has
been created and added to the JMSUsers group. This group has been given
permission to access the Topic in the JMSServer.
Server2 has its own domain and has deployed a "Foreign JMS Server" mapped to
server1's JMS Server. A local user has been created that will serve as the
security identity in the MDB's run-as. A MDB attempts to subscribe from the
Topic in the remote Foreign JMS Server by specifying the security identity
to run-as being the local user created just for this purpose. The MDB has a
credential-map between the local user and the remote user in server1 that is
in the group that has JMS permissions.
A "trusted relationship" has been established between these two domains.
When the MDB is deployed we get a weblogic.jms.common.JMSSecurityException.
We have even tried with a credential-map to another remote user that exists
but does not belong to the JMSUsers group, and we get the exact same
exception and error message. Its as if server2 authenticates as the correct
user in server1 but somehow lost its group affiliation.
Let me paste the JMSSecurityException followed by the two deployment
descriptors for that MDB. Any help will be much appreciated:
[EJB:010196]'weblogic.jms.common.JMSSecurityException: Access denied to
resource: type=<jms>, application=, destinationType=topic, resource=T,
action=receive' Linked exception =
'weblogic.jms.common.JMSSecurityException: Access denied to resource:
type=<jms>, application=, destinationType=topic, resource=T, action=receive'
weblogic.jms.common.JMSSecurityException: Access denied to resource:
type=<jms>, application=, destinationType=topic, resource=T, action=receive
at
weblogic.rjvm.BasicOutboundRequest.sendReceive(BasicOutboundRequest.java:108
)
at
weblogic.rmi.internal.BasicRemoteRef.invoke(BasicRemoteRef.java:138)
at
weblogic.jms.dispatcher.DispatcherImpl_812_WLStub.dispatchSyncFuture(Unknown
Source)
at
weblogic.jms.dispatcher.DispatcherWrapperState.dispatchSync(DispatcherWrappe
rState.java:339)
at
weblogic.jms.client.JMSSession.consumerCreate(JMSSession.java:1814)
at
weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:1645)
at
weblogic.jms.client.JMSSession.createSubscriber(JMSSession.java:1376)
at
weblogic.ejb20.internal.JMSConnectionPoller.setUpTopicSessions(JMSConnection
Poller.java:1472)
at
weblogic.ejb20.internal.JMSConnectionPoller.createJMSConnection(JMSConnectio
nPoller.java:1834)
at
weblogic.ejb20.internal.JMSConnectionPoller.connectToJMS(JMSConnectionPoller
.java:1087)
at
weblogic.ejb20.internal.JMSConnectionPoller.trigger(JMSConnectionPoller.java
:970)
at
weblogic.time.common.internal.ScheduledTrigger.run(ScheduledTrigger.java:243
)
at
weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubjec
t.java:317)
at
weblogic.security.service.SecurityManager.runAs(SecurityManager.java:118)
at
weblogic.time.common.internal.ScheduledTrigger.executeLocally(ScheduledTrigg
er.java:229)
at
weblogic.time.common.internal.ScheduledTrigger.execute(ScheduledTrigger.java
:223)
at
weblogic.time.server.ScheduledTrigger.execute(ScheduledTrigger.java:50)
at weblogic.kernel.ExecuteThread.execute(ExecuteThread.java:197)
at weblogic.kernel.ExecuteThread.run(ExecuteThread.java:170)
Caused by: weblogic.jms.common.JMSSecurityException: Access denied to
resource: type=<jms>, application=, destinationType=topic, resource=T,
action=receive
at weblogic.jms.JMSService.checkPermission(JMSService.java:1140)
at weblogic.jms.JMSService.checkRecvPermission(JMSService.java:1157)
at
weblogic.jms.frontend.FESession.consumerCreate(FESession.java:1049)
at weblogic.jms.frontend.FESession.invoke(FESession.java:2552)
at
weblogic.jms.dispatcher.Request.wrappedFiniteStateMachine(Request.java:621)
at
weblogic.jms.dispatcher.DispatcherImpl.dispatchAsyncInternal(DispatcherImpl.
java:128)
at
weblogic.jms.dispatcher.DispatcherImpl.dispatchSyncFuture(DispatcherImpl.jav
a:180)
at weblogic.jms.dispatcher.DispatcherImpl_WLSkel.invoke(Unknown
Source)
at
weblogic.rmi.internal.BasicServerRef.invoke(BasicServerRef.java:477)
at
weblogic.rmi.internal.BasicServerRef$1.run(BasicServerRef.java:420)
at
weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubjec
t.java:353)
at
weblogic.security.service.SecurityManager.runAs(SecurityManager.java:144)
at
weblogic.rmi.internal.BasicServerRef.handleRequest(BasicServerRef.java:415)
at
weblogic.rmi.internal.BasicExecuteRequest.execute(BasicExecuteRequest.java:3
0)
... 2 more
>
<ejb-jar>
<enterprise-beans>
<message-driven>
<ejb-name>SecurityMDB</ejb-name>
<ejb-class>research.MDBSecurityTesta</ejb-class>
<transaction-type>Container</transaction-type>
<message-driven-destination>
<destination-type>javax.jms.Topic</destination-type>
</message-driven-destination>
<security-identity><run-as><role-name>SecurityRole</role-name></run-as></sec
urity-identity>
</message-driven>
</enterprise-beans>
<assembly-descriptor>
<security-role><role-name>SecurityRole</role-name></security-role>
</assembly-descriptor>
</ejb-jar>
<weblogic-ejb-jar>
<weblogic-enterprise-bean>
<ejb-name>SecurityMDB</ejb-name>
<message-driven-descriptor>
<pool><initial-beans-in-free-pool>1</initial-beans-in-free-pool></pool>
<destination-jndi-name>FT</destination-jndi-name>
<connection-factory-jndi-name>FCF</connection-factory-jndi-name>
</message-driven-descriptor>
<jndi-name>SecurityMDB</jndi-name>
</weblogic-enterprise-bean>
<security-role-assignment>
<role-name>SecurityRole</role-name>
<principal-name>LocalUser</principal-name>
</security-role-assignment>
</weblogic-ejb-jar>