8 Replies. Latest reply: May 13, 2012 11:01 PM by Akshay Koul

    spring message-driven-channel-adapter + weblogic JMSSecurityException

    ferp
      Hi all,

      I defined a message-driven-channel-adapter for retrieving messages from a WebLogic container.
      It works well as long as I don't define a security policy on the WebLogic JMS queue.

      So in my applicationContext.xml:

      <!-- A default JMS message listener -->
      <jms:message-driven-channel-adapter id="jmsMessageChannelAdapter"
          connection-factory="myConnectionFactory"
          destination="myQueue"
          channel="myListenerChannel"/>
      <jee:jndi-lookup id="myConnectionFactory" jndi-name="${connection.factory.jndi.name}">
          <jee:environment>
              java.naming.factory.initial=${java.naming.factory.initial}
              java.naming.provider.url=${java.naming.provider.url}
              java.naming.security.principal=${java.naming.security.principal}
              java.naming.security.credentials=${java.naming.security.credentials}
          </jee:environment>
      </jee:jndi-lookup>
      <jee:jndi-lookup id="myQueue" jndi-name="${queue.jndi.name}">
          <jee:environment>
              java.naming.factory.initial=${java.naming.factory.initial}
              java.naming.provider.url=${java.naming.provider.url}
              java.naming.security.principal=${java.naming.security.principal}
              java.naming.security.credentials=${java.naming.security.credentials}
          </jee:environment>
      </jee:jndi-lookup>


      On weblogic realm I defined my user ${java.naming.security.principal} and the message-driven-channel-adapter works well --> I'm able to retrieve messages from weblogic queue.

      As soon as I add to my weblogic queue a security policy defined as:

      Group : Administrators
      Or
      User : WLS_JMS_USER

      I got the error below:

      02.mag.2012 13:57:21,925 - (LISTENER SERVICE) (org.springframework.jms.listener.DefaultMessageListenerContainer#0-1) [WARN  ]-[DefaultMessageListenerContainer    (819 )] - Setup of JMS message listener invoker failed for destination 'mb0_sb_queue!WL.mb0_sb_queue' - trying to recover.
      Cause: Access denied to resource: type=<jms>, application=mb0_sb_queue, destinationType=queue, resource=WL.mb0_sb_queue, action=receive
      weblogic.jms.common.JMSSecurityException: Access denied to resource: type=<jms>, application=mb0_sb_queue, destinationType=queue, resource=WL.mb0_sb_queue, action=receive
      at weblogic.jms.dispatcher.DispatcherAdapter.convertToJMSExceptionAndThrow(DispatcherAdapter.java:110)
      at weblogic.jms.dispatcher.DispatcherAdapter.dispatchSync(DispatcherAdapter.java:45)
      at weblogic.jms.client.JMSSession.consumerCreate(JMSSession.java:2914)
      at weblogic.jms.client.JMSSession.setupConsumer(JMSSession.java:2687)
      at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2628)
      at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2608)
      at weblogic.jms.client.WLSessionImpl.createConsumer(WLSessionImpl.java:880)
      at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createConsumer(AbstractPollingMessageListenerContainer.java:501)
      at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createListenerConsumer(AbstractPollingMessageListenerContainer.java:223)
      at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.initResourcesIfNecessary(DefaultMessageListenerContainer.java:1082)
      at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:1058)
      at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:1051)
      at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:948)
      at java.lang.Thread.run(Thread.java:619)


      I'm trying to understand what is missing.

      Any help is greatly appreciated!!!

      Thanks and regards
      ferp
        • 1. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
          Akshay Koul
          Spring JMS and WebLogic JMS have given a tough time to a lot of us.

          When Spring looks up the connection factory & queue, it does so using the proper credentials, but since the actual publish/consume takes place in a different thread, the security information doesn't get passed on to that new thread.

          There is apparently a flag called "exposeAccessContext" that you can set on the connection factory & queue in Spring to ensure that the security credentials are available to other threads.

          -Akshay
          • 2. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
            ferp
            Hi Akshay,

            thanks a lot for the feedback.

            So I've added that flag on the connection factory & queue in Spring:

            <jee:jndi-lookup id="connectionFactory" jndi-name="WL.mb0_sb.CF" expose-access-context="true">
                <jee:environment>
                    java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
                    java.naming.provider.url=t3://bsrpdev0012.dev.b-source.net:7841
                    java.naming.security.principal=...
                    java.naming.security.credentials=...
                </jee:environment>
            </jee:jndi-lookup>
            <jee:jndi-lookup id="signbookFLQueue" jndi-name="WL.mb0_sb.BU" expose-access-context="true">
                <jee:environment>
                    java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
                    java.naming.provider.url=t3://bsrpdev0012.dev.b-source.net:7841
                    java.naming.security.principal=...
                    java.naming.security.credentials=...
                </jee:environment>
            </jee:jndi-lookup>


            But now I got that error:

            09.mag.2012 09:59:14,020 - (LISTENER SERVICE) (org.springframework.jms.listener.DefaultMessageListenerContainer#0-1) [WARN  ]-
            [DefaultMessageListenerContainer    (819 )] - Setup of JMS message listener invoker failed for destination 'mb0_sb!WL.mb0_sb.BU' -
            trying to recover. Cause: [JMSClientExceptions:055142]Foreign destination, mb0_sb!WL.mb0_sb.BU
            weblogic.jms.common.InvalidDestinationException: [JMSClientExceptions:055142]Foreign destination, mb0_sb!WL.mb0_sb.BU
            at weblogic.jms.common.Destination.checkDestinationType(Destination.java:105)
            at weblogic.jms.client.JMSSession.setupConsumer(JMSSession.java:2657)
            at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2628)
            at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2608)
            at weblogic.jms.client.WLSessionImpl.createConsumer(WLSessionImpl.java:880)
            at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createConsumer(AbstractPollingMessageListenerContainer.java:501)
            at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createListenerConsumer(AbstractPollingMessageListenerContainer.java:223)
            at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.initResourcesIfNecessary(DefaultMessageListenerContainer.java:1082)
            at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:1058)
            at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:1051)
            at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:948)
            at java.lang.Thread.run(Thread.java:619)
            09.mag.2012 09:59:14,036 - (LISTENER SERVICE) (org.springframework.jms.listener.DefaultMessageListenerContainer#0-1) [DEBUG ]-[DefaultMessageListenerContainer$AsyncMessageListenerInvoker(997)] - Lowered scheduled invoker count: 0


            Any help is greatly appreciated!!!

            Regards
            ferp
            • 3. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
              Akshay Koul
              Are you using any Foreign JMS Provider here?

              -Akshay
              • 4. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
                Akshay Koul
                Also, can you try the below:

                1. Use the flag (expose-access-context) only for the Connection Factory and not the Destination, and see if that helps.

                2. Use the flag proxyInterface="javax.jms.QueueConnectionFactory"; hope this helps.

                -Akshay

                Edited by: Akshay Koul on May 9, 2012 5:46 PM
                • 5. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
                  ferp
                  Hi Akshay,

                  I don't use any Foreign JMS Provider.

                  On WLS the queue is defined as uniform-distributed-queue:

                  <?xml version='1.0' encoding='UTF-8'?>
                  <weblogic-jms xmlns="http://www.bea.com/ns/weblogic/weblogic-jms" xmlns:sec="http://www.bea.com/ns/weblogic/90/security" xmlns:wls="http://www.bea.com/ns/weblogic/90/security/wls" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.bea.com/ns/weblogic/weblogic-jms http://www.bea.com/ns/weblogic/weblogic-jms/1.0/weblogic-jms.xsd">
                    <connection-factory name="WL.mb0_sb.CF">
                      <sub-deployment-name>mb0_sb_sub_deployment</sub-deployment-name>
                      <default-targeting-enabled>false</default-targeting-enabled>
                      <jndi-name>WL.mb0_sb.CF</jndi-name>
                      <client-params>
                        <reconnect-policy>all</reconnect-policy>
                      </client-params>
                      <transaction-params>
                        <xa-connection-factory-enabled>true</xa-connection-factory-enabled>
                      </transaction-params>
                      <security-params>
                        <attach-jmsx-user-id>false</attach-jmsx-user-id>
                      </security-params>
                    </connection-factory>
                    <uniform-distributed-queue name="WL.mb0_sb.BU">
                      <sub-deployment-name>mb0_sb_sub_deployment</sub-deployment-name>
                      <default-targeting-enabled>false</default-targeting-enabled>
                      <delivery-params-overrides>
                        <delivery-mode>Persistent</delivery-mode>
                        <time-to-live>-1</time-to-live>
                        <redelivery-delay>-1</redelivery-delay>
                      </delivery-params-overrides>
                      <jndi-name>WL.mb0_sb.BU</jndi-name>
                      <load-balancing-policy>Round-Robin</load-balancing-policy>
                    </uniform-distributed-queue>
                  </weblogic-jms>

                  We don't have a cluster but simply a domain with one server, the code has been defined as uniform-distributed-queue because it was decided to create uniform-distributed-queue so those queues are ready when we move to a cluster.

                  To add a JMS security policy on WLS we use a WLST script like the one below:

                  def createSecurityPolicy(objAuthorizer, jmsModule, jmsResourcePattern, jmsUser):
                      print
                      print ' #### Creating JMS security policy ####'

                      # Policy: members of Administrators OR the given JMS user
                      policyExpression = '{Grp(Administrators)|Usr(' + jmsUser + ')}'
                      prefixResourceID = 'type=<jms>, application=' + jmsModule + ', destinationType=queue, resource='

                      print " #### looking for JMS resources ..."
                      servers = domainRuntimeService.getServerRuntimes()
                      if (len(servers) > 0):
                          for server in servers:
                              jmsRuntime = server.getJMSRuntime()
                              jmsServers = jmsRuntime.getJMSServers()
                              for jmsServer in jmsServers:
                                  destinations = jmsServer.getDestinations()
                                  for destination in destinations:
                                      # print some runtime info
                                      # find() returns -1 when the pattern is absent; index() would raise ValueError
                                      if destination.name.startswith(jmsModule) and destination.name.find(jmsResourcePattern) != -1:
                                          print
                                          print ' #### found : ' + destination.name
                                          # the resource name is the part of the runtime name after '@'
                                          pos = destination.name.index('@') + 1
                                          resourceID = prefixResourceID + destination.name[pos:]
                                          print ' #### resourceID: ' + resourceID
                                          if objAuthorizer.policyExists(resourceID):
                                              print " #### ... policy already exists"
                                          else:
                                              objAuthorizer.createPolicy(resourceID, policyExpression)
                                              print " #### ... policy created"

                  On WLS console under queue Security Policies tab we have:

                  Providers
                  Authorization Providers ->XACMLAuthorizer
                  Methods
                  Methods = ALL
                  Policy Conditions
                  Combination
                  Group : Administrators
                  Or
                  User : WLS_JMS_USER

                  Coming back to the other attempts:

                  1. Use the flag(expose-access-context) only for Connection Factory and not Destination

                  FAIL - error:
                  Caused by: weblogic.jms.common.JMSSecurityException: Access denied to resource: type=<jms>, application=mb0_sb, destinationType=queue, resource=WL.mb0_sb.BU, action=receive
                  at weblogic.jms.common.JMSSecurityHelper.checkPermission(JMSSecurityHelper.java:162)
                  at weblogic.jms.backend.BEDestinationSecurityImpl.checkReceivePermission(BEDestinationSecurityImpl.java:87)
                  at weblogic.jms.backend.BEConsumerImpl.init(BEConsumerImpl.java:297)
                  at weblogic.jms.backend.BEConsumerImpl.<init>(BEConsumerImpl.java:259)
                  at weblogic.jms.backend.BEQueueImpl.createConsumer(BEQueueImpl.java:188)
                  at weblogic.jms.backend.BESessionImpl.createBEConsumer(BESessionImpl.java:390)
                  at weblogic.jms.backend.BESessionImpl.createConsumer(BESessionImpl.java:400)
                  at weblogic.jms.backend.BESessionImpl.invoke(BESessionImpl.java:297)
                  at weblogic.messaging.dispatcher.Request.wrappedFiniteStateMachine(Request.java:961)

                  2. Use the flag(expose-access-context) for Connection Factory AND Destination

                  FAIL - error:
                  Setup of JMS message listener invoker failed for destination 'mb0_sb!WL.mb0_sb.BU' - trying to recover. Cause: [JMSClientExceptions:055142]
                  Foreign destination, mb0_sb!WL.mb0_sb.BU
                  weblogic.jms.common.InvalidDestinationException: [JMSClientExceptions:055142]Foreign destination, mb0_sb!WL.mb0_sb.BU
                  at weblogic.jms.common.Destination.checkDestinationType(Destination.java:105)
                  at weblogic.jms.client.JMSSession.setupConsumer(JMSSession.java:2657)
                  at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2628)
                  at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2608)
                  at weblogic.jms.client.WLSessionImpl.createConsumer(WLSessionImpl.java:880)
                  at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createConsumer(AbstractPollingMessageListenerContainer.java:501)
                  at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createListenerConsumer(AbstractPollingMessageListenerContainer.java:223)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.initResourcesIfNecessary(DefaultMessageListenerContainer.java:1082)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:1058)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:1051)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:948)
                  at java.lang.Thread.run(Thread.java:619)


                  3. AS 2 + proxy-interface="javax.jms.QueueConnectionFactory" only for Connection Factory

                  FAIL - error:
                  Setup of JMS message listener invoker failed for destination 'mb0_sb!WL.mb0_sb.BU' - trying to recover. Cause: [JMSClientExceptions:055142]Foreign destination, mb0_sb!WL.mb0_sb.BU
                  weblogic.jms.common.InvalidDestinationException: [JMSClientExceptions:055142]Foreign destination, mb0_sb!WL.mb0_sb.BU
                  at weblogic.jms.common.Destination.checkDestinationType(Destination.java:105)
                  at weblogic.jms.client.JMSSession.setupConsumer(JMSSession.java:2657)
                  at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2628)
                  at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2608)
                  at weblogic.jms.client.WLSessionImpl.createConsumer(WLSessionImpl.java:880)
                  at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createConsumer(AbstractPollingMessageListenerContainer.java:501)
                  at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createListenerConsumer(AbstractPollingMessageListenerContainer.java:223)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.initResourcesIfNecessary(DefaultMessageListenerContainer.java:1082)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:1058)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:1051)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:948)
                  at java.lang.Thread.run(Thread.java:619)

                  4. AS 3 + proxy-interface="javax.jms.QueueConnectionFactory" for Connection Factory + proxy-interface="javax.jms.Queue" for the destination

                  FAIL - error:
                  Setup of JMS message listener invoker failed for destination 'mb0_sb!WL.mb0_sb.BU' - trying to recover. Cause: [JMSClientExceptions:055142]Foreign destination, mb0_sb!WL.mb0_sb.BU
                  weblogic.jms.common.InvalidDestinationException: [JMSClientExceptions:055142]Foreign destination, mb0_sb!WL.mb0_sb.BU
                  at weblogic.jms.common.Destination.checkDestinationType(Destination.java:105)
                  at weblogic.jms.client.JMSSession.setupConsumer(JMSSession.java:2657)
                  at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2628)
                  at weblogic.jms.client.JMSSession.createConsumer(JMSSession.java:2608)
                  at weblogic.jms.client.WLSessionImpl.createConsumer(WLSessionImpl.java:880)
                  at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createConsumer(AbstractPollingMessageListenerContainer.java:501)
                  at org.springframework.jms.listener.AbstractPollingMessageListenerContainer.createListenerConsumer(AbstractPollingMessageListenerContainer.java:223)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.initResourcesIfNecessary(DefaultMessageListenerContainer.java:1082)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.invokeListener(DefaultMessageListenerContainer.java:1058)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.executeOngoingLoop(DefaultMessageListenerContainer.java:1051)
                  at org.springframework.jms.listener.DefaultMessageListenerContainer$AsyncMessageListenerInvoker.run(DefaultMessageListenerContainer.java:948)
                  at java.lang.Thread.run(Thread.java:619)

                  regards
                  ferp
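
Added example (not from any post in this thread, and not Oracle or Spring code): a triage check in Python that parses the `Access denied to resource` message and rebuilds the resource ID the way `createSecurityPolicy` in post 5 does, to confirm the policy sits on the resource the server actually checked. The runtime destination name and all function names are constructed for illustration.

```python
import re

# Denial messages copied from the thread (post 5, attempt 1, and the first post).
DENIAL_POST5 = ("Caused by: weblogic.jms.common.JMSSecurityException: "
                "Access denied to resource: type=<jms>, application=mb0_sb, "
                "destinationType=queue, resource=WL.mb0_sb.BU, action=receive")
DENIAL_POST0 = ("Cause: Access denied to resource: type=<jms>, "
                "application=mb0_sb_queue, destinationType=queue, "
                "resource=WL.mb0_sb_queue, action=receive")

# Constructed sample (assumption): a runtime destination name of the shape the
# WLST script expects, i.e. it starts with the module name and contains '@'.
SAMPLE_RUNTIME_NAME = "mb0_sb!JMSServer1@WL.mb0_sb.BU"

# Fields that make up the resource ID; 'action' is the operation, not the ID.
RESOURCE_KEYS = ("type", "application", "destinationType", "resource")


def parse_denial(line):
    """Split an 'Access denied to resource' message into key/value fields."""
    match = re.search(r"Access denied to resource:\s*(.+)$", line)
    if not match:
        return None
    fields = {}
    for part in match.group(1).split(","):
        key, sep, value = part.strip().partition("=")
        if sep:
            fields[key] = value
    return fields


def denied_resource_id(fields):
    """Resource ID the server checked, rebuilt from the parsed denial."""
    return ", ".join(k + "=" + fields.get(k, "") for k in RESOURCE_KEYS)


def script_resource_id(jms_module, runtime_name):
    """Resource ID as createSecurityPolicy() builds it (text after '@').

    Unlike the script, a name without '@' is used whole instead of raising.
    """
    prefix = ("type=<jms>, application=" + jms_module +
              ", destinationType=queue, resource=")
    return prefix + runtime_name[runtime_name.find("@") + 1:]


def triage(line, jms_module, runtime_name):
    """Say whether a denial refers to the resource the script attached a policy to."""
    fields = parse_denial(line)
    if fields is None:
        return "not-a-denial"
    if denied_resource_id(fields) != script_resource_id(jms_module, runtime_name):
        return "resource-mismatch"
    return "policy-on-checked-resource"


if __name__ == "__main__":
    for name, line in (("post 5", DENIAL_POST5), ("first post", DENIAL_POST0)):
        print(name, "->", triage(line, "mb0_sb", SAMPLE_RUNTIME_NAME))
```

When the two IDs match, the policy is attached to the resource that was checked, which leaves the identity presented when the consumer is created as the thing to investigate, as post 1 suggests.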
                  • 6. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
                    Akshay Koul
                    Have you tried to connect to a simple JMS queue rather than a uniform Distributed Queue? Does that also give the same issue?

                    -Akshay
                    • 7. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
                      ferp
                      Hi Akshay,

                      yes, I tried yesterday to connect to a simple JMS queue rather than a uniform Distributed Queue ... but unfortunately I got the same error.

                      I'm trying also in my applicationContext.xml to switch from

                      <jee:jndi-lookup id="myConnectionFactory" jndi-name="WL.mb0_sb.CF" expose-access-context="true" ...>
                          <jee:environment>
                              java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
                              java.naming.provider.url=...
                              java.naming.security.principal=...
                              java.naming.security.credentials=...
                          </jee:environment>
                      </jee:jndi-lookup>
                      <jee:jndi-lookup id="myQueue" jndi-name="WL.mb0_sb.BU">
                          <jee:environment>
                              java.naming.factory.initial=weblogic.jndi.WLInitialContextFactory
                              java.naming.provider.url=...
                              java.naming.security.principal=...
                              java.naming.security.credentials=...
                          </jee:environment>
                      </jee:jndi-lookup>

                      to using a jndiTemplate but I got the same error :-( :

                      <beans:bean id="jndiTemplate" class="org.springframework.jndi.JndiTemplate">
                          <beans:property name="environment">
                              <beans:props>
                                  <beans:prop key="java.naming.factory.initial">weblogic.jndi.WLInitialContextFactory</beans:prop>
                                  <beans:prop key="java.naming.provider.url">...</beans:prop>
                                  <beans:prop key="java.naming.security.principal">...</beans:prop>
                                  <beans:prop key="java.naming.security.credentials">...</beans:prop>
                              </beans:props>
                          </beans:property>
                      </beans:bean>
                      <beans:bean id="myConnectionFactory" class="org.springframework.jndi.JndiObjectFactoryBean">
                          <beans:property name="jndiTemplate" ref="jndiTemplate"/>
                          <beans:property name="jndiName" value="WL.mb0_sb.CF"/>
                          <beans:property name="exposeAccessContext" value="true"/>
                          <beans:property name="proxyInterface" value="javax.jms.QueueConnectionFactory"/>
                      </beans:bean>
                      <beans:bean id="myQueue" class="org.springframework.jndi.JndiObjectFactoryBean">
                          <beans:property name="jndiTemplate" ref="jndiTemplate"/>
                          <beans:property name="jndiName" value="WL.mb0_sb.BU"/>
                          <beans:property name="exposeAccessContext" value="true"/>
                          <beans:property name="proxyInterface" value="javax.jms.Queue"/>
                      </beans:bean>

                      Akshay, I'm also trying to see what settings I need to connect to WLS using t3s instead of t3, but here too I got an error.
                      Do you suggest opening a new thread for that, in order to avoid mixing this "weblogic JMSSecurityException issue" with the "t3s issue"?
                      Or may I also add a short description of the "t3s issue" I got to this thread?

                      Thanks and regards
                      ferp
                      • 8. Re: spring message-driven-channel-adapter + weblogic JMSSecurityException
                        Akshay Koul
                        I think if you have a reproducer, you should log a ticket with Oracle Support and ask for a fix.