Jboss EAP 6.3: HQ119031: Unable to validate user: USERNAME

2
votes

I'm trying to configure the JBoss EAP 6.3 JMS-Bridge to work in secured environment. It seems that it not possible at all.

My configuraiton consists of two (equal) JBoss EAP installations: call them provider and consumer. Provider defines a queue and consumer uses a netty connection factory to connect it to a local queue. The configuration works fine if security is disabled on both sides using the 

<security-enabled>false</security-enabled>

As soon as I activate security, the consumer is not able to construct the bridge. I'm using the same security domain on both sides by specifying:

<security-domain>myDomain</security-domain>

I also tried to specify a username/password combination during bridge construction:

<jms-bridge name="...">
   <source>
      <connection-factory name="RemoteConnectionFactory" />
      <user>USERNAME</user>
      <password>secret</password>
      <destination>jms/topic/whatever</destination> 
   </source>
...
</jms-bridge>

In case I don't specify the username/password, the behaviour described in Jboss EAP 6.3: HQ119031: Unable to validate user: null is observed. In case I specify the username in the source configuration of the JMS-Bridge, the exception is the same, but I see the specified USERNAME instead of null:

ERROR HQ122010: Failed to connect JMS Bridge: javax.jms.SecurityException: HQ119031: Unable to validate user: USERNAME]
    at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:399)
    ....
    ....
Caused by: HornetQException[errorType=SECURITY_EXCEPTION message=HQ119031: Unable to validate user: USERNAME]

The security-domain is also configured for usage with EJB3 RMI and the USERNAME is a valid user.

Am I missing something? Disabling security for messaging is not an option for us. So if there are any workarounds, please help!

Kind regards,

Simon

2
securityjbossjmsjboss7.x
Relates to stackoverflow.com/questions/26420490/…Simon Zambrovski

2 Answers

1
votes

When we were running local tests with two JBosses on the same machine, we had the same error (HQ119031: Unable to validate user). In our case, the problem was that we created the user using the add-user script within the "remote" JBoss, but the script actually created the user in the client JBoss. Why? Because we had set the JBOSS_HOME variable and the script uses that variable. We removed the variable and the problem was solved.

So, I suggest double checking that the user you're using is actually listed in the application-users.properties file inside the remote JBoss configuration.

Now we have a JMS bridge working with security. Here's a description:

  • Client (sender) is JBoss EAP 6.3.3. In the messaging subsystem configuration within standalone/domain.xml we have:

    <bridges>
  <bridge name="myBridge">
      <queue-name>jms.queue.MyQueueLocal</queue-name>
      <forwarding-address>jms.queue.MyQueue</forwarding-address>
      <retry-interval>5000</retry-interval>
      <retry-interval-multiplier>2.0</retry-interval-multiplier>
      <failover-on-server-shutdown>false</failover-on-server-shutdown>
      <use-duplicate-detection>true</use-duplicate-detection>
      <confirmation-window-size>10000000</confirmation-window-size>
      <user>myUser</user>
      <password>passwdInClear</password>
      <static-connectors>
          <connector-ref>netty-remote</connector-ref>
      </static-connectors>
  </bridge>
</bridges>

  • One of the <connectors> is:

    <netty-connector name="netty-remote" socket-binding="remote-jms"/>

  • Within <security-realm name="ApplicationRealm"> we have the lines below. The secret value is the Base64 hash you see when you create the user with the add-user script. 

    <server-identities>
    <secret value="cEBzc3cwcmQ="/>
</server-identities>

  • Then within <socket-binding-group> we have:

    <outbound-socket-binding name="remote-jms">
    <remote-destination host="myRemoteHost" port="5445"/>
</outbound-socket-binding>

  • On the remote JBoss (also EAP 6.3.3), standalone/domain.xml shows the usual messaging configuration and declaration of the MyQueue queue.

  • On this server, we created the user account with add-user. The user belongs to ApplicationRealm and to the guest group.

  • Of course, sender applications on the client JBoss send messages to MyQueueLocal.

0
votes

Have you tried adding username and password to your bridge context?

<jms-bridge name="myBridge">
    <source>
        <connection-factory name="jms/RemoteConnectionFactory"/>
        <destination name="jms/queue/bridgeQueue"/>
        <user>guest</user>
        <password>pass</password>
        <context>
            <property key="java.naming.factory.initial" value="org.jboss.naming.remote.client.InitialContextFactory"/>
            <property key="java.naming.provider.url" value="remote://xx.xx.xx.xx:xxxx"/>
            <property key="java.naming.security.principal" value="guest"/>
            <property key="java.naming.security.credentials" value="pass"/>
        </context>
    </source>
    <target>
        <connection-factory name="java:/ConnectionFactory"/>
        <destination name="jms/queue/testQueue"/>
    </target>
    <quality-of-service>AT_MOST_ONCE</quality-of-service>
    <failure-retry-interval>500</failure-retry-interval>
    <max-retries>1</max-retries>
    <max-batch-size>500</max-batch-size>
    <max-batch-time>500</max-batch-time>
    <add-messageID-in-header>true</add-messageID-in-header>
</jms-bridge>