JMS Wrappers can't cache JNDI lookups when using secured queues

Hi All!
We are working on a jms client, inside a webapp (servlets), using Weblogic 9.2 and Weblogic 10.3.
As we want to use secured queues and keep being efficient we tried to use Weblogic JMS Wrappers, that should work according to the docs:
Enhanced Support for Using WebLogic JMS with EJBs and Servlets
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/jms/j2ee.html
But we are facing a problem:
When we define a JMS Wrapper and try to cache JNDI lookups for the QueueConnectionFactory and Queue, as the docs recommend for efficiency, the connection to the queue is ignoring the user/pwd.
The JMS Wrapper is using <res-auth>Application</res-auth>.
We are creating the connection using createQueueConnection(user, pwd) from QueueConnectionFactory and after several tests it seems that the user and password are ignored unless a jndi lookup is made in the same thread, as if when there are not any thread credentials present user and password are ignored for the connection...
so the question is:
That behaviour goes against Weblogic JMS Wrapper documentation, doesn't it?
Is there then any other way to access efficiently secured queues using a servlet as a client? (it's not an option for us to use mdbs, or ejbs).
If it helps, this seems related to this still open spring-weblogic issue: SPR-2941 --> http://jira.springframework.org/browse/SPR-2941 and SPR-4720 --> http://jira.springframework.org/browse/SPR-4720
Thanks
And here goes our DDs and code to reproduce:
First in pretty format:
web.xml --> http://pastebin.com/f5f85e8d4
weblogic.xml --> http://pastebin.com/f2fbe10cc
Client code --> http://pastebin.com/f586d32d9
And now embedded in the msg:
weblogic.xml
<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
  xmlns="http://www.bea.com/ns/weblogic/90"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.bea.com/ns/weblogic/90
  http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
    <description>WebLogic Descriptor</description>
    <resource-description>
        <res-ref-name>jms/QCF</res-ref-name>
        <jndi-name>weblogic.jms.ConnectionFactory</jndi-name>
    </resource-description>
</weblogic-web-app>
web.xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name> QCFWrapperCredentialsTest </display-name>
    <description> QCFWrapperCredentialsTest  </description>
    <servlet id="Servlet_1">
        <servlet-name>QCFWrapperCredentialsTest</servlet-name>
        <servlet-class>QCFWrapperCredentialsTest</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping id="ServletMapping_1">
        <servlet-name>QCFWrapperCredentialsTest</servlet-name>
        <url-pattern>/Test</url-pattern>
    </servlet-mapping>
    <resource-ref>
        <res-ref-name>jms/QCF</res-ref-name>
        <res-type>javax.jms.QueueConnectionFactory</res-type>
        <res-auth>Application</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
</web-app>
And our test client:
import java.io.*;
import java.util.Properties;
import javax.jms.*;
import javax.naming.*;
import javax.servlet.http.*;
public class QCFWrapperCredentialsTest extends HttpServlet {
    // Looked up once in init() and reused by every request thread
    QueueConnectionFactory factory = null;
    Queue queue = null;
    String jndiName = "java:comp/env/jms/QCF";
    String queueName= "jms/ColaEntradaConsultas";
    String user = "usuarioColas";
    String pwd = "12345678";
    String userjndi = "usuarioColas";
    String pwdjndi = "12345678";
    String serverT3URL="t3://127.0.0.1:7007";
    public void init() {
        setupJNDIResources();
    }
    private void setupJNDIResources(){
        try {
            Properties props = new Properties();
            props.put("java.naming.factory.initial",
                    "weblogic.jndi.WLInitialContextFactory");
            props.put("java.naming.provider.url",serverT3URL );
            props.put("java.naming.security.principal", userjndi);// usr
            props.put("java.naming.security.credentials", pwdjndi);// pwd
            InitialContext ic = new InitialContext(props);
            factory = (QueueConnectionFactory) ic.lookup(jndiName);
            queue = (Queue) ic.lookup(queueName);
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
    public void service(HttpServletRequest req, HttpServletResponse res) {
        res.setContentType("text/html");
        Writer wr = null;
        try {
            wr = res.getWriter();
            //Uncomment this to do a lookup on every request, and it will work
            //setupJNDIResources();
            String user = this.user;
            String pwd = this.pwd;
            //read users and passwords from the request in case they are present
            if (req.getParameter("user") != null) {
                user = req.getParameter("user");
            }
            if (req.getParameter("pwd") != null) {
                pwd = req.getParameter("pwd");
            }
            wr.write("JNDI  User: *" + userjndi + "* y pwd: *" + pwdjndi + "*<p>");
            wr.write("Queue User: *" + user + "* y pwd: *" + pwd + "*<p>");
            //Obtain a connection using user/pwd
            QueueConnection conn = factory.createQueueConnection(user, pwd);
            QueueSession ses = conn.createQueueSession(true,
                    Session.SESSION_TRANSACTED);
            QueueSender sender = ses.createSender(queue);
            TextMessage msg = ses.createTextMessage();
            msg.setText("Hi there!");
            conn.start();
            sender.send(msg);
            ses.commit();
            sender.close();
            ses.close();
            conn.close();
        } catch (Exception e) {
            e.printStackTrace();
            try {
                wr.write(e.toString());
            } catch (Exception e2) {
                e2.printStackTrace();
            }
        } finally {
            try {
                //wr is still null if getWriter() itself failed
                if (wr != null) {
                    wr.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}
Edited by: user2525402 on Feb 9, 2010 7:14 PM

Thanks Tom,
Quite a useful response .-)
Leaving aside the fact that weblogic behaviour with jms wrappers and secured queues seems to not be working as the docs say...
Talking about workarounds:
Both workarounds you suggest work, but as you already noted, creating a new JNDI context just to inject credentials into the threads is overkill when high performance is needed.
I also found more information about the same issue here: http://sleeplessinslc.blogspot.com/2009/04/weblogic-jms-standalone-multi-threaded.html
And he suggests the same workaround, injecting credentials.
So I tried the second approach, successfully, injecting credentials into the thread using the security API.
This way, using JMS wrappers and injecting credentials into the thread we get the best performance available, caching resources using wrappers and using credentials in a somewhat efficient way.
Now the test snippet looks like this:
import java.io.*;
import java.security.PrivilegedAction;
import java.util.Properties;
import javax.jms.*;
import javax.naming.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.servlet.http.*;
import weblogic.jndi.Environment;
import weblogic.security.auth.Authenticate;
public class JMSWrapperCredentialsTest extends HttpServlet {
    // Looked up once in init() and reused by every request thread
    QueueConnectionFactory factory = null;
    Queue queue = null;
    String jndiName = "java:comp/env/jms/QCF";
    String queueName= "jms/ColaEntradaConsultas";
    String user = "usuarioColas";
    String pwd = "12345678";
    String userjndi = "usuarioColas";
    String pwdjndi = "12345678";
    String serverT3URL="t3://127.0.0.1:7007";
    public void init() {
        setupJNDIResources();
    }
    private void setupJNDIResources(){
        try {
            Properties props = new Properties();
            props.put("java.naming.factory.initial",
                    "weblogic.jndi.WLInitialContextFactory");
            props.put("java.naming.provider.url",serverT3URL );
            props.put("java.naming.security.principal", userjndi);// usr
            props.put("java.naming.security.credentials", pwdjndi);// pwd
            InitialContext ic = new InitialContext(props);
            factory = (QueueConnectionFactory) ic.lookup(jndiName);
            queue = (Queue) ic.lookup(queueName);
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }
    public void service(HttpServletRequest req, HttpServletResponse res) {
        final HttpServletRequest fReq=req;
        final HttpServletResponse fRes=res;
        PrivilegedAction action = new java.security.PrivilegedAction() {
            public java.lang.Object run() {
                performRequest(fReq,fRes);
                return null;
            }
        };
        try {
            //Authenticate and run the request with the subject attached to this thread
            Subject subject=createSingleSubject(serverT3URL,user,pwd);
            weblogic.security.Security.runAs(subject, action);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
    public void performRequest(HttpServletRequest req, HttpServletResponse res) {
        res.setContentType("text/html");
        Writer wr = null;
        try {
            wr = res.getWriter();
            //Uncomment this to do a lookup on every request, and it will work
            //setupJNDIResources();
            String user = this.user;
            String pwd = this.pwd;
            //read users and passwords from the request in case they are present
            if (req.getParameter("user") != null) {
                user = req.getParameter("user");
            }
            if (req.getParameter("pwd") != null) {
                pwd = req.getParameter("pwd");
            }
            wr.write("JNDI  User: *" + userjndi + "* y pwd: *" + pwdjndi + "*<p>");
            wr.write("Queue User: *" + user + "* y pwd: *" + pwd + "*<p>");
            //Obtain a connection using user/pwd
            QueueConnection conn = factory.createQueueConnection(user, pwd);
            QueueSession ses = conn.createQueueSession(true,
                    Session.SESSION_TRANSACTED);
            QueueSender sender = ses.createSender(queue);
            TextMessage msg = ses.createTextMessage();
            msg.setText("Hi there!");
            conn.start();
            sender.send(msg);
            ses.commit();
            sender.close();
            ses.close();
            conn.close();
        } catch (Exception e) {
            e.printStackTrace();
            try {
                wr.write(e.toString());
            } catch (Exception e2) {
                e2.printStackTrace();
            }
        } finally {
            try {
                //wr is still null if getWriter() itself failed
                if (wr != null) {
                    wr.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
    private Subject createSingleSubject(String providerUrl, String userName, String password) {
        Subject subject = new Subject();
        // Weblogic env class
        Environment env = new Environment();
        if(providerUrl!=null)
            env.setProviderUrl(providerUrl);
        env.setSecurityPrincipal(userName);
        env.setSecurityCredentials(password);
        try {
          // Weblogic Authenticate class will populate and Seal the subject
          Authenticate.authenticate(env, subject);
          return subject;
        } catch (LoginException e) {
          throw new RuntimeException("Unable to Authenticate User", e);
        } catch (Exception e) {
          throw new RuntimeException("Error authenticating user", e);
        }
    }
}
Thanks a lot for the help
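
Added example (not part of the original thread, and not Oracle's code): a variant of the runAs workaround above that authenticates once in init() and reuses the Subject on every request, closes the connection in a finally block, and keeps the password out of both the source and the response. The init-param names (queueUser, queuePassword, providerUrl) are hypothetical, and it assumes an authenticated Subject can be shared by request threads for the lifetime of the servlet.

```java
import java.io.IOException;
import java.security.PrivilegedAction;
import javax.jms.*;
import javax.naming.Context;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import weblogic.jndi.Environment;
import weblogic.security.Security;
import weblogic.security.auth.Authenticate;

public class CachedSubjectJmsServlet extends HttpServlet {
    private QueueConnectionFactory factory;
    private Queue queue;
    private Subject subject; // authenticated once, shared by all request threads (assumption)
    private String user;
    private String pwd;

    public void init() throws ServletException {
        // Hypothetical init-param names: credentials come from deployment
        // configuration instead of being hardcoded in the class.
        user = getInitParameter("queueUser");
        pwd = getInitParameter("queuePassword");
        Environment env = new Environment();
        env.setProviderUrl(getInitParameter("providerUrl"));
        env.setSecurityPrincipal(user);
        env.setSecurityCredentials(pwd);
        try {
            // One-time JNDI lookups, cached as the JMS wrapper docs recommend.
            Context ic = env.getInitialContext();
            factory = (QueueConnectionFactory) ic.lookup("java:comp/env/jms/QCF");
            queue = (Queue) ic.lookup("jms/ColaEntradaConsultas");
            // One-time authentication; the Subject is reused on every request.
            subject = new Subject();
            Authenticate.authenticate(env, subject);
        } catch (Exception e) {
            throw new ServletException("JMS/JNDI setup failed", e);
        }
    }

    public void service(HttpServletRequest req, HttpServletResponse res)
            throws IOException {
        // runAs attaches the cached Subject to this thread while run() executes,
        // which is what the per-request JNDI lookup was doing as a side effect.
        Exception failure = (Exception) Security.runAs(subject, new PrivilegedAction() {
            public Object run() {
                try {
                    send("Hi there!");
                    return null;
                } catch (JMSException e) {
                    return e;
                }
            }
        });
        if (failure != null) {
            log("JMS send failed", failure); // stack trace stays in the server log
            res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
            return;
        }
        res.setContentType("text/plain");
        res.getWriter().write("Message sent as " + user); // never echo the password
    }

    private void send(String text) throws JMSException {
        QueueConnection conn = factory.createQueueConnection(user, pwd);
        try {
            QueueSession ses = conn.createQueueSession(true, Session.SESSION_TRANSACTED);
            QueueSender sender = ses.createSender(queue);
            sender.send(ses.createTextMessage(text));
            ses.commit();
        } finally {
            conn.close(); // also closes the session and sender created from it
        }
    }
}
```

If the security realm expires or invalidates subjects, re-run the authentication step when a send fails with a security exception instead of authenticating on every request.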

Similar Messages

  • How can we get ADFSecurity work when used in OC4J, OID and OAM?

    I am getting error in http server log "mod_oc4j: Response status=499 and reason=Oracle SSO, but failed to get mod_osso global context."
    But I am not using Oracle SSO and my client doesn't want to use it either, I am using OAM SSO(CoreIDSSO) in my configuration. Please read the details below.
    I am using ADFSecurity in an app that is protected by OAM. To migrate ADFSecurity permissions from
    system-jazn-data.xml to OID, I used JAZNMigrationTool to populate OID with Grantees and Permissions. OAM gives login page, and authentication works fine.
    But ADFSecurity is not working. ADFComponent Delete button is enabled even for roles that don't have permissions for the iterator delete.
    - The app works fine when I use without OAM. ADF Security permissions work fine.
    - The app works fine when used with OAM, but with ADFSecurity disabled (enforce=false).
    - When I enforce ADFSecurity along with OAM, ADFSecurity is not working.
    In the doc "Oracle Containers for J2EE Security Guide b28957", there is a mention of use of CoreIDPrincipal for permissions. Our OID Permissions entries show
    LDAPRealmRole for attribute orcljaznprincipal. I am not sure if this could be the reason.
    We have configured AccessServerSDK for the SOA instance and have policy for the urls in the policy manager. We have entries in orion-application.xml, orion-web.xml and system-jazn-data.xml as per the documentations.
    How can we get ADFSecurity work when used with OID and OAM?

    Have you been able to successfully integrate OAS with OAM & OID? We have a similar requirement and so far we have not been able to get it working.
    We have application specific roles which we map to OID roles using orion-application.xml.
    Any pointers to achieve this would be greatly appreciated.
    thanks,
    Dipal

  • After I installed the recent Apple security patch, I can no longer save PDFs when using Safari. And Firefox no longer can open website PDFs. Any suggestions?

    After I installed the recent Apple security patch, I can no longer save PDFs when using Safari. And Firefox no longer can open website PDFs. Any suggestions?

    Dansyacht wrote:
    If the previous Safari suggestion doesn't work try the following:
    In Finder, go to Macintosh HD/Library/Internet Plug-ins and move AdobePDFViewerNPAPI.plugin to the Disabled Plug-ins Folder.  Restart Safari.  If this works you may just want to delete that FUBAR plug-in.
    Thanks.  This was the solution for me.
    Message was edited by: tvdowntown

  • HT2188 I can hear caller but they can not hear me except when using speaker phone

    I can hear caller but they can not hear me except when using speaker phone

    First of all,  make sure that your iPhone as the most recent iOS available. Check in "Settings>General>Software Update".
    One other problem could be your microphone. Does it work for anything else other than a call?
    Good-Luck!
    kpower28
    Please mark this as "solved my problem" or "helped me"!

  • Why can I only make calls when using speakerphone?

    I can only make phone calls when using the speaker phone or headphones.  The receiver can hear me although I can not hear them.  I have only had the phone since Sat, have checked volume levels and tried adjusting during a phone call too.

    Try making a call and turning the volume up using the buttons on the side of the phone. If that doesn't work, your iPhone is faulty. Take it to the nearest apple store or back where you bought it!

  • What can replace Appleworks Drawing app when using OSX Mountain Lion?

    What can replace Appleworks Drawing app when using OSX Mountain Lion?

    Please see this page which examines the problem:
    http://www.wilmut.webspace.virginmedia.com/notes/aw/page3.html

  • How can I customize the toolbar when using the attribute browser

    In CVI 2012, the toolbar changes depending on the environment, e.g. it is different for the source window and the UI editor. The toolbar can be customized using the menu Options / Toolbar...
    Unfortunately, when using the attribute browser of the UI editor, another toolbar is displayed, i.e. not the UI editor toolbar.... I would have assumed that the attribute browser belongs to the UI editor, obviously it doesn't... So how can I customize the toolbar when using the attribute browser?

    Luis,
    It's nice to have you back 
    Thank you for the clarification, so I'll elaborate a bit more: In the regular workspace toolbar, I have a disk symbol to save the file. This symbol is gone in the attribute browser...
    So I have three different toolbars, for source code (workspace), UI editor, and the UI editor displayed but the attribute browser clicked on (selected)... 
    Thanks
    Wolfgang
    Source code:
    UI editor:
    Attribute browser:

  • Can't get my mail when use the USB Ethernet adapter

    I can't get my mail when use the Apple USB Ethernet Adapter. If I use a wireless connection, there is no problem. The LAN which I'm trying to connect is behind a proxy server but the Internet is working 100%.

    Hi ViK,
    This sounds like a question for the network administrator of the location. Without knowing how the proxy is set it's impossible to know what it's blocking (incoming/outgoing). It sounds like it might be filtering the incoming mail server.

  • Please help. my address bar has vanished. i have no idea how to retrieve it, so can only access bookmarked sites when using firefox.

    please help. my address bar has vanished. i have no idea how to retrieve it, so can only access bookmarked sites when using firefox.

    Make sure that you do not run Firefox in Full Screen mode with all toolbars hidden.
    * Press F11 to toggle full screen mode (Firefox/File > Full Screen)
    If the menu bar is hidden then press the F10 key or hold down the Alt key, that should make the menu bar appear.
    Make sure that toolbars like the "Navigation Toolbar" and the "Bookmarks Toolbar" are visible: "View > Toolbars"
    * If items are missing then open the Customize window via "View > Toolbars > Customize" or via "Firefox > Options > Toolbar Layout" (Linux, Windows)
    * If a missing item is in the toolbar palette then drag it back from the Customize window on the toolbar
    * If you do not see an item on a toolbar and in the toolbar palette then click the "Restore Default Set" button to restore the default toolbar set up.
    See also:
    * http://kb.mozillazine.org/Toolbar_customization

  • [svn] 1720: Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints .

    Revision: 1720
    Author: [email protected]
    Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
    Log Message:
    Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
    QA: Yes
    Doc: No
    Details:
    Update to the TomcatLoginCommand to work correctly with NIO endpoints.
    Ticket Links:
    http://bugs.adobe.com/jira/browse/LCDS-304
    Modified Paths:
    blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java

  • How to cache JNDI Lookup

    I want to cache JNDI Look ups for Datasources/EJBs.
    I am wondering if anyone would have a suggestion for me regarding speeding
    up the time it takes to execute the following code snippets:
    Context context = new InitialContext();
    Object objectReference = context.lookup("someEJB");
    It appears that the context.lookup is always quite a bit of time, even when
    the client is running local to the EJB server.
    Is there any way to serialize or "save" this lookup information so that
    client apps that are looking for "someEJB" can use the saved information?
    Thanks to all who will respond
    Regards,
    Raju ([email protected])

    Please do not cross-post.
    "Anjaneya Raju" <[email protected]> wrote in message
    news:39994516$[email protected]..
    > I want to cache JNDI Look ups for Datasources/EJBs.
    > I am wondering if anyone would have a suggestion for me regarding speeding
    > up the time it takes to execute the following code snippets:
    > Context context = new InitialContext();
    > Object objectReference = context.lookup("someEJB");
    > It appears that the context.lookup is always quite a bit of time, even when
    > the client is running local to the EJB server.
    > Is there any way to serialize or "save" this lookup information so that
    > client apps that are looking for "someEJB" can use the saved information?
    > Thanks to all who will respond
    > Regards,
    > Raju ([email protected])

  • Can't access some sites when using Airport Express, why?

    I'm using Windows 7 and my router is a wireless Apple Airport Express that is approximately two years old. Suddenly I can't access some sites (for example www.sthlm.friskissvettis.se, or www.vegetarian-shoes.co.uk, some streamed tv-shows on svtplay.se, and a number of other random sites) when connecting to internet with my router. It worked good until recently and I'm fairly sure this problem emerged when my ISP upgraded from 10/10mbit to 100/10mbit speed. Most other sites like facebook and google works fine.
    When using my network cable to connect to internet everything works fine and I can access these sites.
    Firmware is current and I've tried reseting the router to factory defaults.
    Tried different browsers, and I can't ping the "blocked" sites either. Tracert www.sthlm.friskissvettis.se starts with 10.0.0.1 and continues through a number of long addresses until it says timeout. The last working address before timeout was sth-tcy-ipcore01-ge-0-2-0.neq.dgcsystems.net [83.241.252.13], if it matters. Tracert www.vegetarian-shoes.co.uk also eventually gives me a timeout.
    When the network cable is plugged in, I still get timeout on tracert www.sthlm.friskissvettis.se even though I can access the site in Chrome. Weird. www.vegetarian-shoes.co.uk doesn't give me a tracert timeout when the cable is plugged in, and I can access the site as usual.
    I've tried changing DNS servers to use opendns servers instead, but to no use.
    I've tried pinging these two sites with a lower MTU packet size (with this method: http://www.richard-slater.co.uk/archives/2009/10/23/change-your-mtu-under-vista-or-windows-7/), but still can't access them through ping...
    I don't know what to do anymore.... any suggestions???
    Thanks

    Hi Punice
    first try to disable JavaScript from : Firefox button (or Tools menu) > Options > Content panel > '''UNcheck''' Enable JavaScript.
    if the above does not help check with a few malware/virus scan programs for virus. You need to use all programs because each detects different malware. Make sure to update each program to get the latest version before doing a scan.
    http://housecall.trendmicro.com/ - Trendmicro online
    http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
    http://www.superantispyware.com/ - SuperAntispyware
    http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
    http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
    http://www.microsoft.com/windows/antivirus-partners/windows-xp.aspx
    check also for a rootkit infection with TDSSKiller.
    http://support.kaspersky.com/viruses/solutions?qid=208280684
    thank you

  • How can i set  "Createdby" attribute  When using Custom JheadStart Security

    Hello
    We do not use JASS for Authentication , please help us how can i set createtby attributes with jhs.username in application for any entity object?
    thanks

    See a similar question at History Attributes when using Custom Authentication Type

  • Can't get speaker sound when using Mophie battery case

    Hello,
    Is there a way to make my phone's speakers enable when using the Mophie?  Just to explain, the Mophie is a battery pack case, that has an apple plug on the bottom.  It works great and all, but my phone's speakers go off.  Similar to using a docking clock/radio and the speaker will go through that device.  The Mophie doesn't have its own speakers though, so I can't use the speakers as I use it.
    Thanks!
    -Rick

    It shouldn't do that. Talk to the manufacturer. If it's shutting down the speakers on the phone, either your dock connector is dirty or the juice pack is defective.

  • Can I assign exchange rate when use MRKO?

    Dear all:
    I have met one question.
    When I use MRKO to settle consignment stock withdraw, how can I assign exchange rate I do really need?
    Thank you.

    Sorry, I did not mean where to maintain the exchange rate.
    I want to assign the exchange rate date when I use MRKO.
    Ex: when I transfer the consignment stock into our own stock (mvt. 201 K or 411 k) on 4/30, and the vendor sends their invoice on 5/6. When I use MRKO, the exchange rate refers to 5/6, not 4/30. I want to know where I can configure MRKO so that its exchange rate date is the stock GI date.
    Thank you.
