JMS Wrappers can't cache JNDI lookups when using secured queues
Hi All!
We are working on a JMS client, inside a webapp (servlets), using WebLogic 9.2 and WebLogic 10.3.
As we want to use secured queues and keep being efficient, we tried to use WebLogic JMS Wrappers, which should work according to the docs:
Enhanced Support for Using WebLogic JMS with EJBs and Servlets
http://download.oracle.com/docs/cd/E12840_01/wls/docs103/jms/j2ee.html
But we are facing a problem:
When we define a JMS Wrapper and try to cache JNDI lookups for the QueueConnectionFactory and Queue, as the docs recommend for efficiency, the connection to the queue is ignoring the user/pwd.
The JMS Wrapper is using <res-auth>Application</res-auth>.
We are creating the connection using createQueueConnection(user, pwd) from QueueConnectionFactory, and after several tests it seems that the user and password are ignored unless a JNDI lookup is made in the same thread, as if, when there are no thread credentials present, the user and password are ignored for the connection...
So the question is:
That behaviour goes against Weblogic JMS Wrapper documentation, doesn't it?
Is there then any other way to efficiently access secured queues using a servlet as a client? (It's not an option for us to use MDBs or EJBs.)
If it helps, this seems related to these still open Spring-WebLogic issues: SPR-2941 --> http://jira.springframework.org/browse/SPR-2941 and SPR-4720 --> http://jira.springframework.org/browse/SPR-4720
Thanks
And here goes our DDs and code to reproduce:
First in pretty format:
web.xml --> http://pastebin.com/f5f85e8d4
weblogic.xml --> http://pastebin.com/f2fbe10cc
Client code --> http://pastebin.com/f586d32d9
And now embedded in the msg:
web.xml

<?xml version="1.0" encoding="UTF-8"?>
<weblogic-web-app
    xmlns="http://www.bea.com/ns/weblogic/90"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.bea.com/ns/weblogic/90
        http://www.bea.com/ns/weblogic/90/weblogic-web-app.xsd">
    <description>WebLogic Descriptor</description>
    <resource-description>
        <res-ref-name>jms/QCF</res-ref-name>
        <jndi-name>weblogic.jms.ConnectionFactory</jndi-name>
    </resource-description>
</weblogic-web-app>

weblogic.xml

<?xml version="1.0" encoding="UTF-8"?>
<web-app version="2.4" xmlns="http://java.sun.com/xml/ns/j2ee" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd">
    <display-name> QCFWrapperCredentialsTest </display-name>
    <description> QCFWrapperCredentialsTest </description>
    <servlet id="Servlet_1">
        <servlet-name>QCFWrapperCredentialsTest</servlet-name>
        <servlet-class>QCFWrapperCredentialsTest</servlet-class>
        <load-on-startup>1</load-on-startup>
    </servlet>
    <servlet-mapping id="ServletMapping_1">
        <servlet-name>QCFWrapperCredentialsTest</servlet-name>
        <url-pattern>/Test</url-pattern>
    </servlet-mapping>
    <resource-ref>
        <res-ref-name>jms/QCF</res-ref-name>
        <res-type>javax.jms.QueueConnectionFactory</res-type>
        <res-auth>Application</res-auth>
        <res-sharing-scope>Shareable</res-sharing-scope>
    </resource-ref>
</web-app>

And our test client:
import java.io.*;
import java.util.Properties;
import javax.jms.*;
import javax.naming.*;
import javax.servlet.http.*;

public class QCFWrapperCredentialsTest extends HttpServlet {
    // Cached JNDI resources, looked up once in init()
    QueueConnectionFactory factory = null;
    Queue queue = null;
    String jndiName = "java:comp/env/jms/QCF";
    String queueName = "jms/ColaEntradaConsultas";
    String user = "usuarioColas";
    String pwd = "12345678";
    String userjndi = "usuarioColas";
    String pwdjndi = "12345678";
    String serverT3URL = "t3://127.0.0.1:7007";

    public void init() {
        setupJNDIResources();
    }

    private void setupJNDIResources() {
        try {
            Properties props = new Properties();
            props.put("java.naming.factory.initial",
                    "weblogic.jndi.WLInitialContextFactory");
            props.put("java.naming.provider.url", serverT3URL);
            props.put("java.naming.security.principal", userjndi);// usr
            props.put("java.naming.security.credentials", pwdjndi);// pwd
            InitialContext ic = new InitialContext(props);
            factory = (QueueConnectionFactory) ic.lookup(jndiName);
            queue = (Queue) ic.lookup(queueName);
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    public void service(HttpServletRequest req, HttpServletResponse res) {
        res.setContentType("text/html");
        Writer wr = null;
        try {
            wr = res.getWriter();
            //Comment this out, do a lookup for each request and it will work
            //setupJNDIResources();
            String user = this.user;
            String pwd = this.pwd;
            //read users and passwords from the request in case they are present
            if (req.getParameter("user") != null) {
                user = req.getParameter("user");
            }
            if (req.getParameter("pwd") != null) {
                pwd = req.getParameter("pwd");
            }
            wr.write("JNDI User: *" + userjndi + "* y pwd: *" + pwdjndi + "*<p>");
            wr.write("Queue User: *" + user + "* y pwd: *" + pwd + "*<p>");
            //Obtain a connection using user/pwd
            QueueConnection conn = factory.createQueueConnection(user, pwd);
            QueueSession ses = conn.createQueueSession(true,
                    Session.SESSION_TRANSACTED);
            QueueSender sender = ses.createSender(queue);
            TextMessage msg = ses.createTextMessage();
            msg.setText("Hi there!");
            conn.start();
            sender.send(msg);
            ses.commit();
            sender.close();
            ses.close();
            conn.close();
        } catch (Exception e) {
            e.printStackTrace();
            try {
                wr.write(e.toString());
            } catch (Exception e2) {
                e2.printStackTrace();
            }
        } finally {
            try {
                // wr is still null if getWriter() itself failed
                if (wr != null) {
                    wr.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}

Edited by: user2525402 on Feb 9, 2010 7:14 PM
Thanks Tom,
Quite a useful response .-)
Leaving aside the fact that WebLogic behaviour with JMS wrappers and secured queues seems not to be working as the docs say...
Talking about workarounds:
Both workarounds you suggest work, but as you already noted, creating a new JNDI context just to inject credentials into the threads is overkill when high performance is needed.
I also found more information about the same issue here: http://sleeplessinslc.blogspot.com/2009/04/weblogic-jms-standalone-multi-threaded.html
And he suggests the same workaround, injecting credentials.
So I tried the second approach, successfully, injecting credentials into the thread using the security API.
This way, using JMS wrappers and injecting credentials into the thread we get the best performance available, caching resource using wrappers and using credentials in a somewhat efficient way.
Now the test snippet looks like this:
import java.io.*;
import java.security.PrivilegedAction;
import java.util.Properties;
import javax.jms.*;
import javax.naming.*;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import javax.servlet.http.*;
import weblogic.jndi.Environment;
import weblogic.security.auth.Authenticate;

public class JMSWrapperCredentialsTest extends HttpServlet {
    // Cached JNDI resources, looked up once in init()
    QueueConnectionFactory factory = null;
    Queue queue = null;
    String jndiName = "java:comp/env/jms/QCF";
    String queueName = "jms/ColaEntradaConsultas";
    String user = "usuarioColas";
    String pwd = "12345678";
    String userjndi = "usuarioColas";
    String pwdjndi = "12345678";
    String serverT3URL = "t3://127.0.0.1:7007";

    public void init() {
        setupJNDIResources();
    }

    private void setupJNDIResources() {
        try {
            Properties props = new Properties();
            props.put("java.naming.factory.initial",
                    "weblogic.jndi.WLInitialContextFactory");
            props.put("java.naming.provider.url", serverT3URL);
            props.put("java.naming.security.principal", userjndi);// usr
            props.put("java.naming.security.credentials", pwdjndi);// pwd
            InitialContext ic = new InitialContext(props);
            factory = (QueueConnectionFactory) ic.lookup(jndiName);
            queue = (Queue) ic.lookup(queueName);
        } catch (NamingException e) {
            e.printStackTrace();
        }
    }

    public void service(HttpServletRequest req, HttpServletResponse res) {
        final HttpServletRequest fReq = req;
        final HttpServletResponse fRes = res;
        // The whole request runs with the subject's credentials on the thread
        PrivilegedAction action = new java.security.PrivilegedAction() {
            public java.lang.Object run() {
                performRequest(fReq, fRes);
                return null;
            }
        };
        try {
            Subject subject = createSingleSubject(serverT3URL, user, pwd);
            weblogic.security.Security.runAs(subject, action);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    public void performRequest(HttpServletRequest req, HttpServletResponse res) {
        res.setContentType("text/html");
        Writer wr = null;
        try {
            wr = res.getWriter();
            //Comment this out, do a lookup for each request and it will work
            //setupJNDIResources();
            String user = this.user;
            String pwd = this.pwd;
            //read users and passwords from the request in case they are present
            if (req.getParameter("user") != null) {
                user = req.getParameter("user");
            }
            if (req.getParameter("pwd") != null) {
                pwd = req.getParameter("pwd");
            }
            wr.write("JNDI User: *" + userjndi + "* y pwd: *" + pwdjndi + "*<p>");
            wr.write("Queue User: *" + user + "* y pwd: *" + pwd + "*<p>");
            //Obtain a connection using user/pwd
            QueueConnection conn = factory.createQueueConnection(user, pwd);
            QueueSession ses = conn.createQueueSession(true,
                    Session.SESSION_TRANSACTED);
            QueueSender sender = ses.createSender(queue);
            TextMessage msg = ses.createTextMessage();
            msg.setText("Hi there!");
            conn.start();
            sender.send(msg);
            ses.commit();
            sender.close();
            ses.close();
            conn.close();
        } catch (Exception e) {
            e.printStackTrace();
            try {
                wr.write(e.toString());
            } catch (Exception e2) {
                e2.printStackTrace();
            }
        } finally {
            try {
                // wr is still null if getWriter() itself failed
                if (wr != null) {
                    wr.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    private Subject createSingleSubject(String providerUrl, String userName, String password) {
        Subject subject = new Subject();
        // Weblogic env class
        Environment env = new Environment();
        if (providerUrl != null) {
            env.setProviderUrl(providerUrl);
        }
        env.setSecurityPrincipal(userName);
        env.setSecurityCredentials(password);
        try {
            // Weblogic Authenticate class will populate and Seal the subject
            Authenticate.authenticate(env, subject);
            return subject;
        } catch (LoginException e) {
            throw new RuntimeException("Unable to Authenticate User", e);
        } catch (Exception e) {
            throw new RuntimeException("Error authenticating user", e);
        }
    }
}

Thanks a lot for the help
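A variation on the workaround in the post above, added here as an example (it is not the original poster's code or Oracle's): authenticate once at servlet start-up, keep the resulting Subject next to the cached wrapper factory and queue, and call Security.runAs per request. It uses only the WebLogic calls already shown in the post; the class name, the init-param names (queueUser, queuePassword, providerUrl) and the assumption that an authenticated Subject can be reused across request threads are assumptions of this example.

```java
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.jms.*;
import javax.naming.*;
import javax.security.auth.Subject;
import javax.servlet.ServletException;
import javax.servlet.http.*;
import weblogic.jndi.Environment;
import weblogic.security.Security;
import weblogic.security.auth.Authenticate;

// Added example (hypothetical class and init-param names), not the poster's code.
public class CachedSubjectJmsServlet extends HttpServlet {
    private QueueConnectionFactory factory; // JMS wrapper, looked up once
    private Queue queue;                    // looked up once
    private Subject queueSubject;           // authenticated once (assumed reusable across threads)
    private String queueUser, queuePwd;

    public void init() throws ServletException {
        // Credentials come from deployment configuration, not source code or request parameters.
        queueUser = getInitParameter("queueUser");
        queuePwd = getInitParameter("queuePassword");
        try {
            Environment env = new Environment();
            env.setProviderUrl(getInitParameter("providerUrl"));
            env.setSecurityPrincipal(queueUser);
            env.setSecurityCredentials(queuePwd);
            queueSubject = new Subject();
            Authenticate.authenticate(env, queueSubject); // same call as in the post
            Security.runAs(queueSubject, new PrivilegedExceptionAction<Object>() {
                public Object run() throws NamingException {
                    InitialContext ic = new InitialContext();
                    factory = (QueueConnectionFactory) ic.lookup("java:comp/env/jms/QCF");
                    queue = (Queue) ic.lookup("jms/ColaEntradaConsultas");
                    return null;
                }
            });
        } catch (Exception e) {
            throw new ServletException("JMS setup failed", e);
        }
    }

    protected void service(HttpServletRequest req, HttpServletResponse res) throws IOException {
        try {
            // Only the thread-credential injection happens per request.
            Security.runAs(queueSubject, new PrivilegedExceptionAction<Object>() {
                public Object run() throws JMSException {
                    send("Hi there!");
                    return null;
                }
            });
            res.getWriter().write("sent");
        } catch (PrivilegedActionException e) {
            log("JMS send failed", e.getException()); // details stay in the server log
            res.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
        }
    }

    private void send(String text) throws JMSException {
        QueueConnection conn = factory.createQueueConnection(queueUser, queuePwd);
        try {
            QueueSession ses = conn.createQueueSession(true, Session.SESSION_TRANSACTED);
            ses.createSender(queue).send(ses.createTextMessage(text));
            ses.commit();
        } finally {
            conn.close(); // closing the connection also closes its sessions and senders
        }
    }
}
```

Unlike the test servlet, this version does not read credentials from request parameters or echo them into the response, and the connection is closed even when the send fails.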
Similar Messages
-
How can we get ADFSecurity work when used in OC4J, OID and OAM?
I am getting error in http server log "mod_oc4j: Response status=499 and reason=Oracle SSO, but failed to get mod_osso global context."
But I am not using Oracle SSO and my client doesn't want to use it either, I am using OAM SSO(CoreIDSSO) in my configuration. Please read the details below.
I am using ADFSecurity in an app that is protected by OAM. To migrate ADFSecurity permissions from
system-jazn-data.xml to OID, I used JAZNMigrationTool to populate OID with Grantees and Permissions. OAM gives login page, and authentication works fine.
But ADFSecurity is not working. ADFComponent Delete button is enabled even for roles that don't have permissions for the iterator delete.
- The app works fine when I use without OAM. ADF Security permissions work fine.
- The app works fine when used with OAM, but with ADFSecurity disabled (enforce=false).
- When I enforce ADFSecurity along with OAM, ADFSecurity is not working.
In the doc "Oracle Containers for J2EE Security Guide b28957", there is a mention of use of CoreIDPrincipal for permissions. Our OID Permissions entries show
LDAPRealmRole for attribute orcljaznprincipal. I am not sure if this could be the reason.
We have configured AccessServerSDK for the SOA instance and have policy for the urls in the policy manager. We have entries in orion-application.xml, orion-web.xml and system-jazn-data.xml as per the documentations.
How can we get ADFSecurity work when used with OID and OAM?

Have you been able to successfully integrate OAS with OAM & OID? We have a similar requirement and so far we have not been able to get it working.
We have application specific roles which we map to OID roles using orion-application.xml.
Any pointers to achieve this would be greatly appreciated.
thanks,
Dipal -
After I installed the recent Apple security patch, I can no longer save PDFs when using Safari. And Firefox no longer can open website PDFs. Any suggestions?
Dansyacht wrote:
If the previous Safari suggestion doesn't work try the following:
In Finder, go to Macintosh HD/Library/Internet Plug-ins and move AdobePDFViewerNPAPI.plugin to the Disabled Plug-ins Folder. Restart Safari. If this works you may just want to delete that FUBAR plug-in.
Thanks. This was the solution for me.
Message was edited by: tvdowntown -
HT2188 I can hear caller but they can not hear me except when using speaker phone
I can hear caller but they can not hear me except when using speaker phone
First of all, make sure that your iPhone has the most recent iOS available. Check in "Settings>General>Software Update".
One other problem could be your microphone. Does it work for anything else other than a call?
Good-Luck!
kpower28
Please mark this as "solved my problem" or "helped me"! -
Why can I only make calls when using speakerphone?
I can only make phone calls when using the speaker phone or headphones. The receiver can hear me although I can not hear them. I have only had the phone since Sat, have checked volume levels and tried adjusting during a phone call too.
Try making a call and turning the volume up using the buttons on the side of the phone. If that doesn't work, your iPhone is faulty. Take it to the nearest apple store or back where you bought it!
-
What can replace Appleworks Drawing app when using OSX Mountain Lion?
What can replace Appleworks Drawing app when using OSX Mountain Lion?
Please see this page which examines the problem:
http://www.wilmut.webspace.virginmedia.com/notes/aw/page3.html -
How can I customize the toolbar when using the attribute browser
In CVI 2012, the toolbar changes depending on the environment, e.g. it is different for the source window and the UI editor. The toolbar can be customized using the menu Options / Toolbar...
Unfortunately, when using the attribute browser of the UI editor, another toolbar is displayed, i.e. not the UI editor toolbar.... I would have assumed that the attribute browser belongs to the UI editor, obviously it doesn't... So how can I customize the toolbar when using the attribute browser?
Luis,
It's nice to have you back
Thank you for the clarification, so I'll elaborate a bit more: In the regular workspace toolbar, I have a disk symbol to save the file. This symbol is gone in the attribute browser...
So I have three different toolbars, for source code (workspace), UI editor, and the UI editor displayed but the attribute browser clicked on (selected)...
Thanks
Wolfgang
Source code:
UI editor:
Attribute browser: -
Can't get my mail when I use the USB Ethernet adapter
I can't get my mail when I use the Apple USB Ethernet Adapter. If I use a wireless connection, there is no problem. The LAN which I'm trying to connect to is behind a proxy server but the Internet is working 100%.
Hi ViK,
This sounds like a question for the network administrator of the location. Without knowing how the proxy is set it's impossible to know what it's blocking (incoming/outgoing). It sounds like it might be filtering the incoming mail server. -
please help. my address bar has vanished. i have no idea how to retrieve it, so can only access bookmarked sites when using firefox.
Make sure that you do not run Firefox in Full Screen mode with all toolbars hidden.
* Press F11 to toggle full screen mode (Firefox/File > Full Screen)
If the menu bar is hidden then press the F10 key or hold down the Alt key, that should make the menu bar appear.
Make sure that toolbars like the "Navigation Toolbar" and the "Bookmarks Toolbar" are visible: "View > Toolbars"
* If items are missing then open the Customize window via "View > Toolbars > Customize" or via "Firefox > Options > Toolbar Layout" (Linux, Windows)
* If a missing item is in the toolbar palette then drag it back from the Customize window on the toolbar
* If you do not see an item on a toolbar and in the toolbar palette then click the "Restore Default Set" button to restore the default toolbar set up.
See also:
* http://kb.mozillazine.org/Toolbar_customization -
Revision: 1720
Author: [email protected]
Date: 2008-05-14 14:50:06 -0700 (Wed, 14 May 2008)
Log Message:
Bugs: LCDS-304 - Authentication not working in all cases when using security constraint with NIO endpoints.
QA: Yes
Doc: No
Details:
Update to the TomcatLoginCommand to work correctly with NIO endpoints.
Ticket Links:
http://bugs.adobe.com/jira/browse/LCDS-304
Modified Paths:
blazeds/branches/3.0.x/modules/opt/src/tomcat/flex/messaging/security/TomcatLoginCommand.java
-
I want to cache JNDI Look ups for Datasources/EJBs.
I am wondering if anyone would have a suggestion for me regarding speeding
up the time it takes to execute the following code snippets:
Context context = new InitialContext();
Object objectReference = context.lookup("someEJB");
It appears that the context.lookup is always quite a bit of time, even when
the client is running local to the EJB server.
Is there any way to serialize or "save" this lookup information so that
client apps that are looking for "someEJB" can use the saved information?
Thanks to all who will respond
Regards,
Raju ([email protected])

Please do not cross-post.
"Anjaneya Raju" <[email protected]> wrote in message
news:39994516$[email protected]..
> I want to cache JNDI Look ups for Datasources/EJBs.
> I am wondering if anyone would have a suggestion for me regarding speeding
> up the time it takes to execute the following code snippets:
> Context context = new InitialContext();
> Object objectReference = context.lookup("someEJB");
> It appears that the context.lookup is always quite a bit of time, even when
> the client is running local to the EJB server.
> Is there any way to serialize or "save" this lookup information so that
> client apps that are looking for "someEJB" can use the saved information?
> Thanks to all who will respond
> Regards,
> Raju ([email protected])
-
Can't access some sites when using Airport Express, why?
I'm using Windows 7 and my router is a wireless Apple Airport Express that is approximately two years old. Suddenly I can't access some sites (for example www.sthlm.friskissvettis.se, or www.vegetarian-shoes.co.uk, some streamed tv-shows on svtplay.se, and a number of other random sites) when connecting to internet with my router. It worked good until recently and I'm fairly sure this problem emerged when my ISP upgraded from 10/10mbit to 100/10mbit speed. Most other sites like facebook and google works fine.
When using my network cable to connect to internet everything works fine and I can access these sites.
Firmware is current and I've tried reseting the router to factory defaults.
Tried different browsers, and I can't ping the "blocked" sites either. Tracert www.sthlm.friskissvettis.se starts with 10.0.0.1 and continues through a number of long addresses until it says timeout. The last working address before timeout was sth-tcy-ipcore01-ge-0-2-0.neq.dgcsystems.net [83.241.252.13], if it matters. Tracert www.vegetarian-shoes.co.uk also eventually gives me a timeout.
When the network cable is plugged in, I still get timeout on tracert www.sthlm.friskissvettis.se even though I can access the site in Chrome. Weird. www.vegetarian-shoes.co.uk doesn't give me a tracert timeout when the cable is plugged in, and I can access the site as usual.
I've tried changing DNS servers to use opendns servers instead, but to no use.
I've tried pinging these two sites with a lower MTU packet size (with this method: http://www.richard-slater.co.uk/archives/2009/10/23/change-your-mtu-under-vista-or-windows-7/), but still can't access them through ping...
I don't know what to do anymore.... any suggestions???
Thanks

Hi Punice
first try to disable JavaScript from : Firefox button (or Tools menu) > Options > Content panel > '''UNcheck''' Enable JavaScript.
if the above does not help check with a few malware/virus scan programs for virus. You need to use all programs because each detects different malware. Make sure to update each program to get the latest version before doing a scan.
http://housecall.trendmicro.com/ - Trendmicro online
http://www.malwarebytes.org/mbam.php - Malwarebytes' Anti-Malware
http://www.superantispyware.com/ - SuperAntispyware
http://www.safer-networking.org/en/index.html - Spybot Search & Destroy
http://www.lavasoft.com/products/ad_aware_free.php - Ad-Aware Free
http://www.microsoft.com/windows/antivirus-partners/windows-xp.aspx
check also for a rootkit infection with TDSSKiller.
http://support.kaspersky.com/viruses/solutions?qid=208280684
thank you -
How can i set "Createdby" attribute When using Custom JheadStart Security
Hello
We do not use JASS for Authentication , please help us how can i set createtby attributes with jhs.username in application for any entity object?
thanks

See a similar question at History Attributes when using Custom Authentication Type
-
Can't get speaker sound when using Mophie battery case
Hello,
Is there a way to make my phone's speakers enable when using the Mophie? Just to explain, the Mophie is a battery pack case that has an Apple plug on the bottom. It works great and all, but my phone's speakers go off. Similar to using a docking clock/radio and the speaker will go through that device. The Mophie doesn't have its own speakers though, so I can't use the speakers as I use it.
Thanks!
-Rick

It shouldn't do that. Talk to the manufacturer. If it's shutting down the speakers on the phone, either your dock connector is dirty or the juice pack is defective.
-
Can I assign exchange rate when use MRKO?
Dear all:
I have met one question.
When I use MRKO to settle consignment stock withdraw, how can I assign exchange rate I do really need?
Thank you.

Sorry, I did not mean where to maintain the exchange rate.
I want to assign the exchange rate date when I use MRKO.
Ex: when I transfer the consignment stock into our own stock (mvt. 201 K or 411 K) on 4/30, and the vendor sends their invoice on 5/6. When I use MRKO, the exchange rate is referenced to 5/6, not 4/30. I want to know where I can configure this so that the MRKO exchange rate date is the stock GI date.
Thank you.