Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support secure JMS queue access on WebLogic [SPR-2941] #7627

Closed
spring-projects-issues opened this issue Dec 12, 2006 · 9 comments
Closed

Support secure JMS queue access on WebLogic [SPR-2941] #7627

spring-projects-issues opened this issue Dec 12, 2006 · 9 comments
Assignees
Labels
in: messaging Issues in messaging modules (jms, messaging)

Comments

@spring-projects-issues
Copy link
Collaborator

spring-projects-issues commented Dec 12, 2006

sven Gaubert opened SPR-2941 and commented

When a JMS queue is secured in Weblogic 8.1 / 9.1 / 9.2, the Spring JMS framework cannot send a JMS message, even if all security's information are defined in the JNDI Context.

Spring proposes an adapter (org.springframework.jms.connection.UserCredentials ConnectionFactoryAdapter) to fix this issue, but it doesn't work with Weblogic.
This issue has also been described by another user on this topic:
http://forum.springframework.org/showthread.php?p=90141#post90141

The workaround is to reinitialize the JNDI context before calling the JMSTemplate.send method.


Affects: 1.2.7, 1.2.8

Attachments:

Issue Links:

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Dec 12, 2006

Juergen Hoeller commented

Why exactly doesn't UserCredentialsConnectionFactoryAdapter work in your scenario? It should simply adapt the specified username and password onto the target ConnectionFactory... The target ConnectionFactory can be a standard JNDI lookup here (without any double lookup or the like).

Juergen

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Dec 12, 2006

sven Gaubert commented

Here is the Weblogic error message received to the JMS Sender

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Dec 12, 2006

sven Gaubert commented

The Spring config file used.

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Dec 12, 2006

sven Gaubert commented

Hi Juergen,

Here is the Weblogic error message received by the client, and the Spring context used. Sorry for the paste files in the mail, but I met firewall issues.

As you can see, when I used UserCredentialsConnectionFactoryAdapter, I've got "weblogic.jms.common.JMSSecurityException: Access denied to resource".
If I don't use the UserCredentialsConnectionFactoryAdapter, and I reinitialize the JNDI Context before calling the jmsTemplate.send methods, it works fine.

I've also tested the JMS Access with a simple JMS Client (without Spring framwork) and everything works fine.

Looking on the forum, I've found this old thread:
http://forum.springframework.org/showthread.php?p=90141#post90141
from a guy who's met the same issue with Weblogic 8.1. and the UserCredentialsConnectionFactoryAdapter workaround doesn't work in his case.

Thanks & Regards,

Sven

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Dec 13, 2006

sven Gaubert commented

Hi Juergen,

I have also reproduced this issue with Spring 2.0-rc3.

Thanks & Regards,

Sven

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Dec 23, 2006

Juergen Hoeller commented

So this looks like we simply need to create a new InitialContext with credentials right before each JMS operation... not actually use that InitialContext, just create it for some implicit binding to the current thread? That's a bit odd, but well, if it works...

To keep the InitialContext creation effort low, you could simply do this for each "createConnection()" call on the ConnectionFactory. You could build your own ConnectionFactory decorator that does this, similar to the UserCredentialsDataSourceAdapter that we provide out of the box. I'm a bit hesitant to include such a JNDI-initializing decorator in Spring proper, since this workaround really seems to be very specific to WebLogic's JNDI behavior...

FWIW, the WebLogic JMS documentation says that there are different ways of authorization: http://edocs.bea.com/wls/docs92/jms/j2ee.html#wp1309970
It suggests to declare the ConnectionFactory's <resource-ref> with <res-auth> set to "Application", in which case "ConnectionFactory.createConnection(username, password)" is supposed to work, which in turn means that Spring's UserCredentialsDataSourceAdapter should work as well! It would be great if you could give that a try...

If there's anything clean that we can do in Spring to make JMS authorization easier on WebLogic, we'll of course do that. However, it doesn't look like this is necessary, since the WebLogic JMS documentation suggests that the credentials should really be set up in the resource-ref configuration, keeping authorization transparent to the application - which looks like a proper solution to me.

Juergen

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Jan 9, 2007

sven Gaubert commented

Hi Juergen and happy New Year !

I've tried the proposed workaround with a simple servlet, without success.

Furthermore, this workaround is not applicable for our JUnit tests, and from my point of view, the fact to put the QCF jndi name into web.xml is against Spring philosophy.

This issue doesn't seem to come from the Spring framework. I will contact Weblogic to see if they can provide me any patch.

I will keep you updated.

Thanks a lot for your help,

Sven

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Jan 21, 2007

Juergen Hoeller commented

Closed for the time being, assuming that this needs to be addressed within WLS, through a fix or through corresponding WLS configuration.

To be reopened if there's anything we can do within Spring, in line with how BEA recommend to solve this.

Juergen

@spring-projects-issues
Copy link
Collaborator Author

spring-projects-issues commented Jun 17, 2009

Troy Harris commented

I don't believe this issue is resolved. Another related bug was opened a year later and the flag "exposeAccessContext" was implemented in JndiObjectFactory as a resolution but this produces exceptions outlined at the conclusion of #9397 any by at least one other user in:

http://forum.springsource.org/showthread.php?t=63338

It would be great to get this working through Spring configuration without adding java code (even if the problem does stem from WLS model).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
in: messaging Issues in messaging modules (jms, messaging)
Projects
None yet
Development

No branches or pull requests

2 participants