Redelivery settings not being applied - optimization

I'm trying to get the settings for redelivery of messages to work in a Red Hat environment that uses JBoss EAP 6.2, A-MQ 5.9 standalone and a resource adapter in between. The connection factory used is XaPooledConnectionFactory. The resource adapter is configured in the EAP standalone-full-ha.xml. The redelivery settings are set on the broker URL.
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
    <resource-adapters>
        <resource-adapter id="activemq-rar-5.9.0.redhat-610379.rar">
            <module slot="5.9.0.redhat-610379" id="org.apache.activemq"/>
            <transaction-support>XATransaction</transaction-support>
            <admin-objects>
                <admin-object class-name="org.apache.activemq.pool.XaPooledConnectionFactory" jndi-name="java:jboss/a/ConnectionFactory" enabled="true" use-java-context="true" pool-name="ConnectionFactory1">
                    <!-- a bare & is not well-formed XML: every option separator in the URL must be written as &amp; -->
                    <config-property name="brokerUrl">
                        failover:(tcp://localhost:36616,tcp://localhost:36616)?jms.prefetchPolicy.all=0&amp;jms.rmIdFromConnectionId=true&amp;jms.UserName=xxxxxxxx&amp;jms.Password=xxxxxxxx&amp;jms.redeliveryPolicy.useCollisionAvoidance=true&amp;jms.redeliveryPolicy.collisionAvoidancePercent=50&amp;jms.redeliveryPolicy.useExponentialBackOff=true&amp;jms.redeliveryPolicy.initialRedeliveryDelay=2000
                    </config-property>
                    <config-property name="tmFromJndi">
                        true
                    </config-property>
                </admin-object>
                <admin-object class-name="org.apache.activemq.pool.XaPooledConnectionFactory" jndi-name="java:jboss/b/ConnectionFactory" enabled="true" use-java-context="true" pool-name="ConnectionFactory2">
                    <config-property name="brokerUrl">
                        failover:(tcp://localhost:36616,tcp://localhost:36616)?jms.prefetchPolicy.all=0&amp;jms.rmIdFromConnectionId=true&amp;jms.UserName=xxxxxxxx&amp;jms.Password=xxxxxxxx&amp;jms.redeliveryPolicy.useCollisionAvoidance=true&amp;jms.redeliveryPolicy.collisionAvoidancePercent=50&amp;jms.redeliveryPolicy.useExponentialBackOff=true&amp;jms.redeliveryPolicy.initialRedeliveryDelay=2000
                    </config-property>
                    <config-property name="tmFromJndi">
                        true
                    </config-property>
                </admin-object>
            </admin-objects>
        </resource-adapter>
    </resource-adapters>
</subsystem>
When testing, messages are redelivered instantly with no regard to the initial 2-second delay or the exponential backoff.
When setting up a test project, however, I'm able to get the settings to work using an ordinary ActiveMQManagedConnectionFactory instead, as follows:
<resource-adapter id="activemq-rar-5.9.0.redhat-610379.rar">
    <archive>
        activemq-rar-5.9.0.redhat-610379.rar
    </archive>
    <transaction-support>XATransaction</transaction-support>
    <!-- resource-adapter level properties are applied to the ActiveMQResourceAdapter bean -->
    <config-property name="Password">
        xxxxxxxx
    </config-property>
    <config-property name="UserName">
        xxxxxxxx
    </config-property>
    <config-property name="InitialRedeliveryDelay">
        2000
    </config-property>
    <config-property name="MaximumRedeliveries">
        5
    </config-property>
    <config-property name="RedeliveryUseExponentialBackOff">
        true
    </config-property>
    <config-property name="RedeliveryBackOffMultiplier">
        2
    </config-property>
    <config-property name="ServerUrl">
        tcp://localhost:36616?jms.rmIdFromConnectionId=true
    </config-property>
    <connection-definitions>
        <connection-definition class-name="org.apache.activemq.ra.ActiveMQManagedConnectionFactory" jndi-name="java:/ConnectionFactory" enabled="true" pool-name="ConnectionFactory">
            <xa-pool>
                <min-pool-size>1</min-pool-size>
                <max-pool-size>20</max-pool-size>
                <prefill>false</prefill>
                <is-same-rm-override>false</is-same-rm-override>
            </xa-pool>
            <recovery>
                <recover-credential>
                    <user-name>xxxxxxxx</user-name>
                    <password>xxxxxxxx</password>
                </recover-credential>
            </recovery>
        </connection-definition>
    </connection-definitions>
    <admin-objects>
        <admin-object class-name="org.apache.activemq.command.ActiveMQQueue" jndi-name="java:/queue/HELLOWORLDMDBQueue" use-java-context="true" pool-name="HELLOWORLDMDBQueue">
            <config-property name="PhysicalName">
                HELLOWORLDMDBQueue
            </config-property>
        </admin-object>
        <admin-object class-name="org.apache.activemq.command.ActiveMQTopic" jndi-name="java:/topic/HELLOWORLDMDBTopic" use-java-context="true" pool-name="HELLOWORLDMDBTopic">
            <config-property name="PhysicalName">
                HELLOWORLDMDBTopic
            </config-property>
        </admin-object>
    </admin-objects>
</resource-adapter>
I'm not setting these settings programmatically anywhere in any of the projects. I need to use the XaPooledConnectionFactory, preferably with a configuration similar to the first if possible, but with redelivery settings that actually get applied. Are there any known issues with the XaPooledConnectionFactory regarding this? Or with sending parameters through the AMQ URL in general? Putting the properties from the test project into my XaPooled project makes no difference.
Thanks in advance!

According to the "Passing extra options to the nested URLs." section of http://activemq.apache.org/failover-transport-reference.html, any parameters you want to pass through the failover: transport into the underlying transport URIs should be prefixed with "nested." (the dot is part of the prefix). I haven't done this myself, so I can't say for sure that it's right, but it's definitely a place to start.
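Independently of the nested. question, it is worth establishing whether the jms.* options are being parsed at all. The check below is an added example, not part of the original question or answer: it builds the same XaPooledConnectionFactory class that the admin-object declares, feeds it the brokerUrl from the question with the credentials removed, and reads back the RedeliveryPolicy that the wrapped ActiveMQConnectionFactory builds from the jms.redeliveryPolicy.* options (ActiveMQConnectionFactory strips jms.* options from the URL and applies them to itself; the rest of the URL goes to the transport). If the printed values match the URL, the options do reach the factory and the question becomes how the consumer applies the policy on rollback; if they are the defaults, the URL is not being parsed the way the question assumes. It needs activemq-client and activemq-pool 5.9.x on the classpath and does not contact a broker.

```java
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.RedeliveryPolicy;
import org.apache.activemq.pool.XaPooledConnectionFactory;

/**
 * Reads back the RedeliveryPolicy produced by the jms.* options in a brokerUrl,
 * using the same factory class and setter the resource-adapter subsystem uses
 * for the admin-object's config-property "brokerUrl".
 */
public class RedeliveryPolicyCheck {

    // URL from the question with the credentials left out (they play no part in option parsing).
    static final String BROKER_URL =
        "failover:(tcp://localhost:36616,tcp://localhost:36616)"
        + "?jms.prefetchPolicy.all=0"
        + "&jms.rmIdFromConnectionId=true"
        + "&jms.redeliveryPolicy.useCollisionAvoidance=true"
        + "&jms.redeliveryPolicy.collisionAvoidancePercent=50"
        + "&jms.redeliveryPolicy.useExponentialBackOff=true"
        + "&jms.redeliveryPolicy.initialRedeliveryDelay=2000";

    /** Mirrors what the subsystem does: setBrokerUrl wraps a new ActiveMQ (XA) connection factory. */
    static ActiveMQConnectionFactory innerFactory(String brokerUrl) {
        XaPooledConnectionFactory pooled = new XaPooledConnectionFactory();
        pooled.setBrokerUrl(brokerUrl);   // a misspelled jms.* option makes this throw IllegalArgumentException
        return (ActiveMQConnectionFactory) pooled.getConnectionFactory();
    }

    public static void main(String[] args) {
        ActiveMQConnectionFactory factory = innerFactory(BROKER_URL);
        RedeliveryPolicy policy = factory.getRedeliveryPolicy();

        // jms.* options are consumed by the factory; what is left is handed to the transport.
        System.out.println("transport URL             : " + factory.getBrokerURL());
        System.out.println("initialRedeliveryDelay    : " + policy.getInitialRedeliveryDelay());
        System.out.println("redeliveryDelay           : " + policy.getRedeliveryDelay());  // separate setting, used from the 2nd attempt on
        System.out.println("useExponentialBackOff     : " + policy.isUseExponentialBackOff());
        System.out.println("backOffMultiplier         : " + policy.getBackOffMultiplier());
        System.out.println("useCollisionAvoidance     : " + policy.isUseCollisionAvoidance());
        System.out.println("collisionAvoidancePercent : " + policy.getCollisionAvoidancePercent());
        System.out.println("maximumRedeliveries       : " + policy.getMaximumRedeliveries());

        // The client-side schedule: the first rollback waits initialRedeliveryDelay, each later one
        // asks the policy for the next delay based on the previous one (backoff and jitter applied).
        long delay = 0;
        for (int attempt = 1; attempt <= 5; attempt++) {
            delay = (attempt == 1) ? policy.getInitialRedeliveryDelay()
                                   : policy.getNextRedeliveryDelay(delay);
            System.out.println("redelivery " + attempt + " would wait about " + delay + " ms");
        }
    }
}
```

Note that the Java string above uses plain `&` because it is not XML; in standalone-full-ha.xml the same separators have to be written as `&amp;`.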

Related

JBoss EAP 6 standalone.xml - what pooling settings I am using if only pool name is defined but not <xa-pool>/<pool>?

What pooling config is used if my standalone.xml is like below? Notice that only pool name is defined, but no <xa-pool> or <pool>. Thanks.
Are there any default values, or no pooling is actually used? What can I search in the logs?
<subsystem xmlns="urn:jboss:domain:resource-adapters:1.1">
    <resource-adapters>
        <resource-adapter id="activemq-ra.rar">
            <archive>activemq-ra.rar</archive>
            <transaction-support>XATransaction</transaction-support>
            <config-property name="ServerUrl">
                ${jms.broker.url:tcp://amq:61616?jms.rmIdFromConnectionId=true}
            </config-property>
            <config-property name="UserName">
                ${jms.user:foo}
            </config-property>
            <config-property name="Password">
                ${jms.password:bar}
            </config-property>
            <connection-definitions>
                <connection-definition class-name="org.apache.activemq.ra.ActiveMQManagedConnectionFactory"
                                       jndi-name="java:/AMQConnectionFactory" pool-name="ActiveMQConnectionFactoryPool">
                </connection-definition>
            </connection-definitions>
        </resource-adapter>
...

Wildfly 20 - Admin ManagementRealm (security-realm) on ldap SSL

I configured a WildFly 20 and I have a problem with the ManagementRealm (security-realm) on LDAP over SSL.
With LDAP it's OK, but as soon as I switch to ldaps the authentication no longer works.
The login window opens and whatever account I enter (valid or not) I am sent back to the "Connect to Management Interface" screen (practically blank).
And I have no errors in any log.
I tried WildFly 19 and 20, on CentOS 8.
The truststore does exist; I added it to the startup variables (as well as its password).
Here is an excerpt from my standalone.xml file:
<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local" skip-group-loading="true"/>
            <ldap connection="ldap_connection" base-dn="OU=Utilisateurs,DC=org">
                <!-- the LDAP AND operator must be escaped as &amp; inside an XML attribute -->
                <advanced-filter filter="(&amp;(sAMAccountName={0})(memberOf=CN=APP-ADMIN,OU=Utilisateurs,DC=org))"/>
            </ldap>
            <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="XXX" />
        </authentication>
        <authorization map-groups-to-roles="false">
            <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
    <security-realm name="LdapSSLRealm">
        <authentication>
            <truststore path="truststore.jks" relative-to="jboss.server.config.dir" keystore-password="XXX" />
        </authentication>
    </security-realm>
</security-realms>
<outbound-connections>
    <ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX"/>
</outbound-connections>
If anyone has an idea I would appreciate it.
A little late but I believe you have to also reference the security realm (containing the ref to the trust store) in your <outbound-connection />:
<outbound-connections>
    <!-- security-realm is what makes the outbound LDAP connection use LdapSSLRealm's truststore -->
    <ldap name="ldap_connection" url="ldaps://serveurad:636" search-dn="user" search-credential="XXX" security-realm="LdapSSLRealm"/>
</outbound-connections>
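Added example, not part of the original question or answer: because the management login reports nothing in any log, a quick way to see the real failure is a plain JNDI bind to the same ldaps:// URL with the same search account, trusting only the truststore from the security realm. The bind password, truststore path and store password are placeholders. Run it with the JDK WildFly runs on: since JDK 8u181 the JNDI LDAP client also checks that the certificate names the host in the URL, so a certificate issued to a different name fails here exactly as it does inside the server.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Stand-alone LDAPS bind with the truststore and search account that the
 * outbound-connection gives WildFly. A trust, hostname or credential problem
 * that the management console swallows shows up here as the root cause.
 */
public class LdapsBindCheck {

    /**
     * Returns null when the simple bind succeeds, otherwise the root cause
     * (typically an SSLHandshakeException, a CertificateException, or a
     * javax.naming.AuthenticationException).
     */
    static Throwable tryBind(String url, String bindDn, String password,
                             String trustStorePath, String trustStorePassword) {
        if (password == null || password.isEmpty()) {
            // An empty password turns a simple bind into an anonymous bind, which most
            // directories (AD included) accept, so the check would report a false success.
            throw new IllegalArgumentException("refusing to bind with an empty password");
        }
        // Same trust material WildFly gets via the security-realm's <truststore>;
        // must be set before the JVM initialises its default SSL context.
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);                 // ldaps:// means TLS from the first byte
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("com.sun.jndi.ldap.connect.timeout", "5000");

        DirContext ctx = null;
        try {
            ctx = new InitialDirContext(env);               // TCP connect, TLS handshake, then bind
            return null;
        } catch (NamingException e) {
            return e.getRootCause() != null ? e.getRootCause() : e;
        } finally {
            if (ctx != null) {
                try { ctx.close(); } catch (NamingException ignored) { }
            }
        }
    }

    public static void main(String[] args) {
        // URL and search-dn are the ones from the question; password and store values are assumed.
        String password = args.length > 0 ? args[0] : "XXX";
        String trustStore = System.getProperty("jboss.server.config.dir", ".") + "/truststore.jks";
        Throwable failure = tryBind("ldaps://serveurad:636", "user", password, trustStore, "XXX");
        if (failure == null) {
            System.out.println("LDAPS bind OK: certificate chain and credentials accepted");
        } else {
            System.out.println("LDAPS bind FAILED: " + failure);
            // "PKIX path building failed"           -> the AD certificate (or its CA) is not in the truststore
            // CertificateException about SAN names  -> the certificate does not name the host in the URL
            // AuthenticationException               -> TLS is fine; the search account's DN or password is wrong
        }
    }
}
```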

Let webservice use SSL

With WildFly 8.2.1, I am trying to make an existing web service (JAX-WS) use SSL, but I haven't seen any use of SSL in the quickstarts and the information I was able to google is limited. So far I've added this to web.xml:
<security-constraint>
    <display-name>Foo security</display-name>
    <web-resource-collection>
        <web-resource-name>FooService</web-resource-name>
        <url-pattern>/foo/FooService</url-pattern>
        <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
and this is in my standalone.xml:
<subsystem xmlns="urn:jboss:domain:webservices:1.2">
    <wsdl-host>${jboss.bind.address:127.0.0.1}</wsdl-host>
    <endpoint-config name="Standard-Endpoint-Config"/>
    <endpoint-config name="Recording-Endpoint-Config">
        <pre-handler-chain name="recording-handlers" protocol-bindings="##SOAP11_HTTP ##SOAP11_HTTP_MTOM ##SOAP12_HTTP ##SOAP12_HTTP_MTOM">
            <handler name="RecordingHandler" class="org.jboss.ws.common.invocation.RecordingServerHandler"/>
        </pre-handler-chain>
    </endpoint-config>
    <client-config name="Standard-Client-Config"/>
</subsystem>
but apparently that's not enough; when I look into standalone/data/wsdl/foo.ear/foo.war/FooService/Bar.wsdl I see:
<service name="FooService">
    <port binding="foowsb:FooBinding" name="FooBinding">
        <soap:address location="http://localhost:8080/foo/FooService"/>
    </port>
</service>
Note that in the EAR/WAR, the soap:address.location is filled just with a placeholder (I suppose that the value is ignored).
I've found some info about setting up security realm, and creating the self-signed certificate using keytool (which I did), but I completely miss how this should be linked together.
I've also tried to set up wsdl-uri-scheme=https, but this is supported only in later versions of CXF.
It seems that the soap:address location value is not ignored when it's being replaced, since changing it from REPLACE_WITH_ACTUAL_URL to https://REPLACE_WITH_ACTUAL_URL did the trick - now the service is exposed on https://localhost:8443.
There are a couple more steps I had to do in standalone.xml: in undertow, add an https-listener:
<https-listener name="secure" socket-binding="https" security-realm="SslRealm"/>
define the SslRealm:
<security-realm name="SslRealm">
    <server-identities>
        <ssl>
            <keystore path="foo.keystore" relative-to="jboss.server.config.dir" keystore-password="foo1234" alias="foo" key-password="foo1234"/>
        </ssl>
    </server-identities>
    <authentication>
        <truststore path="foo.truststore" relative-to="jboss.server.config.dir" keystore-password="foo1234"/>
    </authentication>
</security-realm>
Note that I reuse the same keystore for server and clients here. And since my clients are at the moment in the same WF node during development, I had to set up the client-side part there, too:
<system-properties>
    <property name="javax.net.ssl.trustStore" value="${jboss.server.config.dir}/foo.keystore"/>
    <property name="javax.net.ssl.trustStorePassword" value="foo1234"/>
    <property name="org.jboss.security.ignoreHttpsHost" value="true"/>
</system-properties>
The last property should be replaced in WF 9+ with cxf.tls-client.disableCNCheck.
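The last of the steps above switches hostname verification off (ignoreHttpsHost, later disableCNCheck), after which the client accepts any certificate it trusts no matter which host presents it. The class below is an added example and not code from the original answer: it configures trust per JAX-WS proxy through CXF's HTTPConduit (WildFly's JAX-WS implementation), loading the foo.truststore the answer created, and leaves the CN check on. That works as long as the self-signed certificate's CN or SAN carries the host name used in the endpoint URL (localhost in the answer), which keytool can do at generation time. FooService and FooPort in the usage comment are placeholders for whatever wsimport generated from the WSDL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.xml.ws.BindingProvider;
import org.apache.cxf.configuration.jsse.TLSClientParameters;
import org.apache.cxf.endpoint.Client;
import org.apache.cxf.frontend.ClientProxy;
import org.apache.cxf.transport.http.HTTPConduit;

/**
 * Per-proxy TLS setup for a JAX-WS client on WildFly's CXF stack. Trust comes
 * from an explicit truststore and the CN/SAN check stays on, so neither the
 * javax.net.ssl.* system properties nor ignoreHttpsHost/disableCNCheck are needed.
 *
 * Usage (FooService/FooPort stand in for the wsimport-generated classes):
 *   FooPort port = new FooService().getFooBinding();
 *   TlsClientSetup.useHttps(port, "https://localhost:8443/foo/FooService",
 *       TlsClientSetup.trustManagersFrom(configDir + "/foo.truststore", "foo1234".toCharArray()));
 */
public final class TlsClientSetup {

    private TlsClientSetup() { }

    /** Builds trust managers from a JKS truststore holding the server certificate or its CA. */
    public static TrustManager[] trustManagersFrom(String path, char[] storePassword) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, storePassword);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        return tmf.getTrustManagers();
    }

    /**
     * Points the proxy at the HTTPS endpoint and attaches the trust managers to its
     * HTTP conduit. disableCNCheck is left false, so the certificate's CN or SAN has
     * to match the host in the endpoint URL; a trusted certificate for another host
     * is still rejected.
     */
    public static <T> T useHttps(T port, String endpoint, TrustManager[] trust) {
        ((BindingProvider) port).getRequestContext()
            .put(BindingProvider.ENDPOINT_ADDRESS_PROPERTY, endpoint);
        Client client = ClientProxy.getClient(port);
        HTTPConduit conduit = (HTTPConduit) client.getConduit();
        TLSClientParameters tls = new TLSClientParameters();
        tls.setTrustManagers(trust);
        tls.setDisableCNCheck(false);
        conduit.setTlsClientParameters(tls);
        return port;
    }
}
```

Because the trust managers are attached to one conduit rather than to the JVM, a second client in the same server can trust a different store, and a certificate that only matches after the CN check is disabled fails loudly instead of being silently accepted.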

Accessing Multiple web applications on Jboss7 or Wildfly

I know we can deploy multiple web applications on JBoss 7 or WildFly. But how can we access different web applications on different ports? Where do we set that port for a web application?
For example,
application1 is accessible on x.x.x.x:8080
application2 is accessible on x.x.x.x:30000
application3 is accessible on x.x.x.x:35000
In your standalone.xml you have to set up a different server and host for each application.
<subsystem xmlns="urn:jboss:domain:undertow:1.2">
    <server name="server1">
        <http-listener name="default" socket-binding="http-server1"/>
        <host name="webapp1" default-web-module="webapp1.war" alias="webapp1.com">
        </host>
    </server>
    <server name="server2">
        <http-listener name="default" socket-binding="http-server2"/>
        <host name="webapp2" default-web-module="webapp2.war" alias="webapp2.com">
        </host>
    </server>
    <!-- Other Settings -->
</subsystem>
For the socket bindings:
<socket-binding-group name="standard-sockets" default-interface="public" port-offset="${jboss.socket.binding.port-offset:0}">
    <!-- Give each listener its own system property (the names are arbitrary); resolving both
         from jboss.http.port would put them on the same port as soon as that property is set. -->
    <socket-binding name="http-server1" port="${jboss.http.server1.port:8080}"/>
    <socket-binding name="http-server2" port="${jboss.http.server2.port:8081}"/>
    <!-- Other ports -->
</socket-binding-group>
And then finally, you can have your .war files in the deployments directory but for configurations like this I sometimes find it easier to set the runtime names explicitly:
<deployments>
    <deployment name="webapp1" runtime-name="webapp1.war">
        <fs-archive path="/path/to/webapp1.war" />
    </deployment>
    <deployment name="webapp2" runtime-name="webapp2.war">
        <fs-archive path="/path/to/webapp2.war" />
    </deployment>
</deployments>

JBoss Wildfly - Authentication of Web App against LDAP

I have a security domain defined in jboss-web.xml as below:
<jboss-web>
    <security-domain>java:/jaas/my_ldap_security_domain</security-domain>
    <disable-audit>true</disable-audit>
</jboss-web>
I also have this defined in my standalone.xml:
<subsystem xmlns="urn:jboss:domain:security:1.2">
    <security-domains>
        <security-domain name="my_ldap_security_domain" cache-type="default">
            <authentication>
                <login-module code="LdapExtended" flag="sufficient">
                    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
                    <module-option name="java.naming.provider.url" value="ldaps://xxx.xxx.xxx.xxx:yyyy"/>
                    <module-option name="java.naming.security.authentication" value="simple"/>
                    <module-option name="bindDN" value="temp#my.domain"/>
                    <module-option name="bindCredential" value="mypass"/>
                    <module-option name="baseCtxDN" value="DC=my,DC=domain"/>
                    <module-option name="baseFilter" value="(uid={0})"/>
                    <module-option name="rolesCtxDN" value="DC=my,DC=domain"/>
                    <module-option name="roleFilter" value="(uniquemember={1})"/>
                    <module-option name="roleAttributeID" value="cn"/>
                    <module-option name="searchScope" value="SUBTREE_SCOPE"/>
                    <module-option name="roleRecursion" value="0"/>
                    <!-- keep this false: with true an empty password becomes an anonymous LDAP bind,
                         which most directories accept, so any known username would log in -->
                    <module-option name="allowEmptyPasswords" value="false"/>
                </login-module>
            </authentication>
        </security-domain>
    </security-domains>
</subsystem>
The only realms present in my standalone.xml are:
<security-realms>
    <security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local" skip-group-loading="true"/>
            <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        <authorization map-groups-to-roles="false">
            <properties path="mgmt-groups.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
    <security-realm name="ApplicationRealm">
        <authentication>
            <local default-user="$local" allowed-users="*" skip-group-loading="true"/>
            <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
        <authorization>
            <properties path="application-roles.properties" relative-to="jboss.server.config.dir"/>
        </authorization>
    </security-realm>
</security-realms>
I did not mention it before because I presumed that these security realms were meant to authenticate application server console access. Sorry for that.
My question is how to create a JSF 2 login page that authenticates against what is defined above. I have read a lot of articles about it but I am still in the same place, because most articles use a fake authentication as an example (comparing with static strings instead of showing how to consult an LDAP server).
Can anyone help me?
I presumed that these security realms were meant to authenticate application server console access
You're partially correct there. The name="ManagementRealm" does indeed specify a realm config for accessing admin functions. name="ApplicationRealm" would be the attribute to specify for securing a web application.
Your current realm config is missing some things necessary for LDAP authentication. I presume you're already familiar with the login-form configuration in web.xml. Your realm configuration should look something like the following, an excerpt from the WildFly 8 Realm Configuration Manual:
<management>
  <security-realms>
    <security-realm name="ApplicationRealm">
      <authentication>
        <ldap connection="EC2" base-dn="CN=Users,DC=darranl,DC=jboss,DC=org">
          <username-filter attribute="sAMAccountName" />
        </ldap>
      </authentication>
    </security-realm>
  </security-realms>
</management>
Where the <ldap> tag specifies that your lookup is against an LDAP server. Beyond this, you only need to follow the standard auth methods for a Java EE application.
The takeaway from this should be that web application security within JavaEE generally takes the same approach of
Setting up a realm (App-server specific)
Setting up security constraints in web.xml (uniform across all JavaEE applications)
Implementing a login method (Configuration or Programmatic)
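Added example, not code from the original answer: a JSF 2 backing bean that does the "programmatic" variant of the last step with HttpServletRequest.login, which hands the credentials to the container and therefore to the security domain referenced in jboss-web.xml (the LdapExtended module in the question), so the page itself never talks to LDAP and never holds the bind account. The bean name, form field names and navigation outcomes are assumptions; changeSessionId() needs Servlet 3.1, which WildFly 8 provides.

```java
import javax.enterprise.context.RequestScoped;
import javax.faces.application.FacesMessage;
import javax.faces.context.ExternalContext;
import javax.faces.context.FacesContext;
import javax.inject.Named;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;

/**
 * Backing bean for a JSF 2 login page. The container validates the credentials
 * against the security domain named in jboss-web.xml, so no LDAP code and no
 * bind credentials live in the application.
 *
 * login.xhtml (not shown) binds:
 *   <h:inputText     value="#{loginBean.username}"/>
 *   <h:inputSecret   value="#{loginBean.password}"/>
 *   <h:commandButton value="Login" action="#{loginBean.login}"/>
 */
@Named("loginBean")
@RequestScoped
public class LoginBean {

    private String username;
    private String password;

    /** Command-button action; returns the navigation outcome, or null to stay on the page. */
    public String login() {
        FacesContext facesContext = FacesContext.getCurrentInstance();
        ExternalContext externalContext = facesContext.getExternalContext();
        HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
        try {
            if (request.getUserPrincipal() != null) {
                request.logout();                      // never stack a new identity on an old one
            }
            request.login(username, password);         // delegated to the security domain; throws on failure
            request.getSession(true);
            request.changeSessionId();                 // Servlet 3.1: a fresh id after login blocks session fixation
            return "/secure/home?faces-redirect=true"; // assumed landing page
        } catch (ServletException e) {
            // One message for "unknown user" and "wrong password": do not reveal which it was.
            facesContext.addMessage(null,
                new FacesMessage(FacesMessage.SEVERITY_ERROR, "Login failed", null));
            return null;
        } finally {
            password = null;                           // do not keep the credential in the bean
        }
    }

    /** Logout link action: drop the container identity and the whole session. */
    public String logout() {
        ExternalContext externalContext = FacesContext.getCurrentInstance().getExternalContext();
        HttpServletRequest request = (HttpServletRequest) externalContext.getRequest();
        try {
            request.logout();
        } catch (ServletException e) {
            // nothing to undo; the session is invalidated below regardless
        }
        externalContext.invalidateSession();
        return "/login?faces-redirect=true";           // assumed login page
    }

    public String getUsername() { return username; }
    public void setUsername(String username) { this.username = username; }
    public String getPassword() { return password; }
    public void setPassword(String password) { this.password = password; }
}
```

The login page itself must be reachable without authentication (outside any security-constraint in web.xml, or listed as the form-login-page), and the post-login redirect is what makes the browser pick up the new session id.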
Related
Java EE 6 Programmatic security, glassfish and JDBC realm
How to properly logout of a Java EE 6 Web Application after logging in
Performing user authentication in Java EE / JSF using j_security_check