Bug 1100818 - Using Vaulted Password in MDB annotation causes repeating ERROR/WARN messages with "HQ119031: Unable to validate user"
Status: CLOSED EOL
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: EJB
Version: 6.2.2
Hardware: Unspecified
OS: Unspecified
Assignee: Jeff Mesnil
QA Contact: Jan Martiska
Reported: 2014-05-23 14:05 UTC by Masafumi Miura
Modified: 2019-08-19 12:49 UTC (History)

Last Closed: 2019-08-19 12:49:32 UTC
Type: Enhancement
Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | WFLY-3447 | 0 | Major | Closed | Support vaulted attribute in MDB activation config property | 2018-02-15 03:10:13 UTC |

Description Masafumi Miura 2014-05-23 14:05:08 UTC
### Description of problem:

When using a vaulted password in the @MessageDriven annotation to encrypt the JMS user's password, HornetQ repeatedly throws ERROR and WARN messages with "HQ119031: Unable to validate user".

I followed the security guide[1] to configure the keystore and standalone-full.xml for the vault password. I then modified helloworld-mdb in the quickstarts as shown in [2]. After that, I saw the following ERROR[3] and WARN[4] messages repeating in server.log.


[1] https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Security_Guide/index.html#sect-Password_Vaults_for_Sensitive_Strings

[2] Specify the vault in the @MessageDriven annotation of HelloWorldQueueMDB and HelloWorldTopicMDB in JBoss EAP 6.2 QuickStarts "helloworld-mdb":

```java
@MessageDriven(name = "HelloWorldQueueMDB", activationConfig = {
        @ActivationConfigProperty(propertyName = "destinationType", propertyValue = "javax.jms.Queue"),
        @ActivationConfigProperty(propertyName = "destination", propertyValue = "queue/HELLOWORLDMDBQueue"),
        @ActivationConfigProperty(propertyName = "user", propertyValue = "quickstartUser"),
        //@ActivationConfigProperty(propertyName = "password", propertyValue = "quickstartPwd1!"),
        @ActivationConfigProperty(propertyName = "password", propertyValue = "VAULT::quickstartUser::password::1"),
        @ActivationConfigProperty(propertyName = "acknowledgeMode", propertyValue = "Auto-acknowledge") })
public class HelloWorldQueueMDB implements MessageListener {
...
```

[3] ERROR [org.hornetq.core.server] (Thread-3 (HornetQ-remoting-threads-HornetQServerImpl::serverUUID=4af9c131-e280-11e3-96bf-a1212111030e-818218119-1454134292)) HQ224018: Failed to create session: HornetQException[errorType=SECURITY_EXCEPTION message=HQ119031: Unable to validate user: quickstartUser]
	at org.hornetq.core.security.impl.SecurityStoreImpl.authenticate(SecurityStoreImpl.java:146) [hornetq-server-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.server.impl.HornetQServerImpl.createSession(HornetQServerImpl.java:964) [hornetq-server-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.protocol.core.impl.HornetQPacketHandler.handleCreateSession(HornetQPacketHandler.java:151) [hornetq-server-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.protocol.core.impl.HornetQPacketHandler.handlePacket(HornetQPacketHandler.java:78) [hornetq-server-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.protocol.core.impl.ChannelImpl.handlePacket(ChannelImpl.java:631) [hornetq-core-client-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.protocol.core.impl.RemotingConnectionImpl.doBufferReceived(RemotingConnectionImpl.java:547) [hornetq-core-client-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.protocol.core.impl.RemotingConnectionImpl.bufferReceived(RemotingConnectionImpl.java:523) [hornetq-core-client-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.remoting.server.impl.RemotingServiceImpl$DelegatingBufferHandler.bufferReceived(RemotingServiceImpl.java:564) [hornetq-server-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.remoting.impl.invm.InVMConnection$1.run(InVMConnection.java:160) [hornetq-server-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.utils.OrderedExecutorFactory$OrderedExecutor$1.run(OrderedExecutorFactory.java:107) [hornetq-core-client-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_55]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_55]
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]


[4] WARN  [org.hornetq.ra] (default-threads - 2) HQ152005: Failure in HornetQ activation org.hornetq.ra.inflow.HornetQActivationSpec(ra=org.hornetq.ra.HornetQResourceAdapter@2c47c342 destination=queue/HELLOWORLDMDBQueue destinationType=javax.jms.Queue ack=Auto-acknowledge durable=false clientID=null user=quickstartUser password=**** maxSession=15): HornetQException[errorType=SECURITY_EXCEPTION message=HQ119031: Unable to validate user: quickstartUser]
	at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:388) [hornetq-core-client-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.client.impl.ClientSessionFactoryImpl.createSessionInternal(ClientSessionFactoryImpl.java:839) [hornetq-core-client-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.core.client.impl.ClientSessionFactoryImpl.createSession(ClientSessionFactoryImpl.java:317) [hornetq-core-client-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.ra.HornetQResourceAdapter.createSession(HornetQResourceAdapter.java:1689) [hornetq-ra-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.ra.inflow.HornetQActivation.setupSession(HornetQActivation.java:486) [hornetq-ra-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.ra.inflow.HornetQActivation.setup(HornetQActivation.java:334) [hornetq-ra-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.hornetq.ra.inflow.HornetQActivation$SetupActivation.run(HornetQActivation.java:753) [hornetq-ra-2.3.12.Final-redhat-1.jar:2.3.12.Final-redhat-1]
	at org.jboss.jca.core.workmanager.WorkWrapper.run(WorkWrapper.java:218)
	at org.jboss.threads.SimpleDirectExecutor.execute(SimpleDirectExecutor.java:33)
	at org.jboss.threads.QueueExecutor.runTask(QueueExecutor.java:808)
	at org.jboss.threads.QueueExecutor.access$100(QueueExecutor.java:45)
	at org.jboss.threads.QueueExecutor$Worker.run(QueueExecutor.java:828)
	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_55]
	at org.jboss.threads.JBossThread.run(JBossThread.java:122)



### How reproducible:
Anytime when specifying vault password.


### Steps to Reproduce:
1. Follow the security guide[1] to configure vault
2. Deploy modified "helloworld-mdb" in quickstarts
3. Start EAP 6


### Actual results:
Got the ERROR[3] and WARN[4] messages repeating in server.log.


### Expected results:
No ERROR/WARN messages.

Comment 5 Jeff Mesnil 2014-06-04 13:32:15 UTC
I confirm this does not work.

MDB ActivationConfigProperty only supports property substitution (using System properties to resolve their values).

To use vaulted passwords, this would need to be enhanced to support full expressions that also resolve using a VaultReader.
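
The following pre-deployment check is an added example, not part of the original report or of JBoss EAP: it scans MDB source for `password` activation-config properties and classifies each value as a `VAULT::` reference (not resolved for MDB activation config on this version, per Comment 5), a `${...}` property expression, or a plaintext literal, including ones left behind in commented-out lines. The function names and the regex-based parsing (one property per source line, as in the quickstart) are assumptions of this sketch.

```python
import re

# Matches @ActivationConfigProperty(propertyName = "...", propertyValue = "...")
PROP_RE = re.compile(
    r'@ActivationConfigProperty\s*\(\s*propertyName\s*=\s*"([^"]*)"\s*,'
    r'\s*propertyValue\s*=\s*"([^"]*)"\s*\)')
LINE_COMMENT_RE = re.compile(r'^\s*//')


def classify(value):
    """Classify one activation-config password value."""
    if value.startswith("VAULT::"):
        return "vault-ref"      # not resolved for MDB activation config (Comment 5)
    if re.fullmatch(r'\$\{[^}]+\}', value):
        return "property-expr"  # system-property substitution, the supported form
    return "plaintext"          # credential embedded in source


def scan(java_source):
    """Return (line_no, kind, commented_out) for each password property."""
    findings = []
    for no, line in enumerate(java_source.splitlines(), 1):
        m = PROP_RE.search(line)
        if m and m.group(1) == "password":
            findings.append((no, classify(m.group(2)),
                             bool(LINE_COMMENT_RE.match(line))))
    return findings


# Constructed sample modelled on the annotation quoted in the report.
SAMPLE = '''\
@MessageDriven(name = "HelloWorldQueueMDB", activationConfig = {
        @ActivationConfigProperty(propertyName = "user", propertyValue = "quickstartUser"),
        //@ActivationConfigProperty(propertyName = "password", propertyValue = "quickstartPwd1!"),
        @ActivationConfigProperty(propertyName = "password", propertyValue = "VAULT::quickstartUser::password::1"),
        @ActivationConfigProperty(propertyName = "acknowledgeMode", propertyValue = "Auto-acknowledge") })
'''

if __name__ == "__main__":
    for no, kind, commented in scan(SAMPLE):
        note = " (commented out, still in source)" if commented else ""
        print(f"line {no}: password is {kind}{note}")
```

On the sample it reports the commented-out plaintext password on line 3 and the unresolved vault reference on line 4; the former remains in version control even though it is inactive.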

