[JBoss-user] RE: Deploying scheduler after EAR deployment
An alternate approach which has worked well for us is to add a element to the scheduler mbean's *-service.xml. For example, in our application, this scheduled task uses the PackageExpireSession EJB: jboss.j2ee:service=EJB,jndiName=PackageExpireSession ... You can get the precise JMX name of a particular EJB by looking at the jmx-console. This approach has several advantages: + you can depend directly on the deployment of bean(s) you require, instead of relying on startup ordering + you can use standard names for your files FWIW, we also put the scheduler inside our EAR, wrapped in a SAR. -- Randy From: Krishnakumar N <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: RE: [JBoss-user] Deploying scheduler after EAR deployment Date: Wed, 19 Mar 2003 19:42:36 +0530 Reply-To: [EMAIL PROTECTED] Hi, You can do this by using the deployment sorters specified in /conf/jboss-service.xml. For example, you can use the PrefixDeploymentSorter and call your scheduler service xml 1blahblah.xml. Cheers, Krishna -Original Message- From: Marek Lange [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 19, 2003 3:24 PM To: JBoss User Subject: [JBoss-user] Deploying scheduler after EAR deployment Hi all, what is the best way to configure JBoss to deploy the scheduler service after the deployment of the application during startup? The problem is that the scheduler uses classes which are included in the EAR. That is why JBoss throws a deployment error when starting: [ServiceConfigurator] Problem configuring service jboss:service=ModuleScheduler org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute: name=SchedulableClass value=mypackage.MySchedulableImpl on mbean jboss:service=ModuleScheduler; - nested throwable: (java.security.InvalidParameterException: Given class mypackage.MySchedulableImpl is not valid or not found) Thanks for the hints, -marek --- This SF.net email is sponsored by: Does your code think in ink? You could win a Tablet PC. Get a free Tablet PC hat just for playing. What are you waiting for? http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user --- This SF.net email is sponsored by: Does your code think in ink? You could win a Tablet PC. Get a free Tablet PC hat just for playing. What are you waiting for? http://ads.sourceforge.net/cgi-bin/redirect.pl?micr5043en ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] Cascade-delete using database?
In JBoss 3.0.x, deletes child entities one at a time. This makes sense when an in-memory cache needs to be maintained -- you need to know which entities to remove from the cache. But when there is no cache (e.g., commit option C), there are several more efficient approaches: a. delete all children in a single step DELETE FROM Child WHERE ParentId = DELETE FROM Parent WHERE Id = (Others have suggested this one as well) b. leverage the database's own ON DELETE CASCADE CREATE TABLE Child ... ParentId FOREIGN KEY REFERENCES Parent(Id) ON DELETE CASCADE DELETE FROM Parent WHERE Id = One nice property of (b), for the databases which support it and for applications without caching, is that the CMP code needs to do very little! :-) ON DELETE CASCADE is supported by at least Oracle and SqlServer. BTW, I would not expect the element to create this FOREIGN KEY (that is a bit much, given the slightly different SQL syntaxes involved), but it would be ideal if there were a configuration option to tell CMP that such a DB constraint existed. I have searched jboss-user, jboss-development, the forums, and the task list, and I am not sure whether this is a planned feature or not. It sounds like there are tons of CMP improvements in the works for 4.0 -- is a configuration option to use the database's ON DELETE CASCADE one of them? Thanks, -- Randy _____ Randy Shoup Tumbleweed Communications Corporation --- This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See! http://www.vasoftware.com ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] MBeans, local EJBs and Authentication
Well, I tried adding 'unauthenticatedIdentity' back to my login-config, and it worked! Clearly it must have been pilot error in building or deploying the first time. Thanks for the help, and sorry for the noise. Randy Shoup wrote: Thanks for the response. The code in my LdapLoginModule is the same as the code I submitted as a patch to JBoss (to support using LDAP to get user/role information from Active Directory users/groups), and so I extend the JBoss UsernamePasswordLoginModule as the JBoss LdapLoginModule does. Your response implies that I should expect 'unauthenticatedIdentity' to do what I want, though. So I will take a look to see if there is anything I have done to screw that up. Scott M Stark wrote: From: "Scott M Stark" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Re: [JBoss-user] MBeans, local EJBs and Authentication Date: Tue, 17 Dec 2002 15:33:45 -0800 Organization: JBoss Group, LLC Reply-To: [EMAIL PROTECTED] You are using your own LdapLoginModule. How is this recognizing the unauthenticatedIdentity you are configuring? Its your login module that has to support this. Scott Stark Chief Technology Officer JBoss Group, LLC - Original Message - From: "Randy Shoup" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, December 16, 2002 3:22 PM Subject: [JBoss-user] MBeans, local EJBs and Authentication JBoss gurus -- I am using JBoss 3.0.4 - Tomcat 4.1.12 on Win2K. I want to get unauthenticated access to a local SLSB from an MBean, while still requiring authenticated access to my remote EJBs. I am trying to add to my application a scheduled "batch" operation which does some periodic cleanup. The scheduling part was straightforward to set up, thanks to the docs and the list. However, I am having some trouble with the authentication part. All of my remote session facades require authentication, with user/role information in an LDAP. The scheduled operation is a "system" operation, though, and so I would like to avoid requiring it to do any explicit authentication. I don't, for example, want to put a "system" or "internal" entry in the LDAP, which is intended to be just for real users. And I would like to avoid hard-coding any password anywhere. I have done the following: + created a local SLSB which does the real work + added a scheduler MBean, which periodically calls the local SLSB + added an 'unauthenticatedIdentity' entry in the login-config.xml: flag = "required"> ... system 15:05:43,446 ERROR [SecurityInterceptor] Authentication exception, principal=null 15:05:43,446 ERROR [LogInterceptor] EJBException, causedBy: java.lang.SecurityException: Authentication exception, principal=null at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173) --__--__-- Message: 4 Date: Tue, 17 Dec 2002 18:55:57 -0500 (EST) From: Brett Sealey <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Using Apache web server - yes or no? Reply-To: [EMAIL PROTECTED] http://jetty.mortbay.com/jetty/doc/User80.html You want packet filtering anyway if you are security conscious. On Tue, 17 Dec 2002, Dan Christopherson wrote: Another thing to remember is that JBoss must run as root to listen on port 80 or 443. That would be something that security conscious people might not want to do on a public server. -danch Larry O wrote: I would suggest another criteria. If your application is on an intranet or private network and traffic is low, by all means omit apache. However, many of us put apache on or outside a firewall, and keep our application server safely inside. The fewer services running on the exposed server, the better. My 2 cents. Larry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete Beck Sent: Tuesday, December 17, 2002 11:17 AM To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Using Apache web server - yes or no? Just to throw my 2 cents worth in, My app uses mostly dynamic content and I have tried using apache as a front end, tomcat 4 and Jetty. In my tests, using apache as a front end added a significant latency to serving the content from JBoss. So I would say yes, you may get benefits on your static content if you use apache, but you will also lose performance on your dynamic content. In my app I dropped apache as a front end as I was getting noticeably better performance with tomcat standalone. Eventually I switched to using to Jetty as it is shipped by default with JBoss now, and it seems snappier than tomcat. A good deciding factor therefore seems to be the ratio of static vs. dynamic content on your site. On Tue, 2002-12-10 at 14:18, Joao Ped
Re: [JBoss-user] MBeans, local EJBs and Authentication
Thanks for the response. The code in my LdapLoginModule is the same as the code I submitted as a patch to JBoss (to support using LDAP to get user/role information from Active Directory users/groups), and so I extend the JBoss UsernamePasswordLoginModule as the JBoss LdapLoginModule does. Your response implies that I should expect 'unauthenticatedIdentity' to do what I want, though. So I will take a look to see if there is anything I have done to screw that up. Scott M Stark wrote: From: "Scott M Stark" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Subject: Re: [JBoss-user] MBeans, local EJBs and Authentication Date: Tue, 17 Dec 2002 15:33:45 -0800 Organization: JBoss Group, LLC Reply-To: [EMAIL PROTECTED] You are using your own LdapLoginModule. How is this recognizing the unauthenticatedIdentity you are configuring? Its your login module that has to support this. Scott Stark Chief Technology Officer JBoss Group, LLC - Original Message - From: "Randy Shoup" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, December 16, 2002 3:22 PM Subject: [JBoss-user] MBeans, local EJBs and Authentication JBoss gurus -- I am using JBoss 3.0.4 - Tomcat 4.1.12 on Win2K. I want to get unauthenticated access to a local SLSB from an MBean, while still requiring authenticated access to my remote EJBs. I am trying to add to my application a scheduled "batch" operation which does some periodic cleanup. The scheduling part was straightforward to set up, thanks to the docs and the list. However, I am having some trouble with the authentication part. All of my remote session facades require authentication, with user/role information in an LDAP. The scheduled operation is a "system" operation, though, and so I would like to avoid requiring it to do any explicit authentication. I don't, for example, want to put a "system" or "internal" entry in the LDAP, which is intended to be just for real users. And I would like to avoid hard-coding any password anywhere. I have done the following: + created a local SLSB which does the real work + added a scheduler MBean, which periodically calls the local SLSB + added an 'unauthenticatedIdentity' entry in the login-config.xml: flag = "required"> ... system 15:05:43,446 ERROR [SecurityInterceptor] Authentication exception, principal=null 15:05:43,446 ERROR [LogInterceptor] EJBException, causedBy: java.lang.SecurityException: Authentication exception, principal=null at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173) --__--__-- Message: 4 Date: Tue, 17 Dec 2002 18:55:57 -0500 (EST) From: Brett Sealey <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Using Apache web server - yes or no? Reply-To: [EMAIL PROTECTED] http://jetty.mortbay.com/jetty/doc/User80.html You want packet filtering anyway if you are security conscious. On Tue, 17 Dec 2002, Dan Christopherson wrote: Another thing to remember is that JBoss must run as root to listen on port 80 or 443. That would be something that security conscious people might not want to do on a public server. -danch Larry O wrote: I would suggest another criteria. If your application is on an intranet or private network and traffic is low, by all means omit apache. However, many of us put apache on or outside a firewall, and keep our application server safely inside. The fewer services running on the exposed server, the better. My 2 cents. Larry -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Pete Beck Sent: Tuesday, December 17, 2002 11:17 AM To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Using Apache web server - yes or no? Just to throw my 2 cents worth in, My app uses mostly dynamic content and I have tried using apache as a front end, tomcat 4 and Jetty. In my tests, using apache as a front end added a significant latency to serving the content from JBoss. So I would say yes, you may get benefits on your static content if you use apache, but you will also lose performance on your dynamic content. In my app I dropped apache as a front end as I was getting noticeably better performance with tomcat standalone. Eventually I switched to using to Jetty as it is shipped by default with JBoss now, and it seems snappier than tomcat. A good deciding factor therefore seems to be the ratio of static vs. dynamic content on your site. On Tue, 2002-12-10 at 14:18, Joao Pedro Clemente wrote: Andreas, please explain a little bit better where will we get more performance. I can be (and surely am) wrong in my reasoning, but the original message says explicitly "ONLY dynamic applications". So, you say apa
RE: [JBoss-user] MBeans, local EJBs and Authentication
John Fawcett wrote: To: [EMAIL PROTECTED] Subject: RE: [JBoss-user] MBeans, local EJBs and Authentication Date: Mon, 16 Dec 2002 18:38:53 -0500 Organization: Tamale Software, LLC Reply-To: [EMAIL PROTECTED] Just curious -- is it particularly bad form to have your automated beans also log in? Perhaps create an account for these automated functions? I don't claim to speak for others, but I would like to avoid having to create account(s) in the user directory for system functions. There are several security problems with this, not least of which is that I would have to hard-code the password for this user into a config file (or somehow force an admin to provide the password upon deploy/redeploy and lose the ability to do this automatically). A priori, I guess I don't see why I should have to create a user, authenticate, etc., to use a local, non-secured EJB. I see why I would need this if I were accessing a secured EJB, but I am only trying to access a local, non-secured EJB. What am I missing? :-) For now, I am working around this by doing exactly as you suggest: I temporarily created a 'system' user in my LDAP, and I am authenticating with this user in the scheduler task. But this just does not "feel" right. -- Randy -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Randy Shoup Sent: Monday, December 16, 2002 6:23 PM To: [EMAIL PROTECTED] Subject: [JBoss-user] MBeans, local EJBs and Authentication JBoss gurus -- I am using JBoss 3.0.4 - Tomcat 4.1.12 on Win2K. I want to get unauthenticated access to a local SLSB from an MBean, while still requiring authenticated access to my remote EJBs. I am trying to add to my application a scheduled "batch" operation which does some periodic cleanup. The scheduling part was straightforward to set up, thanks to the docs and the list. However, I am having some trouble with the authentication part. All of my remote session facades require authentication, with user/role information in an LDAP. The scheduled operation is a "system" operation, though, and so I would like to avoid requiring it to do any explicit authentication. I don't, for example, want to put a "system" or "internal" entry in the LDAP, which is intended to be just for real users. And I would like to avoid hard-coding any password anywhere. I have done the following: + created a local SLSB which does the real work + added a scheduler MBean, which periodically calls the local SLSB + added an 'unauthenticatedIdentity' entry in the login-config.xml: flag = "required"> ... system + made all methods of the local SLSB 'unchecked': PackageExpireSession * + added no authentication calls in the MBean Still, whenever I call the SLSB from within the scheduler MBean, I get the famous "principal=null" exception: 15:05:43,431 INFO [PackageExpireTask] expirePackages(Mon Dec 16 15:05:40 PST 2002) 15:05:43,446 ERROR [SecurityInterceptor] Authentication exception, principal=null 15:05:43,446 ERROR [LogInterceptor] EJBException, causedBy: java.lang.SecurityException: Authentication exception, principal=null at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(Secur ityInterceptor.java:173) at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor .java:94) at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129) at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionConta iner.java:300) at org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invokeHome(BaseLoc alContainerInvoker.java:230) at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:11 0) at $Proxy38.create(Unknown Source) at com.tumbleweed.ime.ejb.scheduler.jboss3.PackageExpireTask.expirePackages (Unknown Source) at com.tumbleweed.ime.ejb.scheduler.jboss3.PackageExpireTask.perform(Unknow n Source) at org.jboss.varia.scheduler.Scheduler$Listener.handleNotification(Schedule r.java:1046) at org.jboss.mx.server.NotificationListenerProxy.handleNotification(Notific ationListenerProxy.java:71) at javax.management.NotificationBroadcasterSupport.sendNotification(Notific ationBroadcasterSupport.java:84) at javax.management.timer.Timer.sendNotifications(Timer.java:441) at javax.management.timer.Timer.access$000(Timer.java:31) at javax.management.timer.Timer$RegisteredNotification.doRun(Timer.java:612 ) at org.jboss.mx.util.SchedulableRunnable.run(SchedulableRunnable.java:164) at org.jboss.mx.util.ThreadPool$Worker.run(ThreadPool.java:225) 15:05:43,446 ERROR [Pa
Re: [JBoss-user] Scheduler
(changing the subject back to the original; sorry for incorrectly changing it earlier) Our scheduler .sar depends on the EJB mbean for the SLSB it uses, as David explains. From the jboss-service.xml of the scheduler .sar: name="com.tumbleweed.ime.ejb.scheduler.jboss3:service=PackageExpireScheduler"> jboss.j2ee:service=EJB,jndiName=PackageSession true ... The dependency works fine for us. The .sar is not deployed until the SLSB is deployed. So when the scheduler task fires, the SLSB is available. David Jencks wrote: Date: Mon, 16 Dec 2002 23:25:18 -0500 From: David Jencks <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Re: JBoss-user digest, Vol 1 #3502 - 5 msgs Reply-To: [EMAIL PROTECTED] On 2002.12.16 20:56:59 -0500 JD Brennan wrote: So does JBoss guarantee that if an .ear has both an ejb .jar and a .sar then the .jar will get deployed first so the .sar can assume that all the .jar's beans are available? No, but you can make mbeans depend on the ejb container mbeans (NOT the jsr77 mbeans) and then the mbeans won't be started until the ejbs are started. I think in jboss 4 you can also make an mbean depend on the DeploymentInfo mbean gor a package. david jencks Tx! JD -Original Message- From: Randy Shoup [mailto:[EMAIL PROTECTED]] Sent: Monday, December 16, 2002 5:18 PM To: [EMAIL PROTECTED] Subject: [JBoss-user] Re: JBoss-user digest, Vol 1 #3502 - 5 msgs Thanks! I of course did not have this file :-). Adding 'jboss-app.xml' to my EAR's META-INF, and moving the .sar to the top level of the EAR worked like a charm. I had to hunt around in the JBoss source distribution to find an example of jboss-app.xml (no examples or dtd in the binary distribution), but the syntax was exactly what you have below. David Jencks wrote: Date: Mon, 16 Dec 2002 15:36:45 -0500 From: David Jencks <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Scheduler Reply-To: [EMAIL PROTECTED] When you had the .sar in the .ear, did you include a jboss-app.xml file to make he ear deployer deploy it? mystuff.sar if I remember correctly david jencks On 2002.12.16 14:47:52 -0500 Randy Shoup wrote: I was not able to get a scheduler .sar to work if I deployed it directly in the EAR. However, it does work if I deploy it inside the *ejb-jar*, which is itself inside the EAR. My working theory is that there is some subtle difference between the EAR deployer and the JAR deployer (maybe the EAR deployer only deploys modules mentioned in the application.xml or in the classpaths of the modules?). But I have not investigated further. For now, I am OK with this structure. But I would be interested to understand why it behaves like this :-). JD Brennan wrote: From: JD Brennan <[EMAIL PROTECTED]> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> Subject: RE: [JBoss-user] Scheduler Date: Mon, 16 Dec 2002 09:57:56 -0800 Reply-To: [EMAIL PROTECTED] This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --_=_NextPart_001_01C2A52C.A9F142A0 Content-Type: text/plain; charset="iso-8859-1" Yep, we have the same problem. Your original post said you needed your scheduler to access a class in your .ear. If you need to access a bean, then you can't just put the .sar in the .ear - We solved this by just sleeping for 60 seconds and then starting - not ideal, but I couldn't find the MBean for the bean container to make the depends stuff work. If you get it working could you post a follow-up to the list? Tx! JD -Original Message- From: Glenn Lewis [mailto:[EMAIL PROTECTED]] Sent: Sunday, December 15, 2002 4:39 PM To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Scheduler Thanks for the advice. We can deploy the scheduler MBean by putting it inside a .sar, but we get a similar problem: the first time the scheduler is invoked it does a findAll on a bean that is not deployed. An error message is printed by the loginterceptor (so I'm not sure we can catch it). The next time the scheduler is invoked it works fine, since by that time everything is deployed. Any suggestions? JD Brennan wrote: We deploy our MBean by putting it inside a .sar inside our ejb .jar inside our .ear - there are probably other better ways, but this works for us. JD -Original Message- From: Glenn Lewis [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 12, 2002 8:45 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [JBoss-user] Scheduler Hi all, Using the online docs at http://www.jboss.org/online-manual/HTML/ch11s58.html#scheduler-usage and JBoss3.0.3 we have created a scheduler mbean. We deploy it via a timer service.xml file. The scheduler mbean refers to a class (au.com.xcomp.xvs.serve
[JBoss-user] Re: JBoss-user digest, Vol 1 #3502 - 5 msgs
Thanks! I of course did not have this file :-). Adding 'jboss-app.xml' to my EAR's META-INF, and moving the .sar to the top level of the EAR worked like a charm. I had to hunt around in the JBoss source distribution to find an example of jboss-app.xml (no examples or dtd in the binary distribution), but the syntax was exactly what you have below. David Jencks wrote: Date: Mon, 16 Dec 2002 15:36:45 -0500 From: David Jencks <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Scheduler Reply-To: [EMAIL PROTECTED] When you had the .sar in the .ear, did you include a jboss-app.xml file to make he ear deployer deploy it? mystuff.sar if I remember correctly david jencks On 2002.12.16 14:47:52 -0500 Randy Shoup wrote: I was not able to get a scheduler .sar to work if I deployed it directly in the EAR. However, it does work if I deploy it inside the *ejb-jar*, which is itself inside the EAR. My working theory is that there is some subtle difference between the EAR deployer and the JAR deployer (maybe the EAR deployer only deploys modules mentioned in the application.xml or in the classpaths of the modules?). But I have not investigated further. For now, I am OK with this structure. But I would be interested to understand why it behaves like this :-). JD Brennan wrote: From: JD Brennan <[EMAIL PROTECTED]> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> Subject: RE: [JBoss-user] Scheduler Date: Mon, 16 Dec 2002 09:57:56 -0800 Reply-To: [EMAIL PROTECTED] This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --_=_NextPart_001_01C2A52C.A9F142A0 Content-Type: text/plain; charset="iso-8859-1" Yep, we have the same problem. Your original post said you needed your scheduler to access a class in your .ear. If you need to access a bean, then you can't just put the .sar in the .ear - We solved this by just sleeping for 60 seconds and then starting - not ideal, but I couldn't find the MBean for the bean container to make the depends stuff work. If you get it working could you post a follow-up to the list? Tx! JD -Original Message- From: Glenn Lewis [mailto:[EMAIL PROTECTED]] Sent: Sunday, December 15, 2002 4:39 PM To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Scheduler Thanks for the advice. We can deploy the scheduler MBean by putting it inside a .sar, but we get a similar problem: the first time the scheduler is invoked it does a findAll on a bean that is not deployed. An error message is printed by the loginterceptor (so I'm not sure we can catch it). The next time the scheduler is invoked it works fine, since by that time everything is deployed. Any suggestions? JD Brennan wrote: We deploy our MBean by putting it inside a .sar inside our ejb .jar inside our .ear - there are probably other better ways, but this works for us. JD -Original Message- From: Glenn Lewis [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 12, 2002 8:45 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [JBoss-user] Scheduler Hi all, Using the online docs at http://www.jboss.org/online-manual/HTML/ch11s58.html#scheduler-usage and JBoss3.0.3 we have created a scheduler mbean. We deploy it via a timer service.xml file. The scheduler mbean refers to a class (au.com.xcomp.xvs.server.TimedObjectSchedulable) in our ear. The scheduler deploys fine provided we manually make sure the ear is deployed before the service.xml. However, when we try to deploy the service.xml file and ear file in the one ant task, the scheduler deploys first and gives the error below. Someone else also reported this problem a while ago (http://www.mail-archive.com/jboss-user@lists.sourceforge.net/msg23230.html) . Any suggestions??? Cause: Incomplete Deployment listing: Packages waiting for a deployer: Incompletely deployed packages: MBeans waiting for classes: MBeans waiting for other MBeans: [ObjectName: jboss:schedule=CheckTimeoutDaemon,service=Scheduler state: FAILED I Depend On: Depends On Me: org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute@250ff2 on mbean jboss:schedule=CheckTimeoutDaemon,service=Scheduler; - nested throwable: (java.security.InvalidParameterException: Given class au.com.xcomp.xvs.server.TimedObjectSchedulable is not valid or not found)] Thanks -- Glenn --- This sf.net email is sponsored by: With Great Power, Comes Great Responsibility Learn to use your power at OSDN's High Performance Computing Channel http://hpc.devchannel.org/ ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user --- Thi
[JBoss-user] MBeans, local EJBs and Authentication
JBoss gurus -- I am using JBoss 3.0.4 - Tomcat 4.1.12 on Win2K. I want to get unauthenticated access to a local SLSB from an MBean, while still requiring authenticated access to my remote EJBs. I am trying to add to my application a scheduled "batch" operation which does some periodic cleanup. The scheduling part was straightforward to set up, thanks to the docs and the list. However, I am having some trouble with the authentication part. All of my remote session facades require authentication, with user/role information in an LDAP. The scheduled operation is a "system" operation, though, and so I would like to avoid requiring it to do any explicit authentication. I don't, for example, want to put a "system" or "internal" entry in the LDAP, which is intended to be just for real users. And I would like to avoid hard-coding any password anywhere. I have done the following: + created a local SLSB which does the real work + added a scheduler MBean, which periodically calls the local SLSB + added an 'unauthenticatedIdentity' entry in the login-config.xml: flag = "required"> ... system + made all methods of the local SLSB 'unchecked': PackageExpireSession * + added no authentication calls in the MBean Still, whenever I call the SLSB from within the scheduler MBean, I get the famous "principal=null" exception: 15:05:43,431 INFO [PackageExpireTask] expirePackages(Mon Dec 16 15:05:40 PST 2002) 15:05:43,446 ERROR [SecurityInterceptor] Authentication exception, principal=null 15:05:43,446 ERROR [LogInterceptor] EJBException, causedBy: java.lang.SecurityException: Authentication exception, principal=null at org.jboss.ejb.plugins.SecurityInterceptor.checkSecurityAssociation(SecurityInterceptor.java:173) at org.jboss.ejb.plugins.SecurityInterceptor.invokeHome(SecurityInterceptor.java:94) at org.jboss.ejb.plugins.LogInterceptor.invokeHome(LogInterceptor.java:129) at org.jboss.ejb.StatelessSessionContainer.invokeHome(StatelessSessionContainer.java:300) at org.jboss.ejb.plugins.local.BaseLocalContainerInvoker.invokeHome(BaseLocalContainerInvoker.java:230) at org.jboss.ejb.plugins.local.LocalHomeProxy.invoke(LocalHomeProxy.java:110) at $Proxy38.create(Unknown Source) at com.tumbleweed.ime.ejb.scheduler.jboss3.PackageExpireTask.expirePackages(Unknown Source) at com.tumbleweed.ime.ejb.scheduler.jboss3.PackageExpireTask.perform(Unknown Source) at org.jboss.varia.scheduler.Scheduler$Listener.handleNotification(Scheduler.java:1046) at org.jboss.mx.server.NotificationListenerProxy.handleNotification(NotificationListenerProxy.java:71) at javax.management.NotificationBroadcasterSupport.sendNotification(NotificationBroadcasterSupport.java:84) at javax.management.timer.Timer.sendNotifications(Timer.java:441) at javax.management.timer.Timer.access$000(Timer.java:31) at javax.management.timer.Timer$RegisteredNotification.doRun(Timer.java:612) at org.jboss.mx.util.SchedulableRunnable.run(SchedulableRunnable.java:164) at org.jboss.mx.util.ThreadPool$Worker.run(ThreadPool.java:225) 15:05:43,446 ERROR [PackageExpireTask] Exception in PackageExpireTask: javax.ejb .EJBException: checkSecurityAssociation; CausedByException is: Authentication exception, principal=null BTW, if I do make an explicit login call to one of my (secured) remote facades from within the scheduler MBean, and use a valid user in my LDAP, it works fine. I have searched on the list, and taken a look at the JBoss security test cases, but I can't figure out how to get the results I want. Probably I have missed something. Any suggestions? -- Randy _ Randy Shoup (650)216-2038 Tumbleweed Communications Corporation [EMAIL PROTECTED] --- This sf.net email is sponsored by: With Great Power, Comes Great Responsibility Learn to use your power at OSDN's High Performance Computing Channel http://hpc.devchannel.org/ ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] Scheduler
I was not able to get a scheduler .sar to work if I deployed it directly in the EAR. However, it does work if I deploy it inside the *ejb-jar*, which is itself inside the EAR. My working theory is that there is some subtle difference between the EAR deployer and the JAR deployer (maybe the EAR deployer only deploys modules mentioned in the application.xml or in the classpaths of the modules?). But I have not investigated further. For now, I am OK with this structure. But I would be interested to understand why it behaves like this :-). JD Brennan wrote: From: JD Brennan <[EMAIL PROTECTED]> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> Subject: RE: [JBoss-user] Scheduler Date: Mon, 16 Dec 2002 09:57:56 -0800 Reply-To: [EMAIL PROTECTED] This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --_=_NextPart_001_01C2A52C.A9F142A0 Content-Type: text/plain; charset="iso-8859-1" Yep, we have the same problem. Your original post said you needed your scheduler to access a class in your .ear. If you need to access a bean, then you can't just put the .sar in the .ear - We solved this by just sleeping for 60 seconds and then starting - not ideal, but I couldn't find the MBean for the bean container to make the depends stuff work. If you get it working could you post a follow-up to the list? Tx! JD -Original Message- From: Glenn Lewis [mailto:[EMAIL PROTECTED]] Sent: Sunday, December 15, 2002 4:39 PM To: [EMAIL PROTECTED] Subject: Re: [JBoss-user] Scheduler Thanks for the advice. We can deploy the scheduler MBean by putting it inside a .sar, but we get a similar problem: the first time the scheduler is invoked it does a findAll on a bean that is not deployed. An error message is printed by the loginterceptor (so I'm not sure we can catch it). The next time the scheduler is invoked it works fine, since by that time everything is deployed. Any suggestions? JD Brennan wrote: We deploy our MBean by putting it inside a .sar inside our ejb .jar inside our .ear - there are probably other better ways, but this works for us. JD -Original Message- From: Glenn Lewis [mailto:[EMAIL PROTECTED]] Sent: Thursday, December 12, 2002 8:45 PM To: [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: [JBoss-user] Scheduler Hi all, Using the online docs at http://www.jboss.org/online-manual/HTML/ch11s58.html#scheduler-usage and JBoss3.0.3 we have created a scheduler mbean. We deploy it via a timer service.xml file. The scheduler mbean refers to a class (au.com.xcomp.xvs.server.TimedObjectSchedulable) in our ear. The scheduler deploys fine provided we manually make sure the ear is deployed before the service.xml. However, when we try to deploy the service.xml file and ear file in the one ant task, the scheduler deploys first and gives the error below. Someone else also reported this problem a while ago (http://www.mail-archive.com/jboss-user@lists.sourceforge.net/msg23230.html) . Any suggestions??? Cause: Incomplete Deployment listing: Packages waiting for a deployer: Incompletely deployed packages: MBeans waiting for classes: MBeans waiting for other MBeans: [ObjectName: jboss:schedule=CheckTimeoutDaemon,service=Scheduler state: FAILED I Depend On: Depends On Me: org.jboss.deployment.DeploymentException: Exception setting attribute javax.management.Attribute@250ff2 on mbean jboss:schedule=CheckTimeoutDaemon,service=Scheduler; - nested throwable: (java.security.InvalidParameterException: Given class au.com.xcomp.xvs.server.TimedObjectSchedulable is not valid or not found)] Thanks -- Glenn --- This sf.net email is sponsored by: With Great Power, Comes Great Responsibility Learn to use your power at OSDN's High Performance Computing Channel http://hpc.devchannel.org/ ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user --- This sf.net email is sponsored by: With Great Power, Comes Great Responsibility Learn to use your power at OSDN's High Performance Computing Channel http://hpc.devchannel.org/ ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user --_=_NextPart_001_01C2A52C.A9F142A0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable charset=3Diso-8859-1"> 5.5.2653.12"> RE: [JBoss-user] Scheduler Yep, we have the same problem. Your original = post said you needed your scheduler to access a class in your = .ear. If you need to access a bean, then you can't just put the = .sar in the .ear - We solved this by just sleeping for 60 = seconds and then starting - not ideal, but I couldn't find the MBean = for the bean container to make the depen
[JBoss-user] Re: configuring security if web and ejbs on different machines
Dain wrote: There is no reason you have to separate the web container from the EJB container. The only reason this ever came up in J2EE is the other vendors charge so much for a CPU license you wanted to maximize the CMP utilization of the EJB boxes. The only good reasons I have heard is security. For security I don't believe that you can get the same benefit by using a proxy process in front. Just out of curiosity, why would it be less secure to use a reverse-proxy? You ought to be able to put the reverse-proxy in the DMZ, and the J2EE container (with web + EJB components) behind the internal firewall. Now there is no application code of any kind in the DMZ (so there is nothing to lose if this machine is compromised), and you only have to open the single HTTP port to the backend machine. (I realize I am asking you to explain a position you don't believe, but I am curious what you have heard :-) -dain On Wednesday, November 20, 2002, at 12:09 PM, Pavel Kolesnikov wrote: Hello, I've configured my security realm on my JBoss 3.0.2 server. Everything works fine, but now I'd like to separate web container and EJB container to different machines. Is there any way how to configure it to make a web container to authenticate users against realm configured on different machine and above all to propagate the security context to EJBs running on different machine? I tried to find the answer in forums, but I found just unanswered questions :) Thanks a lot Pavel, -- Randy _____ Randy Shoup Tumbleweed Communications Corporation --- This sf.net email is sponsored by: Battle your brains against the best in the Thawte Crypto Challenge. Be the first to crack the code - register now: http://www.gothawte.com/rd521.html ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] LdapLoginModule support for ActiveDirectory Groups
Several people, including me, have tried to get LDAP authentication to
work with Microsoft Active Directory. I searched on the lists and the
forums, and the approaches people have come up with for working with
Active Directory don't seem to be able to do the user-role mapping. In
particular, it seems that we ought to be able to create JBoss roles
based on Active Directory Groups.
I did a little digging, and LdapLoginModule in JBoss 3.0.3 does not seem
to have sufficient flexibility to support reading user-role information
from user-Group assignments in ActiveDirectory.
In the user record, ActiveDirectory stores the DNs of
the Groups to which the user has been assigned.
LdapLoginModule in JBoss 3.0.3 assumes that the role
attribute of a user record would be the role name
instead of a DN to a role object.
In the spirit of open-source, I submitted patch #638718 to SourceForge
which adds this capability to the 3.0.3 source, and filed the
corresponding bug #638724.
This patch adds two additional config parameters:
+ roleAttributeIsDN: whether role attribute is a DN or a role name
+ roleNameAttributeId: the name of the role name attribute of the role
object
If `roleAttributeIsDN` is true, the patch looks up the
object corresponding to the role DN, then gets the
attribute named by `roleNameAttributeId` to provide the
role name.
For ActiveDirectory, the appropriate login-module
config settings would look like:
testLdapToActiveDirectory {
org.jboss.security.auth.spi.LdapLoginModule required
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
java.naming.provider.url="ldap://ldaphost.jboss.org:1389/";
java.naming.security.authentication=simple
rolesCtxDN=cn=Users,dc=ldaphost,dc=jboss,dc=org
uidAttributeID=userPrincipalName
roleAttributeID=memberOf
roleAttributeIsDN=true
roleNameAttributeID=name
};
Thanks for a great product.
-- Randy
_________
Randy Shoup (650)216-2038
Tumbleweed Communications Corporation [EMAIL PROTECTED]
---
This sf.net email is sponsored by: To learn the basics of securing
your web site with SSL, click here to get a FREE TRIAL of a Thawte
Server Certificate: http://www.gothawte.com/rd524.html
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] (SOLVED) JBoss3.0 Alpha and Oracle
eployerMBeanSupport.deploy(DeployerMBeanSupport.java:107) > > > > at java.lang.reflect.Method.invoke(Native Method) > > > > at > > > > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628) > > > > at > > > > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523) > > > > at org.jboss.deployment.AutoDeployer.deploy(AutoDeployer.java:654) > > > > at org.jboss.deployment.AutoDeployer.run(AutoDeployer.java:327) > > > > at java.lang.Thread.run(Unknown Source) > > > > > > > > I assume I am doing something stupid; I just don't know what it is. > > > > Following the example of the Hypersonic service file in the > > > > distribution, I created a similar simplified Oracle version: > > > > > > > > > > > > > > > > > > > > > > > > > > > > !-- > > > > = > > > > --> > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >> > >name="JBOSS-SYSTEM:service=ConnectionFactoryLoader,name=DefaultDS"> > > > > > > > >name="ManagedConnectionFactoryProperties">ConnectionURL=jdbc:oracle:thin:@myserver.tumbleweed.com:1521:SID > > > > DriverClass=oracle.jdbc.driver.OracleDriver > > > > UserName=username > > > > Password=password > > > > DefaultDS > > > > > > > name="TransactionManagerName">java:/TransactionManager > > > > > > > > > > > name="ResourceAdapterName">JCA:service=RARDeployment,name=Minerva > > JDBC > > > > LocalTransaction ResourceAdapter > > > > > > > >name="ConnectionManagerFactoryLoaderName">JCA:service=ConnectionManagerFactoryLoader,name=MinervaSharedLocalCMFactory > > > > > > > > org.jboss.resource.security.ManyToOnePrincipalMapping > > > > > > > > > > > name="PrincipalMappingProperties">UserName=username > > > > > > > > > > > > > > > > > > > > Perhaps this is missing something crucial? > > > > -- Randy _ Randy Shoup (650)216-2038 Tumbleweed Communications Corporation [EMAIL PROTECTED] ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
Re: [JBoss-user] JBoss3.0 Alpha and Oracle
1-11-27 18:07:00,515,Configurator,DEBUG] considering
> > ResourceAdapterName with object name
> > JCA:service=RARDeployment,name=Minerva JDBC LocalTransaction
> > ResourceAdapter
> > [2001-11-27 18:07:00,515,Configurator,DEBUG] ResourceAdapterName set to
> > JCA:service=RARDeployment,name=Minerva JDBC LocalTransaction
> > ResourceAdapter in
> > JBOSS-SYSTEM:service=ConnectionFactoryLoader,name=DefaultDS
> > [2001-11-27 18:07:00,531,Configurator,DEBUG] considering
> > ConnectionManagerFactoryLoaderName with object name
> > JCA:service=ConnectionManagerFactoryLoader,name=MinervaSharedLocalCMFactory
> > [2001-11-27 18:07:00,531,Configurator,DEBUG]
> > ConnectionManagerFactoryLoaderName set to
> > JCA:service=ConnectionManagerFactoryLoader,name=MinervaSharedLocalCMFactory
> > in JBOSS-SYSTEM:service=ConnectionFactoryLoader,name=DefaultDS
> > [2001-11-27 18:07:00,531,ServiceController,DEBUG] waiting to start
> > JBOSS-SYSTEM:service=ConnectionFactoryLoader,name=DefaultDS until
> > dependencies are resolved
> > [2001-11-27 18:07:00,531,AutoDeployer,INFO] Started
> > [2001-11-27 18:07:00,531,Default,INFO] JBoss 3.0.0alpha(200111202304)
> > [RABBIT-HOLE] Started in 0m:5s:63ms
> >
> > ...
> >
> > [2001-11-27 18:07:03,640,ServiceController,DEBUG] missing mbeans now
> > present, finishing deployment of
> > JBOSS-SYSTEM:service=ConnectionFactoryLoader,name=DefaultDS
> > [2001-11-27 18:07:03,640,ConnectionFactoryLoader,INFO] Starting
> > [2001-11-27 18:07:03,687,DefaultDS,WARN] Not setting config property
> > 'TransactionIsolation'
> > [2001-11-27 18:07:03,687,DefaultDS,DEBUG] set property ConnectionURL to
> > value jdbc:oracle:thin:@myserver.tumbleweed.com:1521:SID
> > [2001-11-27 18:07:03,687,DefaultDS,DEBUG] set property Password to value
> > password
> > [2001-11-27 18:07:03,687,DefaultDS,DEBUG] set property DriverClass to
> > value oracle.jdbc.driver.OracleDriver
> > [2001-11-27 18:07:03,687,DefaultDS,WARN] Not setting config property
> > 'AutoCommit'
> > [2001-11-27 18:07:03,687,DefaultDS,DEBUG] set property UserName to value
> > username
> > [2001-11-27 18:07:03,703,DefaultDS,INFO] PrincipalMapping properties set
> > to: {UserName=username}
> > [2001-11-27 18:07:03,718,DefaultDS,ERROR] Stopped
> > java.lang.NullPointerException
> > at
> >
>org.jboss.resource.ConnectionFactoryLoader.loadConnectionFactory(ConnectionFactoryLoader.java:685)
> > at
> >
>org.jboss.resource.ConnectionFactoryLoader.startService(ConnectionFactoryLoader.java:406)
> > at
> > org.jboss.system.ServiceMBeanSupport.start(ServiceMBeanSupport.java:117)
> > at java.lang.reflect.Method.invoke(Native Method)
> > at
> > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
> > at
> > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
> > at
> > org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:775)
> > at $Proxy0.start(Unknown Source)
> > at org.jboss.system.ServiceController.start(ServiceController.java:479)
> > at org.jboss.system.ServiceController.start(ServiceController.java:507)
> > at
> >
>org.jboss.system.ServiceController.registerAndStartService(ServiceController.java:273)
> > at java.lang.reflect.Method.invoke(Native Method)
> > at
> > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
> > at
> > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
> > at org.jboss.resource.RARDeployer.deploy(RARDeployer.java:203)
> > at
> > org.jboss.deployment.DeployerMBeanSupport.deploy(DeployerMBeanSupport.java:107)
> > at java.lang.reflect.Method.invoke(Native Method)
> > at
> > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1628)
> > at
> > com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523)
> > at org.jboss.deployment.AutoDeployer.deploy(AutoDeployer.java:654)
> > at org.jboss.deployment.AutoDeployer.run(AutoDeployer.java:327)
> > at java.lang.Thread.run(Unknown Source)
> >
> >
> > I have tried:
> > + removing one or both of the mbean-ref's: I get different errors
> > + searching on the mail lists and the forums for similar problems
> >
> > Any suggestions would be appreciated.
> >
> > -- Randy
> > _
> > Randy Shoup (650)216-2038
> > Tumbleweed Communications Corporation [EMAIL PROTECTED]
> >
> >
> > ___
> > JBoss-user mailing list
> > [EMAIL PROTECTED]
> > https://lists.sourceforge.net/lists/listinfo/jboss-user
> >
> >
--
-- Randy
_
Randy Shoup (650)216-2038
Tumbleweed Communications Corporation [EMAIL PROTECTED]
___
JBoss-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/jboss-user
[JBoss-user] JBoss3.0 Alpha and Oracle
mpl.invoke(MBeanServerImpl.java:1628) at com.sun.management.jmx.MBeanServerImpl.invoke(MBeanServerImpl.java:1523) at org.jboss.deployment.AutoDeployer.deploy(AutoDeployer.java:654) at org.jboss.deployment.AutoDeployer.run(AutoDeployer.java:327) at java.lang.Thread.run(Unknown Source) I have tried: + removing one or both of the mbean-ref's: I get different errors + searching on the mail lists and the forums for similar problems Any suggestions would be appreciated. -- Randy _________ Randy Shoup (650)216-2038 Tumbleweed Communications Corporation [EMAIL PROTECTED] ___ JBoss-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-user
