Spring JmsTemplate + Security

Posted on 2024-09-08 12:18:23

I've just refactored some code that published to a JMS topic to use Spring's JmsTemplate class and now I'm receiving an exception stating I'm not authenticated.

Previously I created the factory, made a connection, then session etc as follows:

MQTopicConnectionFactory factory = new MQTopicConnectionFactory();
factory.setQueueManager(qMgr);   
factory.setTransportType(JMSC.MQJMS_TP_CLIENT_MQ_TCPIP);
factory.setHostName(hostname);
factory.setPort(listenerPort);
factory.setChannel(channel);
// setting username and password to be empty string ==> no authentication
connection = factory.createConnection("", "");   
...
connection.start();

I don't see anywhere in the JmsTemplate to set the username and password to empty strings. My config looks like this:

<bean id="jmsFactory" class="com.ibm.mq.jms.MQTopicConnectionFactory">
    <property name="queueManager">
        <value>ACT01</value>
    </property>
    <property name="hostName">
        <value>xx.xx.xx.xx</value>
    </property>
    <property name="port">
        <value>15004</value>
    </property>
    <property name="transportType">
        <value>1</value>
    </property>
    <property name="channel">
        <value>CONDUCTOR.ACT01</value>
    </property>
</bean>

<bean id="impactJmsTemplate" class="org.springframework.jms.core.JmsTemplate">
    <property name="connectionFactory">
        <bean class="org.springframework.jms.connection.SingleConnectionFactory">
            <property name="targetConnectionFactory">
                <ref local="jmsFactory" />
            </property>
        </bean>
    </property>
</bean>

I have also tried wrapping the jmsFactory in a UserCredentialsConnectionFactoryAdapter object to no avail:

<bean id="jmsConnectionFactory" class="org.springframework.jms.connection.UserCredentialsConnectionFactoryAdapter">
    <property name="targetConnectionFactory" ref="jmsFactory"/>
    <property name="username" value=""/>
    <property name="password" value=""/>
</bean> 

Stack trace:

Caused by: com.ibm.msg.client.jms.DetailedJMSSecurityException: JMSWMQ2013: The security authentication was not valid that was supplied for QueueManager 'LOROL' with connection mode 'Client' and host name 'xx.xx.xx.xx'. Please check if the supplied username and password are correct on the QueueManager you are connecting to
at com.ibm.msg.client.wmq.common.internal.Reason.reasonToException(Reason.java:531)
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:219)
at com.ibm.msg.client.wmq.internal.WMQConnection.<init>(WMQConnection.java:410)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createV7ProviderConnection(WMQConnectionFactory.java:7855)
at com.ibm.msg.client.wmq.factories.WMQConnectionFactory.createProviderConnection(WMQConnectionFactory.java:7331)
at com.ibm.msg.client.jms.admin.JmsConnectionFactoryImpl.createConnection(JmsConnectionFactoryImpl.java:276)
at com.ibm.mq.jms.MQConnectionFactory.createCommonConnection(MQConnectionFactory.java:6055)
at com.ibm.mq.jms.MQTopicConnectionFactory.createTopicConnection(MQTopicConnectionFactory.java:114)
at com.ibm.mq.jms.MQTopicConnectionFactory.createConnection(MQTopicConnectionFactory.java:197)
at org.springframework.jms.connection.SingleConnectionFactory.doCreateConnection(SingleConnectionFactory.java:343)
at org.springframework.jms.connection.SingleConnectionFactory.initConnection(SingleConnectionFactory.java:290)
at org.springframework.jms.connection.SingleConnectionFactory.createConnection(SingleConnectionFactory.java:227)
at org.springframework.jms.support.JmsAccessor.createConnection(JmsAccessor.java:184)
at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:461)
... 25 more
Caused by: com.ibm.mq.MQException: JMSCMQ0001: WebSphere MQ call failed with compcode '2' ('MQCC_FAILED') reason '2035' ('MQRC_NOT_AUTHORIZED').
at com.ibm.msg.client.wmq.common.internal.Reason.createException(Reason.java:206)
... 37 more

Comments (2)

愚人国度 2024-09-15 12:18:23

A few options here...

  • The properties you were setting before resulted in the channel running as an administrator. To get the same functionality you can set the channel's MCAUSER to whatever ID the QMgr is running as (commonly mqm for UNIX and MUSR_MQADMIN on Windows). Boom. Done. Bob's yer uncle.
  • Yes, this does mean that anyone connecting to that channel is an administrator. On the other hand, this is no worse than it was before as demonstrated by your previous code working the way it did.
  • You can still use Spring and pass in the ID and password as described in this forum post. Just keep in mind the password is not actually checked. Whatever ID you pass in is accepted at face value unless you use a channel exit to validate it.

For more on WMQ security over client connections, see the Hardening WebSphere MQ presentation. If you wanted to actually secure access to the QMgr you'd want to set MCAUSER to a low-privileged user ID, perform setmqaut commands to authorize that ID's group and then lock down all the other channels like SYSTEM.AUTO.* and SYSTEM.DEF.* so they could not run.
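
The lockdown described in the answer above, as an added example that is not part of the original post: `audit_mcauser` flags channels in `DISPLAY CHANNEL(*) MCAUSER` output that run with a blank or administrator MCAUSER, and the `emit_*` functions print the MQSC and `setmqaut` commands for review. The ID `jmsapp`, group `jmsgrp`, topic object `APP.TOPIC` and the use of `nobody` as an ID without MQ authority are assumptions; the queue manager and channel names are taken from the question.

```shell
#!/bin/sh
# Added example. QMgr and channel names are from the question; the service ID,
# group and topic object are assumed names.
QMGR=ACT01; APP_CHANNEL=CONDUCTOR.ACT01
APP_USER=jmsapp; APP_GROUP=jmsgrp   # assumed low-privileged ID and its group
APP_TOPIC=APP.TOPIC                 # assumed topic object
# Reads "DISPLAY CHANNEL(*) MCAUSER" output on stdin and reports channels whose
# MCAUSER is blank (the ID asserted by the client is used) or an admin ID.
audit_mcauser() {
    awk '
    match($0, /CHANNEL\([^)]*\)/) { chl = substr($0, RSTART + 8, RLENGTH - 9) }
    match($0, /MCAUSER\([^)]*\)/) {
        id = substr($0, RSTART + 8, RLENGTH - 9); gsub(/ /, "", id)
        if (id == "") print chl ": blank MCAUSER"
        else if (id == "mqm" || toupper(id) == "MUSR_MQADMIN") print chl ": admin MCAUSER " id
    }'
}

# MQSC that pins the application channel to the low-privileged ID and gives the
# default and auto-defined inbound channels 'nobody', assumed to hold no MQ authority.
emit_mqsc() {
    printf "ALTER CHANNEL('%s') CHLTYPE(SVRCONN) MCAUSER('%s')\n" "$APP_CHANNEL" "$APP_USER"
    for spec in SYSTEM.DEF.SVRCONN:SVRCONN SYSTEM.AUTO.SVRCONN:SVRCONN \
                SYSTEM.DEF.RECEIVER:RCVR SYSTEM.AUTO.RECEIVER:RCVR \
                SYSTEM.DEF.REQUESTER:RQSTR SYSTEM.DEF.CLUSRCVR:CLUSRCVR; do
        printf "ALTER CHANNEL('%s') CHLTYPE(%s) MCAUSER('nobody')\n" "${spec%%:*}" "${spec##*:}"
    done
}

# setmqaut commands granting the group only connect/inquire and publish.
emit_setmqaut() {
    echo "setmqaut -m $QMGR -t qmgr -g $APP_GROUP +connect +inq"
    echo "setmqaut -m $QMGR -n $APP_TOPIC -t topic -g $APP_GROUP +pub"
}

# Constructed sample of runmqsc output, for trying audit_mcauser offline.
sample_display() {
    cat <<'EOF'
AMQ8414: Display Channel details.
   CHANNEL(CONDUCTOR.ACT01)                CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(jmsapp)
EOF
}
```

After review, the MQSC can be applied with `emit_mqsc | runmqsc ACT01`, and the `setmqaut` lines run as the MQ administrator; extend the grants to whatever other objects the application actually uses.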

北音执念 2024-09-15 12:18:23

I am running WebSphere on my local Windows machine and connecting to an MQ server on a Unix machine. For me only the third option worked. Setting the userID from the console didn't work. I tried both mqm and MUSR_MQADMIN.

//connection created using username and password
QueueConnection connection = factory.createQueueConnection("mqm","mqm");
