JMS bridge between WildFly instances

I was recently trying to set up JMS bridge between two standalone WildFly instances, each running on different machine. The whole experience turned out to be less straightforward than I had anticipated and I decided I should share the solution here to hopefully help others.

The solution

It turns out that to configure JMS bridge for remote servers credentials need to be specified twice. The username and password must be added to the context to allow JNDI registry lookup and then again in destination configuration. The user referred in <user> tag must be registered in ApplicationRealm with permission to consume/send messages (depending on whether source or target is remote endpoint)

The problem

Before connection to JMS queue can be established , JMS bridge must first  lookup remote objects  (queues and connection factories) by their JDNI names. When both bridge and remote broker are running on the same machine no authentication is required, but for truly remote  lookup to succeed valid credentials are needed. It’s worth mentioning that the user used for JDNI lookup can be different from the one used for creating the JMS connection and doesn’t need permission to modify queue.

Failure to provide credentials in context definition will result in rather cryptic error

javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: /Users/Jarek/dev/wildfly-8.2.0.Final/standalone/tmp/auth/local2330515126078615287.challenge (System nie może odnaleźć określonej ścieżki)]
DIGEST-MD5: javax.security.sasl.SaslException: DIGEST-MD5: Cannot perform callback to acquire realm, authentication ID or password [Caused by javax.security.auth.callback.UnsupportedCallbackException]

When user name or password are present but invalid the error message is a little more useful

javax.security.sasl.SaslException: Authentication failed: all available authentication mechanisms failed:
JBOSS-LOCAL-USER: javax.security.sasl.SaslException: Failed to read server challenge [Caused by java.io.FileNotFoundException: /Users/Jarek/dev/wildfly-8.2.0.Final/standalone\tmp\auth\local6004500283609774891.challenge (System nie może odnaleźć określonej ścieżki)]
DIGEST-MD5: Server rejected authentication

Only components that are registered within the java:jboss/exported/ namespace are remote accessible via the naming service.

Recipe

In WildFly, JMS bridge between local and remote destinations  jms/queue/sourceQ ⇒ jms/queue/targetQ with ONCE_AND_ONLY_ONCE QoS can be created with following CLI command

/subsystem=messaging/jms-bridge=jms-bridge-name/:add(source-destination="jms/queue/sourceQ", \ 
    source-connection-factory="ConnectionFactory", \
    target-destination="jms/queue/targetQ", \
    target-connection-factory="jms/RemoteConnectionFactory", \
    target-user="jmsuser", \
    target-password="pass", \
    target-context=[\
        "java.naming.factory.initial"="org.jboss.naming.remote.client.InitialContextFactory", \
        "java.naming.provider.url"="http-remoting://localhost:8080", \
        "java.naming.security.principal"="jmsuser", \
        "java.naming.security.credentials"="pass"], \
    quality-of-service=ONCE_AND_ONLY_ONCE, \
    failure-retry-interval=10000, \
    max-retries=10, \
    max-batch-size=500, \
    max-batch-time=50, \
    add-messageID-in-header=true)

Skomentuj

Wprowadź swoje dane lub kliknij jedną z tych ikon, aby się zalogować:

Logo WordPress.com

Komentujesz korzystając z konta WordPress.com. Log Out / Zmień )

Zdjęcie z Twittera

Komentujesz korzystając z konta Twitter. Log Out / Zmień )

Facebook photo

Komentujesz korzystając z konta Facebook. Log Out / Zmień )

Google+ photo

Komentujesz korzystając z konta Google+. Log Out / Zmień )

Connecting to %s