WLS JMS connector - Should use Object-Based Security with thin JMS client

[danielkec]

New WLS connector initializes InitialContextFactory within different thread than the one which creates destination. This makes WLS Thread-Based Security unusable. We need to switch to Object-Based Security.

2023.01.12 09:38:05 SEVERE io.helidon.messaging.connectors.jms.JmsConnector Thread[jms-1,5,jms-thread-pool-4]: Error intercepted from channel to-wls
java.util.concurrent.CompletionException: java.lang.RuntimeException: javax.jms.JMSSecurityException: Access denied to resource: type=<jms>, application=osm_oss_jms_module, destinationType=queue, resource=testQueue, action=send
    at java.base/java.util.concurrent.CompletableFuture.encodeThrowable(CompletableFuture.java:315)
    at java.base/java.util.concurrent.CompletableFuture.completeThrowable(CompletableFuture.java:320)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1770)
    at io.helidon.common.context.Contexts.runInContext(Contexts.java:117)
    at io.helidon.common.context.ContextAwareExecutorImpl.lambda$wrap$7(ContextAwareExecutorImpl.java:154)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1136)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:635)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.RuntimeException: javax.jms.JMSSecurityException: Access denied to resource: type=<jms>, application=osm_oss_jms_module, destinationType=queue, resource=testQueue, action=send
    at io.helidon.messaging.connectors.wls.ThinClientClassLoader.executeInIsolation(ThinClientClassLoader.java:103)
    at io.helidon.messaging.connectors.wls.WeblogicConnector.consumeAsync(WeblogicConnector.java:165)
    at io.helidon.messaging.connectors.jms.JmsConnector.lambda$consume$17(JmsConnector.java:574)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1768)
    ... 5 more
Caused by: javax.jms.JMSSecurityException: Access denied to resource: type=<jms>, application=osm_oss_jms_module, destinationType=queue, resource=testQueue, action=send
    at thinClientClassLoader//weblogic.jms.dispatcher.DispatcherAdapter.convertToJMSExceptionAndThrow(DispatcherAdapter.java:127)
    at thinClientClassLoader//weblogic.jms.dispatcher.DispatcherAdapter.dispatchSyncTran(DispatcherAdapter.java:60)
    at thinClientClassLoader//weblogic.jms.client.JMSProducer.toFEProducer(JMSProducer.java:1559)
    at thinClientClassLoader//weblogic.jms.client.JMSProducer.deliveryInternalUnified(JMSProducer.java:953)
    at thinClientClassLoader//weblogic.jms.client.JMSProducer.sendInternal(JMSProducer.java:618)
    at thinClientClassLoader//weblogic.jms.client.JMSProducer.sendWithListenerUnified(JMSProducer.java:437)
    at thinClientClassLoader//weblogic.jms.client.JMSProducer.sendWithListener(JMSProducer.java:425)
    at thinClientClassLoader//weblogic.jms.client.JMSProducer.send(JMSProducer.java:418)
    at thinClientClassLoader//weblogic.jms.client.WLProducerImpl.send(WLProducerImpl.java:974)
    at io.helidon.messaging.connectors.jms.shim.JakartaMessageProducer.lambda$send$6(JakartaMessageProducer.java:106)
    at io.helidon.messaging.connectors.jms.shim.ShimUtil.run(ShimUtil.java:40)
    at io.helidon.messaging.connectors.jms.shim.JakartaMessageProducer.send(JakartaMessageProducer.java:106)
    at io.helidon.messaging.connectors.jms.JmsConnector.consumeAsync(JmsConnector.java:594)
    at io.helidon.messaging.connectors.wls.WeblogicConnector.lambda$consumeAsync$4(WeblogicConnector.java:165)
    at io.helidon.messaging.connectors.wls.ThinClientClassLoader.executeInIsolation(ThinClientClassLoader.java:101)
    ... 8 more

PR's

• [x] #5852
• [x] #5854

[danielkec]

Workaround

1. Add this class to your project:

   
   package my.package;

import io.helidon.messaging.connectors.wls.IsolatedContextFactory; import javax.naming.Context; import javax.naming.NamingException; import javax.naming.spi.InitialContextFactory; import java.lang.reflect.*; import java.util.Hashtable;

/**

• Workaround for https://github.com/helidon-io/helidon/issues/5838
• Use weblogic.jms.WLInitialContextFactory instead of weblogic.jndi.WLInitialContextFactory

• to switch from WLS Thread-Based Security to Object-Based Security. */ public class Workaround5838 extends IsolatedContextFactory {

  static String WLS_INIT_CTX_FACTORY = "weblogic.jms.WLInitialContextFactory";

  @Override public Context getInitialContext(Hashtable<?, ?> env) throws NamingException { ClassLoader originalCl = Thread.currentThread().getContextClassLoader(); try { Class<?> clClass = Class.forName("io.helidon.messaging.connectors.wls.ThinClientClassLoader"); Method getInstanceMethod = clClass.getDeclaredMethod("getInstance"); getInstanceMethod.setAccessible(true); ClassLoader thinClientCl = (ClassLoader) getInstanceMethod.invoke(null); Thread.currentThread().setContextClassLoader(thinClientCl); Class<?> wlInitialContextFactory = thinClientCl.loadClass(WLS_INIT_CTX_FACTORY); Constructor<?> contextFactoryConstructor = wlInitialContextFactory.getConstructor(); InitialContextFactory contextFactoryInstance = (InitialContextFactory) contextFactoryConstructor.newInstance(); return contextFactoryInstance.getInitialContext(env); } catch (ClassNotFoundException e) { throw new RuntimeException("Cannot find " + WLS_INIT_CTX_FACTORY, e); } catch (NoSuchMethodException | InvocationTargetException | InstantiationException | IllegalAccessException e) { throw new RuntimeException("Cannot instantiate " + WLS_INIT_CTX_FACTORY, e); } finally { Thread.currentThread().setContextClassLoader(originalCl); } } }

  3. Use it as context factory with following setting:
  ```yaml
  mp:
  messaging:
  connector:
    helidon-weblogic-jms:
      jndi.env-properties.java.naming.factory.initial: my.package.Workaround5838