SINotAuthorizedException when a JMS application attempts to access Websphere Application Server Service Integration Bus

Technote (troubleshooting)


Problem(Abstract)

Your JMS application fails to connect to WebSphere Application Server (WAS) Service Integration Bus (SIBus) and throws CWSII0212W errors when security is configured for WAS SIBus with the user added to the bus connector role and a connection factory configured with "container-managed" authentication alias.

Symptom

The following errors are written to WAS SystemOut.log:

CWSII0212W: The bus XXX.Bus denied an anonymous user access to the bus.

javax.jms.JMSSecurityException: CWSIA0006E: The authorization for the supplied user name was not successful.
Caused by: javax.jms.JMSSecurityException: CWSIA0006E: The authorization for the supplied user name was not successful.
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:183)
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:135)
.......

Caused by: com.ibm.wsspi.sib.core.exception.SINotAuthorizedException: CONTAINER_AUTHORIZATION_EXCEPTION_1071
at com.ibm.ws.sib.api.jmsra.impl.JmsJcaConnectionFactoryImpl.createConnection(JmsJcaConnectionFactoryImpl.java:429)
at com.ibm.ws.sib.api.jms.impl.JmsManagedConnectionFactoryImpl.createConnection(JmsManagedConnectionFactoryImpl.java:162)

FFDC shows:
FFDC Exception:com.ibm.wsspi.sib.core.exception.SINotAuthorizedException
SourceId:com.ibm.ws.sib.api.jmsra.impl.JmsJcaManagedConnectionFactoryImpl.createManagedConnection
ProbeId:1
Reporter:com.ibm.ws.sib.api.jmsra.impl.JmsJcaManagedQueueConnectionFactoryImpl@56365636
com.ibm.wsspi.sib.core.exception.SINotAuthorizedException: CWSIP0303E: No user specified when creating a connection to secure messaging engine AAA-XXX.Bus on bus XXX.Bus.

at
com.ibm.ws.sib.processor.impl.MessageProcessor.createConnection(MessageProcessor.java:789)
at
com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl.localAttach(TrmSICoreConnectionFactoryImpl.java:451)
at
com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl.connectFromInsideServer(TrmSICoreConnectionFactoryImpl.java:406)
at
com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl.localBootstrap(TrmSICoreConnectionFactoryImpl.java:323)
at
com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl.createConnection(TrmSICoreConnectionFactoryImpl.java:304)
at
com.ibm.ws.sib.trm.client.TrmSICoreConnectionFactoryImpl.createConnection(TrmSICoreConnectionFactoryImpl.java:222)

Cause

Even though container- managed authentication alias was set on the connection factory and the resource reference was created for the application (that is, res-auth being set to CONTAINER in the application deployment descriptor) a direct JNDI lookup on the connection factory was performed .

Resolving the problem

Perform an indirect JNDI lookup on the connection factory


Important Notes:
1. If the application does a direct JNDI lookup of the connection factory then by default res-auth gets set to "APPLICATION" even though it is set to "CONTAINER" in the application deployment descriptor. When res-auth is set to "APPLICATION", the authentication data is picked up in the following order:

    1) The user ID and password that are passed to the getConnection method
    2) The component-managed authentication alias in the connection factory or the data source
      Note: component-managed authentication alias is no longer available for the default messaging provider(SIB) in WAS adminconsole for WAS 7.0 and later versions .
    3) The custom properties user name and password in the data source

2.  If the application does indirect JNDI lookup then resource references for the application must be created and the res-auth must be set to "CONTAINER" in the application deployment descriptor and container-managed authentication alias must be set on the connection factory.

Example for direct jndi lookup:                                          
javax.jms.QueueConnectionFactory qcf =                                    
    (javax.jms.QueueConnectionFactory)                                    
initCtx.lookup("jms/MyJMSQueueConnectionFactory");                    
                         
Example for indirect jndi lookup:
javax.jms.QueueConnectionFactory qcf =                                    
    (javax.jms.QueueConnectionFactory)                                        
initCtx.lookup("java:comp/env/jms/MyJMSQueueConnectionFactory");    
 

Related information

Component managed authentication alias unavailable
Creating or changing a resource reference

Cross reference information
Segment Product Component Platform Version Edition
Business Integration IBM Business Process Manager Express
Business Integration WebSphere Enterprise Service Bus
Business Integration WebSphere MQ
Business Integration WebSphere Service Registry and Repository
Business Integration WebSphere Process Server
Business Integration WebSphere Partner Gateway - Express

Historical Number

14478 021 724
10385 003 756
61099 999 738
75314 000 738

Product Alias/Synonym

WebSphere Application Server WAS SIB SIBUS SI BUS

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

WebSphere Application Server
Service Integration Technology

Software version:

7.0, 8.0, 8.5

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1625948

Modified date:

2013-04-11

Translate my page

Machine Translation

Content navigation