Summary
activemq-ra advertises BasicPassword authentication with jakarta.resource.spi.security.PasswordCredential, but ActiveMQManagedConnectionFactory does not extract credentials from the Subject provided by the application server.
Because of that, when a JCA container such as JBoss / WildFly passes username and password via Subject instead of ActiveMQConnectionRequestInfo, the adapter ignores them and falls back to CRI or factory defaults.
Relevant code
activemq-ra/src/main/java/org/apache/activemq/ra/ActiveMQManagedConnectionFactory.java
@Override
public ManagedConnection createManagedConnection(Subject subject, ConnectionRequestInfo connectionRequestInfo) throws ResourceException {
ActiveMQConnectionRequestInfo amqInfo = getInfo();
if (connectionRequestInfo instanceof ActiveMQConnectionRequestInfo) {
amqInfo = (ActiveMQConnectionRequestInfo) connectionRequestInfo;
}
try {
return new ActiveMQManagedConnection(subject, makeConnection(amqInfo), amqInfo);
} catch (JMSException e) {
throw new ResourceException("Could not create connection.", e);
}
}
makeConnection(...) uses only ActiveMQConnectionRequestInfo.getUserName() / getPassword(), and there appears to be no PasswordCredential handling anywhere in activemq-ra.
Spec reference
Jakarta Connectors 2.1, “Contract for the Application Server”:
https://jakarta.ee/specifications/connectors/2.1/jakarta-connectors-spec-2.1#contract-for-the-application-server
Given the declared authentication mechanism, the adapter should honor credentials supplied by the application server through Subject / PasswordCredential.
Expected behavior
When Subject contains a matching PasswordCredential, the adapter should use it when creating and matching managed connections.
Summary
activemq-raadvertisesBasicPasswordauthentication withjakarta.resource.spi.security.PasswordCredential, butActiveMQManagedConnectionFactorydoes not extract credentials from theSubjectprovided by the application server.Because of that, when a JCA container such as JBoss / WildFly passes username and password via
Subjectinstead ofActiveMQConnectionRequestInfo, the adapter ignores them and falls back to CRI or factory defaults.Relevant code
activemq-ra/src/main/java/org/apache/activemq/ra/ActiveMQManagedConnectionFactory.javamakeConnection(...)uses onlyActiveMQConnectionRequestInfo.getUserName()/getPassword(), and there appears to be noPasswordCredentialhandling anywhere inactivemq-ra.Spec reference
Jakarta Connectors 2.1, “Contract for the Application Server”:
https://jakarta.ee/specifications/connectors/2.1/jakarta-connectors-spec-2.1#contract-for-the-application-server
Given the declared authentication mechanism, the adapter should honor credentials supplied by the application server through
Subject/PasswordCredential.Expected behavior
When
Subjectcontains a matchingPasswordCredential, the adapter should use it when creating and matching managed connections.