JBossMQ Security Configuration
To configure security on JBoss MQ there are a few steps you need to take:
Identify a security domain to use for messaging.
Configure your MDBs to use security credentials when reading from the message queues / topics.
Use the authenticated connection methods when connecting to the messaging service from your clients.
Configure security on the topics and queues.
Identify a security domain
Security domains are configured in the conf/login-config.xml file. The sample file that comes with the distribution is pretty well commented with examples. By default there is a security domain configured with the name "jbossmq".
To tell JBoss MQ which security domain to use when checking credentials, edit the file deploy/jms/jbossmq-service.xml. In this file you will have an entry that looks something like this:
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"></role>
    </security>
  </attribute>
  <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
To change the security domain in use, change the attribute called "SecurityDomain".
Notice the DefaultSecurityConfig attribute. To allow unauthenticated messaging, make sure that its role name (here "guest") is the same as the "unauthenticatedIdentity" given in the security domain's definition in login-config.xml.
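For reference, this is what the matching "jbossmq" security domain in conf/login-config.xml looks like when it is backed by a file-based login module. It is an added example, not the page's own configuration: the login module, the property file paths and the sample users are assumptions, chosen to match the scott/tiger MDB user used later on this page.

```xml
<!-- conf/login-config.xml: the "jbossmq" security domain (added example;
     login module and property file paths are assumptions) -->
<application-policy name="jbossmq">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- Callers that present no credentials are treated as "guest". This
           value must equal the role name in DefaultSecurityConfig of
           jbossmq-service.xml, otherwise unauthenticated callers get nothing. -->
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <!-- Property files are resolved on the server classpath
           (e.g. server/xxx/conf/props/) -->
      <module-option name="usersProperties">props/jbossmq-users.properties</module-option>
      <module-option name="rolesProperties">props/jbossmq-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- Constructed sample contents of the two property files:

     props/jbossmq-users.properties   (user=password)
       guest=guest
       scott=tiger

     props/jbossmq-roles.properties   (user=role1,role2,...)
       guest=guest
       scott=publisher,durpublisher
-->
```

Whatever roles you list for a user here are the names that the destination security configuration in jbossmq-destinations-service.xml checks against.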
Configure MDBs to use security
Your message driven beans "log in" to the queues / topics that "drive" them. If you enable security in JMS, the beans will have to identify themselves.
Which identity they should use is specified in the jboss.xml file for the given beans. See the example below:
<message-driven>
  <ejb-name>CMyMessageBean</ejb-name>
  <destination-jndi-name>queue/myQueue</destination-jndi-name>
  <mdb-user>scott</mdb-user>
  <mdb-passwd>tiger</mdb-passwd>
  <resource-ref>
    <res-ref-name>jdbc/base</res-ref-name>
    <jndi-name>java:/jdbc/myconnection</jndi-name>
  </resource-ref>
</message-driven>
The mdb-user and mdb-passwd should match a user that exists in your security domain.
Use authenticated connections in client code
If you have clients connecting to your security-enabled messaging service, they will have to supply user credentials. The client-login you normally use when calling JBoss EJBs is not enough; in fact it is not related at all, so you don't need to log in through that client-login.
What you have to do is use these methods when creating the JMS connections:
QueueConnectionFactory connectionFactory =
    (QueueConnectionFactory) ctx.lookup("ConnectionFactory");
try {
    destination = (javax.jms.Queue) ctx.lookup(QUEUENAME);
} catch (javax.naming.NameNotFoundException nne) {
    m_log.fatal("Could not find recipient queue: " + QUEUENAME);
    System.exit(1);
}
// Pass the JMS user and password explicitly; the EJB client login is not used here
QueueConnection connection = connectionFactory.createQueueConnection(JMSUSER, JMSPASS);
And for topics:
TopicConnectionFactory connectionFactory =
    (TopicConnectionFactory) ctx.lookup("ConnectionFactory");
try {
    destination = (javax.jms.Topic) ctx.lookup(TOPICNAME);
} catch (javax.naming.NameNotFoundException nne) {
    m_log.fatal("Could not find topic: " + TOPICNAME);
    System.exit(1);
}
// Same as for queues: credentials go directly into the connection factory call
TopicConnection connection = connectionFactory.createTopicConnection(JMSUSER, JMSPASS);
Configure security on the topics and queues
In the deploy/jms/jbossmq-destinations-service.xml file you can configure the topics and queues, who can access them, and how. The default file that comes with JBoss contains comments and examples that describe how this step is done.
Make sure that the user you supplied in your jboss.xml file for your MDBs belongs to the roles you specify here.
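An example of such a destination entry, added here rather than taken from the page or from the distribution's default file: it secures the queue/myQueue destination referenced by the jboss.xml example above. The role names "publisher" and "durpublisher" are assumptions; the MDB user (scott) must be mapped to one of the roles that has read="true", or the bean cannot consume from the queue.

```xml
<!-- deploy/jms/jbossmq-destinations-service.xml (added example; role names
     "publisher" and "durpublisher" are assumptions) -->
<mbean code="org.jboss.mq.server.jmx.Queue"
       name="jboss.mq.destination:service=Queue,name=myQueue">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <!-- Binding the SecurityManager makes this queue's SecurityConf take
       precedence over the DefaultSecurityConfig in jbossmq-service.xml -->
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  <attribute name="SecurityConf">
    <security>
      <!-- read   = may receive messages (an MDB driven by this queue needs it)
           write  = may send messages
           create = may create durable subscriptions (relevant for topics) -->

      <!-- Unauthenticated callers are mapped to "guest" by the login module's
           unauthenticatedIdentity; here they may only send, never consume -->
      <role name="guest" read="false" write="true" create="false"/>

      <!-- Put the mdb-user from jboss.xml (scott) into this role so the bean
           can read from the queue -->
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="durpublisher" read="true" write="true" create="true"/>
    </security>
  </attribute>
</mbean>
```

A user whose roles match none of the entries gets no access at all, which shows up on the client as a javax.jms.JMSSecurityException.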
Disable Security
As of JBoss 4.2.3, edit server/xxx/deploy/jms/jbossmq-service.xml. Find:
<mbean code="org.jboss.mq.server.jmx.Invoker" name="jboss.mq:service=Invoker">
and change the line two lines below it from:
<depends optional-attribute-name="NextInterceptor">jboss.mq:service=SecurityManager</depends>
To:
<depends optional-attribute-name="NextInterceptor">jboss.mq:service=TracingInterceptor</depends>
This removes the SecurityManager interceptor from the invoker chain, so no authentication check is made, and it eliminates the principal=null errors that unauthenticated Message Driven Beans (MDBs) otherwise produce. The errors look like this:
javax.jms.JMSSecurityException: User: null is NOT authenticated
    at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:230)
    at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:66)
    at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:613)
    at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:172)
    at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:165)
    at org.jboss.mq.Connection.authenticate(Connection.java:1067)
    ...
13:54:17,255 INFO [JMSContainerInvoker] Waiting for reconnect internal 10000ms for RandomClientMessageBean
13:54:27,256 INFO [JMSContainerInvoker] Trying to reconnect to JMS provider for RandomClientMessageBean
13:54:27,257 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
java.io.IOException: No properties file: props/jbossmq-users.properties or defaults: defaultUsers.properties found
13:56:18,725 INFO [JMSContainerInvoker] Waiting for reconnect internal 10000ms for RandomClientMessageBean
..
2008-12-28 13:53:42,806 DEBUG [org.jboss.ejb.plugins.jms.DLQHandler] Initialization failed DLQHandler
Additional information
SecurityManager - the main controller
Login Module - the authentication policy
SecurityConf - defines the roles and their authorities