Any answers yet?.
I'm stumbling into the same problem...

Yes, you can put the same login-module you used for your EJB-login under the <application-policy name="jbossmq">...
This works for non-durable subscriptions and queues but not for durable topics, beacuse the StateManager creates a new ClientID like "ID:15" for every connection. Perhaps anyone knows, how you could bring the StateManager to create an unique ID wich stays the same, e.g. login:topicName.

You shouldn't use an anonymous connection
for durable subscriptions.

A durable subscription is keyed by the user
and subscription name.

Regards,
Adrian

I used login/password when connecting to JMS but StateManager generated new ClientID every time I connected because the StateManager didn't find the user in its xml-configuration.

Now I've written a own StateManager which relies on a database. I don't know if this is correct, but a mapped ClientID direct to the user-login.

Perhaps you are interested in it. I attached the source.

Regards,
Thomas

That's interesting.

I just committed an "unfinished" jdbc state manager
into 3.2.
unifinished means I haven't fully tested it yet.
I also need to add the jmx methods to maintain
the user/role database.

With the data in the db, you can override the
sql to retrieve the data from where you like
in a db.

http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/jboss/jbossmq/src/main/org/jboss/mq/sm/jdbc/Attic/JDBCStateManager.java

You can configure it with some like the following
(remove the file state manager):

<depends optional-attribute-name="ConnectionManager">jboss.jca:service=LocalTxCM,name=DefaultDS

<!-- Override whatever sql statements you like -->



The jbossmq login config is just the
DatabaseServerLoginModule.

Regards,
Adrian

Can you elaborate on how to use the JDBC state manager? We are facing the same issue in authentication - we already have a cutomized JAAS login module and I need to integrate it into JMS security. A previous user suggested that it is possible, by defining the login module under <application-policy name="jbossmq">, but he failed to mention which configuration file to modify...

Your help is appreciated!!

conf/login-config.xml

Regards,
Adrian

Thanks for your reply. I have put in our login module in place of the default login module for JMS (which was org.jboss.mq.sm.file.DynamicLoginModule). For some reason, I don't think my login module is being called, since it always return authentication failure. Is there anything else I need do to hook up JMS authentication with my login module?

Another question that has been in my mind is that which CallbackHandler is being used in the JMS authentication. Do I have access to that, and do I need to override that, if so, how?

Thanks again for your time!

Xibin

Do you want to post your config
and perhaps your login module snippet,
or should I just guess what is wrong with it?

Regards,
Adrian

Sorry I was pulled away by another nasty problem. Now back to JMS security. Here is the configuration:

login-config.xml

<application-policy name = "jbossmq">

<login-module code="com.cnnxn.shared.security.server.jboss.blah" flag = "required">
<module-option name="assertIdentity">true</module-option>
<module-option name="datasource">aDatasource</module-option>
</login-module>

</application-policy>

<application-policy name = "connexn">

<login-module code="com.cnnxn.shared.security.server.jboss.blah" flag = "required">
<module-option name="assertIdentity">true</module-option>
<module-option name="datasource">aDatasource</module-option>
</login-module>

</application-policy>


The classes for the login module is deployed on to the lib directory of the jboss server instance.

IN addition to the above changes, I also tried to add roles in the security configuration of my topics and queues. An example is:


<depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager
<depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager







I also tried to add the matching user name and password in to the jbossmq-state.xml file, thinking jboss mq may fall back to that file. It never worked.

Please advise how I could integrate JMS with JAAS. It's OK if your answer is yes or impossible. I need to either abandone this and move on to other things, or solve it in a reasonable time frame.

Thansk ahead for any help you can offer!

Xibin

The jbossmq-state.xml is used to configure the
the jbossmq state manager.
This is used by jbossmq's dynamic login module
configured by default under policy "jbossmq"

I would guess your module only provides authenication
and does nothing with roles (authorization)?

Take a look at the jboss versions to see what is going on.
They are in
org.jboss.mq.sm.file (the default)
org.jboss.mq.sm.jbdc (an experimental jdbc version
that can be used with jboss's database login module)

Regards,
Adrian

Instead of duplicating things in the login config, can I just change the domain in "jbossmq-service.xml"?

Example:






NOTjbossmq
<depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager


Seems like that would be the best way to go.

Also, would it be possible to make a sar file or any other file that can be deployed easily seperate from the main JMS definitions (so I won't squash anyone else's files) that defines queues and topics for a project? (Also has to survive just a plain reboot, so JMX scripts probably aren't a good idea.)

Finally, can you think of any harm that may be caused by using my own role names instead of the defaults? Ex. Change subscriber->user in the "jboss-destinations-service.xml".

Sorry to ask so many questions. (but you may be happy I've been spreading the knowledge of JBoss by volunteering to teach half a semester at a local university, and it went well! ... thanks to the hard work of JBoss developers making the world of J2EE more accesable.)

The name of the security name can be anything it you like.
It just identifies the login configuration.

The configuration can be anywhere you like.
There is nothing special about jbossmq-destination-service.xml
my-destinations-service.xml would work just as well.
You can even put it in the root of an ejb jar.

You can aslo choose your own role names.

Regards,
Adrian

Wow, fast responce.

I'm loving Jboss more every day, that's so cool.

Basically, what you are saying is that in order to deploy my application, I could make it as simple as
1) modify login-config.xml in JBoss to add my security domain
2) copy my ear file to the deploy directory.

Possibly, I may need to modify jbossmq-service.xml to change the SecurityDomain.

On that, I was thinking... can I deploy a second security manager with a different name and link queue's to that security manager so my app plays happily alongside others? If so, would I just put a file in the root of me ejb-jar file like so:

jbossmq-is-cool.xml:


<!--my security manager-->






myapp
<!--I don't need another DestinationManager? -->
<depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager


<!--My topic-->

<depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager
<!--Depends on my security manager-->
<depends optional-attribute-name="SecurityManager">jboss.mq:service=MyAppsSecurityManager








<!-- likewise a queue -->

<depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager
<depends optional-attribute-name="SecurityManager">jboss.mq:service=MyAppsSecurityManager












I guess I really don't understand the whole depends tag works. I'm probably emphasizing the wrong part of the line. If I understand what I read properly, I think the option-attribute-name is more important than the depends :). Would that set up a queue and a topic that used my security manager that is seperate than the main config? In fact, the only config file needed to be messed with would be login-config.xml. I'm trying to make my software easy to use by other people, and I have a really hard time actually bending my mind around all the neat features of JBoss. There is just so many features that one person just can't keep track of them all.

(I understand that the depends makes sure that the other MBean is running first, but does the optional-attribute-name actually do something other than look pretty?)

Thanks so much for your help and hard work.