5 Replies Latest reply on Jan 23, 2008 1:33 AM by anupamkakade

    Queue-Security

    schachi
    schachi Aug 2, 2005 3:52 PM

      i try to add a access-control to a queue (only authenticated users should have read/write/create rights. other users should be blocked).
      i read the jboss-documentation (jms, jaas) and i searched in the forum, but i didn't found the answer.

      try:
      ecollector-docImport-service.xml:

      <server>
 <mbean code="org.jboss.mq.server.jmx.Queue"
 name="jboss.mq.destination:service=Queue,name=eManager-DocImportQueue">
 <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
 <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
 <attribute name="SecurityConf">
 <security>
 <role name="ecollector" read="true" write="true" create="true"/>
 </security>
 </attribute>
 </mbean>
<server>


      deploy-exception: 
      org.jboss.deployment.DeploymentException: Error during queue setup; - nested throwable:
(javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: eManager-DocImportQueue)
 at org.jboss.deployment.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:39)
 at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerCreate(JMSContainerInvoker.java:898)
 at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:922)
 at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:272)
 at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:222)
 at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
 at java.lang.reflect.Method.invoke(Method.java:585)
 at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
 at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
 at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
 at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
 at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
 at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:897)
 at $Proxy66.start(Unknown Source)
 at org.jboss.system.ServiceController.start(ServiceController.java:418)
 at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)



      the following is working, but im not happy because unauthenticated users have read-rights 
      <server>
 <mbean code="org.jboss.mq.server.jmx.Queue"
 name="jboss.mq.destination:service=Queue,name=eManager-DocImportQueue">
 <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
 <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
 <attribute name="SecurityConf">
 <security>
 <role name="guest" read="true" write="false" create="false"/>
 <role name="ecollector" read="true" write="true" create="true"/>
 </security>
 </attribute>
 </mbean>
<server>



      what would be the correct solution?

      THANK YOU for all hints in advance
      marc

      i'm using jboss-4.0.2

      • 7073 Views
      • Tags:
        • 1. Re: Queue-Security
          schachi
          schachi Aug 3, 2005 12:07 PM (in response to schachi)

          i thought i found the solution with the run-as tag (but it's still not working)

          <enterprise-beans>
 <message-driven>
 <ejb-name>DocImportProcessorEJB</ejb-name>
 <ejb-class>ch.e_act.e_archive.server.emanager.ejb.DocImportProcessorBean</ejb-class>
 <transaction-type>Container</transaction-type>
 <message-selector>MessageFormat = 'Version 3.4'</message-selector>
 <acknowledge-mode>auto-acknowledge</acknowledge-mode>
 <message-driven-destination>
 <destination-type>javax.jms.Queue</destination-type>
 </message-driven-destination>
 <security-identity>
 <run-as>
 <role-name>ecollector</role-name>
 <use-caller-identity>false</use-caller-identity>
 </run-as>
 </security-identity>
 <resource-ref>
 <res-ref-name>jms/QueueFactory</res-ref-name>
 <res-type>javax.jms.QueueConnectionFactory</res-type>
 <res-auth>Container</res-auth>
 </resource-ref>
 </message-driven>
</enterprise-beans>

          is there an other way to give the mdb-bean a role?

          or is the "run-as tag" the right way, and i missed something?

            • Actions
          • 2. Re: Queue-Security
            starksm64
            starksm64 Aug 3, 2005 12:46 PM (in response to schachi)

            The mdb also needs to be authenticated. To allow a guest user with the assumed run-as role see the unauthenticatedIdentity option for the login module used to secure the target.

              • Actions
            • 3. Re: Queue-Security
              schachi
              schachi Aug 4, 2005 11:12 AM (in response to schachi)

              thank you for the reply.

              <jboss>
 <enterprise-beans>
 <secure>false</secure>
 <message-driven>
 <ejb-name>DocImportProcessorEJB</ejb-name>
 <destination-jndi-name>queue/eManager-DocImportQueue
 </destination-jndi-name>

 <mdb-user>abc</mdb-user>
 <mdb-passwd>xyz</mdb-passwd>

 <resource-ref>
 <res-ref-name>jms/QueueFactory</res-ref-name>
 <jndi-name>java:/JmsXA</jndi-name>
 </resource-ref>
 </message-driven>
 </enterprise-beans>
</jboss>




                • Actions
              • 4. Re: Queue-Security
                ushirshah
                ushirshah Sep 6, 2005 5:20 PM (in response to schachi)

                Hi, I am using Jboss and have configured JAAS authentication. When I try to create a Receiver for the temporary queue I am getting follwoing exception:

                javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: JMS_TQ8


                When I try to create queue and Topic, my user/passwod gets authenticated and successfully creates queue/topic. Under jbossmq-destinations-service.xml I have my queues and topics configured correctly with the security role. I am not using Message Driven Beans.

                I am having this error for temporaray queue when I tried to createReceiver for the temporary queue. Any idea what might be happening? Without implementing MDB can I use JAAS security for the temporary queue ?

                part of my code: 

                try
{
 Context jndiContext = getInitialContext();
 QueueConnectionFactory ref =
 (QueueConnectionFactory)jndiContext.lookup("ConnectionFactory");

 Queue queue = (Queue)jndiContext.lookup("queue/testQueue");
 queueConnection = ref.createQueueConnection();
 QueueSession queueSession = queueConnection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
 // The temporary queue,
 TemporaryQueue tq = queueSession.createTemporaryQueue();
 queueSender = queueSession.createSender(queue);
 QueueReceiver qr = queueSession.createReceiver(tq);
}
catch (Exception e) {
 System.out.println(e.getMessage());
 e.printStackTrace();
}


                I am using Jboss 4.0.2.

                Thanks for your help in advance,
                Ushir

                  • Actions
                • 5. Re: Queue-Security
                  anupamkakade Jan 23, 2008 1:33 AM (in response to schachi)

                  Hi all,

                  Will u please help me to send a code for the Message sender and MDB for secure queues .
                  thanks in advance .

                    • Actions