12 Replies Latest reply on May 30, 2007 5:32 PM by timfox

Queue/Topic Security Config

brentshikoski May 30, 2007 12:45 PM

Sorry for the large post, but I wanted to provide all the relevant information.

I'm seeing the same problem as detailed in Thread 107745 (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=107745). Basically it doesn't seem like the Security Configuration on the queue/topic level is working properly (or my configuration is wrong). The solution in that thread doesn't seem much like a solution at all.

My configuration looks like:

<server>
 <loader-repository>jboss.messaging:loader=ScopedLoaderRepository
 <loader-repository-config>java2ParentDelegation=false</loader-repository-config>
 </loader-repository>

 <mbean code="org.jboss.jms.server.destination.QueueService"
 name="jboss.messaging.destination:service=Queue,name=NotifyQueue"
 xmbean-dd="xmdesc/Queue-xmbean.xml">
 <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
 <depends>jboss.messaging:service=PostOffice</depends>
 <attribute name="SecurityConfig">
 <security>
 <role name="commonPublisher" read="false" write="true"/>
 <role name="commonSubscriber" read="true" write="true"/>
 </security>
 </attribute>
 <attribute name="MessageCounterHistoryDayLimit">-1</attribute>
 <attribute name="Clustered">true</attribute>
 </mbean>
</server>

The client error I see is:
javax.jms.JMSSecurityException: User: commonuser is not authorized to read from destination NotifyQueue
at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:260)

Here are some interesting bits from the server log:

2007-05-30 10:07:42,536 DEBUG [org.jboss.jms.server.destination.QueueService] Starting jboss.messaging.destination:name=NotifyQueue,service=Queue
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
<security>
<role name="guest" read="true" write="true"/>
<role name="commonPublisher" read="false" write="true"/>
<role name="commonSubscriber" read="true" write="true"/>
</security>
2007-05-30 10:07:42,552 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
....
....
2007-05-30 10:08:11,704 DEBUG [org.jboss.jms.server.security.SecurityMetadataStore] No SecurityMetadadata was available for NotifyQueue, using default security config
2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
....
2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [guest]
2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
 Principal: commonuser
 Principal: Roles(members:commonSubscriber,statPublisher)

2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(guest)=false
2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=false
2007-05-30 10:08:11,719 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is NOT authorized

Notice the line that contains 'No SecurityMetadadata was available for NotifyQueue, using default security config'.

I downloaded the source code to try and figure out what the problem with my configuration.

I added the following to the log4j.xml file to see if I could see a log statement like 'adding security configuration for queue'.

<category name="org.jboss.jms.server.security.SecurityMetadataStore">
 <priority value="TRACE" class="org.jboss.logging.XLevel"/>
 </category>

That didn't help. It seemed to me that that the queue security configuration was never being registered with the SecurityMetadataStore class.
In the DestinationServiceSupport class I found the following method.

public void setSecurityConfig(Element securityConfig) throws Exception
 {
 try
 {
 if (started)
 {
 // push security update to the server
 sm.setSecurityConfig(isQueue(), destination.getName(), securityConfig);
 }

 destination.setSecurityConfig(securityConfig);
 }
 catch (Throwable t)
 {
 ExceptionUtil.handleJMXInvocation(t, this + " setSecurityConfig");
 }
 }

It seems to me that this method is called before the queue is started and so the security configuration is never registered with the SecurityManager.

I added the following line to the startService() method in the org.jboss.jms.server.destination.QueueService class, right after the 'started = true;' statement:

serverPeer.getSecurityManager().setSecurityConfig(true, destination.getName(), destination.getSecurityConfig());

I rebuilt the jboss-messaging.jar jar with the change and it seemed to work. This is what I found in the server log after the code change:

2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
<security>
<role name="guest" read="true" write="true"/>
<role name="commonPublisher" read="false" write="true"/>
<role name="commonSubscriber" read="true" write="true"/>
</security>
2007-05-30 10:34:13,976 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] adding security configuration for queue NotifyQueue
2007-05-30 10:34:13,976 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
...
...
2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
...
2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [commonSubscriber, guest]
2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
 Principal: commonuser
 Principal: Roles(members:commonSubscriber,statPublisher)

2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(commonSubscriber)=true
2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=true
2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is authorized

Notice the new line from the SecurityMetadataStore class that wasn't there before ('adding security configuration for queue NotifyQueue').

I can provide more information from my other configuration files if necessary.

1. Re: Queue/Topic Security Config

timfox May 30, 2007 1:04 PM (in response to brentshikoski)

Good catch :)

The fix is pretty trivial so I'll see if I can get it in the next release.
Actions
2. Re: Queue/Topic Security Config

timfox May 30, 2007 1:15 PM (in response to brentshikoski)

http://jira.jboss.com/jira/browse/JBMESSAGING-976
Actions
3. Re: Queue/Topic Security Config

brentshikoski May 30, 2007 1:16 PM (in response to brentshikoski)

I don't know if the org.jboss.jms.server.destination.QueueService class is the correct place for the change, but if it is, then a similar change would need to be made to org.jboss.jms.server.destination.TopicService. I'm sure this is painfully obvious, but thought I would mention it.
Actions
4. Re: Queue/Topic Security Config

timfox May 30, 2007 1:18 PM (in response to brentshikoski)

The fix is to remove the if (started) {} clause.
Actions

5. Re: Queue/Topic Security Config

timfox May 30, 2007 1:29 PM (in response to brentshikoski)

Brent-

Can you verify the alternate fix of removing the if works for you?

I.e.

public void setSecurityConfig(Element securityConfig) throws Exception
 {
 try
 {
 // push security update to the server
 sm.setSecurityConfig(isQueue(), destination.getName(), securityConfig);

 destination.setSecurityConfig(securityConfig);
 }
 catch (Throwable t)
 {
 ExceptionUtil.handleJMXInvocation(t, this + " setSecurityConfig");
 }
 }

Works for you

6. Re: Queue/Topic Security Config

brentshikoski May 30, 2007 2:02 PM (in response to brentshikoski)

Tim,

I afraid that doesn't work. The SecurityManager (sm) and the ServerPeer have a null value when the setSecurityConfig(...) method is invoked. They are assigned values in the startService() method which is invoked later.
Actions
7. Re: Queue/Topic Security Config

timfox May 30, 2007 2:11 PM (in response to brentshikoski)

Duh. You're right.

This is what happens when you try and handle several threads simultaneously, plus prepare a release at the same time :)

In any case, we'll make sure whatever the fix is goes through our QA.
Actions
8. Re: Queue/Topic Security Config

brentshikoski May 30, 2007 2:26 PM (in response to brentshikoski)

Thanks for the update.

When is SP2 going to be released?
Actions
9. Re: Queue/Topic Security Config

timfox May 30, 2007 2:36 PM (in response to brentshikoski)

ASAP.

I need to make some changes to the documentation which will take a few hours, then run through the QA process which can take 12 hours or more.

So tomorrow or the next day.
Actions
10. Re: Queue/Topic Security Config

brentshikoski May 30, 2007 4:42 PM (in response to brentshikoski)
Tim,

I looked at the changes you made for this fix and I think you'll want to change what you did in the TopicService class.

It looks like you used the same code from the QueueService class:
serverPeer.getSecurityManager().setSecurityConfig(true, destination.getName(), destination.getSecurityConfig());

The first argument denotes whether or not the destination is a queue or a topic, so for the TopicService class it should be:
serverPeer.getSecurityManager().setSecurityConfig(false, destination.getName(), destination.getSecurityConfig());

Or you could change the code in both places to be:
serverPeer.getSecurityManager().setSecurityConfig(isQueue(), destination.getName(), destination.getSecurityConfig());

Sorry, that probably should have been my suggested solution in the first place.
Actions
11. Re: Queue/Topic Security Config

brentshikoski May 30, 2007 4:56 PM (in response to brentshikoski)

I thought of a better solution. Instead of having the last statement from my last post in both the QueueService and TopicService classes, it could just be inserted at the end of startService() method in the org.jboss.jms.server.destination.DestinationServiceSupport class. I made the modifications in my deployment and it looked like it worked.
Actions
12. Re: Queue/Topic Security Config

timfox May 30, 2007 5:32 PM (in response to brentshikoski)

Yes indeed :)

OK, I am going to sleep before I make any more stupid mistakes :)
Actions

Go to original post