9 Replies Latest reply on Jun 28, 2012 2:35 PM by jbertram

    Enabling security for HornetQ

    stianst

      I'm trying to enable security for HornetQ in AS7. I've changed the security constraints as documented in https://docs.jboss.org/author/display/AS7/Messaging+configuration, but this has made no difference and I'm still able to send/receive messages without supplying a username/password.

       

      Snippet from server config:

                  <security-settings>
                      <security-setting match="#">
                          <permission type="send" roles="myrole"/>
                          <permission type="consume" roles="myrole"/>
                          <permission type="createNonDurableQueue" roles="myrole"/>
                          <permission type="deleteNonDurableQueue" roles="myrole"/>
                      </security-setting>
                  </security-settings>
      

       

      I couldn't find any documentation on how to specify roles and users for HornetQ in AS7, so I tried the same approach as I used in AS6, by adding hornetq-roles.properties and hornetq-users.properties.

       

      standalone/configuration/hornetq-roles.properties:

      myrole=myuser
      

       

      standalone/configuration/hornetq-users.properties:

      myuser=mypassword
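
An added consistency check for the three snippets above (not part of the original post, and not JBoss or HornetQ code): it cross-references the roles named in `security-settings` against the users and roles files, assuming the `username=role1,role2` layout that the UsersRoles login module reads. The function names and the inline sample data are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs that mirror the snippets in the post above.
SECURITY_SETTINGS = """<security-settings>
  <security-setting match="#">
    <permission type="send" roles="myrole"/>
    <permission type="consume" roles="myrole"/>
    <permission type="createNonDurableQueue" roles="myrole"/>
    <permission type="deleteNonDurableQueue" roles="myrole"/>
  </security-setting>
</security-settings>"""
USERS_PROPERTIES = "myuser=mypassword\n"
ROLES_PROPERTIES = "myrole=myuser\n"


def parse_properties(text):
    """Parse key=value lines; blank lines and # or ! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def audit(settings_xml, users_text, roles_text):
    """Return findings where the three files do not line up."""
    users = parse_properties(users_text)
    # Assumed roles-file layout: username=role1,role2 (user.RoleGroup keys not handled).
    grants = {user: set(filter(None, re.split(r"[,\s]+", roles)))
              for user, roles in parse_properties(roles_text).items()}
    held = set().union(*grants.values())
    findings = [f"roles file grants to '{u}', which is not in the users file"
                for u in grants if u not in users]
    findings += [f"user '{u}' has a password but no roles"
                 for u in users if not grants.get(u)]
    for setting in ET.fromstring(settings_xml).iter("security-setting"):
        for perm in setting.iter("permission"):
            # Accept comma- or space-separated role lists.
            for role in filter(None, re.split(r"[,\s]+", perm.get("roles", ""))):
                if role not in held:
                    findings.append(f"{perm.get('type')} on '{setting.get('match')}' "
                                    f"needs role '{role}', held by no user")
    return findings


if __name__ == "__main__":
    for finding in audit(SECURITY_SETTINGS, USERS_PROPERTIES, ROLES_PROPERTIES):
        print(finding)
```

Run against the files as posted, the check reports that no user holds `myrole`; with the roles line written as `myuser=myrole` it reports nothing.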
      
        • 1. Re: Enabling security for HornetQ
          stianst

          Bump.. Does no one know the answer to this?

          • 2. Re: Enabling security for HornetQ
            fabrizio.benedetti

            Try adding a security-domain in standalone.xml or domain.xml:

             

            <subsystem xmlns="urn:jboss:domain:security:1.0">
                <security-domains>
                    <security-domain name="hornetq">
                        <authentication>
                            <login-module code="UsersRoles" flag="required">
                                <module-option name="usersProperties" value="file:///path/to/props/hornetq-users.properties"/>
                                <module-option name="rolesProperties" value="file:///path/to/props/hornetq-roles.properties"/>
                            </login-module>
                        </authentication>
                    </security-domain>
                </security-domains>
            </subsystem>

            • 3. Re: Enabling security for HornetQ
              stianst

              Tried that. I've tried to add the following:

               

              <subsystem xmlns="urn:jboss:domain:security:1.0">
                  <security-domains>
                      <security-domain name="other" cache-type="default">
                          <authentication>
                              <login-module code="UsersRoles" flag="required">
                                  <module-option name="usersProperties" value="file:///tmp/hornetq-users.properties"/>
                                  <module-option name="rolesProperties" value="file:///tmp/hornetq-roles.properties"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="messaging">
                          <authentication>
                              <login-module code="UsersRoles " flag="required">
                                  <module-option name="usersProperties" value="file:///tmp/hornetq-users.properties"/>
                                  <module-option name="rolesProperties" value="file:///tmp/hornetq-roles.properties"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                      <security-domain name="hornetq">
                          <authentication>
                              <login-module code="UsersRoles " flag="required">
                                  <module-option name="usersProperties" value="file:///tmp/hornetq-users.properties"/>
                                  <module-option name="rolesProperties" value="file:///tmp/hornetq-roles.properties"/>
                              </login-module>
                          </authentication>
                      </security-domain>
                  </security-domains>
              </subsystem>

               

               

              Still able to send messages without supplying a username/password. You would also think that something would complain if the security-domain was missing? Instead of simply bypassing security?

              • 4. Re: Enabling security for HornetQ
                fabrizio.benedetti

                You're right, the security-domain is not sufficient. Messages can be sent without authentication.

                 

                I think that it is missing a mapping between messaging subsystem and the security domain "hornetq".

                 

                HornetQ in 7.0.1 does not yet support security?

                • 5. Re: Enabling security for HornetQ
                  stianst

                  Either there are some missing steps in the documentation (https://docs.jboss.org/author/display/AS7/Messaging+configuration) or it's simply not working. Not much response on this issue though :|

                  • 6. Re: Enabling security for HornetQ
                    jaikiran

                    I'm not sure if this has been integrated in AS7, yet. Please bring this up in the as7 dev list https://lists.jboss.org/mailman/listinfo/jboss-as7-dev

                    • 7. Re: Enabling security for HornetQ
                      stianst
                      • 8. Re: Enabling security for HornetQ
                        ohmygod

                        It seems I am having just the opposite issue: authenticate with null user error.

                         

                        https://community.jboss.org/message/744809#744809

                         

                        I am wondering how to disable this in JBoss7..

                        • 9. Re: Enabling security for HornetQ
                          jbertram

                          HornetQ is secured by default in the latest versions of JBoss AS7 (i.e. 7.1.1.Final and 7.2.0.Alpha1-SNAPSHOT from Git).  My guess is that the security integration wasn't available in the version you were using.