4 Replies Latest reply on Mar 17, 2012 5:56 AM by fcosfc

Securing the HornetQ REST Interface

fcosfc Jan 30, 2012 8:42 AM

Hi there,

I'm using HornetQ 2.2.5 as the default JMS provider of a JBoss 6.0.0 application server and I've succesfully deployed a Web archive (.WAR) running the HornetQ REST Interface, now I trying to secure it. I've read on the chapter 8 of the HornetQ REST Interface Guide:

"... You turn on authentication for all URLs within your WAR's web.xml, and let the user Principal to propagate to HornetQ. This only works if you are using the JBossSecurityManager with HornetQ ..."

So, I've added the following configuration to my web.xml file:

<security-constraint>

<display-name>HornetQRESTConstraint</display-name>

<web-resource-collection>

<web-resource-name>HornetQREST</web-resource-name>

<url-pattern>/*</url-pattern>

</web-resource-collection>

<auth-constraint>

<description>Authorized role</description>

<role-name>test_role</role-name>

</auth-constraint>

</security-constraint>

<login-config>

<auth-method>BASIC</auth-method>

<realm-name>hornetq</realm-name>

</login-config>

<security-role>

<role-name>test_role</role-name>

</security-role>

Here you have my jboss-web.xml configuration:

<?xml version="1.0" encoding="UTF-8"?>

<jboss-web>

<context-root>/HornetQRESTInterface</context-root>

<security-domain>hornetq</security-domain>

</jboss-web>

It works ok, only the users belonging to the test_role can access to the queues through the REST interface. But when I add a security setting to the hornetq-configuration.xml , in order to prevent unathorized access through the JMS interface, I got the following exception:

14:12:54,745 WARN [org.jboss.resteasy.core.SynchronousDispatcher] failed to execute: javax.ws.rs.WebApplicationException: HornetQException[errorCode=105 message=User: null doesn't have permission='SEND' on address jms.queue.REST.TestQueue]

The security setting is:

<security-setting match="jms.queue.REST.#">

</security-setting>

My question is: how to propagate the user Principal?

Thank you very much in advance.

Regards,

Paco.

1. Re: Securing the HornetQ REST Interface

ataylor Jan 30, 2012 8:45 AM (in response to fcosfc)

you will need to set allowClientLogin and authoriseOnClientLogin to true on the JBossASSecurityManager in the hornetq-jboss-beans.xml
Actions
2. Re: Securing the HornetQ REST Interface

fcosfc Mar 16, 2012 4:00 PM (in response to ataylor)

Hi Andy,

Thank you very much for your response. How could I achieve the same result with a JBoss 4.2.1 server, where doesn't exists the file hornetq-jboss-beans.xml?

Regards,

Paco.
Actions
3. Re: Securing the HornetQ REST Interface

jbertram Mar 16, 2012 4:56 PM (in response to fcosfc)

There doesn't appear to be any way to set these via the org.hornetq.service.JBossASSecurityManagerService MBean. You could open a JIRA and contribute a patch for this functionality (doesn't look like it would be very hard) or move to a newer version of JBoss AS. I would recommend the latter since AS 4.2.1 is almost 5 years old now and AS 7.1.2.Final was just released.
Actions
4. Re: Securing the HornetQ REST Interface

fcosfc Mar 17, 2012 5:56 AM (in response to jbertram)

Hi Justin,

Unfortunately, moving to newer version of JBoss AS is out of my scope, although I'll recommend it, so I'm going to opt for the first option. Thank you very much for your response.

Regards,

Paco.
Actions

Go to original post