AS7.1 ActiveDirectory security on JMS, problem looking up roles
ned233 Feb 10, 2012 4:48 PM
JBoss distribution: as of 2/10/2012
I have been trying to get Active Directory integrated as a login-module to secure my JMS queues. Here is what I have configured so far:
1. Created a login-module:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
    <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
    <module-option name="java.naming.provider.url" value="ldap://mycompany.com:389/"/>
    <module-option name="java.naming.security.authentication" value="simple"/>
    <module-option name="allowEmptyPasswords" value="false"/>
    <module-option name="baseCtxDN" value="DC=mycompany,DC=com"/>
    <module-option name="baseFilter" value="(sAMAccountName={0})"/>
    <module-option name="uidAttributeID" value="sAMAccountName"/>
    <module-option name="rolesCtxDN" value="DC=mycompany,DC=com"/>
    <module-option name="roleAttributeIsDN" value="true"/>
    <module-option name="roleAttributeID" value="memberOf"/>
    <module-option name="roleNameAttributeID" value="name"/>
</login-module>
2. Secure the queue
<security-setting match="jms.queue.testQueue">
    <permission type="send" roles="My_Role"/>
    <permission type="consume" roles="My_Role"/>
    <permission type="createNonDurableQueue" roles="My_Role"/>
    <permission type="deleteNonDurableQueue" roles="My_Role"/>
</security-setting>
When I run my test, I create my ConnectionFactory like this:
// createConnection() returns a javax.jms.Connection, not a ConnectionFactory
Connection conn = factory.createConnection("testuser@mycompany.com", "password");
I have confirmed that the user actually gets authenticated, because if I pass an invalid password, I get an error back stating that the password is invalid (and the "badPwdCount" goes up by 1). When I enter the correct password, though, I get the following error:
javax.jms.JMSSecurityException: User: testuser@mycompany.com doesn't have permission='SEND' on address jms.queue.testQueue
at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:286)
at org.hornetq.core.client.impl.ClientProducerImpl.doSend(ClientProducerImpl.java:287)
at org.hornetq.core.client.impl.ClientProducerImpl.send(ClientProducerImpl.java:142)
at org.hornetq.jms.client.HornetQMessageProducer.doSend(HornetQMessageProducer.java:451)
at org.hornetq.jms.client.HornetQMessageProducer.send(HornetQMessageProducer.java:199)
This leads me to believe that I have not configured my login-module correctly, so that it is not finding the user's roles. Here is how things appear in AD:
1. Look up the user account under DC=mycompany,DC=com
User has a memberOf attribute that consists of several DNs (which is why I set roleAttributeIsDN to "true"). Here is the role that I am going after:
CN=My_Role,OU=Sharepoint,OU=Groups,DC=mycompany,DC=com
2. Look up this role entry
When I go to this role in my AD Browser utility, I see a "name" attribute belonging to the record and its value is "My_Role" (which is why I set roleNameAttributeID to "name").
Is there something I am missing?
Thanks,
Ed
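An added example, not part of the post above and not JBoss code: an offline model of the two lookup steps the post describes (filter the base context for the user, read memberOf, follow each DN to its name attribute) and of the role check behind the security-setting, so the option values can be tried against a constructed directory. It assumes a dict keyed by DN stands in for AD and that {0} in baseFilter receives the login string exactly as passed to createConnection; it also generalizes to roleAttributeIsDN="false".

```python
import re
DIRECTORY = {  # constructed stand-in for AD: DN -> attributes
    "CN=Test User,OU=Users,DC=mycompany,DC=com": {
        "sAMAccountName": "testuser",
        "memberOf": ["CN=My_Role,OU=Sharepoint,OU=Groups,DC=mycompany,DC=com",
                     "CN=Domain Users,CN=Users,DC=mycompany,DC=com"],
    },
    "CN=My_Role,OU=Sharepoint,OU=Groups,DC=mycompany,DC=com": {"name": "My_Role"},
    "CN=Domain Users,CN=Users,DC=mycompany,DC=com": {"name": "Domain Users"},
}
OPTIONS = {  # the module-option values from the post that drive the role lookup
    "baseCtxDN": "DC=mycompany,DC=com",
    "baseFilter": "(sAMAccountName={0})",
    "roleAttributeID": "memberOf",
    "roleAttributeIsDN": "true",
    "roleNameAttributeID": "name",
}
SECURITY_SETTING = {"send": ["My_Role"], "consume": ["My_Role"]}  # from the post

def norm_dn(dn):
    """DN matching is case-insensitive and ignores spaces after commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def find_user(directory, opts, login):
    """Step 1: put the login string into {0} as-is (model assumption), search under baseCtxDN."""
    attr = re.match(r"\((\w+)=\{0\}\)", opts["baseFilter"]).group(1)
    base = norm_dn(opts["baseCtxDN"])
    for dn, entry in directory.items():
        if norm_dn(dn).endswith(base) and entry.get(attr, "").lower() == login.lower():
            return entry
    return None

def resolve_roles(directory, opts, login):
    """Step 2: read roleAttributeID; if it holds DNs, take roleNameAttributeID from each entry."""
    user = find_user(directory, opts, login)
    if user is None:
        return set()
    by_dn = {norm_dn(d): e for d, e in directory.items()}
    is_dn = opts["roleAttributeIsDN"].lower() == "true"
    name_attr = opts["roleNameAttributeID"]
    roles = set()
    for value in user.get(opts["roleAttributeID"], []):
        if not is_dn:
            roles.add(value)  # the attribute already holds the role name
        elif name_attr in by_dn.get(norm_dn(value), {}):
            roles.add(by_dn[norm_dn(value)][name_attr])
    return roles

def has_permission(setting, perm_type, roles):
    """Mirror of <permission type=... roles=.../>: one matching role is enough."""
    return bool(set(setting.get(perm_type, [])) & roles)
```

Running resolve_roles with "testuser" and with "testuser@mycompany.com" shows what the configured filter yields for each login string in this model.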