6 Replies Latest reply on May 25, 2012 11:28 AM by jmesnil

    Securing HornetQ does not work with multiple roles

    osnetwork

      Hello everybody,

      I have been using HornetQ for a while and I still couldn't manage to fix an issue with the permissions.

      I'm using JBAS 7.1, but HornetQ as standalone gives the same results.

      Here is the problem: I want multiple roles (in this case only 2) to be able to interact with HornetQ. According to the HornetQ user manual, this should be sufficient:

      <security-settings>
          <security-setting match="jms.#">
              <permission type="send" roles="user, agent"/>
              <permission type="consume" roles="user, agent"/>
              <permission type="createDurableQueue" roles="user, agent"/>
              <permission type="deleteDurableQueue" roles="user, agent"/>
              <permission type="createNonDurableQueue" roles="user, agent"/>
              <permission type="deleteNonDurableQueue" roles="user, agent"/>
          </security-setting>
      </security-settings>

      but I keep getting errors like this (prova has the user role):

      Caused by: HornetQException[errorCode=105 message=User: prova doesn't have permission='CONSUME' on address jms.topic.replyTableTopic]
          ... 13 more

      Caused by: HornetQException[errorCode=105 message=User: prova doesn't have permission='SEND' on address jms.queue.requestTableQueue]
          ... 11 more

      Caused by: HornetQException[errorCode=105 message=User: prova2 doesn't have permission='CREATE_NON_DURABLE_QUEUE' on address jms.topic.replyTableTopic]
          ... 12 more

      Instead, if I put everything like this, it works, but obviously only for the user role and not for agent:

      <security-settings>
          <security-setting match="jms.#">
              <permission type="send" roles="user"/>
              <permission type="consume" roles="user"/>
              <permission type="createDurableQueue" roles="user"/>
              <permission type="deleteDurableQueue" roles="user"/>
              <permission type="createNonDurableQueue" roles="user"/>
              <permission type="deleteNonDurableQueue" roles="user"/>
          </security-setting>
      </security-settings>

      I have tried removing the blank spaces after the commas (as reported in this Jira issue https://issues.jboss.org/browse/HORNETQ-501), but it didn't help.

      Any idea?

      Thanks in advance,

      LM

        • 1. Re: Securing HornetQ does not work with multiple roles
          ataylor

          can you provide a test please

          • 2. Re: Securing HornetQ does not work with multiple roles
            osnetwork

            Here is a very quick test. I'm using JBAS 7.1.1 with the standalone-full profile. I have attached the profile configuration file and the application roles and users properties with 2 users: prova (user role) and prova2 (agent role).

            Here is the main class to run the test:

            import java.util.HashMap;
            import java.util.Map;

            import javax.jms.Connection;
            import javax.jms.ConnectionFactory;
            import javax.jms.JMSException;
            import javax.jms.Message;
            import javax.jms.MessageConsumer;
            import javax.jms.MessageListener;
            import javax.jms.Session;
            import javax.jms.Topic;

            import org.hornetq.api.core.TransportConfiguration;
            import org.hornetq.api.jms.HornetQJMSClient;
            import org.hornetq.api.jms.JMSFactoryType;
            import org.hornetq.core.remoting.impl.netty.NettyConnectorFactory;
            import org.hornetq.core.remoting.impl.netty.TransportConstants;

            /**
             * @author luca
             */
            public class MainJMS {

                protected static Topic replyTopic;
                protected static MessageConsumer replyConsumer;
                protected static Connection connection = null;
                protected static Session session;

                /**
                 * @param args
                 * @throws Exception
                 */
                public static void main(String[] args) throws Exception {
                    establishJMSConnectionToServer();
                }

                private static void establishJMSConnectionToServer() throws JMSException {
                    // Remote Netty connector to the HornetQ server on port 5445
                    Map<String, Object> connectionParams = new HashMap<String, Object>();
                    connectionParams.put(TransportConstants.PORT_PROP_NAME, 5445);

                    TransportConfiguration transportConfiguration = new TransportConfiguration(
                            NettyConnectorFactory.class.getName(), connectionParams);

                    ConnectionFactory connectionFactory = (ConnectionFactory) HornetQJMSClient
                            .createConnectionFactoryWithoutHA(JMSFactoryType.CF,
                                    transportConfiguration);

                    // Authenticate as prova2 (agent role); change to prova for the user role
                    connection = connectionFactory.createConnection("prova2", "test");

                    replyTopic = HornetQJMSClient.createTopic("testTopic");

                    session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);

                    // Creating a consumer on a topic needs CONSUME and CREATE_NON_DURABLE_QUEUE
                    replyConsumer = session.createConsumer(replyTopic, "ok", false);

                    replyConsumer.setMessageListener(new MessageListener() {

                        @Override
                        public void onMessage(Message message) {
                            System.out.println("got message");
                        }
                    });

                    connection.start();
                }
            }

            To change the user, you can change prova2 to prova when creating the connection.

            This test is for a remote connection, but even on the server side I have the same issue, so I guess this is not the problem.

            Hope this helps to figure out what the problem is.

            • 3. Re: Securing HornetQ does not work with multiple roles
              osnetwork

              Can somebody confirm that HornetQ has this issue?

              If so, is it possible to have it tracked in Jira?

              Instead, if it's not an issue but a missing functionality, why does the HornetQ User Manual say that this functionality is supported?

              Regards,

              LM

              • 4. Re: Securing HornetQ does not work with multiple roles
                ataylor

                When I get time I will take a proper look, although I'm pretty tied up at the moment.

                • 5. Re: Securing HornetQ does not work with multiple roles
                  qtm

                  Hello,

                  any news on this issue? I'm having the same problem.

                  Regards

                  • 6. Re: Securing HornetQ does not work with multiple roles
                    jmesnil

                    Luca Merolla wrote:

                    Here is the problem: I want multiple roles (in this case only 2) to be able to interact with HornetQ. According to the HornetQ user manual, this should be sufficient:

                    <security-settings>
                        <security-setting match="jms.#">
                            <permission type="send" roles="user, agent"/>
                            <permission type="consume" roles="user, agent"/>
                            <permission type="createDurableQueue" roles="user, agent"/>
                            <permission type="deleteDurableQueue" roles="user, agent"/>
                            <permission type="createNonDurableQueue" roles="user, agent"/>
                            <permission type="deleteNonDurableQueue" roles="user, agent"/>
                        </security-setting>
                    </security-settings>

                    If you are using HornetQ directly (and this snippet is in hornetq-configuration.xml), the configuration is correct, afaict.

                    If you are using AS7, the roles must be *separated by spaces, not by commas*, e.g. roles="user agent".

                    Sorry about this, this difference between the 2 XML configurations is not properly documented...