5 Replies Latest reply on Oct 3, 2016 10:58 AM by Bernard H

    Can't set permission to send message (JMS)

    Brian D Newbie

      I'm trying to use a remote client to send a message via a producer to one of my defined JMS queues.  The error message says:

       

      Exception in thread "main" javax.jms.JMSSecurityException: User: admin doesn't have permission='SEND' on address jms.queue.testQueue

       

      I created the user "admin" on both realms using the add-user script. 

       

      I don't know if I have my security settings correct.  Do I need to define roles for "admin" in the standalone application-roles.properties file?

       

      My Security setting looks like this:

       

       

      <security-setting match="#">
          <permission type="send" roles="admin"/>
          <permission type="consume" roles="guest"/>
          <permission type="createNonDurableQueue" roles="guest"/>
          <permission type="deleteNonDurableQueue" roles="guest"/>
      </security-setting>
      
      

       

       

      My client code looks like:

       

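      import java.util.Properties;
      import javax.jms.Connection;
      import javax.jms.ConnectionFactory;
      import javax.jms.Message;
      import javax.jms.MessageProducer;
      import javax.jms.Queue;
      import javax.jms.Session;
      import javax.naming.Context;
      import javax.naming.InitialContext;

      // Class name chosen for this listing
      public class JmsSendClient {
          public static void main(String[] args) throws Exception {
              // JNDI context over JBoss remoting, authenticated as "admin"
              String JBOSS_CONTEXT = "org.jboss.naming.remote.client.InitialContextFactory";
              Properties props = new Properties();
              props.put(Context.INITIAL_CONTEXT_FACTORY, JBOSS_CONTEXT);
              props.put(Context.PROVIDER_URL, "remote://localhost:4447");
              props.put(Context.SECURITY_PRINCIPAL, "admin");
              props.put(Context.SECURITY_CREDENTIALS, "adminadmin");
              Context ic = new InitialContext(props);

              // Look up the remote connection factory and the queue in JNDI
              ConnectionFactory connectionFactory = (ConnectionFactory) ic.lookup("jms/RemoteConnectionFactory");
              Queue queue = (Queue) ic.lookup("jms/queue/test");

              // The JMS connection is authenticated with the same user
              Connection conn = connectionFactory.createConnection("admin", "adminadmin");
              try {
                  Session session = conn.createSession(false, Session.AUTO_ACKNOWLEDGE);
                  MessageProducer producer = session.createProducer(queue);

                  Message msg = session.createMessage();
                  msg.setJMSMessageID("ID:test");
                  producer.send(msg);
              } finally {
                  // Close the connection even if the send is rejected
                  conn.close();
              }
          }
      }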
      
      
        • 1. Re: Can't set permission to send message (JMS)
          Brian D Newbie

          Update:

           

          I'm able to send and receive now by disabling security for JMS.  I go to the app console, click on the default JMS link and edit to disable it.

           

          I would still really like to know why the roles weren't recognized when security is enabled.

          • 2. Re: Can't set permission to send message (JMS)
            Simon Cigoj Newbie

            Maybe your roles are not bound correctly to the user; go to the file ..standalone\configuration\application-roles.properties

             

            I have a user "jmsUser2" with the role guest, and in application-roles.properties I have a line "jmsUser2=guest"

             

            Then in standalone.xml I have the default setting

             

            <security-setting match="#">
                <permission type="send" roles="guest"/>
                <permission type="consume" roles="guest"/>
                <permission type="createNonDurableQueue" roles="guest"/>
                <permission type="deleteNonDurableQueue" roles="guest"/>
            </security-setting>
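
An added example, not part of the original posts: a small Python check that reads a role mapping in the `user=role` form shown above together with a `security-setting` block, and explains why a user is or is not granted a permission on an address. The sample inputs are constructed, the function names are hypothetical, and precedence between several matching settings is simplified to the longest match string.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, modelled on the snippets quoted in this thread.
SECURITY_XML = """<security-settings>
  <security-setting match="#">
    <permission type="send" roles="admin"/>
    <permission type="consume" roles="guest"/>
  </security-setting>
</security-settings>"""
ROLES_PROPERTIES = "# user=role1,role2\njmsUser2=guest\n"

def split_roles(value):
    return {r for r in re.split(r"[,\s]+", value or "") if r}  # comma or space separated

def load_roles(text):
    """Parse user=roles lines; '#' comments and blank lines are skipped."""
    roles = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            user, _, value = line.partition("=")
            roles[user.strip()] = split_roles(value)
    return roles

def local(el):
    return el.tag.rsplit("}", 1)[-1]  # drop an XML namespace, if present

def address_matches(match, address):
    """'#' matches any run of words, '*' exactly one word, '.' separates words."""
    tokens = {"#": ".*", "*": "[^.]+"}
    return re.fullmatch("".join(tokens.get(c, re.escape(c)) for c in match), address) is not None

def explain(user, permission, address, xml_text, roles_text):
    """Return (allowed, reason) for one user / permission / address check."""
    have = load_roles(roles_text).get(user, set())
    settings = [e for e in ET.fromstring(xml_text).iter()
                if local(e) == "security-setting" and address_matches(e.get("match", ""), address)]
    if not settings:
        return False, "no security-setting matches " + address
    # Assumption: among several matches, the longest match string is used.
    chosen = max(settings, key=lambda e: len(e.get("match", "")))
    need = set()
    for p in chosen:
        if local(p) == "permission" and p.get("type", "").lower() == permission.lower():
            need |= split_roles(p.get("roles"))
    if have & need:
        return True, "granted via role " + ",".join(sorted(have & need))
    return False, f"{user} has roles {sorted(have)}; {permission} requires one of {sorted(need)}"
```

With the constructed inputs, `explain("admin", "send", "jms.queue.testQueue", SECURITY_XML, ROLES_PROPERTIES)` reports a denial because `admin` has no entry in the role mapping, while appending `admin=admin` to the mapping turns it into a grant.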

            • 3. Re: Can't set permission to send message (JMS)
              Shekhar p Newbie

              Can you please tell me which realm you added the user to?

               

              The user needs to be added to the realm which is mentioned in the standalone.xml

               

               

              <subsystem xmlns="urn:jboss:domain:remoting:1.1">
                  <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
              </subsystem>

              • 4. Re: Can't set permission to send message (JMS)
                Erik Torp Newbie

                Hi,

                 

                Following the posts above works.

                 

                Although it's written in the application-roles.properties header that changes are automatically picked up, I had to bounce the server. Not sure that's because I did not wait long enough...

                • 5. Re: Can't set permission to send message (JMS)
                  Bernard H Newbie

                  Roles will not be visible (even if defined with add-user command) by ActiveMQ when your server is configured to use simple access control (default at installation). You need to activate 'Role Based Access Controls' in the JBoss server (cf. CLI command /core-service=management/access=authorization:write-attribute(name=provider,value=rbac)) and then only ActiveMQ will become able to validate role settings/permissions and grant/deny access to queues from remote clients.

                  So if you want to keep the default "simple access control", you shall deactivate security in ActiveMQ (cf JBoss console > Configuration > subsystems > ... ActiveMQ > .. provider Settings ...