14 Replies Latest reply on Oct 23, 2012 7:01 AM by ybxiang.china

    messaging does NOT support many roles?

    ybxiang.china

      Dear guys,

      I have a user named 'xiang' that has the JAAS role 'admin'. And I configured messaging:

       

          <subsystem xmlns="urn:jboss:domain:messaging:1.3">
              <hornetq-server>
                  <persistence-enabled>true</persistence-enabled>
                  <security-domain>nms-jaas-security-domain</security-domain>
                  <journal-file-size>102400</journal-file-size>
                  <journal-min-files>2</journal-min-files>

       

                  <connectors>
                      ...
                  </connectors>

       

                  <acceptors>
                      ...
                  </acceptors>

       

                  <security-settings>
                      <security-setting match="#">
                          <permission type="send" roles="admin"/>
                          <permission type="consume" roles="admin"/>
                          <permission type="createDurableQueue" roles="admin"/>
                          <permission type="deleteDurableQueue" roles="admin"/>
                          <permission type="createNonDurableQueue" roles="admin"/>
                          <permission type="deleteNonDurableQueue" roles="admin"/>
                      </security-setting>
                  </security-settings>
      ...
      ...
                  <jms-destinations>
                      <jms-queue name="testQueue">
                          <entry name="queue/test"/>
                          <entry name="java:jboss/exported/jms/queue/test"/>
                      </jms-queue>
                      <jms-topic name="testTopic">
                          <entry name="topic/test"/>
                          <entry name="java:jboss/exported/jms/topic/test"/>
                      </jms-topic>
                      <jms-topic name="nmsSOETopic">
                          <entry name="topic/nmsSOE"/>
                          <entry name="java:jboss/exported/jms/topic/nmsSOE"/>
                      </jms-topic>
                  </jms-destinations>
              </hornetq-server>
          </subsystem>

      Everything works well.

      But after I added one more role to the <permission> elements:

          <subsystem xmlns="urn:jboss:domain:messaging:1.3">
              <hornetq-server>
                  <persistence-enabled>true</persistence-enabled>
                  <security-domain>nms-jaas-security-domain</security-domain>
                  <journal-file-size>102400</journal-file-size>
                  <journal-min-files>2</journal-min-files>

       

                  <connectors>
                      ...
                  </connectors>

       

                  <acceptors>
                      ...
                  </acceptors>

       

                  <security-settings>
                      <security-setting match="#">
                          <permission type="send" roles="admin, jms_sender"/>
                          <permission type="consume" roles="admin, jms_consumer"/>
                          <permission type="createDurableQueue" roles="admin"/>
                          <permission type="deleteDurableQueue" roles="admin"/>
                          <permission type="createNonDurableQueue" roles="admin"/>
                          <permission type="deleteNonDurableQueue" roles="admin"/>
                      </security-setting>
                  </security-settings>
      ...
      ...
      </subsystem>

      My client throws the exception below:

      javax.jms.JMSSecurityException: User: xiang doesn't have permission='CONSUME' on address jms.topic.nmsSOETopic
          at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:312)
          at org.hornetq.core.client.impl.ClientSessionImpl.internalCreateConsumer(ClientSessionImpl.java:1826)
          at org.hornetq.core.client.impl.ClientSessionImpl.createConsumer(ClientSessionImpl.java:479)
          at org.hornetq.core.client.impl.ClientSessionImpl.createConsumer(ClientSessionImpl.java:445)
          at org.hornetq.core.client.impl.DelegatingSession.createConsumer(DelegatingSession.java:189)
          at org.hornetq.jms.client.HornetQSession.createConsumer(HornetQSession.java:558)
          at org.hornetq.jms.client.HornetQSession.createConsumer(HornetQSession.java:383)
          at org.hornetq.jms.client.HornetQSession.createConsumer(HornetQSession.java:353)
          at com.ybxiang.nms.gui.platform.connection.ServerLink.initJmsResource(ServerLink.java:1060)
          at com.ybxiang.nms.gui.platform.connection.ServerLink.connectToServer(ServerLink.java:279)
          at com.ybxiang.nms.gui.platform.login.LoginWizard$2.run(LoginWizard.java:113)
          at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)
      Caused by: HornetQException[errorCode=105 message=User: admin doesn't have permission='CONSUME' on address jms.topic.nmsSOETopic]
          ... 12 more

      My JBoss server version is 7.2.0 Alpha1:

                      19:42:57,250 INFO  [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss AS 7.2.0.Alpha1-SNAPSHOT "Steropes" started in 12297ms - Started 630 of 718 services (86 services are passive or on-demand)


      Is there something wrong with my configuration?

        • 1. Re: messaging does NOT support many roles?
          ybxiang.china

          Now that I have assigned user 'xiang' two more JAAS roles, 'jms_sender' and 'jms_consumer', my client works well.

          • 2. Re: messaging does NOT support many roles?
            ybxiang.china

            I tested it many times and get the same result.

            • 3. Re: messaging does NOT support many roles?
              ybxiang.china

              I tested many, many times, and now I have found a rule to reproduce this bug:

              1. Case 1

              (a) messaging configuration in standalone.xml

              <permission type="send" roles="jmsadmin, tester"/>
              <permission type="consume" roles="jmsadmin, tester"/>
              <permission type="createDurableQueue" roles="jmsadmin, tester"/>
              <permission type="deleteDurableQueue" roles="jmsadmin, tester"/>
              <permission type="createNonDurableQueue" roles="jmsadmin, tester"/>
              <permission type="deleteNonDurableQueue" roles="jmsadmin, tester"/>

              (b) User 'xiang' is configured with only one role, 'tester', in DB.

              Everything works well.


              2. Case 2

              (a) messaging configuration in standalone.xml: same as case 1.

              (b) User 'xiang' is configured with only one role, 'jmsadmin', in DB.

              Then the client throws the exception below:

              javax.jms.JMSSecurityException: User: xiang doesn't have permission='CREATE_NON_DURABLE_QUEUE' on address jms.topic.nmsSOETopic.


              3. Case 3

              (a) messaging configuration in standalone.xml

              <permission type="send" roles="tester, jmsadmin"/>
              <permission type="consume" roles="tester, jmsadmin"/>
              <permission type="createDurableQueue" roles="tester, jmsadmin"/>
              <permission type="deleteDurableQueue" roles="tester, jmsadmin"/>
              <permission type="createNonDurableQueue" roles="tester, jmsadmin"/>
              <permission type="deleteNonDurableQueue" roles="tester, jmsadmin"/>

              NOTE: the positions of jmsadmin and tester are exchanged.

              (b) User 'xiang' is configured with only one role, 'jmsadmin', in DB (same as case 2).

              Everything works well.


              4. Case 4

              (a) messaging configuration in standalone.xml: same as case 3.

              (b) User 'xiang' is configured with role 'tester' in DB.

              Then the client throws the exception below:

              javax.jms.JMSSecurityException: User: xiang doesn't have permission='CREATE_NON_DURABLE_QUEUE' on address jms.topic.nmsSOETopic.


              5. Case 5

              (a) If ONLY one role is configured in the above <permission /> elements and the user 'xiang' is configured with this role in DB, then everything is OK.


              6. Case 6 -- summary

              I tested cases 1~4 with the configuration below:

              <permission type="send" roles="role1, role2, role3, role4, role5"/>
              <permission type="consume" roles="role1, role2, role3, role4, role5"/>
              <permission type="createDurableQueue" roles="role1, role2, role3, role4, role5"/>
              <permission type="deleteDurableQueue" roles="role1, role2, role3, role4, role5"/>
              <permission type="createNonDurableQueue" roles="role1, role2, role3, role4, role5"/>
              <permission type="deleteNonDurableQueue" roles="role1, role2, role3, role4, role5"/>

              If the user 'xiang' is NOT configured with the LAST role, 'role5', in DB, then the exception is thrown!

              Namely, only the last role in <permission roles="role1, role2, role3,..." /> elements takes effect!!!

              • 4. Re: messaging does NOT support many roles?
                ybxiang.china

                One night was wasted finding out this bug!

                I hate such bugs!

                • 5. Re: messaging does NOT support many roles?
                  jbertram

                  Try just separating the roles with a space instead of a comma and space.  For example:

                   

                  <permission type="send" roles="role1 role2 role3 role4 role5"/>
                  <permission type="consume" roles="role1 role2 role3 role4 role5"/>
                  <permission type="createDurableQueue" roles="role1 role2 role3 role4 role5"/>
                  <permission type="deleteDurableQueue" roles="role1 role2 role3 role4 role5"/>
                  <permission type="createNonDurableQueue" roles="role1 role2 role3 role4 role5"/>
                  <permission type="deleteNonDurableQueue" roles="role1 role2 role3 role4 role5"/>
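
The following is an added illustration of why the comma-separated list fails and the space-separated one works; it is not code from JBoss AS 7 or HornetQ, and it assumes a simplified model in which the AS7 messaging subsystem splits the roles attribute on whitespace (consistent with the thread's observation that only the last comma-separated role takes effect) while hornetq-configuration.xml splits on commas. The user names, role names and the lint helper are constructed for the example. The practical point for a defender is that a misparsed role list silently narrows the effective permissions, so a configuration check that rejects tokens containing commas catches the mistake before deployment.

```python
"""Model of how a roles="..." attribute is split into role names and how a
user's JAAS roles are matched against the result.

Added example, not JBoss AS 7 or HornetQ code. Assumption: the AS7 messaging
subsystem splits on whitespace, HornetQ's own configuration splits on commas.
"""


def split_roles_whitespace(attr: str) -> list[str]:
    """Assumed AS7 messaging-subsystem behaviour: split on runs of whitespace.
    'admin, jms_sender' becomes ['admin,', 'jms_sender'], so the JAAS role
    'admin' no longer matches anything."""
    return attr.split()


def split_roles_comma(attr: str) -> list[str]:
    """HornetQ-style (hornetq-configuration.xml) behaviour: split on commas
    and trim the surrounding whitespace."""
    return [r.strip() for r in attr.split(",") if r.strip()]


def has_permission(user_roles: set[str], permission_roles: list[str]) -> bool:
    """A user holds a permission if any of their roles is listed on it."""
    return any(role in user_roles for role in permission_roles)


def lint_roles_attr(attr: str) -> list[str]:
    """Configuration check: return every token that still contains a comma
    after whitespace splitting. Such a token can never equal a JAAS role name,
    so a non-empty result means the list was written in the wrong syntax."""
    return [tok for tok in split_roles_whitespace(attr) if "," in tok]


if __name__ == "__main__":
    xiang = {"admin"}  # constructed: user 'xiang' with one JAAS role
    # Comma-separated, as in the original post: only the last role survives
    # whitespace splitting intact, so 'admin' is refused CONSUME.
    print(has_permission(xiang, split_roles_whitespace("admin, jms_consumer")))  # False
    # Space-separated, as suggested in reply 5: both roles match.
    print(has_permission(xiang, split_roles_whitespace("admin jms_consumer")))  # True
    # The lint flags every role but the last one in the case 6 configuration.
    print(lint_roles_attr("role1, role2, role3, role4, role5"))  # ['role1,', 'role2,', 'role3,', 'role4,']
```

Running the lint over each roles attribute in standalone.xml before restarting the server reproduces cases 2 and 4 of the thread without a client: a user holding 'jmsadmin' passes with "tester, jmsadmin" and fails with "jmsadmin, tester", because only the final token is comma-free.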
                  
                  • 6. Re: messaging does NOT support many roles?
                    ybxiang.china

                    Yes!

                    It works!

                    Thank you sir!

                    But why does the official documentation use <permission type="deleteNonDurableQueue" roles="admin, guest, europe-users"/> in http://docs.jboss.org/hornetq/2.2.5.Final/user-manual/en/html/security.html?

                    I have found at least two mistakes/bugs in JBoss official documents.

                    I had trusted those documents deeply!

                    • 7. Re: messaging does NOT support many roles?
                      ybxiang.china

                      Why NOT use a comma?

                      Many, many configuration files use commas, for example application-roles.properties and mgmt-roles.properties.

                       

                      If space is used, then "xiang yingbing" will be treated as two roles "xiang" and "yingbing".

                      I think space is NOT good enough.


                      Anyway, thank you VERY much!

                       

                      • 8. Re: messaging does NOT support many roles?
                        jbertram

                        But why does the official documentation use <permission type="deleteNonDurableQueue" roles="admin, guest, europe-users"/> in http://docs.jboss.org/hornetq/2.2.5.Final/user-manual/en/html/security.html?

                        That documentation is correct.  If you were configuring HornetQ directly (i.e. using hornetq-configuration.xml) then you would use a comma.

                         

                        However, you are not actually configuring HornetQ directly when you use the messaging subsystem of AS7.  You are configuring AS7 which is, in turn, configuring HornetQ programmatically.  You should refer to the documentation for the messaging subsystem before going to the HornetQ docs.

                        • 9. Re: messaging does NOT support many roles?
                          jbertram

                          Why NOT use a comma?

                          I can't say since I didn't implement it. 


                          If space is used, then "xiang yingbing" will be treated as two roles "xiang" and "yingbing".

                          I think space is NOT good enough.

                          Are you in the habit of using role names with a space?  I can't say I've ever seen that done before.

                           

                          As always, patches are welcome.

                          • 10. Re: messaging does NOT support many roles?
                            ybxiang.china

                            Yes, you are right.

                            I had thought JBoss AS and HornetQ used the same rule (I think it would be better to do so).

                             

                            Although I met many problems while switching my application from JBoss 5 to JBoss 7, I can always find a solution here. That is why I love JBoss more than Glassfish.

                            Thank you very much.

                            • 11. Re: messaging does NOT support many roles?
                              jbertram

                              For what it's worth, I've opened https://issues.jboss.org/browse/AS7-5808 to add ',' as a delimiter.

                              • 12. Re: messaging does NOT support many roles?
                                sfcoy

                                A rolename in the Java EE schema is an (extension of an) xsd:token type, so it may contain whitespace that is "collapsed" when parsed.

                                • 13. Re: messaging does NOT support many roles?
                                  ybxiang.china

                                  Great!


                                  • 14. Re: messaging does NOT support many roles?
                                    ybxiang.china

                                    From now on, I will NOT use space ' ' in any name.