14 Replies Latest reply on Oct 23, 2012 7:01 AM by ybxiang.china

messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 7:46 AM

Dear guys,

I have a user named 'xiang', it has a JAAS role 'admin'. And I configured messaging:

	<subsystem xmlns="urn:jboss:domain:messaging:1.3">
	<hornetq-server>
	<persistence-enabled>true</persistence-enabled>
	<security-domain>nms-jaas-security-domain</security-domain>
	<journal-file-size>102400</journal-file-size>
	<journal-min-files>2</journal-min-files>

	<connectors>
	...
	</connectors>

	<acceptors>
	...
	</acceptors>

<security-settings>
<security-setting match="#">
<permission type="send" roles="admin"/>
<permission type="consume" roles="admin"/>
<permission type="createDurableQueue" roles="admin"/>
<permission type="deleteDurableQueue" roles="admin"/>
<permission type="createNonDurableQueue" roles="admin"/>
<permission type="deleteNonDurableQueue" roles="admin"/>
</security-setting>
</security-settings>
		...
	...

	<jms-destinations>
	<jms-queue name="testQueue">
	<entry name="queue/test"/>
	<entry name="java:jboss/exported/jms/queue/test"/>
	</jms-queue>
	<jms-topic name="testTopic">
	<entry name="topic/test"/>
	<entry name="java:jboss/exported/jms/topic/test"/>
	</jms-topic>
	<jms-topic name="nmsSOETopic">
	<entry name="topic/nmsSOE"/>
	<entry name="java:jboss/exported/jms/topic/nmsSOE"/>
	</jms-topic>
	</jms-destinations>
	</hornetq-server>
	</subsystem>

Everything works well.

But after I added one more role in <permission> element:

	<subsystem xmlns="urn:jboss:domain:messaging:1.3">
	<hornetq-server>
	<persistence-enabled>true</persistence-enabled>
	<security-domain>nms-jaas-security-domain</security-domain>
	<journal-file-size>102400</journal-file-size>
	<journal-min-files>2</journal-min-files>

	<connectors>
	...
	</connectors>

	<acceptors>
	...
	</acceptors>

<security-settings>
<security-setting match="#">
<permission type="send" roles="admin, jms_sender"/>
<permission type="consume" roles="admin, jms_consumer"/>
<permission type="createDurableQueue" roles="admin"/>
<permission type="deleteDurableQueue" roles="admin"/>
<permission type="createNonDurableQueue" roles="admin"/>
<permission type="deleteNonDurableQueue" roles="admin"/>
</security-setting>
</security-settings>
			...
		...
	</subsystem>

My client throw bellow exception:

javax.jms.JMSSecurityException: User: xiang doesn't have permission='CONSUME' on address jms.topic.nmsSOETopic

at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:312)

at org.hornetq.core.client.impl.ClientSessionImpl.internalCreateConsumer(ClientSessionImpl.java:1826)

at org.hornetq.core.client.impl.ClientSessionImpl.createConsumer(ClientSessionImpl.java:479)

at org.hornetq.core.client.impl.ClientSessionImpl.createConsumer(ClientSessionImpl.java:445)

at org.hornetq.core.client.impl.DelegatingSession.createConsumer(DelegatingSession.java:189)

at org.hornetq.jms.client.HornetQSession.createConsumer(HornetQSession.java:558)

at org.hornetq.jms.client.HornetQSession.createConsumer(HornetQSession.java:383)

at org.hornetq.jms.client.HornetQSession.createConsumer(HornetQSession.java:353)

at com.ybxiang.nms.gui.platform.connection.ServerLink.initJmsResource(ServerLink.java:1060)

at com.ybxiang.nms.gui.platform.connection.ServerLink.connectToServer(ServerLink.java:279)

at com.ybxiang.nms.gui.platform.login.LoginWizard$2.run(LoginWizard.java:113)

at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

Caused by: HornetQException[errorCode=105 message=User: admin doesn't have permission='CONSUME' on address jms.topic.nmsSOETopic]

... 12 more"

My jboss server version: 7.2.0 alpha1:

19:42:57,250 INFO [org.jboss.as] (Controller Boot Thread) JBAS015874: JBoss AS 7.2.0.Alpha1-SNAPSHOT "Steropes" started in 12297ms - Started 630 of 718 services (86 services are passive or on-demand)

Is there something wrong with my configuration?

1. Re: messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 7:54 AM (in response to ybxiang.china)

Now, I assgin user 'xiang' with two more JAAS roles 'jms_sender' and 'jms_consumer', my client works well.
Actions
2. Re: messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 8:39 AM (in response to ybxiang.china)

I tested it many times and get the same result.
Actions

3. Re: messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 9:22 AM (in response to ybxiang.china)

I test many many times, now I find a rule to reproduce this bug:

1. Case 1

(a) messaging configuration in standalong.xml

	<permission type="send" roles="jmsadmin, tester"/>
	<permission type="consume" roles="jmsadmin, tester"/>
	<permission type="createDurableQueue" roles="jmsadmin, tester"/>
	<permission type="deleteDurableQueue" roles="jmsadmin, tester"/>
	<permission type="createNonDurableQueue" roles="jmsadmin, tester"/>
	<permission type="deleteNonDurableQueue" roles="jmsadmin, tester"/>

(b) User 'xiang' is configured with only one role 'tester' in DB.

everything works well.

2. Case 2

(a) messaging configuration in standalong.xml

same as case 1.

(b) User 'xiang' is configured with only one role 'jmsadmin' in DB.

Then the client throws bellow Exception:

javax.jms.JMSSecurityException: User: xiang doesn't have permission='CREATE_NON_DURABLE_QUEUE' on address jms.topic.nmsSOETopic.

3. Case 3

(a) messaging configuration in standalong.xml

	<permission type="send" roles="tester, jmsadmin"/>
	<permission type="consume" roles="tester, jmsadmin"/>
	<permission type="createDurableQueue" roles="tester, jmsadmin"/>
	<permission type="deleteDurableQueue" roles="tester, jmsadmin"/>
	<permission type="createNonDurableQueue" roles="tester, jmsadmin"/>
	<permission type="deleteNonDurableQueue" roles="tester, jmsadmin"/>

NOTE: position of jmsadmin and tester is exchanged.

(b) User 'xiang' is configured with only one role 'jmsadmin' in DB.(same as case 2).

everything works well.

4. Case 4

(a) messaging configuration in standalong.xml

same as case 3

(b) User 'xiang' is configured with two role 'tester' in DB,

Then the client throws bellow Exception:

javax.jms.JMSSecurityException: User: xiang doesn't have permission='CREATE_NON_DURABLE_QUEUE' on address jms.topic.nmsSOETopic.

5 Case 5

(a) If ONLY one role is configured in above <permission /> elements and the user 'xiang' is configured with this role in DB, then every thing is OK.

6 Case 6 -- summary

I test case1~case4 with bellow configuration:

If the user 'xiang' is NOT configured with the LAST role 'role5' in DB, then exception is thrown!

Namely, only the last role in <permission roles="role1, role2, role3,..." /> elements takes effect!!!

4. Re: messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 9:16 AM (in response to ybxiang.china)

One night is wasted to find out this bug!
I hate such bug!
Actions

5. Re: messaging does NOT support many roles?

jbertram Oct 22, 2012 9:46 AM (in response to ybxiang.china)

Try just separating the roles with a space instead of a comma and space. For example:

<permission type="send" roles="role1 role2 role3 role4 role5"/>
<permission type="consume" roles="role1 role2 role3 role4 role5"/>
<permission type="createDurableQueue" roles="role1 role2 role3 role4 role5"/>
<permission type="deleteDurableQueue" roles="role1 role2 role3 role4 role5"/>
<permission type="createNonDurableQueue" roles="role1 role2 role3 role4 role5"/>
<permission type="deleteNonDurableQueue" roles="role1 role2 role3 role4 role5"/>

6. Re: messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 10:43 AM (in response to jbertram)

Yes!
It works!
Thank you sir!

But why official document use <permission type="deleteNonDurableQueue" roles="admin, guest, europe-users"/> in http://docs.jboss.org/hornetq/2.2.5.Final/user-manual/en/html/security.html???

I have found at least two mistakes/bugs in jboss official documents.
I had trusted those documents deeply!
Actions
7. Re: messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 10:48 AM (in response to ybxiang.china)

Why NOT use comma?
Many Many configuration file use comma, for example application-roles.properties and mgmt-roles.properties.

If space is used, then "xiang yingbing" will be treated as two roles "xiang" and "yingbing".
I think space is NOT good enough.

Anyway, thank you VERY much!
Actions
8. Re: messaging does NOT support many roles?

jbertram Oct 22, 2012 11:03 AM (in response to ybxiang.china)

But why official document use <permission type="deleteNonDurableQueue" roles="admin, guest, europe-users"/> in http://docs.jboss.org/hornetq/2.2.5.Final/user-manual/en/html/security.html???
That documentation is correct. If you were configuring HornetQ directly (i.e. using hornetq-configuration.xml) then you would use a comma.

However, you are not actually configuring HornetQ directly when you use the messaging subsystem of AS7. You are configuring AS7 which is, in turn, configuring HornetQ programmatically. You should refer to the documentation for the messaging subsystem before going to the HornetQ docs.
1 of 1 people found this helpful
Actions
9. Re: messaging does NOT support many roles?

jbertram Oct 22, 2012 11:11 AM (in response to ybxiang.china)

Why NOT use comma?
I can't say since I didn't implement it.

If space is used, then "xiang yingbing" will be treated as two roles "xiang" and "yingbing".
I think space is NOT good enough.
Are you in the habit of using role names with a space? I can't say I've ever seen that done before.

As always, patches are welcome.
Actions
10. Re: messaging does NOT support many roles?

ybxiang.china Oct 22, 2012 8:35 PM (in response to jbertram)

Yes, you are right.
I had thought JBoss AS and HornetQ use same rule (I think it would be better to do so.).

Alought I met many problems during switching my application from jboss 5 to jboss 7, I can always find solution here. That is why I love JBoss more than Glassfish.
Thank you very much.
Actions
11. Re: messaging does NOT support many roles?

jbertram Oct 22, 2012 9:44 PM (in response to ybxiang.china)

For what it's worth, I've opened https://issues.jboss.org/browse/AS7-5808 to add ',' as a delimiter.
1 of 1 people found this helpful
Actions
12. Re: messaging does NOT support many roles?

sfcoy Oct 23, 2012 12:14 AM (in response to jbertram)

A rolename in the java ee schema is an (extension of an) xsd:token type, so it may contain whitespace that is "collapsed" when parsed.
Actions
13. Re: messaging does NOT support many roles?

ybxiang.china Oct 23, 2012 6:57 AM (in response to jbertram)

Great!
Actions
14. Re: messaging does NOT support many roles?

ybxiang.china Oct 23, 2012 7:01 AM (in response to sfcoy)

From now on, I will NOT use space ' ' in any name.
Actions

Go to original post