Can HornetQ use JAAS role?
Dear jboss guys,
Can HornetQ use JAAS role?
My standalone-full.xml
| <subsystem xmlns="urn:jboss:domain:messaging:1.3"> | ||||||
| <hornetq-server> | ||||||
| <persistence-enabled>true</persistence-enabled> | ||||||
| <journal-file-size>102400</journal-file-size> | ||||||
| <journal-min-files>2</journal-min-files> | ||||||
| <connectors> | ||||||
| <netty-connector name="netty-ssl-connector" socket-binding="messaging"> | ||||||
| <param key="ssl-enabled" value="true"/> | ||||||
| <param key="key-store-path" value="D:\\java\\jboss-as-7.2.0.Alpha1\\standalone\\configuration\\server.keystore"/> | ||||||
| <param key="key-store-password" value="ybxiang_keystore_password"/> | ||||||
| </netty-connector> | ||||||
| <netty-connector name="netty-throughput" socket-binding="messaging-throughput"> | ||||||
| <param key="batch-delay" value="50"/> | ||||||
| </netty-connector> | ||||||
| <in-vm-connector name="in-vm" server-id="0"/> | ||||||
| </connectors> | ||||||
| <acceptors> | ||||||
| <netty-acceptor name="netty-ssl-acceptor" socket-binding="messaging"> | ||||||
| <param key="ssl-enabled" value="true"/> | ||||||
| <param key="key-store-path" value="D:\\java\\jboss-as-7.2.0.Alpha1\\standalone\\configuration\\server.keystore"/> | ||||||
| <param key="key-store-password" value="ybxiang_keystore_password"/> | ||||||
| <param key="trust-store-path" value="D:\\java\\jboss-as-7.2.0.Alpha1\\standalone\\configuration\\client.truststore"/> | ||||||
| <param key="trust-store-password" value="ybxiang_truststore_password"/> | ||||||
| </netty-acceptor> | ||||||
| <netty-acceptor name="netty-throughput" socket-binding="messaging-throughput"> | ||||||
| <param key="batch-delay" value="50"/> | ||||||
| <param key="direct-deliver" value="false"/> | ||||||
| </netty-acceptor> | ||||||
| <in-vm-acceptor name="in-vm" server-id="0"/> | ||||||
| </acceptors> | ||||||
| <security-settings> |
| </security-settings> | ||||||
| <address-settings> | ||||||
| <!--default for catch all--> | ||||||
| <address-setting match="#"> | ||||||
| <dead-letter-address>jms.queue.DLQ</dead-letter-address> | ||||||
| <expiry-address>jms.queue.ExpiryQueue</expiry-address> | ||||||
| <redelivery-delay>0</redelivery-delay> | ||||||
| <max-size-bytes>10485760</max-size-bytes> | ||||||
| <address-full-policy>BLOCK</address-full-policy> | ||||||
| <message-counter-history-day-limit>10</message-counter-history-day-limit> | ||||||
| </address-setting> | ||||||
| </address-settings> | ||||||
| <jms-connection-factories> | ||||||
| <connection-factory name="InVmConnectionFactory"> | ||||||
| <connectors> | ||||||
| <connector-ref connector-name="in-vm"/> | ||||||
| </connectors> | ||||||
| <entries> | ||||||
| <entry name="java:/ConnectionFactory"/> | ||||||
| </entries> | ||||||
| </connection-factory> | ||||||
| <connection-factory name="RemoteConnectionFactory"> | ||||||
| <connectors> | ||||||
| <connector-ref connector-name="netty-ssl-connector"/> | ||||||
| </connectors> | ||||||
| <entries> | ||||||
| <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/> | ||||||
| </entries> | ||||||
| </connection-factory> | ||||||
| <pooled-connection-factory name="hornetq-ra"> | ||||||
| <transaction mode="xa"/> | ||||||
| <connectors> | ||||||
| <connector-ref connector-name="in-vm"/> | ||||||
| </connectors> | ||||||
| <entries> | ||||||
| <entry name="java:/JmsXA"/> | ||||||
| </entries> | ||||||
| </pooled-connection-factory> | ||||||
| </jms-connection-factories> | ||||||
| <jms-destinations> | ||||||
| <jms-queue name="testQueue"> | ||||||
| <entry name="queue/test"/> | ||||||
| <entry name="java:jboss/exported/jms/queue/test"/> | ||||||
| </jms-queue> | ||||||
| <jms-topic name="testTopic"> | ||||||
| <entry name="topic/test"/> | ||||||
| <entry name="java:jboss/exported/jms/topic/test"/> | ||||||
| </jms-topic> | ||||||
| </jms-destinations> | ||||||
| </hornetq-server> | ||||||
| </subsystem> | ||||||
| <security-realms> | |
| <security-realm name="ManagementRealm"> | |
| <authentication> | |
| <local default-user="$local"/> | |
| <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/> | |
| </authentication> | |
| </security-realm> | |
| <security-realm name="ApplicationRealm"> | |
| <server-identities> | |
| <ssl> | |
| <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="ybxiang_keystore_password"/> | |
| </ssl> | |
| </server-identities> | |
| <authentication> | |
| <jaas name="nms-jaas-security-domain"/> | |
| </authentication> | |
| </security-realm> | |
| </security-realms> |
| <security-domain name="nms-jaas-security-domain" cache-type="default"> | |
| <authentication> | |
| <login-module code="Remoting" flag="optional"> | |
| <module-option name="password-stacking" value="useFirstPass"/> | |
| </login-module> | |
| <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required"> | |
| <module-option name="password-stacking" value="useFirstPass"/> | |
| <module-option name="dsJndiName" value="java:jboss/datasources/NmsMySqlDS"/> | |
| <module-option name="principalsQuery" value="SELECT hashedPassword FROM User WHERE username=?"/> | |
| <module-option name="rolesQuery" value="SELECT DISTINCT r.name, 'Roles' FROM User u, User_UserGroup ug, UserGroup_JaasRole gr, JaasRole r WHERE u.id=ug.user_id AND ug.usergroup_id=gr.usergroup_id AND gr.jaasrole_id=r.id AND u.rowStatus=0 AND u.username=?"/> | |
| <module-option name="hashAlgorithm" value="SHA-256"/> | |
| <module-option name="hashEncoding" value="Base64"/> | |
| <module-option name="hashCharset" value="UTF-8"/> | |
| <module-option name="unauthenticatedIdentity" value="guest"/> | |
| </login-module> | |
| </authentication> | |
| </security-domain> |
NOTE: I remvoed all elements in <security-settings>.
My client code:
NOTE: my ejb client works well.
public class MyClient{
public void connectToServer(String serverIP, String username, String password) throws Exception{
this.username = username;
this.serverIP = serverIP;
InitialContext context;
try{
Properties p = new Properties();
p.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
p.put("remote.connections", "default");
p.put("remote.connection.default.host", serverIP);
p.put("remote.connection.default.port", "4447");
p.put("remote.connection.default.username", username);
p.put("remote.connection.default.password", password);
p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
p.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
p.put("remote.connection.default.connect.timeout", "30000");//for xnio
EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(p);
ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
EJBClientContext.setSelector(selector);
EJBClientContext.getCurrent().registerInterceptor(0,new ClientSessionTokenInterceptor());
EJBClientContext.getCurrent().registerInterceptor(1,new ClientExceptionInterceptor());
Properties props = new Properties();
props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
context = new InitialContext(props);
securedRemoteSessionProxy = (ISecuredRemoteSession)context.lookup(jndiName);
}catch(Exception e){
throw ConnectionToServerFailedException.INSTANCE;
}
//
shakeHands(username, password);
//
testJms2(serverIP, username, password);
}
public static void testJms2(String serverIP, String username, String password) throws Exception {
Properties props = new Properties();
props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
//参见:https://community.jboss.org/message/729801#729801
props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
props.put(Context.PROVIDER_URL, System.getProperty(Context.PROVIDER_URL, "remote://"+serverIP+":4447"));
props.put(Context.SECURITY_PRINCIPAL, username);
props.put(Context.SECURITY_CREDENTIALS, password);
props.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
props.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
InitialContext context = new InitialContext(props);
ConnectionFactory connectionFactory = null;
Destination destination = null;
try {
connectionFactory = (ConnectionFactory) context.lookup("jms/RemoteConnectionFactory");
destination = (Destination) context.lookup("jms/queue/test");
//
sendJmsMessage(connectionFactory,destination,username,password);
} catch (Exception e) {
log.error(e);
}
}
/**
* https://community.jboss.org/message/721270
* Like everything else in JBoss AS 7.1.0.Final, JMS is secured by default.
* It uses the same security domain as JNDI so you can use the same username and password (i.e. appuser2 and passw0rd respectively)
*
in your call to javax.jms.ConnectionFactory.createConnection(String, String).
*/
public static void sendJmsMessage(ConnectionFactory connectionFactory, Destination destination, String username, String password){
Connection connection = null;
Session session = null;
MessageProducer producer = null;
MessageConsumer consumer = null;
TextMessage message = null;
try {
// Create the JMS connection, session, producer, and consumer
connection = connectionFactory.createConnection(username,password);//User: admin doesn't have permission='CONSUME' on address jms.queue.testQueue"
//connection = connectionFactory.createConnection();//"javax.jms.JMSSecurityException: Unable to validate user: null"
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
producer = session.createProducer(destination);
consumer = session.createConsumer(destination);
connection.start();
int count = 1;
String content = "Hellow World!";
log.info("Sending " + count + " messages with content: " + content);
// Send the specified number of messages
for (int i = 0; i < count; i++) {
message = session.createTextMessage(content);
producer.send(message);
}
// Then receive the same number of messaes that were sent
for (int i = 0; i < count; i++) {
message = (TextMessage) consumer.receive(5000);
log.info("Received message with content " + message.getText());
}
} catch (Exception e) {
log.error(e);
} finally {
if (connection != null) {
try{
connection.close();
}catch(Exception e){
log.error(e);
}
}
}
}
}
Above username and password is JAAS account:
if above consumer = session.createConsumer(destination); is excecuted, client print bellow exception:
"javax.jms.JMSSecurityException: User: admin doesn't have permission='CONSUME' on address jms.queue.testQueue"
Would you pleaes help me?
-
standalone.xml 26.5 KB
