-
1. Re: How to use custom security with JMS destination rule in WildFly
jbertram Jun 19, 2017 11:56 AM (in response to valsaraj007)The message broker can only be configured with one security domain.
However, you can define an arbitrary number of roles and maps those roles to specific permission and address combinations. For example, given the "testQ" and "testQDLQ" queues and "testQWriteRole" and "testQReadRole" roles you have defined you can have the following:
<security-settings> <security-setting match="jms.queue.testQ"> <permission type="send" roles="testQWriteRole"/> </security-setting> <security-setting match="jms.queue.testQDLQ"> <permission type="consume" roles="testQReadRole"/> </security-setting> </security-settings>
Does that answer your question?
-
2. Re: How to use custom security with JMS destination rule in WildFly
valsaraj007 Jun 26, 2017 5:41 AM (in response to jbertram)I added the above configuration:
- <security-settings>
- <security-setting match="jms.queue.testQ">
- <permission type="send" roles="testQWriteRole testQRole"/>
- </security-setting>
- <security-setting match="jms.queue.testQDLQ">
- <permission type="consume" roles="testQRole"/>
- </security-setting>
- </security-settings>
I needed multiple roles to allow sending messages, so added them separate by <space>.
-
3. Re: How to use custom security with JMS destination rule in WildFly
jbertram Jun 21, 2017 1:39 PM (in response to valsaraj007)Permissions and roles are part of authorization. Usernames are passwords are part of authentication. These two things are related but separate.
If you're receiving "Unable to validate user" then my first thought is that you're submitting the wrong username and/or password. Can you confirm that your credentials in jboss-ejb3.xml are correct? Are you able to successfully use those credentials from other messaging clients?
-
4. Re: How to use custom security with JMS destination rule in WildFly
valsaraj007 Jun 22, 2017 2:02 AM (in response to jbertram)Yes, it is working from others. I wonder whether the username/password is correct but referring wrong security domain?
It is referred in HornetQ as <security-domain>appLDAP</security-domain>. It is the configured name, should I use JNDI path instead like java:/../appLDAP?
-
5. Re: How to use custom security with JMS destination rule in WildFly
jbertram Jun 23, 2017 8:21 PM (in response to valsaraj007)I think that if it couldn't find the security domain then it would throw a different kind of error as the broker wouldn't even be able to complete authentication. Try using the default security domain configuration to see if that works.
-
6. Re: How to use custom security with JMS destination rule in WildFly
valsaraj007 Jun 26, 2017 5:40 AM (in response to jbertram)Yes, it worked.
-
7. Re: How to use custom security with JMS destination rule in WildFly
jbertram Jun 29, 2017 8:51 AM (in response to valsaraj007)I'm not sure what else to tell you at this point. You have a configuration that works, and when you change the configuration it doesn't work. That suggests to me that something is broken in the new configuration that doesn't work. The broken piece could be in the configuration of "appLDAP" on Wildfly or on the LDAP server itself. Either way, those pieces are outside my realm of expertise.