12 Replies Latest reply on May 30, 2007 5:32 PM by Tim Fox

    Queue/Topic Security Config

    Brent Shikoski Newbie

      Sorry for the large post, but I wanted to provide all the relevant information.

      I'm seeing the same problem as detailed in Thread 107745 (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=107745). Basically it doesn't seem like the Security Configuration on the queue/topic level is working properly (or my configuration is wrong). The solution in that thread doesn't seem much like a solution at all.


      My configuration looks like:

      <server>
       <loader-repository>jboss.messaging:loader=ScopedLoaderRepository
       <loader-repository-config>java2ParentDelegation=false</loader-repository-config>
       </loader-repository>
      
       <mbean code="org.jboss.jms.server.destination.QueueService"
       name="jboss.messaging.destination:service=Queue,name=NotifyQueue"
       xmbean-dd="xmdesc/Queue-xmbean.xml">
       <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
       <depends>jboss.messaging:service=PostOffice</depends>
       <attribute name="SecurityConfig">
       <security>
       <role name="commonPublisher" read="false" write="true"/>
       <role name="commonSubscriber" read="true" write="true"/>
       </security>
       </attribute>
       <attribute name="MessageCounterHistoryDayLimit">-1</attribute>
       <attribute name="Clustered">true</attribute>
       </mbean>
      </server>



      The client error I see is:
      javax.jms.JMSSecurityException: User: commonuser is not authorized to read from destination NotifyQueue
      at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:260)



      Here are some interesting bits from the server log:

      2007-05-30 10:07:42,536 DEBUG [org.jboss.jms.server.destination.QueueService] Starting jboss.messaging.destination:name=NotifyQueue,service=Queue
      2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
      2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
      2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
      <security>
      <role name="guest" read="true" write="true"/>
      <role name="commonPublisher" read="false" write="true"/>
      <role name="commonSubscriber" read="true" write="true"/>
      </security>
      2007-05-30 10:07:42,552 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
      2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
      ....
      ....
      2007-05-30 10:08:11,704 DEBUG [org.jboss.jms.server.security.SecurityMetadataStore] No SecurityMetadadata was available for NotifyQueue, using default security config
      2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
      ....
      2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [guest]
      2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
       Principal: commonuser
       Principal: Roles(members:commonSubscriber,statPublisher)
      
      2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
      2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(guest)=false
      2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=false
      2007-05-30 10:08:11,719 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is NOT authorized
      


      Notice the line that contains 'No SecurityMetadadata was available for NotifyQueue, using default security config'.


      I downloaded the source code to try and figure out what the problem with my configuration.

      I added the following to the log4j.xml file to see if I could see a log statement like 'adding security configuration for queue'.
      <category name="org.jboss.jms.server.security.SecurityMetadataStore">
       <priority value="TRACE" class="org.jboss.logging.XLevel"/>
       </category>
      



      That didn't help. It seemed to me that that the queue security configuration was never being registered with the SecurityMetadataStore class.
      In the DestinationServiceSupport class I found the following method.
      public void setSecurityConfig(Element securityConfig) throws Exception
       {
       try
       {
       if (started)
       {
       // push security update to the server
       sm.setSecurityConfig(isQueue(), destination.getName(), securityConfig);
       }
      
       destination.setSecurityConfig(securityConfig);
       }
       catch (Throwable t)
       {
       ExceptionUtil.handleJMXInvocation(t, this + " setSecurityConfig");
       }
       }
      


      It seems to me that this method is called before the queue is started and so the security configuration is never registered with the SecurityManager.

      I added the following line to the startService() method in the org.jboss.jms.server.destination.QueueService class, right after the 'started = true;' statement:
      serverPeer.getSecurityManager().setSecurityConfig(true, destination.getName(), destination.getSecurityConfig());
      


      I rebuilt the jboss-messaging.jar jar with the change and it seemed to work. This is what I found in the server log after the code change:

      2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
      2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
      2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
      <security>
      <role name="guest" read="true" write="true"/>
      <role name="commonPublisher" read="false" write="true"/>
      <role name="commonSubscriber" read="true" write="true"/>
      </security>
      2007-05-30 10:34:13,976 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] adding security configuration for queue NotifyQueue
      2007-05-30 10:34:13,976 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
      2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
      ...
      ...
      2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
      ...
      2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [commonSubscriber, guest]
      2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
       Principal: commonuser
       Principal: Roles(members:commonSubscriber,statPublisher)
      
      2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
      2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(commonSubscriber)=true
      2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=true
      2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is authorized
      


      Notice the new line from the SecurityMetadataStore class that wasn't there before ('adding security configuration for queue NotifyQueue').


      I can provide more information from my other configuration files if necessary.