3 Replies Latest reply on Mar 17, 2010 10:20 AM by Yong Hao Gao

    Principal Propagation and Messaging

    Michael Gerlinger Newbie

      Hello,

       

      I have the following situation. In a web application not deployed in JBoss we need remote access to MessageDrivenBeans deployed in JBoss 5.1.0 GA. Deploying the MDB in JBoss and defining a queue to call the MDB remotely is not the problem. But we have the requirement that the MDB must know the identity of its caller.

       

      To call stateless EJBs we use principal propagation from client to server with a custom principal and our own LoginModule, and it works fine.

       

      Does anyone have an idea how to get the same for calling a message queue?

      The following code doesn't work. It is just to point out how I would like to be able to code it :-)

       

      In the Web Application:

       

                // JAAS login
                [...]
                LoginContext lc = new LoginContext("test", myCustomCallbackHandler);
                lc.login();

                // Do some stuff
                [...]

                // Call the queue
                [...]
                QueueConnection connect = factory.createQueueConnection();
                QueueSession session = connect.createQueueSession(...);
                Object lObject = ctx.lookup("/queue/myAppQueue");
                Queue queue = (Queue) lObject;
                QueueSender sender = session.createSender(queue);
                TextMessage textMsg = session.createTextMessage();
                textMsg.setText("abc");
                sender.send(queue, textMsg);

      In MDB:

       

                @RolesAllowed(value={"admin"})
                public void onMessage(Message message) {
                    // Log the message together with the caller principal the MDB should see
                    System.out.println("got message: " + message +
                                       " from: " + SecurityAssociation.getCallerPrincipal());
                }

       

      and before the queue I can use the propagated principal for authorization to write into the queue.

      Is it possible to get an implementation as previously described? If yes, please give me some hints how to get it.

      If not: why? :-)

       

      Thanks for answering

       

       

      Michael

        • 1. Re: Principal Propagation and Messaging
          Yong Hao Gao Master

          Not sure what your problem is. If you want to know how to configure authorization for queues, please have a look at JBoss Messaging user's manual.

           

          Find it at jboss.org.

          • 2. Re: Principal Propagation and Messaging
            Michael Gerlinger Newbie

            Thanks for your answer,

            to get my code snippets to work I have some problems to solve.

             

            For example

             

            • how to customize the authentication mechanism for one of several queues in one server without affecting all other queues.
            • how to use a customized principal / login module to authorize writing into the queue (for example to enable ticket-based authentication and not use username/password)
            • how to get the caller principal propagated through the queue to make it accessible for the message-consuming MessageDrivenBean

             

            I really tried to find answers in the user guide of the messaging server (and in several other PDFs, wiki sites, blogs and books too)

             

            http://labs.jboss.com/file-access/default/members/jbossmessaging/freezone/docs/userguide-1.4.3.GA/html/index.html

             

            But I'm not able to find any useful hints. Could you give me some, please?

             

             

            Cheers

             

             

            Michael

            • 3. Re: Principal Propagation and Messaging
              Yong Hao Gao Master
              • how to customize authentication mechanism for one of several queues in one server without affecting all other queues.


              With JBoss Messaging, authentication happens only at connection time. You can configure for each destination which roles have what rights. You can find details in the user document.

               

              • how to use a customized principal / login module to authorize writing into the queue (for example to enable ticket-based authentication and not use username/password)
              • how to get the caller principal propagated through the queue to make it accessible for the message-consuming MessageDrivenBean

               

              I think the above two questions belong to AS configuration. I don't know much about the details; you should ask the AS forum for help. Take a look at messaging-jboss-beans.xml for some clues. I think it's possible to configure it to use a different login module other than the DatabaseServerLoginModule.
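
The per-destination role rights mentioned in reply 3, sketched as a JBoss Messaging 1.4 queue definition. This is an added example, not configuration posted by anyone in the thread. The queue name myAppQueue and the role admin are taken from the question; the role name mdb-consumer is a hypothetical placeholder, and the file is assumed to be a *-service.xml descriptor in the server's deploy directory.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: security settings for one queue only.
     Other destinations keep the server-wide default security config. -->
<server>
   <mbean code="org.jboss.jms.server.destination.QueueService"
          name="jboss.messaging.destination:service=Queue,name=myAppQueue"
          xmbean-dd="xmdesc/Queue-xmbean.xml">
      <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
      <depends>jboss.messaging:service=PostOffice</depends>

      <!-- Rights are checked against the roles of the identity that was
           authenticated when the JMS connection was created. -->
      <attribute name="SecurityConfig">
         <security>
            <!-- Senders: may write (send) but not read (consume/browse). -->
            <role name="admin" read="false" write="true" create="false"/>
            <!-- Hypothetical role for the consuming side: read only. -->
            <role name="mdb-consumer" read="true" write="false" create="false"/>
         </security>
      </attribute>
   </mbean>
</server>
```

A role that is not listed here gets no rights on this queue, so the restriction stays local to myAppQueue.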