3 Replies Latest reply on Mar 26, 2010 7:27 AM by jaikiran pai

    Migrating JBoss Messaging security roles to HornetQ

    jaikiran pai Master

      I am trying to map the JBoss Messaging security roles to the HornetQ ones. The JBoss Messaging security roles said this:

       

      If the read attribute is true then that role will be able to read (create consumers, receive messages or browse) this destination.

      If the write attribute is true then that role will be able to write (create producers or send messages) to this destination.

      If the create attribute is true then that role will be able to create durable subscriptions on this destination.

      So the "create" attribute controlled the permissions for durable subscriptions. But what about non-durable subscriptions? I don't see any security attribute to control the permissions for that. Does that mean JBoss Messaging (and JBoss MQ) did not do any security checks for non-durable subscriptions?

       

      HornetQ on the other hand has this:

       



      • createDurableQueue. This permission allows the user to create a durable queue under matching addresses.

      • deleteDurableQueue. This permission allows the user to delete a durable queue under matching addresses.

      • createTempQueue. This permission allows the user to create a temporary queue under matching addresses.

      • deleteTempQueue. This permission allows the user to delete a temporary queue under matching addresses.

      • send. This permission allows the user to send a message to matching addresses.

      • consume. This permission allows the user to consume a message from a queue bound to matching addresses.

      • manage. This permission allows the user to invoke management operations by sending management messages to the management address.

       

      The "createDurableQueue" effectively is a permission for creating durable subscriptions. The "createTempQueue" is for non-durable subscriptions.

       

      So if in a JBoss Messaging config, I had this role:

       

      <role name="guest" read="true" write="true"/>

       

      would it map to the following in HornetQ:

       

      Role name="guest", send = true, consume = true,
      createDurableQueue = false, deleteDurableQueue = false,
      createTempQueue = true, deleteTempQueue = true,
      manage=false
      (Especially the createTempQueue and deleteTempQueue permissions)
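
The mapping proposed in the post above, written out as a small converter. This is an added example, not part of the original post and not code from JBoss Messaging or HornetQ. It assumes the temp-queue permissions follow the JBM `read` attribute, that `create` also covers deleting durable queues, and that nothing in a JBM role grants `manage`; the role `publisher` and the address match are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

# Mapping as proposed in the post: a hypothesis, not a confirmed equivalence.
# Assumption: temp-queue permissions follow "read" (a non-durable
# subscription is a consumer); nothing in JBM maps to "manage".
JBM_TO_HORNETQ = {
    "read": ["consume", "createTempQueue", "deleteTempQueue"],
    "write": ["send"],
    "create": ["createDurableQueue", "deleteDurableQueue"],
}
HORNETQ_PERMISSIONS = ["createDurableQueue", "deleteDurableQueue",
                       "createTempQueue", "deleteTempQueue",
                       "send", "consume", "manage"]

# Constructed sample input; "publisher" is a made-up second role.
SAMPLE_JBM = """<security>
  <role name="guest" read="true" write="true"/>
  <role name="publisher" read="true" write="true" create="true"/>
</security>"""

def map_roles(jbm_security_xml):
    """Return {HornetQ permission: [role names]} for a JBM <security> block."""
    granted = {perm: [] for perm in HORNETQ_PERMISSIONS}
    for role in ET.fromstring(jbm_security_xml).iter("role"):
        name = role.get("name")
        if not name:
            raise ValueError("role element without a name attribute")
        for attr, perms in JBM_TO_HORNETQ.items():
            # A missing attribute is treated as "false" (deny by default).
            if role.get(attr, "false").strip().lower() == "true":
                for perm in perms:
                    granted[perm].append(name)
    return granted

def to_security_setting(jbm_security_xml, match):
    """Render a <security-setting>; permissions granted to nobody are omitted."""
    lines = ["<security-setting match=%s>" % quoteattr(match)]
    for perm, roles in map_roles(jbm_security_xml).items():
        if roles:
            lines.append("   <permission type=%s roles=%s/>"
                         % (quoteattr(perm), quoteattr(",".join(roles))))
    lines.append("</security-setting>")
    return "\n".join(lines)

if __name__ == "__main__":
    # "jms.topic.exampleTopic" is a placeholder address match.
    print(to_security_setting(SAMPLE_JBM, "jms.topic.exampleTopic"))
```

Reviewing the generated setting per destination shows which roles would gain temp-queue rights under this mapping, which is the part the post asks about.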