4 Replies Latest reply on Mar 17, 2012 5:56 AM by fcosfc

    Securing the HornetQ REST Interface

    fcosfc Newbie

      Hi there,

       

         I'm using HornetQ 2.2.5 as the default JMS provider of a JBoss 6.0.0 application server and I've succesfully deployed a Web archive (.WAR) running the HornetQ REST Interface, now I trying to secure it. I've read on the chapter 8 of the HornetQ REST Interface Guide:

       

      "... You turn on authentication for all URLs within your WAR's web.xml, and let the user Principal to propagate to HornetQ. This only works if you are using the JBossSecurityManager with HornetQ ..."

       

         So, I've added the following configuration to my web.xml file:

       

          <security-constraint>

              <display-name>HornetQRESTConstraint</display-name>

              <web-resource-collection>

                  <web-resource-name>HornetQREST</web-resource-name>

                  <description/>

                  <url-pattern>/*</url-pattern>

              </web-resource-collection>

              <auth-constraint>

                  <description>Authorized role</description>

                  <role-name>test_role</role-name>

              </auth-constraint>

          </security-constraint>

          <login-config>

              <auth-method>BASIC</auth-method>

              <realm-name>hornetq</realm-name>

          </login-config>

          <security-role>

              <description/>

              <role-name>test_role</role-name>

          </security-role>

       

         Here you have my jboss-web.xml configuration:

       

      <?xml version="1.0" encoding="UTF-8"?>

      <jboss-web>

        <context-root>/HornetQRESTInterface</context-root>

        <security-domain>hornetq</security-domain>

      </jboss-web>

       

         It works ok, only the users belonging to the test_role can access to the queues through the REST interface. But when I add a security setting to the hornetq-configuration.xml , in order to prevent unathorized access through the JMS interface, I got the following exception:

       

      14:12:54,745 WARN  [org.jboss.resteasy.core.SynchronousDispatcher] failed to execute: javax.ws.rs.WebApplicationException: HornetQException[errorCode=105 message=User: null doesn't have permission='SEND' on address jms.queue.REST.TestQueue]

       

         The security setting is:

       

           <security-setting match="jms.queue.REST.#">

               <permission type="consume" roles="test_role"/>

               <permission type="send" roles="test_role"/>

            </security-setting>

       

         My question is: how to propagate the user Principal?

       

         Thank you very much in advance.

       

      Regards,

       

      Paco.