1 Reply Latest reply on Feb 13, 2012 12:20 PM by Ed Keen

    AS7.1 ActiveDirectory security on JMS, problem looking up roles

    Ed Keen Newbie

      JBoss distribution:  as of 2/10/2012

       

      I have been trying to get Active Directory integrated as a login-module to secure my JMS queues.  Here is what I have configured so far:

       

      1.  Created a login-module:

       

      <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">

        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

        <module-option name="java.naming.provider.url" value="ldap://mycompany.com:389/"/>

        <module-option name="java.naming.security.authentication" value="simple"/>

        <module-option name="allowEmptyPasswords" value="false"/>

        <module-option name="baseCtxDN" value="DC=mycompany,DC=com"/>

        <module-option name="baseFilter" value="(sAMAccountName={0})"/>

        <module-option name="uidAttributeID" value="sAMAccountName"/>

        <module-option name="rolesCtxDN" value="DC=mycompany,DC=com"/>

        <module-option name="roleAttributeIsDN" value="true"/>

        <module-option name="roleAttributeID"          value="memberOf"/>

        <module-option name="roleNameAttributeID" value="name"/>

      </login-module>

       

       

      2.  Secure the queue

       

      <security-setting match="jms.queue.testQueue">

        <permission type="send" roles="My_Role"/>

        <permission type="consume" roles="My_Role"/>

        <permission type="createNonDurableQueue" roles="My_Role"/>

        <permission type="deleteNonDurableQueue" roles="My_Role"/>

      </security-setting>

       

       

      When I run my test, I create my ConnectionFactory like this:

       

              ConnectionFactory conn = factory.createConnection("testuser@mycompany.com", "password");

       

      I have confirmed that the user actually gets authenticated, because if I pass an invalid password, I get an error back stating that the password is invalid (and the "badPwdCount" goes up by 1).  When I enter the correct password, though, I get the following error:

       

      javax.jms.JMSSecurityException: User: testuser@mycompany.com doesn't have permission='SEND' on address jms.queue.testQueue

                at org.hornetq.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:286)

                at org.hornetq.core.client.impl.ClientProducerImpl.doSend(ClientProducerImpl.java:287)

                at org.hornetq.core.client.impl.ClientProducerImpl.send(ClientProducerImpl.java:142)

                at org.hornetq.jms.client.HornetQMessageProducer.doSend(HornetQMessageProducer.java:451)

                at org.hornetq.jms.client.HornetQMessageProducer.send(HornetQMessageProducer.java:199)

       

      This leads me to believe that I have not configured my login-module correctly, so that it is not finding the user's roles.  Here is how things appear in AD:

       

      1.  Lookup the user account under DC=mycompany,DC=com

      User has a memberOf attribute that consists of several DN's (which is why I set roleAttributeIsDN to "true").  Here is the role that I am going after:

       

            CN=My_Role,OU=Sharepoint,OU=Groups,DC=mycompany,DC=com

       

      2.  Lookup this role entry

      When I go to this role in my AD Browser utility, I see a "name" attribute belonging to the record and its value is "My_Role" (which is why I set roleNameAttributeID to "name").

       

       

      Is there something I am missing? 

       

      Thanks,

      Ed

        • 1. Re: AS7.1 ActiveDirectory security on JMS, problem looking up roles
          Ed Keen Newbie

          I thought I would answer my own question, in case anyone else has this problem.  For some reason, it didn't like it when I authenticated like this:

           

                ConnectionFactory conn = factory.createConnection("testuser@mycompany.com", "password");


          So instead, I authenticated like this:

           

                ConnectionFactory conn = factory.createConnection("testuser", "password");

           

          And then I had to add the following module-option to my login-module:

           

                <module-option name="principalDNSuffix" value="@mycompany.com"/>

           

           

          I am not sure why this is necessary, but it worked!