Like everything else in JBoss AS 7.1.0.Final, JMS is secured by default. It uses the same security domain as JNDI so you can use the same username and password (i.e. appuser2 and passw0rd respectively) in your call to javax.jms.ConnectionFactory.createConnection(String, String). For example:
final Properties env = new Properties();
Context context = new InitialContext(env);
ConnectionFactory cf = (ConnectionFactory) context.lookup("jms/RemoteConnectionFactory");
Destination destination = (Destination) context.lookup("jms/queue/test");
Connection connection = cf.createConnection("guest", "pass");
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageProducer producer = session.createProducer(destination);
Message msg = session.createTextMessage("example text");
How do I configure the user and the roles they are supposed to have?
For the current test I created a user using add-user with the following properties
roles : ApplicationRealm
When I run it, it complains that appuser2 doesn't have permission to 'SEND'.
javax.jms.JMSSecurityException: User: appuser2 doesn't have permission='SEND' on address jms.queue.testQueue
I am also confused as to the relationship between the permissions for JNDI/JMS and HornetQ. The standalone-full.xml has user permissions configuration for HornetQ, and the application-user.properties and application-user.role.properties have some more user privileges configuration.
Here's the default <security-settings> in standalone-full.xml for AS 7.1.0.Final:
<permission type="send" roles="guest"/>
<permission type="consume" roles="guest"/>
<permission type="createNonDurableQueue" roles="guest"/>
<permission type="deleteNonDurableQueue" roles="guest"/>
My guess is that the user you're connecting with doesn't belong to the "guest" role. You either need to add your user to the role "guest", connect with a different user that already belongs to the role "guest", or create a new user that belongs to the role "guest" and connect with it. These security settings are discussed more in the HornetQ documentation here.
As far as the permissions for JNDI and JMS go... The first thing to remember is that there is no necessary link between JNDI and JMS. JNDI authentication and JMS authentication/authorization are usually 100% independent of one another. It just so happens that by default both the JNDI and JMS subsystems use the "other" security domain defined in standalone*.xml, which means they share the same data for authorization and authentication for the sake of convenience. Of course, this can be changed if desired and the two can use different security domains.
To be clear, JNDI security only involves authentication (at least, at this point) whereas JMS security involves both authentication and authorization.
I have just managed to send a JMS message from a remote client to an MDB using JBoss 7.1 and the built-in HornetQ. After a lot of playing around, my last problem was also the send permission JMSSecurityException.
I had created a user with the guest role using add-user.bat.
The problem was that the script didn't put the new entry on a new line so my application-roles.properties looked like this:
# The following illustrates how an admin user could be defined, this
# is for illustration only and does not correspond to a usable password.
I had to manually put my entry (jmsuser=guest) on a new line to make it work.
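The role check discussed in the replies above, as an added example that is not part of the original thread and is not JBoss or HornetQ code: a small Python script that reads the text of a roles properties file and reports why a user is denied a permission, including the missing-newline case from the last post. The sample file contents, the function names and the simplified properties parsing are assumptions made for illustration.

```python
import re

# Default permission-to-role mapping quoted in the thread (AS 7.1.0.Final).
PERMISSIONS = {p: {"guest"} for p in
               ("send", "consume", "createNonDurableQueue", "deleteNonDurableQueue")}

HEADER = ("# The following illustrates how an admin user could be defined, this\n"
          "# is for illustration only and does not correspond to a usable password.")
# Constructed samples: entry glued to the last comment line, entry on its own
# line, and a user whose only role is ApplicationRealm (as in the question).
BROKEN = HEADER + "jmsuser=guest\n"
FIXED = HEADER + "\njmsuser=guest\n"
WRONG_ROLE = FIXED + "appuser2=ApplicationRealm\n"

def parse_roles(text):
    """Return ({user: {roles}}, [(line_no, comment_line)]).

    Simplified parsing (assumption): one user=role1,role2 entry per line,
    '#' or '!' starts a comment, no line continuations or escapes.
    """
    live, comments = {}, []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line[0] in "#!":
            comments.append((no, line))
            continue
        user, _, roles = line.partition("=")
        live[user.strip()] = {r.strip() for r in roles.split(",") if r.strip()}
    return live, comments

def diagnose(text, user, permission):
    """Explain whether `user` holds a role that grants `permission`."""
    live, comments = parse_roles(text)
    needed = PERMISSIONS[permission]
    if user in live:
        if live[user] & needed:
            return "granted"
        return f"denied: {user} has roles {sorted(live[user])}, needs one of {sorted(needed)}"
    for no, line in comments:
        # An entry appended to a comment line is never loaded as a role mapping.
        if re.search(re.escape(user) + r"\s*=", line):
            return f"denied: entry for {user} is inside the comment on line {no}"
    return f"denied: {user} has no roles entry"

if __name__ == "__main__":
    for name, text, user in (("broken", BROKEN, "jmsuser"), ("fixed", FIXED, "jmsuser"),
                             ("wrong role", WRONG_ROLE, "appuser2")):
        print(name, "->", diagnose(text, user, "send"))
```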