6 Replies Latest reply on May 25, 2012 11:28 AM by Jeff Mesnil

    Securing HornetQ does not work with multiple roles

    Luca Merolla Newbie

      Hello everybody,

       

      I have been using HornetQ for a while and I still couldn't manage to fix an issue with permissions.

      I'm using JBAS 7.1, but also HornetQ as standalone gives the same results.

       

      Here is the problem: I want multiple roles (in this case only 2) to be able to interact with HornetQ. According to the HornetQ user manual, this should be sufficient:

      <security-settings>
          <security-setting match="jms.#">
              <permission type="send" roles="user, agent"/>
              <permission type="consume" roles="user, agent"/>
              <permission type="createDurableQueue" roles="user, agent"/>
              <permission type="deleteDurableQueue" roles="user, agent"/>
              <permission type="createNonDurableQueue" roles="user, agent"/>
              <permission type="deleteNonDurableQueue" roles="user, agent"/>
          </security-setting>
      </security-settings>

       

      but I keep getting errors like these (prova has the user role):

      Caused by: HornetQException[errorCode=105 message=User: prova doesn't have permission='CONSUME' on address jms.topic.replyTableTopic]

          ... 13 more

       

      Caused by: HornetQException[errorCode=105 message=User: prova doesn't have permission='SEND' on address jms.queue.requestTableQueue]

          ... 11 more

       

      Caused by: HornetQException[errorCode=105 message=User: prova2 doesn't have permission='CREATE_NON_DURABLE_QUEUE' on address jms.topic.replyTableTopic]

          ... 12 more

      Instead, if I put everything like this, it works, but obviously only for the user role and not for agent:

      <security-settings>
          <security-setting match="jms.#">
              <permission type="send" roles="user"/>
              <permission type="consume" roles="user"/>
              <permission type="createDurableQueue" roles="user"/>
              <permission type="deleteDurableQueue" roles="user"/>
              <permission type="createNonDurableQueue" roles="user"/>
              <permission type="deleteNonDurableQueue" roles="user"/>
          </security-setting>
      </security-settings>

      I have tried removing the blank spaces after the commas (as reported in this JIRA issue https://issues.jboss.org/browse/HORNETQ-501), but it didn't help.

       

      Any idea?

       

      Thanks in advance,

      LM

        • 2. Re: Securing HornetQ does not work with multiple roles
          Luca Merolla Newbie

          Here is a very quick test. I'm using JBAS 7.1.1 with the standalone-full profile. I have attached the profile configuration file and the application roles and users properties files, with 2 users: prova (user role) and prova2 (agent role).

           

          Here is the main class to run the test:

          import java.util.HashMap;
          import java.util.Map;

          import javax.jms.Connection;
          import javax.jms.ConnectionFactory;
          import javax.jms.JMSException;
          import javax.jms.Message;
          import javax.jms.MessageConsumer;
          import javax.jms.MessageListener;
          import javax.jms.Session;
          import javax.jms.Topic;

          import org.hornetq.api.core.TransportConfiguration;
          import org.hornetq.api.jms.HornetQJMSClient;
          import org.hornetq.api.jms.JMSFactoryType;
          import org.hornetq.core.remoting.impl.netty.NettyConnectorFactory;
          import org.hornetq.core.remoting.impl.netty.TransportConstants;

          /**
           * Minimal remote JMS client that reproduces the permission error:
           * it connects as one of the two test users and subscribes to a topic.
           *
           * @author luca
           */
          public class MainJMS {

              protected static Topic replyTopic;
              protected static MessageConsumer replyConsumer;
              protected static Connection connection = null;
              protected static Session session;

              /**
               * @param args
               * @throws Exception
               */
              public static void main(String[] args) throws Exception {
                  establishJMSConnectionToServer();
              }

              private static void establishJMSConnectionToServer() throws JMSException {
                  // Netty connector to the HornetQ acceptor on port 5445 (the AS7 "messaging" socket binding)
                  Map<String, Object> connectionParams = new HashMap<String, Object>();
                  connectionParams.put(TransportConstants.PORT_PROP_NAME, 5445);

                  TransportConfiguration transportConfiguration = new TransportConfiguration(
                          NettyConnectorFactory.class.getName(), connectionParams);

                  // Non-HA connection factory built directly, without a JNDI lookup
                  ConnectionFactory connectionFactory = (ConnectionFactory) HornetQJMSClient
                          .createConnectionFactoryWithoutHA(JMSFactoryType.CF,
                                  transportConfiguration);

                  // Authenticate as prova2 (agent role); use "prova" to test the user role
                  connection = connectionFactory.createConnection("prova2", "test");

                  // Resolves to the address jms.topic.testTopic on the server
                  replyTopic = HornetQJMSClient.createTopic("testTopic");

                  session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);

                  // Creating the topic subscriber is where the server checks the
                  // CREATE_NON_DURABLE_QUEUE and CONSUME permissions seen in the errors above
                  replyConsumer = session.createConsumer(replyTopic, "ok", false);

                  replyConsumer.setMessageListener(new MessageListener() {

                      @Override
                      public void onMessage(Message message) {
                          System.out.println("got message");
                      }
                  });

                  connection.start();
              }
          }

          To change the user, change prova2 to prova when creating the connection.

           

          This test is for a remote connection, but I have the same issue on the server side too, so I guess this is not the problem.

           

          Hope this helps to figure out what the problem is.

          • 3. Re: Securing HornetQ does not work with multiple roles
            Luca Merolla Newbie

            Can somebody confirm that HornetQ has this issue?

            If so, is it possible to have it tracked in Jira?

            If instead it's not an issue but missing functionality, why does the HornetQ User Manual say that this functionality is supported?

             

            Regards,

            LM

            • 4. Re: Securing HornetQ does not work with multiple roles
              Andy Taylor Master

              When I get time I will take a proper look, although I'm pretty tied up at the moment.

              • 5. Re: Securing HornetQ does not work with multiple roles
                qtm Newbie

                Hello,

                 

                Any news on this issue? I'm having the same problem.

                 

                Regards

                • 6. Re: Securing HornetQ does not work with multiple roles
                  Jeff Mesnil Master

                  Luca Merolla wrote:

                   

                  Here is the problem: I want multiple roles (in this case only 2) to be able to interact with HornetQ. According to the HornetQ user manual, this should be sufficient:

                  <security-settings>
                      <security-setting match="jms.#">
                          <permission type="send" roles="user, agent"/>
                          <permission type="consume" roles="user, agent"/>
                          <permission type="createDurableQueue" roles="user, agent"/>
                          <permission type="deleteDurableQueue" roles="user, agent"/>
                          <permission type="createNonDurableQueue" roles="user, agent"/>
                          <permission type="deleteNonDurableQueue" roles="user, agent"/>
                      </security-setting>
                  </security-settings>

                  If you are using HornetQ directly (and this snippet is in hornetq-configuration.xml), the configuration is correct afaict.

                   

                  If you are using AS7, the roles must be *separated by spaces, not by commas*, e.g. roles="user agent"

                   

                  Sorry about this; the difference between the 2 XML configurations is not properly documented...
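The separator difference in the reply above is easy to get wrong, and the thread shows the symptom: every user is denied. The following is an added example, not code from the thread or from HornetQ/AS7: a small Python check that guesses which of the two XML formats a file is in and flags roles attributes that use the wrong separator for that format. The detection rule (an element in a namespace starting with urn:jboss:domain:messaging means the AS7 subsystem, anything else means hornetq-configuration.xml) and the embedded sample fragments, built from the original poster's snippet, are my own assumptions and constructions.

```python
"""Lint HornetQ <security-setting> role lists for the right separator.

Standalone HornetQ (hornetq-configuration.xml) takes comma-separated roles;
the JBoss AS7 messaging subsystem takes space-separated roles, as stated in
the last reply of the thread.  Everything else here is an assumption.
"""
import xml.etree.ElementTree as ET

# Assumed: the AS7 messaging subsystem namespace starts with this prefix
# (e.g. urn:jboss:domain:messaging:1.1 in AS 7.1).
AS7_MESSAGING_NS = "urn:jboss:domain:messaging"

# Constructed input: the poster's snippet dropped into an AS7 subsystem, commas and all.
AS7_WRONG = """
<subsystem xmlns="urn:jboss:domain:messaging:1.1">
  <hornetq-server>
    <security-settings>
      <security-setting match="jms.#">
        <permission type="send" roles="user, agent"/>
        <permission type="consume" roles="user, agent"/>
      </security-setting>
    </security-settings>
  </hornetq-server>
</subsystem>
"""

# The same settings written with the separator AS7 expects.
AS7_FIXED = AS7_WRONG.replace('roles="user, agent"', 'roles="user agent"')

# Constructed input: the same snippet as it would appear in hornetq-configuration.xml.
STANDALONE_OK = """
<configuration xmlns="urn:hornetq">
  <security-settings>
    <security-setting match="jms.#">
      <permission type="send" roles="user, agent"/>
    </security-setting>
  </security-settings>
</configuration>
"""


def _local(tag):
    """Strip the {namespace} prefix that ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]


def config_flavor(root):
    """Return 'as7' if any element is in the AS7 messaging namespace, else 'standalone'."""
    for el in root.iter():
        if el.tag.startswith("{" + AS7_MESSAGING_NS):
            return "as7"
    return "standalone"


def lint(xml_text):
    """Return (flavor, findings).

    Each finding is (match, permission type, roles value, reason) for a
    roles attribute whose separator does not fit the detected format.
    """
    root = ET.fromstring(xml_text)
    flavor = config_flavor(root)
    findings = []
    for setting in root.iter():
        if _local(setting.tag) != "security-setting":
            continue
        match = setting.get("match", "")
        for perm in setting:
            if _local(perm.tag) != "permission":
                continue
            roles = perm.get("roles", "")
            if flavor == "as7" and "," in roles:
                findings.append((match, perm.get("type"), roles,
                                 "AS7 subsystem expects space-separated roles"))
            elif flavor == "standalone" and "," not in roles and len(roles.split()) > 1:
                findings.append((match, perm.get("type"), roles,
                                 "hornetq-configuration.xml expects comma-separated roles"))
    return flavor, findings


if __name__ == "__main__":
    for label, doc in (("AS7 wrong", AS7_WRONG), ("AS7 fixed", AS7_FIXED),
                       ("standalone", STANDALONE_OK)):
        flavor, findings = lint(doc)
        print("%s: detected %s, %d finding(s)" % (label, flavor, len(findings)))
        for match, ptype, roles, reason in findings:
            print("  match=%s type=%s roles=%r: %s" % (match, ptype, roles, reason))
```

Run it against the real file with `lint(open("standalone-full.xml").read())`; a finding on an AS7 file means the roles list should be rewritten as `roles="user agent"`, exactly the form given in the reply above.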