Can HornetQ use JAAS role?
ybxiang.china Oct 5, 2012 8:59 AM
Dear JBoss guys,
Can HornetQ use JAAS role?
My standalone-full.xml
<subsystem xmlns="urn:jboss:domain:messaging:1.3">
    <hornetq-server>
        <!-- NOTE(review): no <security-domain> child is configured for this
             HornetQ server, so it presumably authenticates JMS clients against
             the messaging subsystem's default security domain rather than the
             "nms-jaas-security-domain" defined further down - confirm against
             the messaging:1.3 schema for this AS version. -->
        <persistence-enabled>true</persistence-enabled>
        <journal-file-size>102400</journal-file-size>
        <journal-min-files>2</journal-min-files>
        <connectors>
            <!-- SSL-enabled remote connector. The keystore password is stored in
                 plaintext in this file, so the file must be protected like a
                 credential store (file permissions, no sharing of the raw file). -->
            <netty-connector name="netty-ssl-connector" socket-binding="messaging">
                <param key="ssl-enabled" value="true"/>
                <param key="key-store-path" value="D:\\java\\jboss-as-7.2.0.Alpha1\\standalone\\configuration\\server.keystore"/>
                <param key="key-store-password" value="ybxiang_keystore_password"/>
            </netty-connector>
            <netty-connector name="netty-throughput" socket-binding="messaging-throughput">
                <param key="batch-delay" value="50"/>
            </netty-connector>
            <in-vm-connector name="in-vm" server-id="0"/>
        </connectors>
        <acceptors>
            <!-- SSL acceptor: the same server keystore plus a truststore; both
                 passwords are again plaintext in this file. -->
            <netty-acceptor name="netty-ssl-acceptor" socket-binding="messaging">
                <param key="ssl-enabled" value="true"/>
                <param key="key-store-path" value="D:\\java\\jboss-as-7.2.0.Alpha1\\standalone\\configuration\\server.keystore"/>
                <param key="key-store-password" value="ybxiang_keystore_password"/>
                <param key="trust-store-path" value="D:\\java\\jboss-as-7.2.0.Alpha1\\standalone\\configuration\\client.truststore"/>
                <param key="trust-store-password" value="ybxiang_truststore_password"/>
            </netty-acceptor>
            <!-- Non-SSL throughput acceptor; anything bound to "messaging-throughput"
                 is reachable without TLS. -->
            <netty-acceptor name="netty-throughput" socket-binding="messaging-throughput">
                <param key="batch-delay" value="50"/>
                <param key="direct-deliver" value="false"/>
            </netty-acceptor>
            <in-vm-acceptor name="in-vm" server-id="0"/>
        </acceptors>
        <!-- Deliberately emptied by the poster (see the note after the listing).
             With no <security-setting> entries, no role is granted any permission
             on any address, which is consistent with the
             "doesn't have permission='CONSUME'" error quoted at the end of the
             post. A <security-setting match="#"> carrying
             <permission type="consume" roles="..."/> (and the other permission
             types) for the JAAS role names returned by rolesQuery is presumably
             what is missing - confirm against the schema. -->
        <security-settings>
        </security-settings>
        <address-settings>
            <!--default for catch all-->
            <address-setting match="#">
                <dead-letter-address>jms.queue.DLQ</dead-letter-address>
                <expiry-address>jms.queue.ExpiryQueue</expiry-address>
                <redelivery-delay>0</redelivery-delay>
                <max-size-bytes>10485760</max-size-bytes>
                <address-full-policy>BLOCK</address-full-policy>
                <message-counter-history-day-limit>10</message-counter-history-day-limit>
            </address-setting>
        </address-settings>
        <jms-connection-factories>
            <connection-factory name="InVmConnectionFactory">
                <connectors>
                    <connector-ref connector-name="in-vm"/>
                </connectors>
                <entries>
                    <entry name="java:/ConnectionFactory"/>
                </entries>
            </connection-factory>
            <!-- Bound under java:jboss/exported, i.e. visible to remote JNDI
                 clients, and wired to the SSL connector only. -->
            <connection-factory name="RemoteConnectionFactory">
                <connectors>
                    <connector-ref connector-name="netty-ssl-connector"/>
                </connectors>
                <entries>
                    <entry name="java:jboss/exported/jms/RemoteConnectionFactory"/>
                </entries>
            </connection-factory>
            <pooled-connection-factory name="hornetq-ra">
                <transaction mode="xa"/>
                <connectors>
                    <connector-ref connector-name="in-vm"/>
                </connectors>
                <entries>
                    <entry name="java:/JmsXA"/>
                </entries>
            </pooled-connection-factory>
        </jms-connection-factories>
        <jms-destinations>
            <!-- Both destinations are also exported for remote lookup. -->
            <jms-queue name="testQueue">
                <entry name="queue/test"/>
                <entry name="java:jboss/exported/jms/queue/test"/>
            </jms-queue>
            <jms-topic name="testTopic">
                <entry name="topic/test"/>
                <entry name="java:jboss/exported/jms/topic/test"/>
            </jms-topic>
        </jms-destinations>
    </hornetq-server>
</subsystem>
<security-realms>
    <!-- Management interface realm: local silent auth plus a properties file. -->
    <security-realm name="ManagementRealm">
        <authentication>
            <local default-user="$local"/>
            <properties path="mgmt-users.properties" relative-to="jboss.server.config.dir"/>
        </authentication>
    </security-realm>
    <!-- Realm used by the remoting/EJB/naming connectors. Authentication is
         delegated to the JAAS domain "nms-jaas-security-domain" defined in the
         security subsystem. The keystore password is plaintext in this file. -->
    <security-realm name="ApplicationRealm">
        <server-identities>
            <ssl>
                <keystore path="server.keystore" relative-to="jboss.server.config.dir" keystore-password="ybxiang_keystore_password"/>
            </ssl>
        </server-identities>
        <authentication>
            <jaas name="nms-jaas-security-domain"/>
        </authentication>
    </security-realm>
</security-realms>
<!-- JAAS domain referenced by ApplicationRealm above. Both login modules use
     password-stacking=useFirstPass, so credentials already verified by the
     Remoting module are reused by the database module. -->
<security-domain name="nms-jaas-security-domain" cache-type="default">
    <authentication>
        <login-module code="Remoting" flag="optional">
            <module-option name="password-stacking" value="useFirstPass"/>
        </login-module>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
            <module-option name="password-stacking" value="useFirstPass"/>
            <module-option name="dsJndiName" value="java:jboss/datasources/NmsMySqlDS"/>
            <!-- Both queries bind the user name through a "?" placeholder rather
                 than string concatenation. rolesQuery returns (role name, 'Roles'),
                 so the JaasRole.name values are the role names HornetQ
                 security-settings would have to reference. -->
            <module-option name="principalsQuery" value="SELECT hashedPassword FROM User WHERE username=?"/>
            <module-option name="rolesQuery" value="SELECT DISTINCT r.name, 'Roles' FROM User u, User_UserGroup ug, UserGroup_JaasRole gr, JaasRole r WHERE u.id=ug.user_id AND ug.usergroup_id=gr.usergroup_id AND gr.jaasrole_id=r.id AND u.rowStatus=0 AND u.username=?"/>
            <!-- NOTE(review): a single unsalted SHA-256 of the password, Base64
                 encoded, is what these three options describe; no salt or
                 iteration options are shown, which leaves stored hashes weak
                 against offline guessing if the User table leaks - verify
                 whether the module supports a salted/iterated scheme here. -->
            <module-option name="hashAlgorithm" value="SHA-256"/>
            <module-option name="hashEncoding" value="Base64"/>
            <module-option name="hashCharset" value="UTF-8"/>
            <!-- Callers that present no credentials are presumably mapped to the
                 "guest" identity instead of being rejected - confirm this is
                 intended for a remotely reachable domain. -->
            <module-option name="unauthenticatedIdentity" value="guest"/>
        </login-module>
    </authentication>
</security-domain>
NOTE: I removed all elements in <security-settings>.
My client code:
NOTE: my EJB client works well.
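public class MyClient {

    /**
     * Opens the remote EJB connection to {@code serverIP} on port 4447 and
     * looks up the secured session proxy. The given credentials are sent as
     * the remoting user name/password; transport protection relies on the
     * SSL_ENABLED / SSL_STARTTLS options set below.
     *
     * @param serverIP host name or address of the JBoss server
     * @param username remoting / JAAS user name
     * @param password password for {@code username}
     * @throws Exception {@code ConnectionToServerFailedException.INSTANCE} when
     *         any step of the client setup or the JNDI lookup fails
     */
    public void connectToServer(String serverIP, String username, String password) throws Exception {
        this.username = username;
        this.serverIP = serverIP;
        InitialContext context;
        try {
            Properties p = new Properties();
            p.put("remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
            p.put("remote.connections", "default");
            p.put("remote.connection.default.host", serverIP);
            p.put("remote.connection.default.port", "4447");
            // Credentials are held in plaintext in this Properties object for the
            // lifetime of the EJB client configuration.
            p.put("remote.connection.default.username", username);
            p.put("remote.connection.default.password", password);
            p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOANONYMOUS", "false");
            p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_DISALLOWED_MECHANISMS", "JBOSS-LOCAL-USER");
            // NOPLAINTEXT=false permits plaintext SASL mechanisms; the password is
            // then only as protected as the STARTTLS/SSL settings on this connection.
            p.put("remote.connection.default.connect.options.org.xnio.Options.SASL_POLICY_NOPLAINTEXT", "false");
            p.put("remote.connection.default.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
            p.put("remote.connection.default.connect.timeout", "30000"); // for xnio
            EJBClientConfiguration cc = new PropertiesBasedEJBClientConfiguration(p);
            ContextSelector<EJBClientContext> selector = new ConfigBasedEJBClientContextSelector(cc);
            EJBClientContext.setSelector(selector);
            EJBClientContext.getCurrent().registerInterceptor(0, new ClientSessionTokenInterceptor());
            EJBClientContext.getCurrent().registerInterceptor(1, new ClientExceptionInterceptor());
            Properties props = new Properties();
            props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
            context = new InitialContext(props);
            securedRemoteSessionProxy = (ISecuredRemoteSession) context.lookup(jndiName);
        } catch (Exception e) {
            // Fix: the original discarded the root cause entirely. The shared
            // singleton cannot carry a cause, so log it before rethrowing.
            log.error(e);
            throw ConnectionToServerFailedException.INSTANCE;
        }
        // shakeHands(username, password);
        // testJms2(serverIP, username, password);
    }

    /**
     * Looks up the exported JMS connection factory and test queue over remote
     * JNDI using the same credentials as the EJB client. Lookup failures are
     * logged, not rethrown.
     *
     * @param serverIP host name or address of the JBoss server
     * @param username JAAS user name sent as {@code Context.SECURITY_PRINCIPAL}
     * @param password password sent as {@code Context.SECURITY_CREDENTIALS}
     * @throws Exception if the InitialContext itself cannot be created or closed
     */
    public static void testJms2(String serverIP, String username, String password) throws Exception {
        Properties props = new Properties();
        props.put(Context.URL_PKG_PREFIXES, "org.jboss.ejb.client.naming");
        // See: https://community.jboss.org/message/729801#729801
        props.put(Context.INITIAL_CONTEXT_FACTORY, "org.jboss.naming.remote.client.InitialContextFactory");
        props.put(Context.PROVIDER_URL, System.getProperty(Context.PROVIDER_URL, "remote://" + serverIP + ":4447"));
        props.put(Context.SECURITY_PRINCIPAL, username);
        props.put(Context.SECURITY_CREDENTIALS, password);
        props.put("jboss.naming.client.connect.options.org.xnio.Options.SSL_STARTTLS", "true");
        props.put("jboss.naming.client.remote.connectionprovider.create.options.org.xnio.Options.SSL_ENABLED", "true");
        InitialContext context = new InitialContext(props);
        ConnectionFactory connectionFactory = null;
        Destination destination = null;
        try {
            connectionFactory = (ConnectionFactory) context.lookup("jms/RemoteConnectionFactory");
            destination = (Destination) context.lookup("jms/queue/test");
            // sendJmsMessage(connectionFactory,destination,username,password);
        } catch (Exception e) {
            log.error(e);
        } finally {
            // Fix: the remote naming connection was never released.
            context.close();
        }
    }

    /**
     * https://community.jboss.org/message/721270
     * Like everything else in JBoss AS 7.1.0.Final, JMS is secured by default.
     * It uses the same security domain as JNDI so you can use the same username and password (i.e. appuser2 and passw0rd respectively)
     * in your call to javax.jms.ConnectionFactory.createConnection(String, String).
     *
     * Sends one text message to {@code destination} and tries to receive it back
     * on the same destination. All JMS errors are logged; the connection (and
     * with it the session, producer and consumer) is always closed.
     *
     * @param connectionFactory factory obtained from remote JNDI
     * @param destination queue to send to and consume from
     * @param username credential passed to {@code createConnection}
     * @param password credential passed to {@code createConnection}
     */
    public static void sendJmsMessage(ConnectionFactory connectionFactory, Destination destination, String username, String password) {
        Connection connection = null;
        Session session = null;
        MessageProducer producer = null;
        MessageConsumer consumer = null;
        TextMessage message = null;
        try {
            // Create the JMS connection, session, producer, and consumer
            connection = connectionFactory.createConnection(username, password); // User: admin doesn't have permission='CONSUME' on address jms.queue.testQueue"
            // connection = connectionFactory.createConnection(); // "javax.jms.JMSSecurityException: Unable to validate user: null"
            session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
            producer = session.createProducer(destination);
            consumer = session.createConsumer(destination);
            connection.start();
            int count = 1;
            String content = "Hellow World!";
            log.info("Sending " + count + " messages with content: " + content);
            // Send the specified number of messages
            for (int i = 0; i < count; i++) {
                message = session.createTextMessage(content);
                producer.send(message);
            }
            // Then receive the same number of messaes that were sent
            for (int i = 0; i < count; i++) {
                message = (TextMessage) consumer.receive(5000);
                // Fix: receive() returns null on timeout; the original then
                // dereferenced it and raised a NullPointerException.
                if (message == null) {
                    log.info("No message received within 5000 ms");
                    break;
                }
                log.info("Received message with content " + message.getText());
            }
        } catch (Exception e) {
            log.error(e);
        } finally {
            // Closing the connection closes its session, producer and consumer.
            if (connection != null) {
                try {
                    connection.close();
                } catch (Exception e) {
                    log.error(e);
                }
            }
        }
    }
}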
The username and password above are a JAAS account:
If the line `consumer = session.createConsumer(destination);` above is executed, the client prints the exception below:
"javax.jms.JMSSecurityException: User: admin doesn't have permission='CONSUME' on address jms.queue.testQueue"
Would you please help me?