The message broker can only be configured with one security domain.
However, you can define an arbitrary number of roles and maps those roles to specific permission and address combinations. For example, given the "testQ" and "testQDLQ" queues and "testQWriteRole" and "testQReadRole" roles you have defined you can have the following:
<security-settings> <security-setting match="jms.queue.testQ"> <permission type="send" roles="testQWriteRole"/> </security-setting> <security-setting match="jms.queue.testQDLQ"> <permission type="consume" roles="testQReadRole"/> </security-setting> </security-settings>
Does that answer your question?
I added the above configuration:
- <security-setting match="jms.queue.testQ">
- <permission type="send" roles="testQWriteRole testQRole"/>
- <security-setting match="jms.queue.testQDLQ">
- <permission type="consume" roles="testQRole"/>
I needed multiple roles to allow sending messages, so added them separate by <space>.
Permissions and roles are part of authorization. Usernames are passwords are part of authentication. These two things are related but separate.
If you're receiving "Unable to validate user" then my first thought is that you're submitting the wrong username and/or password. Can you confirm that your credentials in jboss-ejb3.xml are correct? Are you able to successfully use those credentials from other messaging clients?
Yes, it is working from others. I wonder whether the username/password is correct but referring wrong security domain?
It is referred in HornetQ as <security-domain>appLDAP</security-domain>. It is the configured name, should I use JNDI path instead like java:/../appLDAP?
I think that if it couldn't find the security domain then it would throw a different kind of error as the broker wouldn't even be able to complete authentication. Try using the default security domain configuration to see if that works.
Yes, it worked.
I'm not sure what else to tell you at this point. You have a configuration that works, and when you change the configuration it doesn't work. That suggests to me that something is broken in the new configuration that doesn't work. The broken piece could be in the configuration of "appLDAP" on Wildfly or on the LDAP server itself. Either way, those pieces are outside my realm of expertise.