5 Replies Latest reply on Jun 23, 2017 8:21 PM by Justin Bertram

    How to use custom security with JMS destination rule in WildFly

    valsaraj viswanathan Master

      How to use custom security with JMS destination rule in WildFly.

      By default:

      <security-settings>
          <security-setting match="#">
              <permission type="send" roles="guest"/>
              <permission type="consume" roles="guest"/>
              <permission type="createNonDurableQueue" roles="guest"/>
              <permission type="deleteNonDurableQueue" roles="guest"/>
          </security-setting>
      </security-settings>

      <address-settings>
          <address-setting match="#">
              <dead-letter-address>jms.queue.DLQ</dead-letter-address>
              <expiry-address>jms.queue.ExpiryQueue</expiry-address>
              <max-delivery-attempts>6</max-delivery-attempts>
              <max-size-bytes>10485760</max-size-bytes>
              <page-size-bytes>2097152</page-size-bytes>
              <message-counter-history-day-limit>10</message-counter-history-day-limit>
              <redistribution-delay>1000</redistribution-delay>
          </address-setting>
      </address-settings>

      .... Added queues:

      <jms-queue name="testQ">
          <entry name="queue/testQ"/>
          <entry name="java:/jms/queue/testQ"/>
      </jms-queue>
      <jms-queue name="testQDLQ">
          <entry name="queue/testQDLQ"/>
          <entry name="java:/jms/queue/testQDLQ"/>
      </jms-queue>

      I want to use a separate security domain & role for a queue and a separate DLQ for it.

      e.g.: a queue named testQ & a DLQ named testQDLQ. They are restricted by a security domain named appSecDom & the roles testQWriteRole & testQReadRole.

        • 1. Re: How to use custom security with JMS destination rule in WildFly
          Justin Bertram Master

          The message broker can only be configured with one security domain.

          However, you can define an arbitrary number of roles and map those roles to specific permission and address combinations.  For example, given the "testQ" and "testQDLQ" queues and the "testQWriteRole" and "testQReadRole" roles you have defined, you can have the following:

          <security-settings>
              <security-setting match="jms.queue.testQ">
                  <permission type="send" roles="testQWriteRole"/>
              </security-setting>
              <security-setting match="jms.queue.testQDLQ">
                  <permission type="consume" roles="testQReadRole"/>
              </security-setting>
          </security-settings>

          Does that answer your question?

          • 2. Re: How to use custom security with JMS destination rule in WildFly
            valsaraj viswanathan Master

            I added the above configuration:

            <security-settings>
                <security-setting match="jms.queue.testQ">
                    <permission type="send" roles="testQWriteRole testQRole"/>
                </security-setting>
                <security-setting match="jms.queue.testQDLQ">
                    <permission type="consume" roles="testQRole"/>
                </security-setting>
            </security-settings>

            I needed multiple roles to be allowed to send messages, so I added them separated by <space>.

            But when I added the following in jboss-ejb3.xml I got an error during startup.

            <activation-config-property>
                <activation-config-property-name>user</activation-config-property-name>
                <activation-config-property-value>testQ</activation-config-property-value>
            </activation-config-property>
            <activation-config-property>
                <activation-config-property-name>password</activation-config-property-name>
                <activation-config-property-value>testQ</activation-config-property-value>
            </activation-config-property>

            Error:

            HQ224018: Failed to create session: HornetQSecurityException[errorType=SECURITY_EXCEPTION message=HQ119031: Unable to validate user: testQ]

            <security-domain name="appLDAP" cache-type="default"> is configured with lookup as java:global/app/ldap.

            It is referred to in HornetQ as <security-domain>appLDAP</security-domain>.
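            To make the role-to-address mapping from reply 1 and the space-separated role list from reply 2 concrete, here is an added Python model of how such a security-settings block is evaluated (example code written for this thread, not HornetQ's or WildFly's own). It assumes the HornetQ/Artemis convention that the single most specific matching security-setting is applied without merging, with "#" matching any number of dot-separated words and "*" exactly one; it models authorization only, not the username/password check.

```python
# Added example: evaluates a HornetQ-style <security-settings> block.
# Assumption: only the most specific matching <security-setting> applies
# (no merging); '#' matches zero or more dot-separated words, '*' one word.
import xml.etree.ElementTree as ET

# Constructed sample: the default catch-all plus the queue-specific entries
# discussed in the thread (roles separated by whitespace).
SECURITY_SETTINGS_XML = """
<security-settings>
    <security-setting match="#">
        <permission type="send" roles="guest"/>
        <permission type="consume" roles="guest"/>
    </security-setting>
    <security-setting match="jms.queue.testQ">
        <permission type="send" roles="testQWriteRole  testQRole"/>
    </security-setting>
    <security-setting match="jms.queue.testQDLQ">
        <permission type="consume" roles="testQRole"/>
    </security-setting>
</security-settings>
"""

def pattern_matches(pattern, address):
    """Word-wise wildcard match: '*' is one word, '#' is zero or more words."""
    pw, aw = pattern.split("."), address.split(".")
    def rec(i, j):
        if i == len(pw):
            return j == len(aw)
        if pw[i] == "#":
            return any(rec(i + 1, k) for k in range(j, len(aw) + 1))
        if j < len(aw) and (pw[i] == "*" or pw[i] == aw[j]):
            return rec(i + 1, j + 1)
        return False
    return rec(0, 0)

def specificity(pattern):
    """Literal words outrank '*', which outranks '#'; higher is more specific."""
    return sum(2 if w not in ("#", "*") else 1 if w == "*" else 0 for w in pattern.split("."))

def permissions_for(xml_text, address):
    """Return {permission type: set(roles)} from the most specific matching setting."""
    root = ET.fromstring(xml_text.strip())
    matches = [s for s in root.findall("security-setting") if pattern_matches(s.get("match"), address)]
    if not matches:
        return {}
    best = max(matches, key=lambda s: specificity(s.get("match")))
    return {p.get("type"): set(p.get("roles").split()) for p in best.findall("permission")}

def is_authorized(xml_text, address, permission, user_roles):
    """Authorization check only: the caller must already have authenticated the user."""
    return bool(permissions_for(xml_text, address).get(permission, set()) & set(user_roles))
```

            Note that under this most-specific-match rule the "#" entry no longer applies to jms.queue.testQ, so a role that only appears in the catch-all is not allowed to consume from it.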

            • 3. Re: How to use custom security with JMS destination rule in WildFly
              Justin Bertram Master

              Permissions and roles are part of authorization.  Usernames and passwords are part of authentication.  These two things are related but separate.

              If you're receiving "Unable to validate user" then my first thought is that you're submitting the wrong username and/or password.  Can you confirm that your credentials in jboss-ejb3.xml are correct?  Are you able to successfully use those credentials from other messaging clients?

              • 4. Re: How to use custom security with JMS destination rule in WildFly
                valsaraj viswanathan Master

                Yes, it is working from the others. I wonder whether the username/password is correct but it is referring to the wrong security domain?

                It is referred to in HornetQ as <security-domain>appLDAP</security-domain>. That is the configured name; should I use the JNDI path instead, like java:/../appLDAP?

                • 5. Re: How to use custom security with JMS destination rule in WildFly
                  Justin Bertram Master

                  I think that if it couldn't find the security domain then it would throw a different kind of error as the broker wouldn't even be able to complete authentication.  Try using the default security domain configuration to see if that works.