1 Reply Latest reply on Aug 28, 2005 2:22 PM by starksm64

    JMS over HTTPS Login not propagated to Queue ConnectionFacto

      Hi all,

      We are setting up a secured JMS communication channel over https with CLIENT-CERT authentication. To post to the different Queues, we also need different roles, and we want to reuse the client certificate mapping to get the required roles.

      We manage to get through the HTTPIL Layer to get the ConnectionFactory, but when posting to the secured Queue, the role we got for the HTTPIL seems not to be propagated to JMS, and we get:

      javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: private

      Client Code:

      -Djavax.net.ssl.trustStore=c:/server-truststore.jks -Djavax.net.ssl.trustStorePassword=xxx -Djavax.net.ssl.keyStore=c:/client-keystore.jks -Djavax.net.ssl.keyStorePassword=xxx
      
       import javax.jms.Queue;
       import javax.jms.QueueConnection;
       import javax.jms.QueueConnectionFactory;
       import javax.jms.QueueSender;
       import javax.jms.QueueSession;
       import javax.jms.TextMessage;
       import javax.naming.InitialContext;

       // JNDI over the HTTP invoker: the client certificate named in the -D options
       // above authenticates the HTTPS connection, not the JMS connection.
       System.setProperty( "java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory" );
       System.setProperty( "java.naming.provider.url", "https://localhost/invoker/JNDIFactory" );
       System.setProperty( "java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces;java.protocol.handler.pkgs" );
       InitialContext iniCtx = new InitialContext();
       QueueConnectionFactory qcf = (QueueConnectionFactory)iniCtx.lookup( "ConnectionFactory" );

       // No credentials are passed to the factory, so the JMS layer receives no user identity from this call.
       QueueConnection conn = qcf.createQueueConnection();
       QueueSession session = conn.createQueueSession( false, QueueSession.AUTO_ACKNOWLEDGE );
       Queue queue = (Queue)iniCtx.lookup( "queue/" + queueName );
       conn.start();
       QueueSender send = session.createSender( queue );
       TextMessage tm = session.createTextMessage( text );
       send.send( tm );
       send.close();
       conn.stop();
       session.close();
       conn.close();


      jboss-destinations-service.xml
      <mbean code="org.jboss.mq.server.jmx.Queue"
             name="jboss.mq.destination:service=Queue,name=private">
        <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
        <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
        <attribute name="SecurityConf">
          <security>
            <role name="registered" read="true" write="true"/>
          </security>
        </attribute>
      </mbean>

      login-config.xml
      <application-policy name = "jbossmq">
        <authentication>
          <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag = "required">
            <module-option name="securityDomain">java:/jaas/jbossmq</module-option>
            <module-option name="rolesProperties">props/jbossmq-roles.properties</module-option>
            <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
          </login-module>
        </authentication>
      </application-policy>

      jbossmq-httpil.war web.xml
      <security-constraint>
        <web-resource-collection>
          <web-resource-name>HttpInvokers</web-resource-name>
          <url-pattern>/*</url-pattern>
          <http-method>GET</http-method>
          <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
          <role-name>guest</role-name>
          <role-name>registered</role-name>
        </auth-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
      </login-config>
      <security-role>
        <role-name>guest</role-name>
      </security-role>
      <security-role>
        <role-name>registered</role-name>
      </security-role>

      jbossmq-roles.properties
      registered-client=registered

      jbossweb-tomcat55.sar
      <Connector port="443" address="${jboss.bind.address}"
                 maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                 emptySessionPath="true"
                 scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
                 keystoreFile="c:/server-keystore.jks" keystorePass="barcot3st"
                 truststoreFile="c:/server-truststore.jks" truststorePass="barcot3st"/>
      <Engine name="jboss.web" defaultHost="localhost">
        <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
               certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping"/>
        <Host name="localhost" autoDeploy="false" deployOnStartup="false" deployXML="false"></Host>
      </Engine>


      It works fine if we use a separate JAAS policy for the JMS Layer, using the UsersRolesLoginModule for the destination Queue, send username and password from the client, and do an explicit login to connect to the queue:
      QueueConnection conn = qcf.createQueueConnection("registered-client","password");


      Is it possible somehow to propagate the JAAS role used to login at the HTTPIL Layer to the JMS layer, so we don't need to use an extra password?
      Or is it possible that the JMS Layer can use the Client Cert used to log in at the HTTPIL Layer to authenticate for the Queue?

      Many thanks in advance, Geert.

        • 1. Re: JMS over HTTPS Login not propagated to Queue ConnectionF
          starksm64

          The only connection factory that may work in this scenario is the jca resource adaptor for jms bound under java:/JmsXA. You are basically just introducing transport level security that the jms layer knows nothing about. The only jms api for authentication is to pass in the credentials via the connection factory. The jca resource adaptor for jms allows for the caller identity to be obtained in different ways. If you can't get the JmsXA connection factory to work, create a bug report with a test example in jira.

          http://jira.jboss.com/jira/browse/JBAS
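The reply's suggestion carried into code, as an added example that is not from the thread or from JBoss itself: instead of a remote client reaching JBossMQ through the HTTP invoker (where the certificate only secures the transport), a servlet deployed in the same server, protected by CLIENT-CERT in its own web.xml, checks the mapped role where the container actually knows it and then sends through the container-managed java:/JmsXA factory named in the reply. The servlet class, the queue and text request parameters and the sentBy message property are assumptions; how the resource adapter maps the servlet caller to a JMS identity depends on its own security configuration, which is not shown here.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.jms.JMSException;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.jms.QueueSender;
import javax.jms.QueueSession;
import javax.jms.TextMessage;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet, not part of the original thread or of JBoss.
public class CertAuthenticatedSendServlet extends HttpServlet {

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // CLIENT-CERT auth in this war's own web.xml has already mapped the
        // certificate to roles (as in the thread's jbossmq-httpil.war); enforce
        // the "registered" role here, where the container knows the identity.
        if (req.getUserPrincipal() == null || !req.isUserInRole("registered")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN); return;
        }
        // Assumed request parameters; only the "private" queue from the thread is writable here.
        String queueName = req.getParameter("queue");
        String text = req.getParameter("text");
        if (text == null || !Arrays.asList("private").contains(queueName)) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST); return;
        }
        QueueConnection conn = null;
        try {
            InitialContext ctx = new InitialContext();  // in-VM JNDI, no HTTP invoker needed
            QueueConnectionFactory qcf = (QueueConnectionFactory) ctx.lookup("java:/JmsXA");
            Queue queue = (Queue) ctx.lookup("queue/" + queueName);
            // No credentials here: the resource adapter supplies the JMS identity
            // from its own (container-managed) security configuration, not from this code.
            conn = qcf.createQueueConnection();
            QueueSession session = conn.createQueueSession(false, QueueSession.AUTO_ACKNOWLEDGE);
            QueueSender sender = session.createSender(queue);
            TextMessage tm = session.createTextMessage(text);
            tm.setStringProperty("sentBy", req.getUserPrincipal().getName());  // audit trail (assumed property)
            sender.send(tm);
        } catch (NamingException e) { throw new ServletException("JNDI lookup failed", e);
        } catch (JMSException e) { throw new ServletException("JMS send failed", e);
        } finally { if (conn != null) { try { conn.close(); } catch (JMSException ignored) { } } }
    }
}
```

With this layout the remote client needs only its certificate for the HTTPS call; if the destination still rejects the send, the identity the resource adapter hands to JBossMQ is what to check, not the web tier.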