1 Reply Latest reply on Aug 28, 2005 2:22 PM by Scott Stark

    JMS over HTTPS Login not propagated to Queue ConnectionFacto

    Geert Pante Newbie

      Hi all,

      We are setting up a secured JMS communication channel over https with CLIENT-CERT authentication. To post to the different Queues, we also need different roles, and we want to reuse the client certificate mapping to get the required roles.

      We manage to get through the HTTPIL Layer to get the ConnectionFactory, but when posting to the secured Queue, the role we got for the HTTPIL seems not to be propagated to JMS, and we get:

      javax.jms.JMSSecurityException: Connection not authorized to addMessages to destination: private

      Client Code:

      JVM options:
      -Djavax.net.ssl.trustStore=c:/server-truststore.jks -Djavax.net.ssl.trustStorePassword=xxx -Djavax.net.ssl.keyStore=c:/client-keystore.jks -Djavax.net.ssl.keyStorePassword=xxx

       import javax.jms.*;
       import javax.naming.InitialContext;

       public class HttpsJmsClient {
        public static void send( String queueName, String text ) throws Exception {
         // JNDI over the HTTPS invoker servlet; the client certificate from the JVM options is presented here
         System.setProperty( "java.naming.factory.initial", "org.jboss.naming.HttpNamingContextFactory" );
         System.setProperty( "java.naming.provider.url", "https://localhost/invoker/JNDIFactory" );
         System.setProperty( "java.naming.factory.url.pkgs", "org.jboss.naming:org.jnp.interfaces;java.protocol.handler.pkgs" );
         InitialContext iniCtx = new InitialContext();
         QueueConnectionFactory qcf = (QueueConnectionFactory)iniCtx.lookup( "ConnectionFactory" );

         // No username/password passed: the connection carries no JMS-level credentials
         QueueConnection conn = qcf.createQueueConnection();
         QueueSession session = conn.createQueueSession( false, QueueSession.AUTO_ACKNOWLEDGE );
         Queue queue = (Queue)iniCtx.lookup( "queue/" + queueName );
         conn.start();
         QueueSender send = session.createSender( queue );
         TextMessage tm = session.createTextMessage( text );
         send.send( tm );   // throws the JMSSecurityException quoted above
         send.close();
         conn.stop();
         session.close();
         conn.close();
        }
       }


      jboss-destinations-service.xml
       <mbean code="org.jboss.mq.server.jmx.Queue"
              name="jboss.mq.destination:service=Queue,name=private">
         <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
         <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
         <attribute name="SecurityConf">
           <security>
             <role name="registered" read="true" write="true"/>
           </security>
         </attribute>
       </mbean>

      login-config.xml
       <application-policy name="jbossmq">
         <authentication>
           <login-module code="org.jboss.security.auth.spi.CertRolesLoginModule" flag="required">
             <module-option name="securityDomain">java:/jaas/jbossmq</module-option>
             <module-option name="rolesProperties">props/jbossmq-roles.properties</module-option>
             <module-option name="verifier">org.jboss.security.auth.certs.AnyCertVerifier</module-option>
           </login-module>
         </authentication>
       </application-policy>

      jbossmq-httpil.war web.xml
       <security-constraint>
         <web-resource-collection>
           <web-resource-name>HttpInvokers</web-resource-name>
           <url-pattern>/*</url-pattern>
           <http-method>GET</http-method>
           <http-method>POST</http-method>
         </web-resource-collection>
         <auth-constraint>
           <role-name>guest</role-name>
           <role-name>registered</role-name>
         </auth-constraint>
       </security-constraint>
       <login-config>
         <auth-method>CLIENT-CERT</auth-method>
       </login-config>
       <security-role>
         <role-name>guest</role-name>
       </security-role>
       <security-role>
         <role-name>registered</role-name>
       </security-role>

      jbossmq-roles.properties
      registered-client=registered

      jbossweb-tomcat55.sar server.xml
       <Connector port="443" address="${jboss.bind.address}"
                  maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
                  emptySessionPath="true"
                  scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
                  keystoreFile="c:/server-keystore.jks" keystorePass="barcot3st"
                  truststoreFile="c:/server-truststore.jks" truststorePass="barcot3st"/>
       <Engine name="jboss.web" defaultHost="localhost">
         <Realm className="org.jboss.web.tomcat.security.JBossSecurityMgrRealm"
                certificatePrincipal="org.jboss.security.auth.certs.SubjectCNMapping"/>
         <Host name="localhost" autoDeploy="false" deployOnStartup="false" deployXML="false"></Host>
       </Engine>


      It works fine if we use a separate JAAS policy for the JMS Layer, using the UsersRolesLoginModule for the destination Queue, sending username and password from the client and doing an explicit login to connect to the queue:
       QueueConnection conn = qcf.createQueueConnection("registered-client","password");


      Is it possible somehow to propagate the JAAS role used to login at the HTTPIL Layer to the JMS layer, so we don't need to use an extra password?
      Or is it possible that the JMS Layer can use the Client Cert used to log in at the HTTPIL Layer to authenticate for the Queue?

      Many thanks in advance, Geert.
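The following is an added illustration, not code from the post or from JBoss, modelling the two separate checks the configuration above sets up: the web container maps the client cert's Subject CN to a principal and resolves its roles from jbossmq-roles.properties, while the destination's SecurityConf is evaluated against whatever identity the JMS connection itself carries. It assumes (as a simplification) that a connection opened without credentials carries no principal and therefore no roles; the Subject DN is a constructed sample.

```java
import java.util.*;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Model of the HTTPIL and JMS authorization paths (illustration only, not JBoss internals). */
public class RolePropagationModel {

    /** Like SubjectCNMapping: reduce the certificate's Subject DN to its CN as the principal name. */
    static String principalFromSubjectDn(String subjectDn) throws InvalidNameException {
        for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
            if (rdn.getType().equalsIgnoreCase("CN")) {
                return rdn.getValue().toString();
            }
        }
        return null;
    }

    /** Like jbossmq-roles.properties: principal -> comma-separated roles; no principal, no roles. */
    static Set<String> rolesFor(Properties rolesProps, String principal) {
        Set<String> roles = new HashSet<>();
        if (principal == null) return roles;
        for (String r : rolesProps.getProperty(principal, "").split(",")) {
            if (!r.trim().isEmpty()) roles.add(r.trim());
        }
        return roles;
    }

    /** Like the destination's SecurityConf: writing is allowed if any caller role has write="true". */
    static boolean mayWrite(Map<String, Boolean> writeByRole, Set<String> callerRoles) {
        for (String role : callerRoles) {
            if (Boolean.TRUE.equals(writeByRole.get(role))) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Properties rolesProps = new Properties();
        rolesProps.setProperty("registered-client", "registered");   // registered-client=registered
        Map<String, Boolean> privateQueue = Collections.singletonMap("registered", Boolean.TRUE);

        // HTTPIL layer: CLIENT-CERT succeeded, CN is the principal, role "registered" satisfies the queue.
        String principal = principalFromSubjectDn("CN=registered-client,O=Example");   // constructed DN
        Set<String> httpRoles = rolesFor(rolesProps, principal);
        System.out.println("HTTPIL roles " + httpRoles + " -> write allowed: " + mayWrite(privateQueue, httpRoles));

        // JMS layer: createQueueConnection() passed no credentials, so no principal and no roles arrive.
        Set<String> jmsRoles = rolesFor(rolesProps, null);
        System.out.println("JMS roles " + jmsRoles + " -> write allowed: " + mayWrite(privateQueue, jmsRoles));
    }
}
```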