15 Replies Latest reply on Oct 30, 2003 12:06 AM by Adrian Brock

    JBossMQ authentication question?

    John Baker Newbie

      How do I point the JBossMQ user authentication at the same JAAS service that authenticates the EJB users? I need durable subscribers and JBossMQ is complaining. The users are updated dynamically by application admin tools, so using the config file is not viable. The EJBs use the JDBC table module to authenticate users as this allows easy administration from the app admin panels. Thanks in advance.

        • 1. Re: JBossMQ authentication question?
          gabbyk Newbie

          Any answers yet?
          I'm stumbling into the same problem...

          • 2. Re: JBossMQ authentication question?
            Thomas Louis Newbie

            Yes, you can put the same login-module you used for your EJB-login under the <application-policy name="jbossmq">...
            This works for non-durable subscriptions and queues but not for durable topics, because the StateManager creates a new ClientID like "ID:15" for every connection. Perhaps someone knows how you could get the StateManager to create a unique ID which stays the same, e.g. login:topicName.

            • 3. Re: JBossMQ authentication question?
              Adrian Brock Master

              You shouldn't use an anonymous connection
              for durable subscriptions.

              A durable subscription is keyed by the user
              and subscription name.


              • 4. Re: JBossMQ authentication question?
                Thomas Louis Newbie

                I used login/password when connecting to JMS, but the StateManager generated a new ClientID every time I connected because the StateManager didn't find the user in its xml-configuration.

                Now I've written my own StateManager which relies on a database. I don't know if this is correct, but I mapped the ClientID directly to the user-login.

                Perhaps you are interested in it. I attached the source.


                • 5. Re: JBossMQ authentication question?
                  Adrian Brock Master

                  That's interesting.

                  I just committed an "unfinished" jdbc state manager
                  into 3.2.
                  Unfinished means I haven't fully tested it yet.
                  I also need to add the jmx methods to maintain
                  the user/role database.

                  With the data in the db, you can override the
                  sql to retrieve the data from where you like
                  in a db.


                  You can configure it with something like the following
                  (remove the file state manager):

                  <depends optional-attribute-name="ConnectionManager">jboss.jca:service=LocalTxCM,name=DefaultDS</depends>

                  <!-- Override whatever sql statements you like -->

                  The jbossmq login config is just the


                  • 6. Re: JBossMQ authentication question?
                    Xibin Zeng Newbie

                    Can you elaborate on how to use the JDBC state manager? We are facing the same issue in authentication - we already have a customized JAAS login module and I need to integrate it into JMS security. A previous user suggested that it is possible, by defining the login module under <application-policy name="jbossmq">, but he failed to mention which configuration file to modify...

                    Your help is appreciated!!

                    • 7. Re: JBossMQ authentication question?
                      Adrian Brock Master



                      • 8. Re: JBossMQ authentication question?
                        Xibin Zeng Newbie

                        Thanks for your reply. I have put our login module in place of the default login module for JMS (which was org.jboss.mq.sm.file.DynamicLoginModule). For some reason, I don't think my login module is being called, since it always returns authentication failure. Is there anything else I need to do to hook up JMS authentication with my login module?

                        Another question that has been on my mind is which CallbackHandler is being used in the JMS authentication. Do I have access to that, and do I need to override it? If so, how?

                        Thanks again for your time!


                        • 9. Re: JBossMQ authentication question?
                          Adrian Brock Master

                          Do you want to post your config
                          and perhaps your login module snippet,
                          or should I just guess what is wrong with it?


                          • 10. Re: JBossMQ authentication question?
                            Xibin Zeng Newbie

                            Sorry I was pulled away by another nasty problem. Now back to JMS security. Here is the configuration:


                            <application-policy name = "jbossmq">
                            <authentication>
                            <login-module code="com.cnnxn.shared.security.server.jboss.blah" flag = "required">
                            <module-option name="assertIdentity">true</module-option>
                            <module-option name="datasource">aDatasource</module-option>
                            </login-module>
                            </authentication>
                            </application-policy>

                            <application-policy name = "connexn">
                            <authentication>
                            <login-module code="com.cnnxn.shared.security.server.jboss.blah" flag = "required">
                            <module-option name="assertIdentity">true</module-option>
                            <module-option name="datasource">aDatasource</module-option>
                            </login-module>
                            </authentication>
                            </application-policy>

                            The classes for the login module are deployed to the lib directory of the jboss server instance.

                            In addition to the above changes, I also tried to add roles in the security configuration of my topics and queues. An example is:

                            <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
                            <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>

                            I also tried to add the matching user name and password into the jbossmq-state.xml file, thinking jboss mq may fall back to that file. It never worked.

                            Please advise how I could integrate JMS with JAAS. It's OK if your answer is yes or impossible. I need to either abandon this and move on to other things, or solve it in a reasonable time frame.

                            Thanks ahead for any help you can offer!


                            • 11. Re: JBossMQ authentication question?
                              Adrian Brock Master

                              The jbossmq-state.xml is used to configure
                              the jbossmq state manager.
                              This is used by jbossmq's dynamic login module
                              configured by default under policy "jbossmq"

                              I would guess your module only provides authentication
                              and does nothing with roles (authorization)?

                              Take a look at the jboss versions to see what is going on.
                              They are in
                              org.jboss.mq.sm.file (the default)
                              org.jboss.mq.sm.jdbc (an experimental jdbc version
                              that can be used with jboss's database login module)
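
An added example, not part of the original posts: a `jbossmq` policy for login-config.xml that reuses JBoss's stock database login module and returns roles as well as checking the password, which is the gap reply 11 points at. The datasource JNDI name, table names and column names are assumptions.

```xml
<!-- login-config.xml fragment (added example; tables and columns are hypothetical) -->
<application-policy name="jbossmq">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <!-- Same datasource the EJB security domain authenticates against (assumed name) -->
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <!-- Authentication: returns the stored password for the given user -->
      <module-option name="principalsQuery">SELECT passwd FROM app_users WHERE username = ?</module-option>
      <!-- Authorization: first column is the role, second must be the group name 'Roles'.
           The role values have to match the role names used in the security
           configuration of the topics and queues. -->
      <module-option name="rolesQuery">SELECT role_name, 'Roles' FROM app_user_roles WHERE username = ?</module-option>
    </login-module>
  </authentication>
</application-policy>
```

This covers authentication and roles only; as replies 2 and 4 describe, the client ID used for durable subscriptions still comes from the state manager.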


                              • 12. Re: JBossMQ authentication question?
                                Sam Terrell Newbie

                                Instead of duplicating things in the login config, can I just change the domain in "jbossmq-service.xml"?


                                <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>

                                Seems like that would be the best way to go.

                                Also, would it be possible to make a sar file or any other file that can be deployed easily, separate from the main JMS definitions (so I won't squash anyone else's files), that defines queues and topics for a project? (Also has to survive just a plain reboot, so JMX scripts probably aren't a good idea.)

                                Finally, can you think of any harm that may be caused by using my own role names instead of the defaults? Ex. Change subscriber->user in the "jboss-destinations-service.xml".

                                Sorry to ask so many questions. (but you may be happy I've been spreading the knowledge of JBoss by volunteering to teach half a semester at a local university, and it went well! ... thanks to the hard work of JBoss developers making the world of J2EE more accessible.)

                                • 13. Re: JBossMQ authentication question?
                                  Adrian Brock Master

                                  The name of the security name can be anything you like.
                                  It just identifies the login configuration.

                                  The configuration can be anywhere you like.
                                  There is nothing special about jbossmq-destination-service.xml
                                  my-destinations-service.xml would work just as well.
                                  You can even put it in the root of an ejb jar.

                                  You can also choose your own role names.


                                  • 14. Re: JBossMQ authentication question?
                                    Sam Terrell Newbie

                                    Wow, fast response.

                                    I'm loving JBoss more every day, that's so cool.

                                    Basically, what you are saying is that in order to deploy my application, I could make it as simple as
                                    1) modify login-config.xml in JBoss to add my security domain
                                    2) copy my ear file to the deploy directory.

                                    Possibly, I may need to modify jbossmq-service.xml to change the SecurityDomain.

                                    On that, I was thinking... can I deploy a second security manager with a different name and link queues to that security manager so my app plays happily alongside others? If so, would I just put a file in the root of my ejb-jar file like so:


                                    <!--my security manager-->

                                    <!--I don't need another DestinationManager? -->
                                    <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>

                                    <!--My topic-->

                                    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
                                    <!--Depends on my security manager-->
                                    <depends optional-attribute-name="SecurityManager">jboss.mq:service=MyAppsSecurityManager</depends>

                                    <!-- likewise a queue -->

                                    <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
                                    <depends optional-attribute-name="SecurityManager">jboss.mq:service=MyAppsSecurityManager</depends>

                                    I guess I really don't understand how the whole depends tag works. I'm probably emphasizing the wrong part of the line. If I understand what I read properly, I think the optional-attribute-name is more important than the depends :). Would that set up a queue and a topic that used my security manager that is separate from the main config? In fact, the only config file needed to be messed with would be login-config.xml. I'm trying to make my software easy to use by other people, and I have a really hard time actually bending my mind around all the neat features of JBoss. There are just so many features that one person just can't keep track of them all.

                                    (I understand that the depends makes sure that the other MBean is running first, but does the optional-attribute-name actually do something other than look pretty?)

                                    Thanks so much for your help and hard work.
