2 Replies Latest reply on Mar 25, 2005 7:03 PM by Marco Schulze

    Protect a queue from remote accesses and replace DLQ

    Marco Schulze Newbie

      Hello *!

      I'm using a message queue to asynchronously execute time consuming tasks: A client connects to a stateless session bean which puts a task "envelope" into a queue. This task is then executed by a message driven bean.

      It all works fine, now, but is unsecure as everyone (even remotely) could write into (and read from) my task queue.

      How can I prevent anyone (except my session bean) from writing into this queue? At least, I must prevent any remote accesses to this queue (if possible, read and write). Is that possible? If so, how? I've already searched hours for a solution but unfortunately didn't find any helping howto.

      I tried the following declaration in my *-service.xml:

      <mbean code="org.jboss.mq.server.jmx.Queue"
       name="jboss.mq.destination:service=Queue,name=test/TaskQueue">
       <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
       <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
       <attribute name="SecurityConf">
       <security>
       <role name="_System_" read="true" write="true"/>
       </security>
       </attribute>
      </mbean>
      With this declaration, noone is able to access the queue, even if the role "_System_" is present. Hence, I guess that the security domain is the problem. How can I specify a security domain for a certain queue?

      And how can I give the necessary role to my message driven bean? Currently, the MDB is working anonymously and I've no clue how to authenticate an MDB.

      The following question was already asked by me a few days ago, but unfortunately noone answered (maybe because I wrote it into an old topic instead of starting a new one?):

      How can I replace the DLQ by another queue for one MDB? I tried to add the following into the jboss.xml of my deployed module, but it had NO effect:
      <container-configurations>
       <container-configuration>
       <container-name>Standard Message Driven Bean</container-name>
       <container-invoker-conf>
       <MDBConfig>
       <ReconnectIntervalSec>30</ReconnectIntervalSec>
       <DLQConfig>
       <DestinationQueue>queue/my/FailQueue</DestinationQueue>
       <MaxTimesRedelivered>3</MaxTimesRedelivered>
       <TimeToLive>0</TimeToLive>
       </DLQConfig>
       </MDBConfig>
       </container-invoker-conf>
       </container-configuration>
      </container-configurations>


      What am I doing wrong?

      I either need to define this on a per-queue-basis or on a per-MDB-basis. To set the redeliveryDelay and redeliveryLimit on a per-queue-basis (in the xxx-service.xml) works fine, but how can I overwrite the "queue/DLQ" coming from standardjboss.xml?

      Best regards, Marco :-)

        • 1. Re: Protect a queue from remote accesses and replace DLQ
          Adrian Brock Master

           

          "nlmarco" wrote:

          What am I doing wrong?


          1) Asking questions about security in the JMS forum?
          2) Not reading the documentation/wiki/using search before posting?
          3) Hijacking other people's threads?
          http://www.jboss.org/index.html?module=bb&op=viewtopic&t=47026
          etc.

          • 2. Re: Protect a queue from remote accesses and replace DLQ
            Marco Schulze Newbie

            Hello Adrian,

            first: Thanks a lot for the quick reply!

            "adrian@jboss.org" wrote:
            1) Asking questions about security in the JMS forum?

            My first question is about both, messaging and security, thus, I thought it would fit into either forum. Sorry.

            ...and the DLQ related question is purely JMS, isn't it?

            "adrian@jboss.org" wrote:
            2) Not reading the documentation/wiki/using search before posting?

            I have read uncountable documents - as well on jboss.org as many other sources found by google. They all show only simple configurations, but I could neither find any "full blown" example nor any elaborate explaination about how bean, queue and security interact. But maybe I only read the wrong docs...

            There's certainly not a lack of documentation, but IMHO a complete tutorial (not ending where it begins to get interesting) is hard to find.

            If I was just too unlucky or too clumsy to find the right docs, could you please provide a link to a Howto explaining the correct set up and usage of an MDB + Queue with customized authentication? Thanks a lot in advance!

            About the question on how to authenticate the MDB, you're indeed right - I could have taken a deeper look into the jboss_3_0.dtd earlier. Sorry.

            "adrian@jboss.org" wrote:
            3) Hijacking other people's threads?
            I'm very sorry - didn't know that people "own" threads here. I promise to start new threads for my questions in the future!

            Best regards and happy easter!

            Marco ;-)