5 Replies Latest reply on Jan 23, 2008 1:33 AM by Anupam Kakade

    Queue-Security

    Schacher Newbie

      I am trying to add access control to a queue (only authenticated users should have read/write/create rights; other users should be blocked).
      I read the JBoss documentation (JMS, JAAS) and searched the forum, but I didn't find the answer.

      try:
      ecollector-docImport-service.xml:

      <server>
        <mbean code="org.jboss.mq.server.jmx.Queue"
               name="jboss.mq.destination:service=Queue,name=eManager-DocImportQueue">
          <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
          <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
          <attribute name="SecurityConf">
            <security>
              <role name="ecollector" read="true" write="true" create="true"/>
            </security>
          </attribute>
        </mbean>
      </server>

      deploy-exception:
      org.jboss.deployment.DeploymentException: Error during queue setup; - nested throwable:
      (javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: eManager-DocImportQueue)
       at org.jboss.deployment.DeploymentException.rethrowAsDeploymentException(DeploymentException.java:39)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.innerCreate(JMSContainerInvoker.java:898)
       at org.jboss.ejb.plugins.jms.JMSContainerInvoker.startService(JMSContainerInvoker.java:922)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalStart(ServiceMBeanSupport.java:272)
       at org.jboss.system.ServiceMBeanSupport.jbossInternalLifecycle(ServiceMBeanSupport.java:222)
       at sun.reflect.GeneratedMethodAccessor2.invoke(Unknown Source)
       at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
       at java.lang.reflect.Method.invoke(Method.java:585)
       at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:141)
       at org.jboss.mx.server.Invocation.dispatch(Invocation.java:80)
       at org.jboss.mx.server.Invocation.invoke(Invocation.java:72)
       at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:249)
       at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:644)
       at org.jboss.system.ServiceController$ServiceProxy.invoke(ServiceController.java:897)
       at $Proxy66.start(Unknown Source)
       at org.jboss.system.ServiceController.start(ServiceController.java:418)
       at sun.reflect.GeneratedMethodAccessor9.invoke(Unknown Source)
      



      The following is working, but I'm not happy because unauthenticated users have read rights:

      <server>
        <mbean code="org.jboss.mq.server.jmx.Queue"
               name="jboss.mq.destination:service=Queue,name=eManager-DocImportQueue">
          <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
          <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
          <attribute name="SecurityConf">
            <security>
              <role name="guest" read="true" write="false" create="false"/>
              <role name="ecollector" read="true" write="true" create="true"/>
            </security>
          </attribute>
        </mbean>
      </server>

      What would be the correct solution?

      THANK YOU for all hints in advance
      marc

      I'm using JBoss 4.0.2

        • 1. Re: Queue-Security
          Schacher Newbie

          I thought I had found the solution with the run-as tag (but it's still not working):

          <enterprise-beans>
            <message-driven>
              <ejb-name>DocImportProcessorEJB</ejb-name>
              <ejb-class>ch.e_act.e_archive.server.emanager.ejb.DocImportProcessorBean</ejb-class>
              <transaction-type>Container</transaction-type>
              <message-selector>MessageFormat = 'Version 3.4'</message-selector>
              <acknowledge-mode>auto-acknowledge</acknowledge-mode>
              <message-driven-destination>
                <destination-type>javax.jms.Queue</destination-type>
              </message-driven-destination>
              <security-identity>
                <!-- per the ejb-jar DTD, run-as holds only a role-name;
                     use-caller-identity is the alternative to run-as, not a child of it -->
                <run-as>
                  <role-name>ecollector</role-name>
                </run-as>
              </security-identity>
              <resource-ref>
                <res-ref-name>jms/QueueFactory</res-ref-name>
                <res-type>javax.jms.QueueConnectionFactory</res-type>
                <res-auth>Container</res-auth>
              </resource-ref>
            </message-driven>
          </enterprise-beans>

          Is there another way to give the MDB a role?

          Or is the "run-as" tag the right way, and I missed something?

          • 2. Re: Queue-Security
            Scott Stark Master

            The mdb also needs to be authenticated. To allow a guest user with the assumed run-as role see the unauthenticatedIdentity option for the login module used to secure the target.
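             The option Scott mentions lives in the jbossmq application-policy of conf/login-config.xml, the security domain JBossMQ's SecurityManager authenticates connections against. The fragment below is an added illustration, not part of the thread: the JBoss 4.0.x default policy next to a variant with unauthenticatedIdentity removed, which is what makes "only authenticated users" enforceable at connection level rather than per-queue. The JMS_USERS/JMS_ROLES queries and java:/DefaultDS are the defaults shipped with JBossMQ; the ecollector role and the mdb-user setting are assumed from this thread.

```xml
<!-- conf/login-config.xml: the policy JBossMQ's SecurityManager uses
     (SecurityDomain = java:/jaas/jbossmq in jbossmq-service.xml). Pick ONE
     of the two application-policy blocks; they are shown side by side. -->

<!-- 1. JBoss 4.0.x default: a connection that presents no credentials is
        mapped to the principal "guest". That is why the OP's queue only
        deploys once a "guest" role is listed in its SecurityConf. -->
<application-policy name="jbossmq">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
      <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
    </login-module>
  </authentication>
</application-policy>

<!-- 2. Hardened: no unauthenticatedIdentity. An anonymous connection now fails
        authentication before any per-destination check, so the queue's
        SecurityConf needs only the ecollector role, and every client, the MDB
        included, must log in. For the MDB that means <mdb-user>/<mdb-passwd>
        in jboss.xml, with that user stored in JMS_USERS and mapped to the
        ecollector role in JMS_ROLES (assumed role name from this thread). -->
<application-policy name="jbossmq">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                  flag="required">
      <module-option name="dsJndiName">java:/DefaultDS</module-option>
      <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
      <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
    </login-module>
  </authentication>
</application-policy>
```

             A quick check after the change: a client that calls createQueueConnection() with no credentials should now be rejected at connect time instead of being let in as guest, while the MDB with mdb-user/mdb-passwd still deploys.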

            • 3. Re: Queue-Security
              Schacher Newbie

              Thank you for the reply.

              <jboss>
                <enterprise-beans>
                  <secure>false</secure>
                  <message-driven>
                    <ejb-name>DocImportProcessorEJB</ejb-name>
                    <destination-jndi-name>queue/eManager-DocImportQueue</destination-jndi-name>

                    <mdb-user>abc</mdb-user>
                    <mdb-passwd>xyz</mdb-passwd>

                    <resource-ref>
                      <res-ref-name>jms/QueueFactory</res-ref-name>
                      <jndi-name>java:/JmsXA</jndi-name>
                    </resource-ref>
                  </message-driven>
                </enterprise-beans>
              </jboss>

              • 4. Re: Queue-Security
                Ushir Shah Newbie

                Hi, I am using JBoss and have configured JAAS authentication. When I try to create a Receiver for the temporary queue I am getting the following exception:

                javax.jms.JMSSecurityException: Connection not authorized to subscribe to destination: JMS_TQ8

                When I try to create a queue and a Topic, my user/password gets authenticated and successfully creates the queue/topic. Under jbossmq-destinations-service.xml I have my queues and topics configured correctly with the security role. I am not using Message Driven Beans.

                I am having this error for the temporary queue when I try to createReceiver for the temporary queue. Any idea what might be happening? Without implementing an MDB, can I use JAAS security for the temporary queue?

                part of my code:

                import javax.jms.*;
                import javax.naming.Context;
                import javax.naming.InitialContext;
                import javax.naming.NamingException;

                // fields the snippet assigns to (declared so it compiles on its own)
                private QueueConnection queueConnection;
                private QueueSender queueSender;

                // not shown in the original post; assumed to read jndi.properties from the classpath
                private Context getInitialContext() throws NamingException {
                    return new InitialContext();
                }

                private void setupTemporaryQueue() {
                    try
                    {
                        Context jndiContext = getInitialContext();
                        QueueConnectionFactory ref =
                            (QueueConnectionFactory) jndiContext.lookup("ConnectionFactory");

                        Queue queue = (Queue) jndiContext.lookup("queue/testQueue");
                        queueConnection = ref.createQueueConnection();
                        QueueSession queueSession = queueConnection.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
                        // The temporary queue,
                        TemporaryQueue tq = queueSession.createTemporaryQueue();
                        queueSender = queueSession.createSender(queue);
                        // this is the call that fails with JMSSecurityException
                        QueueReceiver qr = queueSession.createReceiver(tq);
                    }
                    catch (Exception e) {
                        System.out.println(e.getMessage());
                        e.printStackTrace();
                    }
                }

                I am using JBoss 4.0.2.

                Thanks for your help in advance,
                Ushir

                • 5. Re: Queue-Security
                  Anupam Kakade Newbie

                  Hi all,

                  Will you please help me by sending code for the message sender and MDB for secure queues.
                  Thanks in advance.