1. Re: Is there a way to prevent JBossMQ from using the jbossmq
jaikiran Jun 28, 2006 1:38 AM (in response to drpizza)
I am not clear on what exactly is your requirement, but the place where the jbossmq security domain is specified is in jbossmq-service.xml file in the %JBOSS_HOME%/server/default/deploy/jms directory. Here's the extract:
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">jbossmq</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
2. Re: Is there a way to prevent JBossMQ from using the jbossmq
drpizza Jun 28, 2006 5:56 AM (in response to drpizza)
I am not clear on what exactly is your requirement
I wish to have multiple queues, each with its own security-domain.
3. Re: Is there a way to prevent JBossMQ from using the jbossmq
jaikiran Jun 28, 2006 8:16 AM (in response to drpizza)
I wish to have multiple queues, each with its own security-domain.
Interesting. I think this is what you might have to do, in that case:
For configuring your queues, you use something like:
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=testQueue">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="noacc" read="false" write="false" create="false"/>
    </security>
  </attribute>
</mbean>
In the above configuration, you will see the following attribute:
<depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
The jboss.mq:service=SecurityManager service is in turn configured in the jbossmq-service.xml file through:
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">jbossmq</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
For implementing your requirement, you might have to configure your own security managers and let them use 2 different security domains. Something like:
In jbossmq-service.xml:
<mbean code="org.jboss.mq.security.SecurityManager" name="myApp:service=SecurityManagerForQueue1">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">someSecurityDomain1</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
<mbean code="org.jboss.mq.security.SecurityManager" name="myApp:service=SecurityManagerForQueue2">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">someSecurityDomain2</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
Then in the configuration of your queues (maybe through the jbossmq-destinations-service.xml file), you will use these security managers for the individual queues. Something like:
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=myQueue1">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">myApp:service=SecurityManagerForQueue1</depends>
  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="noacc" read="false" write="false" create="false"/>
    </security>
  </attribute>
</mbean>
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=myQueue2">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">myApp:service=SecurityManagerForQueue2</depends>
  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="noacc" read="false" write="false" create="false"/>
    </security>
  </attribute>
</mbean>
Try it out.
P.S.: I have never tried this before. This is just from what I understand about how the current configurations work.
4. Re: Is there a way to prevent JBossMQ from using the jbossmq
drpizza Jun 28, 2006 9:00 AM (in response to drpizza)
I've done that, though I think you need to do the Queues like this:
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=myQueue1">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">myApp:service=SecurityManagerForQueue1</depends>
  <attribute name="SecurityManager">myApp:service=SecurityManagerForQueue1</attribute>
  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="noacc" read="false" write="false" create="false"/>
    </security>
  </attribute>
</mbean>
(notice that it doesn't just depend on the custom SecurityManager--it actually specifies that it uses it)
Unfortunately this does not appear to work. I see stack traces like this when the system starts up:
2006-06-27 16:43:43,498 WARN [org.jboss.ejb.plugins.jms.JMSContainerInvoker] JMS provider failure detected for Queue1Consumer
javax.jms.JMSSecurityException: User: null is NOT authenticated
    at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:230)
    at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:66)
    at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:744)
    at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:302)
    at org.jboss.mq.il.uil2.ServerSocketManagerHandler.handleMsg(ServerSocketManagerHandler.java:220)
    at org.jboss.mq.il.uil2.SocketManager$ReadTask.handleMsg(SocketManager.java:396)
    at org.jboss.mq.il.uil2.msgs.BaseMsg.run(BaseMsg.java:392)
    at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:743)
    at java.lang.Thread.run(Thread.java:595)
Setting breakpoints and stepping through code, it's trying to use the jbossmq security-domain, which isn't the one I want it to use.
5. Re: Is there a way to prevent JBossMQ from using the jbossmq
jaikiran Jun 28, 2006 9:17 AM (in response to drpizza)
notice that it doesn't just depend on the custom SecurityManager--it actually specifies that it uses it
You are right.
Unfortunately this does not appear to work
I suggest you enable TRACE level logging of jboss security and post the logs here. Here's how you can enable the TRACE logging:
Have a look at Q4: How do I debug security layer at:
http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ
6. Re: Is there a way to prevent JBossMQ from using the jbossmq
drpizza Jun 29, 2006 6:03 AM (in response to drpizza)
I don't see anything particularly useful from doing that, although to be honest I get swamped in data, so I may be missing something.
7. Re: Is there a way to prevent JBossMQ from using the jbossmq
gohip Jul 3, 2006 9:58 PM (in response to drpizza)
I am also having some issues with JBoss Collaboration server MQ's. I am trying to "lock down" the queues, and context but am a little lost.
I am using the user roles properties file
It has two users
their roles are listed as such...
user1=calendaruser,adminuser
user2=calendaruser,adminuser
and they have the reqd password/user file
so now I see I can change this...
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=testQueue">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  <attribute name="MessageCounterHistoryDayLimit">-1</attribute>
  <attribute name="SecurityConf">
    <security>
      <!-- <role name="guest" read="true" write="true"/> -->
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="noacc" read="false" write="false" create="false"/>
      <!-- <role name="user2" read="true" write="false" create="false"/> -->
      <!-- <role name="user1" read="true" write="false" create="false"/> -->
    </security>
  </attribute>
</mbean>
I got rid of guest, which I imagine is almost as bad as the "guest" user account in Windows XP.
From what I interpret, whoever publishes the messages to the queue can do whatever they want, and someone that is "noacc" (?no account?) can do nothing whatsoever, so how do I add access to, say, user1 or user2 as mentioned earlier?
I tried the above, don't laugh, but it didn't work... Any insight would be greatly appreciated, I just would like to ensure that users have to auth if visiting the queues or context.
I'm trying roles of "acc", "username", etc. but nothing is working, and trying to google "Jboss roles" didn't come up with much
And I see, as well as you stated, that in "jbossmq-service.xml" I could change
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>
Would this mean that no one could browse, search, etc. the actual context itself? This would be very nice. Is the means of locking down this also the same as locking down a queue?
Any insight is extremely appreciated
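An added example (not posted by anyone in this thread, and not JBoss code): a small Python audit of the descriptors discussed in replies 3 and 7. It reports which SecurityManager MBean each queue's depends element names, which SecurityDomain that manager declares, and whether an active (not commented-out) guest role can write or create. The SAMPLE document and the function names are constructed for illustration; the script reads only what the XML declares, not what the broker does at runtime.

```python
import xml.etree.ElementTree as ET

SM, QUEUE = "org.jboss.mq.security.SecurityManager", "org.jboss.mq.server.jmx.Queue"
# Constructed sample, modelled on the descriptors quoted in this thread.
SAMPLE = """<server>
<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="SecurityDomain">jbossmq</attribute>
</mbean>
<mbean code="org.jboss.mq.security.SecurityManager" name="myApp:service=SecurityManagerForQueue1">
  <attribute name="SecurityDomain">someSecurityDomain1</attribute>
</mbean>
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=myQueue1">
  <depends optional-attribute-name="SecurityManager">myApp:service=SecurityManagerForQueue1</depends>
  <attribute name="SecurityConf"><security>
    <!-- <role name="guest" read="true" write="true"/> -->
    <role name="publisher" read="true" write="true" create="false"/>
  </security></attribute>
</mbean>
<mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=testQueue">
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  <attribute name="SecurityConf"><security>
    <role name="guest" read="true" write="true"/>
  </security></attribute>
</mbean>
</server>"""

def child_text(mbean, tag, key, value):
    # Text of the first <tag key="value"> child, or None when absent or empty.
    for el in mbean.findall(tag):
        if el.get(key) == value and el.text:
            return el.text.strip()
    return None

def audit(xml_text):
    # Queue name -> declared SecurityManager, that manager's domain, findings.
    mbeans = list(ET.fromstring(xml_text).iter("mbean"))
    domains = {m.get("name"): child_text(m, "attribute", "name", "SecurityDomain")
               for m in mbeans if m.get("code") == SM}
    report = {}
    for m in (q for q in mbeans if q.get("code") == QUEUE):
        mgr = child_text(m, "depends", "optional-attribute-name", "SecurityManager")
        findings = [] if mgr in domains else ["SecurityManager not defined in this descriptor"]
        for role in m.iter("role"):  # XML comments are skipped by the parser
            if role.get("name") == "guest" and "true" in (role.get("write"), role.get("create")):
                findings.append("guest role may write or create")
        report[m.get("name")] = {"manager": mgr, "domain": domains.get(mgr), "findings": findings}
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```
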
8. Re: Is there a way to prevent JBossMQ from using the jbossmq
gohip Jul 11, 2006 1:20 PM (in response to drpizza)
help?
Please!
9. Re: Is there a way to prevent JBossMQ from using the jbossmq
drpizza Aug 14, 2006 9:02 AM (in response to drpizza)
I would still like input to help with my query, as I have no idea.