9 Replies Latest reply on Aug 14, 2006 9:02 AM by drpizza

    Is there a way to prevent JBossMQ from using the jbossmq jaa

    drpizza Newbie

      Hi,

      It uses the jbossmq domain by default, which we do not really want it to do. The jboss.xml of the MDBs themselves names a different security-domain, and we define a SecurityManager using this security-domain which our Queues use. However, on deploying the application an attempt is made to authenticate by SpyConnection (whatever that is) using null credentials, and that authentication attempt gets serviced by the jbossmq security-domain. Is there some way to change this? Am I neglecting to include some piece of configuration somewhere (I can post config files if necessary, though I am not sure which ones would be of interest) or is it simply not going to work how I want it to work?

      We are using 4.0.4 with JBossMQ. If switching to JBoss Messaging would be helpful and simple then I suppose we could do that.

        • 1. Re: Is there a way to prevent JBossMQ from using the jbossmq
          jaikiran pai Master

          I am not clear on what exactly is your requirement, but the place where the jbossmq security domain is specified is in jbossmq-service.xml file in the %JBOSS_HOME%/server/default/deploy/jms directory. Here's the extract:

          <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
           <attribute name="DefaultSecurityConfig">
           <security>
           <role name="guest" read="true" write="true" create="true"/>
           </security>
           </attribute>
           <attribute name="SecurityDomain">jbossmq</attribute>
           <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
           </mbean>




          • 2. Re: Is there a way to prevent JBossMQ from using the jbossmq
            drpizza Newbie

             

            I am not clear on what exactly is your requirement

            I wish to have multiple queues, each with its own security-domain.


            • 3. Re: Is there a way to prevent JBossMQ from using the jbossmq
              jaikiran pai Master

               

              I wish to have multiple queues, each with its own security-domain.


              Interesting. I think this is what you might have to do, in that case:

              For configuring your queues, you use something like:

              <mbean code="org.jboss.mq.server.jmx.Queue"
               name="jboss.mq.destination:service=Queue,name=testQueue">
               <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
               <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
               <attribute name="SecurityConf">
               <security>
               <role name="guest" read="true" write="true"/>
               <role name="publisher" read="true" write="true" create="false"/>
               <role name="noacc" read="false" write="false" create="false"/>
               </security>
               </attribute>
               </mbean>


              In the above configuration, you will see the following attribute:

              <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
              


              The jboss.mq:service=SecurityManager service is inturn configured in the jbossmq-service.xml file through:

              <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
               <attribute name="DefaultSecurityConfig">
               <security>
               <role name="guest" read="true" write="true" create="true"/>
               </security>
               </attribute>
               <attribute name="SecurityDomain">jbossmq</attribute>
               <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
               </mbean>


              For implementing your requirement, you might have to configure your own security managers and let them use 2 different security domains. Something like:

              In jbossmq-service.xml:


              <mbean code="org.jboss.mq.security.SecurityManager" name="myApp:service=SecurityManagerForQueue1">
               <attribute name="DefaultSecurityConfig">
               <security>
               <role name="guest" read="true" write="true" create="true"/>
               </security>
               </attribute>
               <attribute name="SecurityDomain">someSecurityDomain1</attribute>
               <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
               </mbean>


              <mbean code="org.jboss.mq.security.SecurityManager" name="myApp:service=SecurityManagerForQueue2">
               <attribute name="DefaultSecurityConfig">
               <security>
               <role name="guest" read="true" write="true" create="true"/>
               </security>
               </attribute>
               <attribute name="SecurityDomain">someSecurityDomain2</attribute> <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
               </mbean>


              Then in the configuration of your queues(may be through jbossmq-destinations-service.xml file), you will use this security managers for the individual queues. Something like:

              <mbean code="org.jboss.mq.server.jmx.Queue"
               name="jboss.mq.destination:service=Queue,name=myQueue1">
               <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
               <depends optional-attribute-name="SecurityManager">myApp:service=SecurityManagerForQueue1</depends>
               <attribute name="SecurityConf">
               <security>
               <role name="guest" read="true" write="true"/>
               <role name="publisher" read="true" write="true" create="false"/>
               <role name="noacc" read="false" write="false" create="false"/>
               </security>
               </attribute>
               </mbean>


              <mbean code="org.jboss.mq.server.jmx.Queue"
               name="jboss.mq.destination:service=Queue,name=myQueue2">
               <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
               <depends optional-attribute-name="SecurityManager">myApp:service=SecurityManagerForQueue2</depends>
               <attribute name="SecurityConf">
               <security>
               <role name="guest" read="true" write="true"/>
               <role name="publisher" read="true" write="true" create="false"/>
               <role name="noacc" read="false" write="false" create="false"/>
               </security>
               </attribute>
               </mbean>


              Try it out.

              P.S.: I have never tried this before. This is just from what i understand about how the current configurations work.



              • 4. Re: Is there a way to prevent JBossMQ from using the jbossmq
                drpizza Newbie

                I've done that, though I think you need to do the Queues like this:

                <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=myQueue1">
                 <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
                 <depends optional-attribute-name="SecurityManager">myApp:service=SecurityManagerForQueue1</depends>
                 <attribute name="SecurityManager">myApp:service=SecurityManagerForQueue1</attribute>
                 <attribute name="SecurityConf">
                 <security>
                 <role name="guest" read="true" write="true"/>
                 <role name="publisher" read="true" write="true" create="false"/>
                 <role name="noacc" read="false" write="false" create="false"/>
                 </security>
                 </attribute>
                </mbean>
                
                

                (notice that it doesn't just depend on the custom SecurityManager--it actually specifies that it uses it)

                Unfortunately this does not appear to work. I see stack traces like this when the system starts up:
                2006-06-27 16:43:43,498 WARN [org.jboss.ejb.plugins.jms.JMSContainerInvoker] JMS provider failure detected for Queue1Consumer
                javax.jms.JMSSecurityException: User: null is NOT authenticated
                 at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:230)
                 at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:66)
                 at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:744)
                 at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:302)
                 at org.jboss.mq.il.uil2.ServerSocketManagerHandler.handleMsg(ServerSocketManagerHandler.java:220)
                 at org.jboss.mq.il.uil2.SocketManager$ReadTask.handleMsg(SocketManager.java:396)
                 at org.jboss.mq.il.uil2.msgs.BaseMsg.run(BaseMsg.java:392)
                 at EDU.oswego.cs.dl.util.concurrent.PooledExecutor$Worker.run(PooledExecutor.java:743)
                 at java.lang.Thread.run(Thread.java:595)
                

                Setting breakpoints and stepping through code, it's trying to use the jbossmq security-domain, which isn't the one I want it to use.


                • 5. Re: Is there a way to prevent JBossMQ from using the jbossmq
                  jaikiran pai Master

                   

                  notice that it doesn't just depend on the custom SecurityManager--it actually specifies that it uses it


                  You are right.

                  Unfortunately this does not appear to work


                  I suggest, you enable TRACE level logging of jboss security and post the logs here. Here's how you can enable the TRACE logging:

                  Have a look at Q4: How do i debug security layer at:

                  http://wiki.jboss.org/wiki/Wiki.jsp?page=SecurityFAQ



                  • 6. Re: Is there a way to prevent JBossMQ from using the jbossmq
                    drpizza Newbie

                    I don't see anything particularly useful from doing that, although to be honest I get swamped in data, so I may be missing something.

                    • 7. Re: Is there a way to prevent JBossMQ from using the jbossmq
                      Jay Glass Novice

                      I am also having some issues with JBoss Collaboration server MQ's. I am trying to "lock down" the queues, and context but am a little lost.

                      I am using the user roles properties file

                      It has two users

                      there roles are listed as such...
                      user1=calendaruser,adminuser
                      user2=calendaruser,adminuser

                      and they have the reqd password/user file

                      so now I see I can change this...

                      <mbean code="org.jboss.mq.server.jmx.Queue"
                       name="jboss.mq.destination:service=Queue,name=testQueue">
                       <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
                       <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
                       <attribute name="MessageCounterHistoryDayLimit">-1</attribute>
                       <attribute name="SecurityConf">
                       <security>
                       <!-- <role name="guest" read="true" write="true"/> -->
                       <role name="publisher" read="true" write="true" create="false"/>
                       <role name="noacc" read="false" write="false" create="false"/>
                       <!-- <role name="user2" read="true" write="false" create="false"/> -->
                       <!-- <role name="user1" read="true" write="false" create="false"/> -->
                       </security>
                       </attribute>
                       </mbean>


                      I got rid of guest, which I imagine is almost as bad as the "guest" user account in Windows XP.

                      From what I interpret, whomever publishes the messages to the queue, can do whatever they want, someone that "noacc" (?no account?) can do nothing whatsoever, so how do I add access say to user1 or user2 as mentioned earlier?

                      I tried the above, dont laugh, but didnt work...Any insight would be greatly appreciated, I just would like to ensure that users have to auth if visiting the queues or context.

                      i'm trying roles of "acc", "username", etc but nothing is working, and trying to google "Jboss roles", didnt come up with much

                      And I see, as well as you stated, that in "jbossmsq-service.xml" i could change
                      <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
                       <attribute name="DefaultSecurityConfig">
                       <security>
                       <role name="guest" read="true" write="true" create="true"/>
                       </security>
                       </attribute>
                       <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
                       <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
                       </mbean>


                      would this mean, that no one could browse, search, etc the actual context itself? This would be very nice. Is the means of locking down this also the same as locking down a queue?

                      Any insight is extremely appreciated


                      • 9. Re: Is there a way to prevent JBossMQ from using the jbossmq
                        drpizza Newbie

                        I would still like input to help with my query, as I have no idea.