6 Replies Latest reply on Oct 2, 2007 8:11 AM by Adrian Brock

    cant control security in a jms queue

    Anders Lindén Newbie

      Hello!

      I am running jboss-4.2.1.GA and I have a jms queue which I want clients to listen at and the server to send to. The clients uses flex and the server java (of course). I have managed to do all this without any security constraints so both clients and the server are able to read and write to and from the jms queue.

      I have tried to manipulate these files:
      jboss/server/default/deploy/jms/jbossmq-destinations-service.xml
      jboss/server/default/data/hypersonic/localDB.script
      jboss/server/all/deploy-hasingleton/jms/jbossmq-service.xml
      jboss/server/all/deploy-hasingleton/jms/jbossmq-destinations-service.xml
      jboss/server/all/deploy-hasingleton/jms/hsqldb-jdbc-state-service.xml

      without getting anywhere, either everyone is able to both read and write or noone is able to read/write.

      How do I setup this user database? I have tried to find anything about it, but without luck.

      Actually, I would like to have a security model thats not password based, but based on which ip thats connected to the jms queue. I would like to setup a solution where only connections from localhost can write to the queue, in other words the server. Is that possible?

        • 1. Re: cant control security in a jms queue
          Tim Fox Master

          Moving to JBoss MQ forum

          • 2. Re: cant control security in a jms queue
            Adrian Brock Master

            And ignored here because the question is unanwserable.
            "I have tried to find anything about it, but without luck."
            RTFM? perhaps.

            • 3. Re: cant control security in a jms queue
              Anders Lindén Newbie

              Adrian, I wouldnt make postings here if I thought the manual was useful. Posting in this forum was an act of desperation. Its obvious that it was in desperation if you only think about it. I mean, this forums are the forums in where the questions/answers ratio are the highest I have ever seen. Just face it, people are only here for asking, not answering. And why is that? Its because useful information about java on the server side is so hard to get. And just face it, information about java on the serverside is so buzzword driven that it hard to extract useful information about it. This forums are plain useless and should not be able to exist. People in this forums can place a question which is not answered within a year or so.
              Example:
              http://www.jboss.com/index.html?module=bb&op=viewtopic&t=96413

              adrian, you begged for it

              • 4. Re: cant control security in a jms queue
                jaikiran pai Master

                 

                "anderslinden" wrote:
                Hello!

                How do I setup this user database?


                See if http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfigJBossMQDB helps. Once you have successfully done that, you can specify security restrictions on the Queue as follows (just an example):

                <mbean code="org.jboss.mq.server.jmx.Queue"
                 name="jboss.mq.destination:service=Queue,name=testQueue">
                 <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
                 <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
                
                 <attribute name="SecurityConf">
                 <security>
                 <role name="guest" read="true" write="true"/>
                 <role name="publisher" read="true" write="true" create="false"/>
                 <role name="noacc" read="false" write="false" create="false"/>
                 </security>
                 </attribute>
                 </mbean>


                The above configuration can be done in "jbossmq-destinations-service.xml" file present in server/< serverName>/deploy/jms folder. The name of the queue in this example is "testQueue", change it to the name of your queue.

                As you can see, the above configuration uses a SecurityManager (=jboss.mq:service=SecurityManager) which is configured in the jbossmq-service.xml file present in server/< serverName>/deploy/jms folder. The SecurityManager config in that jbossmq-service.xml mentions the following:

                <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
                 <attribute name="DefaultSecurityConfig">
                 <security>
                 <role name="guest" read="true" write="true" create="true"/>
                 </security>
                 </attribute>
                 <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
                 <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
                 </mbean>


                As can be seen, this configuration uses the java:/jaas/jbossmq security domain to do the authentication. The login module is configured in login-config.xml file in server/< serverName>/conf folder (search for jbossmq in that file). All you have to do is configure that application policy to use your login module (similar to what's been mentioned in the link, above).


                I have tried to manipulate these files:
                jboss/server/default/deploy/jms/jbossmq-destinations-service.xml
                jboss/server/default/data/hypersonic/localDB.script
                jboss/server/all/deploy-hasingleton/jms/jbossmq-service.xml
                jboss/server/all/deploy-hasingleton/jms/jbossmq-destinations-service.xml
                jboss/server/all/deploy-hasingleton/jms/hsqldb-jdbc-state-service.xml


                Which server are you using, is it "default" or "all". Depending on that, you either have to change files in "default" or "all", but not both.


                Actually, I would like to have a security model thats not password based, but based on which ip thats connected to the jms queue. I would like to setup a solution where only connections from localhost can write to the queue, in other words the server. Is that possible?


                Once you get the security configurations done as mentioned above (and get working it with users stored in DB), this step should be simple enough. Just a change to the login-config.xml file to use a different login module instead of DB login module. As far as creating a login module for checking the IP address is concerned, i believe there was one, but was deprecated in recent releases of JBoss.

                P.S: I havent tried anything of these. This is just based on the documents i could find, so you are sure to run into some issues, in which case just post it in the forums here. Maybe someone will be able to help.



                • 5. Re: cant control security in a jms queue
                  Adrian Brock Master

                   

                  "anderslinden" wrote:
                  Adrian, I wouldnt make postings here if I thought the manual was useful.


                  So explain what your problem is, "IT DOES NOT WORK" is not a problem
                  its just an incompetent question.

                  Or better yet, explain which part you read and why it is not useful.

                  -- snipped rest of useless rant --

                  NOTE: You couldn't even post the original question in the correct forum
                  so I doubt you have any ability in reading documentation.


                  People in this forums can place a question which is not answered within a year or so.
                  Example:
                  http://www.jboss.com/index.html?module=bb&op=viewtopic&t=96413

                  adrian, you begged for it


                  Why post a link to a problem that is less than one day old (and answered in the spec :-)
                  to make your point?

                  SUMMARY: Make a real effort on your question and you'll get a real answer.

                  • 6. Re: cant control security in a jms queue
                    Adrian Brock Master

                     

                    "jaikiran" wrote:

                    P.S: I havent tried anything of these. This is just based on the documents i could find, so you are sure to run into some issues, in which case just post it in the forums here. Maybe someone will be able to help.


                    Nice try, but guessing what the problem is (we don't know from his post)
                    and repeating documentation (the one thing we do know is that he thinks the docs
                    are uesless!) is pointless.

                    Guessing usually leads people in the wrong direction and confuses other users
                    that read the thread later.

                    Let him learn to ask questions that are anwerable. It's better for him in the long run.