[jboss-user] [JBoss Messaging] - Queue/Topic Security Config
BrentShikoski
do-not-reply at jboss.com
Wed May 30 12:45:36 EDT 2007
Sorry for the large post, but I wanted to provide all the relevant information.
I'm seeing the same problem as detailed in Thread 107745 (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=107745). Basically it doesn't seem like the Security Configuration on the queue/topic level is working properly (or my configuration is wrong). The solution in that thread doesn't seem much like a solution at all.
My configuration looks like:
<server>
  <loader-repository>jboss.messaging:loader=ScopedLoaderRepository
    <loader-repository-config>java2ParentDelegation=false</loader-repository-config>
  </loader-repository>

  <mbean code="org.jboss.jms.server.destination.QueueService"
         name="jboss.messaging.destination:service=Queue,name=NotifyQueue"
         xmbean-dd="xmdesc/Queue-xmbean.xml">
    <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
    <depends>jboss.messaging:service=PostOffice</depends>
    <attribute name="SecurityConfig">
      <security>
        <role name="commonPublisher" read="false" write="true"/>
        <role name="commonSubscriber" read="true" write="true"/>
      </security>
    </attribute>
    <attribute name="MessageCounterHistoryDayLimit">-1</attribute>
    <attribute name="Clustered">true</attribute>
  </mbean>
</server>
The client error I see is:
javax.jms.JMSSecurityException: User: commonuser is not authorized to read from destination NotifyQueue
at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:260)
Here are some interesting bits from the server log:
2007-05-30 10:07:42,536 DEBUG [org.jboss.jms.server.destination.QueueService] Starting jboss.messaging.destination:name=NotifyQueue,service=Queue
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
<security>
  <role name="guest" read="true" write="true"/>
  <role name="commonPublisher" read="false" write="true"/>
  <role name="commonSubscriber" read="true" write="true"/>
</security>
2007-05-30 10:07:42,552 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
....
....
2007-05-30 10:08:11,704 DEBUG [org.jboss.jms.server.security.SecurityMetadataStore] No SecurityMetadadata was available for NotifyQueue, using default security config
2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
....
2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [guest]
2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
  Principal: commonuser
  Principal: Roles(members:commonSubscriber,statPublisher)

2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(guest)=false
2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=false
2007-05-30 10:08:11,719 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is NOT authorized

Notice the line that contains 'No SecurityMetadadata was available for NotifyQueue, using default security config'.
I downloaded the source code to try and figure out what the problem with my configuration was.
I added the following to the log4j.xml file to see if I could see a log statement like 'adding security configuration for queue'.
<category name="org.jboss.jms.server.security.SecurityMetadataStore">
  <priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>

That didn't help. It seemed to me that the queue security configuration was never being registered with the SecurityMetadataStore class.
In the DestinationServiceSupport class I found the following method.
public void setSecurityConfig(Element securityConfig) throws Exception
{
   try
   {
      if (started)
      {
         // push security update to the server
         sm.setSecurityConfig(isQueue(), destination.getName(), securityConfig);
      }

      destination.setSecurityConfig(securityConfig);
   }
   catch (Throwable t)
   {
      ExceptionUtil.handleJMXInvocation(t, this + " setSecurityConfig");
   }
}

It seems to me that this method is called before the queue is started and so the security configuration is never registered with the SecurityManager.
I added the following line to the startService() method in the org.jboss.jms.server.destination.QueueService class, right after the 'started = true;' statement:
serverPeer.getSecurityManager().setSecurityConfig(true, destination.getName(), destination.getSecurityConfig());

I rebuilt the jboss-messaging.jar jar with the change and it seemed to work. This is what I found in the server log after the code change:
2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
<security>
  <role name="guest" read="true" write="true"/>
  <role name="commonPublisher" read="false" write="true"/>
  <role name="commonSubscriber" read="true" write="true"/>
</security>
2007-05-30 10:34:13,976 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] adding security configuration for queue NotifyQueue
2007-05-30 10:34:13,976 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
...
...
2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
...
2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [commonSubscriber, guest]
2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
  Principal: commonuser
  Principal: Roles(members:commonSubscriber,statPublisher)

2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(commonSubscriber)=true
2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=true
2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is authorized

Notice the new line from the SecurityMetadataStore class that wasn't there before ('adding security configuration for queue NotifyQueue').
I can provide more information from my other configuration files if necessary.
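The lifecycle ordering problem described in this post, as an added example that is not JBoss Messaging code and not the poster's patch: a minimal Java model in which the SecurityConfig attribute is injected before the service starts, so the store still holds only the default (guest) config until startService() pushes it. The class and method names (SecurityStore, QueueServiceModel, canRead, pushOnStart) are hypothetical stand-ins for SecurityMetadataStore, DestinationServiceSupport and QueueService.

```java
import java.util.*;

// Added example, not JBoss Messaging code: model of the "config set before
// start" ordering bug. All names below are hypothetical stand-ins.
public class SecurityConfigOrdering {
    // role -> {canRead, canWrite} per destination; an unregistered destination
    // falls back to the default config (guest only), which is what the server's
    // "No SecurityMetadadata was available ... using default" line reports.
    static class SecurityStore {
        private final Map<String, Map<String, boolean[]>> configs = new HashMap<>();
        private final Map<String, boolean[]> defaultConfig =
            Collections.singletonMap("guest", new boolean[] {true, true});
        void setSecurityConfig(String dest, Map<String, boolean[]> cfg) { configs.put(dest, cfg); }
        boolean canRead(String dest, Set<String> userRoles) {
            for (Map.Entry<String, boolean[]> e : configs.getOrDefault(dest, defaultConfig).entrySet())
                if (e.getValue()[0] && userRoles.contains(e.getKey())) return true;
            return false;
        }
    }

    static class QueueServiceModel {
        private final SecurityStore sm; private final String name;
        private boolean started; private Map<String, boolean[]> config;
        QueueServiceModel(SecurityStore sm, String name) { this.sm = sm; this.name = name; }
        // Mirrors the original setter: pushes to the store only if already started,
        // but the MBean deployer sets the attribute before startService() runs.
        void setSecurityConfig(Map<String, boolean[]> cfg) {
            if (started) sm.setSecurityConfig(name, cfg);
            config = cfg;
        }
        // pushOnStart=false is the original startService(); true adds the post's
        // one-line fix: push the stored config right after started = true.
        void startService(boolean pushOnStart) {
            started = true;
            if (pushOnStart && config != null) sm.setSecurityConfig(name, config);
        }
    }

    public static void main(String[] args) {
        Map<String, boolean[]> cfg = new HashMap<>();
        cfg.put("commonPublisher", new boolean[] {false, true});
        cfg.put("commonSubscriber", new boolean[] {true, true});
        Set<String> commonuser = new HashSet<>(Arrays.asList("commonSubscriber", "statPublisher"));
        for (boolean fixed : new boolean[] {false, true}) {
            SecurityStore store = new SecurityStore();
            QueueServiceModel q = new QueueServiceModel(store, "NotifyQueue");
            q.setSecurityConfig(cfg); // attribute injection happens before start
            q.startService(fixed);
            System.out.println((fixed ? "fixed" : "original") + ": commonuser can read = "
                + store.canRead("NotifyQueue", commonuser));
        }
    }
}
```

The unfixed run reproduces the denial from the post (commonuser holds commonSubscriber but is checked against guest only); the fixed run grants read because the destination's own roles are now in the store.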
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4049812#4049812