[jboss-user] [Messaging, JMS & JBossMQ] - Re: cant control security in a jms queue
"anderslinden" wrote : Hello!
|
| How do I setup this user database?
See if http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfigJBossMQDB helps. Once you have
successfully done that, you can specify security restrictions on the Queue as follows
(just an example):
<mbean code="org.jboss.mq.server.jmx.Queue"
| name="jboss.mq.destination:service=Queue,name=testQueue">
| <depends
optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
| <depends
optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
|
| <attribute name="SecurityConf">
| <security>
| <role name="guest" read="true"
write="true"/>
| <role name="publisher" read="true"
write="true" create="false"/>
| <role name="noacc" read="false" write="false"
create="false"/>
| </security>
| </attribute>
| </mbean>
The above configuration can be done in "jbossmq-destinations-service.xml" file
present in server/< serverName>/deploy/jms folder. The name of the queue in this
example is "testQueue", change it to the name of your queue.
As you can see, the above configuration uses a SecurityManager
(=jboss.mq:service=SecurityManager) which is configured in the jbossmq-service.xml file
present in server/< serverName>/deploy/jms folder. The SecurityManager config in
that jbossmq-service.xml mentions the following:
<mbean code="org.jboss.mq.security.SecurityManager"
name="jboss.mq:service=SecurityManager">
| <attribute name="DefaultSecurityConfig">
| <security>
| <role name="guest" read="true" write="true"
create="true"/>
| </security>
| </attribute>
| <attribute
name="SecurityDomain">java:/jaas/jbossmq</attribute>
| <depends
optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
| </mbean>
As can be seen, this configuration uses the java:/jaas/jbossmq security domain to do the
authentication. The login module is configured in login-config.xml file in server/<
serverName>/conf folder (search for jbossmq in that file). All you have to do is
configure that application policy to use your login module (similar to what's been
mentioned in the link, above).
anonymous wrote : I have tried to manipulate these files:
| jboss/server/default/deploy/jms/jbossmq-destinations-service.xml
| jboss/server/default/data/hypersonic/localDB.script
| jboss/server/all/deploy-hasingleton/jms/jbossmq-service.xml
| jboss/server/all/deploy-hasingleton/jms/jbossmq-destinations-service.xml
| jboss/server/all/deploy-hasingleton/jms/hsqldb-jdbc-state-service.xml
|
Which server are you using, is it "default" or "all". Depending on
that, you either have to change files in "default" or "all", but not
both.
anonymous wrote :
| Actually, I would like to have a security model thats not password based, but based on
which ip thats connected to the jms queue. I would like to setup a solution where only
connections from localhost can write to the queue, in other words the server. Is that
possible?
Once you get the security configurations done as mentioned above (and get working it with
users stored in DB), this step should be simple enough. Just a change to the
login-config.xml file to use a different login module instead of DB login module. As far
as creating a login module for checking the IP address is concerned, i believe there was
one, but was deprecated in recent releases of JBoss.
P.S: I havent tried anything of these. This is just based on the documents i could find,
so you are sure to run into some issues, in which case just post it in the forums here.
Maybe someone will be able to help.
View the original post :
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4087756#...
Reply to the post :
http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&a...