[jboss-cvs] JBoss Messaging SVN: r6629 - in trunk/examples/jms/security: server0 and 1 other directories.
jboss-cvs-commits at lists.jboss.org
Thu Apr 30 04:41:49 EDT 2009
Author: gaohoward
Date: 2009-04-30 04:41:49 -0400 (Thu, 30 Apr 2009)
New Revision: 6629
Modified:
trunk/examples/jms/security/readme.html
trunk/examples/jms/security/server0/jbm-queues.xml
trunk/examples/jms/security/src/org/jboss/jms/example/SecurityExample.java
Log:
finalize readme and minor code/config changes for security example.
Modified: trunk/examples/jms/security/readme.html
===================================================================
--- trunk/examples/jms/security/readme.html 2009-04-30 05:19:43 UTC (rev 6628)
+++ trunk/examples/jms/security/readme.html 2009-04-30 08:41:49 UTC (rev 6629)
@@ -26,29 +26,32 @@
<pre>
<code>
- <user name="bill" password="jbossmessaging">
- <role name="user"/>
- </user>
-
- <user name="andrew" password="jbossmessaging1">
- <role name="europe-user"/>
- </user>
-
- <user name="frank" password="jbossmessaging2">
- <role name="us-user"/>
- <role name="news-user"/>
- </user>
-
- <user name="sam" password="jbossmessaging3">
- <role name="news-user"/>
- </user>
+ <user name="bill" password="jbossmessaging">
+ <role name="user"/>
+ </user>
+
+ <user name="andrew" password="jbossmessaging1">
+ <role name="europe-user"/>
+ <role name="user"/>
+ </user>
+
+ <user name="frank" password="jbossmessaging2">
+ <role name="us-user"/>
+ <role name="news-user"/>
+ <role name="user"/>
+ </user>
+
+ <user name="sam" password="jbossmessaging3">
+ <role name="news-user"/>
+ <role name="user"/>
+ </user>
</code>
</pre>
<p>
Each user has three properties available: user name, password, and roles it belongs to. It should be noticed that
- a user can belong to more than one roles. In the above configuration, user 'bill' belongs to role 'user', user 'andrew'
- belongs to role 'europe-user', user 'frank' belongs to 'us-user' and 'news-user', and user 'sam' belongs to 'news-user'.
+ a user can belong to more than one roles. In the above configuration, all users belong to role 'user'. User 'andrew' also
+ belongs to role 'europe-user', user 'frank' also belongs to 'us-user' and 'news-user', and user 'sam' also belongs to 'news-user'.
</p>
<p>
User name and password consists of a valid account that can be used to establish connections to a JBoss Messaging server, while
@@ -56,38 +59,33 @@
configuring proper permissions in <code>jbm-queues.xml</code>, like in the following
</p>
<pre><code>
- <!-- any user can have full control of generic topics -->
- <security match="jms.topic.#">
- <permission type="createDurableQueue" roles="#"/>
- <permission type="deleteDurableQueue" roles="#"/>
- <permission type="createTempQueue" roles="#"/>
- <permission type="deleteTempQueue" roles="#"/>
- <permission type="consume" roles="#"/>
- <permission type="send" roles="#"/>
- </security>
-
- <!-- only news-user can subscribe to news topic -->
- <security match="jms.topic.news.#">
- <permission type="consume" roles="news-user"/>
- </security>
-
- <!-- only europe-user can create/delete any news.europe topics and pulish news to it. -->
- <security match="jms.topic.news.europe.#">
- <permission type="createDurableQueue" roles="europe-user"/>
- <permission type="deleteDurableQueue" roles="europe-user"/>
- <permission type="createTempQueue" roles="europe-user"/>
- <permission type="deleteTempQueue" roles="europe-user"/>
- <permission type="send" roles="europe-user"/>
- </security>
-
- <!-- only us-user can create/delete any news.us topics and pulish news to it. -->
- <security match="jms.topic.news.us.#">
- <permission type="createDurableQueue" roles="us-user"/>
- <permission type="deleteDurableQueue" roles="us-user"/>
- <permission type="createTempQueue" roles="us-user"/>
- <permission type="deleteTempQueue" roles="us-user"/>
- <permission type="send" roles="us-user"/>
- </security>
+ <!-- any user can have full control of generic topics -->
+ <security match="jms.topic.#">
+ <permission type="createDurableQueue" roles="user"/>
+ <permission type="deleteDurableQueue" roles="user"/>
+ <permission type="createTempQueue" roles="user"/>
+ <permission type="deleteTempQueue" roles="user"/>
+ <permission type="send" roles="user"/>
+ <permission type="consume" roles="user"/>
+ </security>
+
+ <security match="jms.topic.news.europe.#">
+ <permission type="createDurableQueue" roles="user"/>
+ <permission type="deleteDurableQueue" roles="user"/>
+ <permission type="createTempQueue" roles="user"/>
+ <permission type="deleteTempQueue" roles="user"/>
+ <permission type="send" roles="europe-user"/>
+ <permission type="consume" roles="news-user"/>
+ </security>
+
+ <security match="jms.topic.news.us.#">
+ <permission type="createDurableQueue" roles="user"/>
+ <permission type="deleteDurableQueue" roles="user"/>
+ <permission type="createTempQueue" roles="user"/>
+ <permission type="deleteTempQueue" roles="user"/>
+ <permission type="send" roles="us-user"/>
+ <permission type="consume" roles="news-user"/>
+ </security>
</code></pre>
<p>Permissions can be defined on any group of queues, by using a wildcard. You can easily specify
@@ -98,12 +96,12 @@
over specific topics. By the above we define the following access rules:</p>
<li>Only role 'us-user' can create/delete and pulish messages to topics whose names match wild-card pattern 'news.us.#'.</li>
- <li>Only role 'europe-user' can create/delete and publish messages to topics whose names match wild-card pattern 'news.europe'.</li>
- <li>Only role 'news-user' can subscribe messages to topics whose names match wild-card pattern 'news.#'. These enables users of 'news-user' can subscribe both news.us and news.europe topics.</li>
- <li>For any other topics that don't match any of the above wild-card patterns, all permissions are granted to any users.</li>
+ <li>Only role 'europe-user' can create/delete and publish messages to topics whose names match wild-card pattern 'news.europe.#'.</li>
+ <li>Only role 'news-user' can subscribe messages to topics whose names match wild-card pattern 'news.us.#' and 'news.europe.#'.</li>
+ <li>For any other topics that don't match any of the above wild-card patterns, permissions are granted to users of role 'user'.</li>
- <p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches 'jms.topic.news.#' and
- jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.#' as well as 'jms.topic.news.us.#'.</p>
+ <p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches
+ jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.us.#'.</p>
<p>With JBoss Messaging, the security manager is also configurable. You can use JAASSecurityManager or JBossASSecurityManager based on you need. Please
check out the jbm-standalone-beans.xml for how to do. In this example we just use the basic JBMSecurityManagerImpl which reads users/roles/passwords from the xml
@@ -116,153 +114,187 @@
<ol>
<li>First we need to get an initial context so we can look-up the JMS connection factory and destination objects from JNDI. This initial context will get it's properties from the <code>client-jndi.properties</code> file in the directory <code>../common/config</code></li>
<pre>
- <code>InitialContext initialContext = getContext(0);</code>
+ <code>
+ InitialContext initialContext = getContext(0);
+ </code>
</pre>
- <li>We look-up the JMS topic object from JNDI</li>
+ <li>We perform lookup on the topics</li>
<pre>
- <code>Topic topic = (Topic) initialContext.lookup("/topic/exampleTopic");</code>
+ <code>
+ Topic genericTopic = (Topic) initialContext.lookup("/topic/genericTopic");
+ Topic europeTopic = (Topic) initialContext.lookup("/topic/europeTopic");
+ Topic usTopic = (Topic) initialContext.lookup("/topic/usTopic");
+ </code>
</pre>
- <li>We look-up the JMS connection factory object from JNDI</li>
+ <li>We perform a lookup on the Connection Factory</li>
<pre>
- <code>ConnectionFactory cf = (ConnectionFactory) initialContext.lookup("/ConnectionFactory");</code>
+ <code>
+ ConnectionFactory cf = (ConnectionFactory) initialContext.lookup("/ConnectionFactory");
+ </code>
</pre>
<li>We try to create a JMS Connection without user/password. It will fail.</li>
<pre>
<code>
- try
- {
- connection1 = cf.createConnection();
- result = false;
- }
- catch (JMSSecurityException e)
- {
- System.out.println("Error creating connection, detail: " + e.getMessage());
- }
+ try
+ {
+ cf.createConnection();
+ result = false;
+ }
+ catch (JMSSecurityException e)
+ {
+ System.out.println("Default user cannot get a connection. Details: " + e.getMessage());
+ }
</code>
</pre>
- <li>We create a Connection using wrong password, it will fail again.</li>
+ <li>Bill tries to make a connection using wrong password</li>
<pre>
<code>
- try
- {
- connection1 = cf.createConnection("jbm-sender", "wrong-password");
- result = false;
- }
- catch (JMSSecurityException e)
- {
- System.out.println("Error creating connection, detail: " + e.getMessage());
- }
+ billConnection = null;
+ try
+ {
+ billConnection = createConnection("bill", "jbossmessaging1", cf);
+ result = false;
+ }
+ catch (JMSException e)
+ {
+ System.out.println("User bill failed to connect. Details: " + e.getMessage());
+ }
</code>
</pre>
- <li>We now create two connections with correct credentials. connection1 is used for sending, and connection2 receiving.</li>
+ <li>Bill makes a good connection.</li>
<pre>
<code>
- connection1 = cf.createConnection("jbm-sender", "jbossmessaging1");
- connection2 = cf.createConnection("jbm-consumer", "jbossmessaging2");
+ billConnection = createConnection("bill", "jbossmessaging", cf);
+ billConnection.start();
</code>
</pre>
- <li>We create 2 JMS Sessions.</li>
+ <li>Andrew makes a good connection</li>
<pre>
<code>
- Session session1 = connection1.createSession(false, Session.AUTO_ACKNOWLEDGE);
- Session session2 = connection2.createSession(false, Session.AUTO_ACKNOWLEDGE);
+ andrewConnection = createConnection("andrew", "jbossmessaging1", cf);
+ andrewConnection.start();
</code>
</pre>
- <li>We create 2 Message Producers, where producer2 has no right to send.</li>
+ <li>Frank makes a good connection</li>
<pre>
- <code>
- MessageProducer producer1 = session1.createProducer(topic);
- MessageProducer producer2 = session2.createProducer(topic);
- </code>
+ <code>
+ frankConnection = createConnection("frank", "jbossmessaging2", cf);
+ frankConnection.start();
+ </code>
</pre>
- <li>We create 2 JMS Message Consumers.</li>
+ <li>Sam makes a good connection</li>
<pre>
<code>
- MessageConsumer messageConsumer1 = session2.createConsumer(topic);
- MessageConsumer messageConsumer2 = session2.createConsumer(topic);
+ samConnection = createConnection("sam", "jbossmessaging3", cf);
+ samConnection.start();
</code>
</pre>
- <li>We start the connections</li>
+ <li>We check every user can publish/subscribe genericTopics</li>
<pre>
<code>
- connection1.start();
- connection2.start();
+ checkUserSendAndReceive(genericTopic, billConnection, "bill");
+ checkUserSendAndReceive(genericTopic, andrewConnection, "andrew");
+ checkUserSendAndReceive(genericTopic, frankConnection, "frank");
+ checkUserSendAndReceive(genericTopic, samConnection, "sam");
</code>
</pre>
- <li>We create a Text Message</li>
+ <li>We check permissions on news.europe.europeTopic for bill: can't send and can't receive</li>
<pre>
- <code>TextMessage message = session1.createTextMessage("This is a text message");</code>
+ <code>
+ checkUserNoSendNoReceive(europeTopic, billConnection, "bill", andrewConnection, frankConnection);
+ </code>
</pre>
- <li>We send the message by producer2</li>
+ <li>We check permissions on news.europe.europeTopic for andrew: can send but can't receive</li>
<pre>
<code>
- producer2.send(message);
- System.out.println("Producer2 sent message: " + message.getText());
+ checkUserSendNoReceive(europeTopic, andrewConnection, "andrew", frankConnection);
</code>
</pre>
- <li>We check no messages are received by either consumer.</li>
+ <li>We check permissions on news.europe.europeTopic for frank: can't send but can receive</li>
<pre>
<code>
- TextMessage messageReceived1 = (TextMessage) messageConsumer1.receive(2000);
- TextMessage messageReceived2 = (TextMessage) messageConsumer2.receive(2000);
- if (messageReceived1 != null)
- {
- System.out.println("Message received! " + messageReceived1.getText());
- result = false;
- }
- if (messageReceived2 != null)
- {
- System.out.println("Message received! " + messageReceived2.getText());
- result = false;
- }
+ checkUserReceiveNoSend(europeTopic, frankConnection, "frank", andrewConnection);
</code>
</pre>
- <li>We send the message by producer1.</li>
+ <li>We check permissions on news.europe.europeTopic for sam: can't send but can receive</li>
<pre>
- <code>producer1.send(message);</code>
+ <code>
+ checkUserReceiveNoSend(europeTopic, samConnection, "sam", andrewConnection);
+ </code>
</pre>
- <li>We receive the message.</li>
+ <li>We check permissions on news.us.usTopic for bill: can't send and can't receive</li>
<pre>
<code>
- messageReceived1 = (TextMessage) messageConsumer1.receive(1000);
- messageReceived2 = (TextMessage) messageConsumer2.receive(1000);
- System.out.println("Consumer 1 Received message: " + messageReceived1.getText());
- System.out.println("Consumer 2 Received message: " + messageReceived2.getText());
+ checkUserNoSendNoReceive(usTopic, billConnection, "bill");
</code>
</pre>
+
+ <li>We check permissions on news.us.usTopic for andrew: can't send and can't receive</li>
+ <pre>
+ <code>
+ checkUserNoSendNoReceive(usTopic, andrewConnection, "andrew");
+ </code>
+ </pre>
+
+ <li>We check permissions on news.us.usTopic for frank: can both send and receive</li>
+ <pre>
+ <code>
+ checkUserSendAndReceive(usTopic, frankConnection, "frank");
+ </code>
+ </pre>
+
+ <li>We check permissions on news.us.usTopic for sam: can't send but can receive</li>
+ <pre>
+ <code>
+ checkUserReceiveNoSend(usTopic, samConnection, "sam", frankConnection);
+ </code>
+ </pre>
<li>And finally, <b>always</b> remember to close your JMS connections and resources after use, in a <code>finally</code> block. Closing a JMS connection will automatically close all of its sessions, consumers, producer and browser objects</li>
<pre>
- <code>finally
+ <code>
+ finally
{
- if (initialContext != null)
+ if (billConnection != null)
{
- initialContext.close();
+ billConnection.close();
}
- if (connection != null)
+ if (andrewConnection != null)
{
- connection.close();
+ andrewConnection.close();
}
- }</code>
+ if (frankConnection != null)
+ {
+ frankConnection.close();
+ }
+ if (samConnection != null)
+ {
+ samConnection.close();
+ }
+
+ // Also the initialContext
+ if (initialContext != null)
+ {
+ initialContext.close();
+ }
+ }
+ </code>
</pre>
-
-
-
</ol>
</body>
</html>
\ No newline at end of file
Modified: trunk/examples/jms/security/server0/jbm-queues.xml
===================================================================
--- trunk/examples/jms/security/server0/jbm-queues.xml 2009-04-30 05:19:43 UTC (rev 6628)
+++ trunk/examples/jms/security/server0/jbm-queues.xml 2009-04-30 08:41:49 UTC (rev 6629)
@@ -12,7 +12,6 @@
<permission type="consume" roles="user"/>
</security>
- <!-- only europe-user can create/delete any news.europe topics and pulish news to it. -->
<security match="jms.topic.news.europe.#">
<permission type="createDurableQueue" roles="user"/>
<permission type="deleteDurableQueue" roles="user"/>
@@ -22,7 +21,6 @@
<permission type="consume" roles="news-user"/>
</security>
- <!-- only us-user can create/delete any news.europe topics and pulish news to it. -->
<security match="jms.topic.news.us.#">
<permission type="createDurableQueue" roles="user"/>
<permission type="deleteDurableQueue" roles="user"/>
Modified: trunk/examples/jms/security/src/org/jboss/jms/example/SecurityExample.java
===================================================================
--- trunk/examples/jms/security/src/org/jboss/jms/example/SecurityExample.java 2009-04-30 05:19:43 UTC (rev 6628)
+++ trunk/examples/jms/security/src/org/jboss/jms/example/SecurityExample.java 2009-04-30 08:41:49 UTC (rev 6629)
@@ -117,7 +117,7 @@
System.out.println("------------------------Checking permissions on " + europeTopic + "----------------");
//Step 11. Check permissions on news.europe.europeTopic for bill: can't send and can't receive
- checkUserNoSendNoReceive(europeTopic, billConnection, "bill", andrewConnection, frankConnection);
+ checkUserNoSendNoReceive(europeTopic, billConnection, "bill");
//Step 12. Check permissions on news.europe.europeTopic for andrew: can send but can't receive
checkUserSendNoReceive(europeTopic, andrewConnection, "andrew", frankConnection);
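Review bot: The Step 11 snippet in readme.html, changed in this same commit, still quotes the removed five-argument form `checkUserNoSendNoReceive(europeTopic, billConnection, "bill", andrewConnection, frankConnection);` while the code now calls the three-argument method, so the documented example no longer matches the signature it describes; the snippet should read `checkUserNoSendNoReceive(europeTopic, billConnection, "bill");`. The corresponding Step 15 and 16 snippets in the readme already use the three-argument form, so only the Step 11 line is stale. The enclosing method starts before this hunk and continues past it.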
@@ -132,15 +132,15 @@
System.out.println("------------------------Checking permissions on " + usTopic + "----------------");
//Step 15. Check permissions on news.us.usTopic for bill: can't send and can't receive
- checkUserNoSendNoReceive(usTopic, billConnection, "bill", frankConnection, frankConnection);
+ checkUserNoSendNoReceive(usTopic, billConnection, "bill");
//Step 16. Check permissions on news.us.usTopic for andrew: can't send and can't receive
- checkUserNoSendNoReceive(usTopic, andrewConnection, "andrew", frankConnection, frankConnection);
+ checkUserNoSendNoReceive(usTopic, andrewConnection, "andrew");
//Step 17. Check permissions on news.us.usTopic for frank: can both send and receive
checkUserSendAndReceive(usTopic, frankConnection, "frank");
- //Step 18. Check permissions on news.us.usTopic for same: can't send but can receive
+ //Step 18. Check permissions on news.us.usTopic for sam: can't send but can receive
checkUserReceiveNoSend(usTopic, samConnection, "sam", frankConnection);
System.out.println("-------------------------------------------------------------------------------------");
@@ -220,10 +220,9 @@
{
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageProducer producer = session.createProducer(topic);
- MessageConsumer consumer = null;
try
{
- consumer = session.createConsumer(topic);
+ session.createConsumer(topic);
}
catch (JMSException e)
{
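Review bot: The new `session.createConsumer(topic);` inside the try discards the returned consumer, so on the unexpected path where the broker grants consume permission nothing references the consumer to close it, and the same applies to the identical change in checkUserNoSendNoReceive in the next hunk. The surrounding `catch (JMSException e)` also treats any JMS failure as the expected denial, so a transport or session error would make a permission check pass for the wrong reason; narrowing it to `catch (JMSSecurityException e)`, the type the readme already uses for the connection-level denial, keeps the negative check honest. I cannot see from the hunk whether the success path records the check as failed, as the enclosing method continues past it; if it does not, a `result = false;` there is presumably what the example intends.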
@@ -252,15 +251,14 @@
}
//Check the user has neither send nor receive permission on topic
- private void checkUserNoSendNoReceive(Topic topic, Connection connection, String user, Connection sendingConn, Connection receivingConn) throws JMSException
+ private void checkUserNoSendNoReceive(Topic topic, Connection connection, String user) throws JMSException
{
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
MessageProducer producer = session.createProducer(topic);
- MessageConsumer consumer = null;
try
{
- consumer = session.createConsumer(topic);
+ session.createConsumer(topic);
}
catch (JMSException e)
{