[jboss-user] [Messaging, JMS & JBossMQ] - Re: cant control security in a jms queue

jaikiran do-not-reply at jboss.com
Mon Sep 24 04:03:49 EDT 2007


"anderslinden" wrote : Hello!
  | 
  | How do I set up this user database? 

See if http://wiki.jboss.org/wiki/Wiki.jsp?page=ConfigJBossMQDB helps. Once you have successfully done that, you can specify security restrictions on the Queue as follows (just an example):

<mbean code="org.jboss.mq.server.jmx.Queue"
       name="jboss.mq.destination:service=Queue,name=testQueue">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>

  <attribute name="SecurityConf">
    <security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="noacc" read="false" write="false" create="false"/>
    </security>
  </attribute>
</mbean>

The above configuration can be done in the "jbossmq-destinations-service.xml" file present in the server/<serverName>/deploy/jms folder. The name of the queue in this example is "testQueue"; change it to the name of your queue. 

As you can see, the above configuration uses a SecurityManager (=jboss.mq:service=SecurityManager) which is configured in the jbossmq-service.xml file present in the server/<serverName>/deploy/jms folder. The SecurityManager config in that jbossmq-service.xml mentions the following:

<mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
  <attribute name="DefaultSecurityConfig">
    <security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>
  </attribute>
  <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
  <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
</mbean>

As can be seen, this configuration uses the java:/jaas/jbossmq security domain to do the authentication. The login module is configured in the login-config.xml file in the server/<serverName>/conf folder (search for jbossmq in that file). All you have to do is configure that application policy to use your login module (similar to what's been mentioned in the link above). 


anonymous wrote : I have tried to manipulate these files:
  | jboss/server/default/deploy/jms/jbossmq-destinations-service.xml
  | jboss/server/default/data/hypersonic/localDB.script
  | jboss/server/all/deploy-hasingleton/jms/jbossmq-service.xml
  | jboss/server/all/deploy-hasingleton/jms/jbossmq-destinations-service.xml
  | jboss/server/all/deploy-hasingleton/jms/hsqldb-jdbc-state-service.xml
  | 

Which server are you using, is it "default" or "all"? Depending on that, you either have to change files in "default" or "all", but not both.

anonymous wrote : 
  | Actually, I would like to have a security model that's not password based, but based on which IP is connected to the jms queue. I would like to set up a solution where only connections from localhost can write to the queue, in other words the server. Is that possible?

Once you get the security configurations done as mentioned above (and get it working with users stored in DB), this step should be simple enough. Just a change to the login-config.xml file to use a different login module instead of the DB login module. As far as creating a login module for checking the IP address is concerned, I believe there was one, but it was deprecated in recent releases of JBoss.

P.S: I haven't tried any of these. This is just based on the documents I could find, so you are sure to run into some issues, in which case just post it in the forums here. Maybe someone will be able to help.



View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4087756#4087756
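
An added example, not part of the original post or of JBoss: a small audit that reads the two mbean definitions shown above and reports which permissions a given role effectively holds on each destination. It assumes that a destination without its own SecurityConf falls back to the SecurityManager's DefaultSecurityConfig and that an omitted read/write/create flag counts as false; the sample XML is constructed, merges both files into one document, and adds a hypothetical "openQueue".

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two mbeans from the post merged into one document,
# plus a hypothetical queue ("openQueue") that has no SecurityConf of its own.
SAMPLE = """<server>
  <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
    <attribute name="DefaultSecurityConfig"><security>
      <role name="guest" read="true" write="true" create="true"/>
    </security></attribute>
  </mbean>
  <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=testQueue">
    <attribute name="SecurityConf"><security>
      <role name="guest" read="true" write="true"/>
      <role name="publisher" read="true" write="true" create="false"/>
      <role name="noacc" read="false" write="false" create="false"/>
    </security></attribute>
  </mbean>
  <mbean code="org.jboss.mq.server.jmx.Queue" name="jboss.mq.destination:service=Queue,name=openQueue"/>
</server>"""

PERMS = ("read", "write", "create")

def roles(mbean, attr_name):
    """Return {role: {perm: bool}} from the named <attribute>, or None if absent."""
    for attr in mbean.findall("attribute"):
        if attr.get("name") == attr_name:
            # Assumption: an omitted read/write/create flag counts as false.
            return {r.get("name"): {p: r.get(p, "false").lower() == "true" for p in PERMS}
                    for r in attr.iter("role")}
    return None

def audit(xml_text, flagged_role="guest"):
    """Map each destination name to the permissions flagged_role effectively holds."""
    root = ET.fromstring(xml_text)
    default, result = {}, {}
    for m in root.iter("mbean"):
        if m.get("code") == "org.jboss.mq.security.SecurityManager":
            default = roles(m, "DefaultSecurityConfig") or {}
    for m in root.iter("mbean"):
        if m.get("code") in ("org.jboss.mq.server.jmx.Queue", "org.jboss.mq.server.jmx.Topic"):
            conf = roles(m, "SecurityConf")
            effective = default if conf is None else conf  # fallback is an assumption
            granted = effective.get(flagged_role, {})
            result[m.get("name").split("name=")[-1]] = sorted(p for p in PERMS if granted.get(p))
    return result

if __name__ == "__main__":
    for dest, perms in audit(SAMPLE).items():
        print(dest, "guest:", perms or "none")
```

On the sample, testQueue grants guest read and write, while openQueue inherits read, write and create from the default, which is the case to look for when a queue is meant to be restricted.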
