[jboss-user] [JBoss Messaging] - Securing JBoss Messaging and EJB3

Alexander Hartner do-not-reply at jboss.com
Thu Jul 22 08:07:58 EDT 2010


Alexander Hartner [http://community.jboss.org/people/ejb3workshop] created the discussion

"Securing JBoss Messaging and EJB3"

To view the discussion, visit: http://community.jboss.org/message/553934#553934

--------------------------------------------------------------
I would like to ensure all access to any JMS destination is authenticated so I disabled the guest account in messaging-service.xml
> 
>       <attribute name="DefaultSecurityConfig">
> 
>         <security>
> 
>             <role name="jmsuser" read="true" write="true" create="true"/>
> 
>         </security>
> 
>       </attribute>
I then added a new users to messaging-roles.properties and messaging-users.properties. 

Now my problem is how can I get my application to access the queues. I am using EJB3 annotations as well as dependency injection for the connection factory and destinations. I was hoping to link the entire application to an application-policy specified in login-config.xml using something like this, in a similar way passwords are set on datasources:

>     <application-policy name="EncryptJMSPassword">
>         <authentication>
>             <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
>                 <module-option name="username"> jmsuser </module-option>
>                 <module-option name="password">XXXXXXXXXXXXXXXXXXXXXXXXX</module-option>
>             </login-module>
>         </authentication>
>     </application-policy>
and then to specify the policyname in either jboss.xml or jboss-app.xml. However I haven't found a way of doing this. I did get the application deployed using :
> *            <activation-config>*
> 
> 
> *               
> <activation-config-property>*
> 
> 
> *                   
> <activation-config-property-name>user</activation-config-property-name>*
> 
> 
> *                   
> <activation-config-property-value> jmsuser </activation-config-property-value>*
> 
> 
> *               
> </activation-config-property>*
> 
> 
> *               
> <activation-config-property>*
> 
> 
> *                   
> <activation-config-property-name>password</activation-config-property-name>*
> 
> 
> *                   
> <activation-config-property-value>jmspassword</activation-config-property-value>*
> 
> 
> *               
> </activation-config-property>*
> 
> 
> *           
> </activation-config>*
in ejb-jar.xml, however this only addresses the reading of messages from a queue, I believe. It also has to be done on each bean which is not ideal and not very flexible as the password is hard coded inside the ear. 

Are there any more elegant options of granting one application unrestricted access to any JMS resources. 

Without specifying these I am getting the following error message during startup:
> javax.jms.JMSSecurityException: User: null is not authorized to read from destination TransactionJobs
>         at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:312)
>         at org.jboss.jms.server.container.SecurityAspect.handleCreateConsumerDelegate(SecurityAspect.java:112)
as well as:
> 20:04:43,097 FATAL [ConfigurationMonitor] Authentication failure
> javax.ejb.EJBAccessException: Authentication failure
>         at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.handleGeneralSecurityException(Ejb3AuthenticationInterceptor.java:68)
>         at org.jboss.aspects.security.AuthenticationInterceptor.invoke(AuthenticationInterceptor.java:70)
>         at org.jboss.ejb3.security.Ejb3AuthenticationInterceptor.invoke(Ejb3AuthenticationInterceptor.java:110)

--------------------------------------------------------------

Reply to this message by going to Community
[http://community.jboss.org/message/553934#553934]

Start a new discussion in JBoss Messaging at Community
[http://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2042]

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/jboss-user/attachments/20100722/f84520ef/attachment-0001.html 


More information about the jboss-user mailing list