    JBossMQ Security Configuration

    To configure security on JBoss MQ there are a few steps you need to take. These involve the following:

    • Identify a security domain to use for messaging.

    • Configure your MDBs to use security credentials when reading from the message queues / topics.

    • Use the authenticated connection methods when connecting to the messaging service from your clients.

    • Configure security on the topics and queues.

    Identify a security domain

     

    Security domains are configured in the conf/login-config.xml file. The sample file that comes with the distribution is pretty well commented with examples. By default there is a security domain configured with the name "jbossmq".

     

    To tell JBoss MQ which security domain to use when checking credentials, edit the file deploy/jms/jbossmq-service.xml. In this file you will have an entry that looks something like this:

     

    <mbean code="org.jboss.mq.security.SecurityManager" name="jboss.mq:service=SecurityManager">
      <attribute name="DefaultSecurityConfig">
        <security>
          <role name="guest" read="true" write="true" create="true"></role>
        </security>
      </attribute>
      <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>
      <depends optional-attribute-name="NextInterceptor">jboss.mq:service=DestinationManager</depends>
    </mbean>

    To change the security domain in use, change the attribute named "SecurityDomain".

    Notice the DefaultSecurityConfig. To enable non-authenticated messaging, make sure that the role name, in this case "guest", is the same as the "unauthenticatedIdentity" in the definition of the security domain in login-config.xml.
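    As an added example (not taken from the original page or from a shipped JBoss file), this is what the "jbossmq" application-policy in conf/login-config.xml can look like when it uses the properties-file login module together with the "guest" unauthenticated identity that the DefaultSecurityConfig above refers to. The properties file names follow the ones that appear in the log output further down; the user and role lines mentioned in the comments are assumptions for illustration.

```xml
<!-- Added example for conf/login-config.xml. This element goes inside the file's
     <policy> root. The policy name "jbossmq" is what the SecurityDomain attribute
     java:/jaas/jbossmq in jbossmq-service.xml resolves to. -->
<application-policy name="jbossmq">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
                  flag="required">
      <!-- A connection created without credentials is mapped to this principal.
           Its name must equal the role name used in DefaultSecurityConfig ("guest"). -->
      <module-option name="unauthenticatedIdentity">guest</module-option>
      <!-- user=password lines, resolved on the classpath (i.e. under conf/) -->
      <module-option name="usersProperties">props/jbossmq-users.properties</module-option>
      <!-- user=role1,role2 lines; the unauthenticated principal needs a line such as
           guest=guest (assumed content) so that it actually carries the "guest" role -->
      <module-option name="rolesProperties">props/jbossmq-roles.properties</module-option>
    </login-module>
  </authentication>
</application-policy>
```

    Users that must authenticate, such as scott/tiger from the jboss.xml example below, are listed in jbossmq-users.properties as scott=tiger and given their roles in jbossmq-roles.properties (for instance scott=consumer, where "consumer" is an assumed role name). Those role names are what the destination configuration later refers to.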

    Configure MDBs to use security

    Your message driven beans "log in" to the queues / topics that "drive" them. If you enable security in JMS, the beans will have to identify themselves.

    Which identity they should use is specified in the jboss.xml file for the given beans. See the example below:

            <message-driven>
                <ejb-name>CMyMessageBean</ejb-name>
                <destination-jndi-name>queue/myQueue</destination-jndi-name>
                <mdb-user>scott</mdb-user>
                <mdb-passwd>tiger</mdb-passwd>
                <resource-ref>
                    <res-ref-name>jdbc/base</res-ref-name>
                    <jndi-name>java:/jdbc/myconnection</jndi-name>
                </resource-ref>
            </message-driven>
    

     

    The mdb-user and mdb-passwd should match a user that exists in your security domain.

    Use authenticated connections in client code

    If you have clients connecting to your security-enabled messaging service, they will have to supply user credentials. It is not enough to log in using the client login you normally use when calling JBoss EJBs; in fact the two are not even related, so you do not have to log in with that client login at all.

    What you have to do is use these methods when creating the JMS connections:

            // ctx is the javax.naming.InitialContext used for the JNDI lookups;
            // JMSUSER / JMSPASS are the credentials of a user in the messaging security domain
            QueueConnectionFactory connectionFactory =
                (QueueConnectionFactory) ctx.lookup("ConnectionFactory");
            try {
                destination =
                    (javax.jms.Queue) ctx.lookup(QUEUENAME);
            } catch (javax.naming.NameNotFoundException nne) {
                m_log.fatal("Could not find recipient queue: " + QUEUENAME);
                System.exit(1);
            }
            // The credentials are passed here, not through the EJB client login
            QueueConnection connection = connectionFactory.createQueueConnection(JMSUSER, JMSPASS);

    And for topics:

     

            TopicConnectionFactory connectionFactory =
                (TopicConnectionFactory) ctx.lookup("ConnectionFactory");
            try {
                destination =
                    (javax.jms.Topic) ctx.lookup(TOPICNAME);
            } catch (javax.naming.NameNotFoundException nne) {
                m_log.fatal("Could not find topic: " + TOPICNAME);
                System.exit(1);
            }
            // Same pattern as for queues: the user and password go into createTopicConnection()
            TopicConnection connection = connectionFactory.createTopicConnection(JMSUSER, JMSPASS);

    Configure security on the topics and queues

    In the deploy/jms/jbossmq-destinations-service.xml file you can configure the topics and queues, who can access them, and how. The default file that comes with JBoss contains comments and examples that describe how this step is done.

    Make sure that the user you supplied in your jboss.xml file for your MDBs belongs to the roles that you specify here.
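    As an added example that is not part of the original page, this is a queue definition for jbossmq-destinations-service.xml that restricts access to queue/myQueue from the jboss.xml example above. The role names "consumer" and "producer" are assumptions; they have to be granted to users (such as scott) in the security domain's role mapping, and any role not listed in the SecurityConf gets no access to the destination.

```xml
<!-- Added example for deploy/jms/jbossmq-destinations-service.xml.
     The "name=myQueue" part of the MBean name is what makes the queue
     appear in JNDI as queue/myQueue. -->
<mbean code="org.jboss.mq.server.jmx.Queue"
       name="jboss.mq.destination:service=Queue,name=myQueue">
  <depends optional-attribute-name="DestinationManager">jboss.mq:service=DestinationManager</depends>
  <depends optional-attribute-name="SecurityManager">jboss.mq:service=SecurityManager</depends>
  <!-- SecurityConf replaces DefaultSecurityConfig for this destination only.
       Roles that are not listed here are denied. -->
  <attribute name="SecurityConf">
    <security>
      <!-- assumed role for the MDB's user (scott in jboss.xml): it only receives -->
      <role name="consumer" read="true" write="false" create="false"/>
      <!-- assumed role for clients that send to the queue -->
      <role name="producer" read="false" write="true" create="false"/>
      <!-- the unauthenticated identity ("guest" in login-config.xml) is deliberately
           absent, so connections without credentials can neither read nor write here -->
    </security>
  </attribute>
</mbean>
```

    A topic (org.jboss.mq.server.jmx.Topic) takes the same SecurityConf element; there, create="true" is the permission that lets a role create a durable subscription, which is why the DefaultSecurityConfig shown earlier grants it to "guest".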

    Disable Security

    As of JBoss 4.2.3, edit server/xxx/deploy/jms/jbossmq-service.xml (where xxx is the name of your server configuration). Find

      <mbean code="org.jboss.mq.server.jmx.Invoker" name="jboss.mq:service=Invoker">

    and, two lines further down, change:

      <depends optional-attribute-name="NextInterceptor">jboss.mq:service=SecurityManager</depends>

    to:

      <depends optional-attribute-name="NextInterceptor">jboss.mq:service=TracingInterceptor</depends>

    This will eliminate principal=null errors for unauthenticated Message Driven Beans (MDBs) by removing the SecurityManager interceptor that checks for them. Because the interceptor is taken out of the chain entirely, this also stops the read/write/create settings from DefaultSecurityConfig and from the per-destination SecurityConf being enforced for every client, not only for MDBs. The log below additionally shows the login module failing to find props/jbossmq-users.properties; keeping the interceptor and instead giving the MDB credentials (mdb-user / mdb-passwd) or restoring that file is the alternative. The errors look like this:

    javax.jms.JMSSecurityException: User: null is NOT authenticated
         at org.jboss.mq.security.SecurityManager.authenticate(SecurityManager.java:230)
         at org.jboss.mq.security.ServerSecurityInterceptor.authenticate(ServerSecurityInterceptor.java:66)
         at org.jboss.mq.server.TracingInterceptor.authenticate(TracingInterceptor.java:613)
         at org.jboss.mq.server.JMSServerInvoker.authenticate(JMSServerInvoker.java:172)
         at org.jboss.mq.il.jvm.JVMServerIL.authenticate(JVMServerIL.java:165)
         at org.jboss.mq.Connection.authenticate(Connection.java:1067)
    ...
    
    13:54:17,255 INFO  [JMSContainerInvoker] Waiting for reconnect internal 10000ms for RandomClientMessageBean
    13:54:27,256 INFO  [JMSContainerInvoker] Trying to reconnect to JMS provider for RandomClientMessageBean
    13:54:27,257 ERROR [UsersRolesLoginModule] Failed to load users/passwords/role files
    java.io.IOException: No properties file: props/jbossmq-users.properties or defaults: defaultUsers.properties found
    13:56:18,725 INFO  [JMSContainerInvoker] Waiting for reconnect internal 10000ms for RandomClientMessageBean
    ..
    2008-12-28 13:53:42,806 DEBUG [org.jboss.ejb.plugins.jms.DLQHandler] Initialization failed DLQHandler
    

     

    Additional information