6 Replies Latest reply: Jul 23, 2012 5:54 PM by madchedar0

Setup custom JAAS login module in HornetQ with JBoss 7.1.1.Final

madchedar0 Newbie

I'm on JBoss 7.1.1.Final and using whatever the stock HornetQ is in that distribution.

I would like to use JAAS as my authentication instead of the current "ApplicationRealm" that I'm using.

 

This is what my remoting subsystem looks like from my standalone-full.xml:

 

<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
</subsystem>

 

Earlier in my standalone-full.xml ApplicationRealm is defined like this:

 

 

<security-realm name="ApplicationRealm">
    <authentication>
        <properties path="application-users.properties" relative-to="jboss.server.config.dir"/>
    </authentication>
</security-realm>

 

So currently I have HornetQ using just a regular properties file to authenticate, but I need to use JAAS instead.

 

I also have a security domain (which I just did my best at porting over from our old JBoss 5.1.0GA days - the code is untested) which uses the JAAS login module I would like to use for HornetQ:

 

 

<security-domain name="myapp" cache-type="default">
    <authentication>
        <login-module code="com.mycompany.myapp.user.UserLoginModule" flag="required"/>
    </authentication>
</security-domain>

 

I had been trying to follow the HornetQ documentation on using JAAS here:

(From a HornetQ distribution I downloaded) $INSTALL_DIR/hornetq-2.2.14.Final/examples/jms/jaas/readme.html

Some notes on HornetQ Configuration

(Section 6.. 6.6 and 6.7) http://docs.jboss.org/hornetq/2.2.2.Final/user-manual/en/html_single/index.html

 

But I was wondering if there's an easier way to accomplish JAAS authentication?

 

I was wondering if it was possible to take the "myapp" security domain and use it as an authentication mechanism in a security realm like so? :

 

<security-realm name="MessagingRealm">
    <authentication>
        <jaas name="myapp"/>
    </authentication>
</security-realm>

 

Then the remoting subsystem looks like so:

 

<subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting" security-realm="MessagingRealm"/>
</subsystem>

 

I'm wondering if this approach works to accomplish having JAAS as a part of HornetQ?

 

I've been tinkering with it and it's not clear that any of the logger messages I have put in my com.mycompany.myapp.user.UserLoginModule are getting called.

So I'm interested if anyone in the community can shed some light on this because I'm not sure what to try next.

 

Thank you.

  • 1. Re: Setup custom JAAS login module in HornetQ with JBoss 7.1.1.Final
    Jeff Mesnil Master

    madchedar0 wrote:

     

    I also have a security domain (which I just did my best at porting over from our old JBoss 5.1.0GA days - the code is untested) which uses the JAAS login module I would like to use for HornetQ:

     

     

    <security-domain name="myapp" cache-type="default">
        <authentication>
            <login-module code="com.mycompany.myapp.user.UserLoginModule" flag="required"/>
        </authentication>
    </security-domain>
    

     

    I had been trying to follow the HornetQ documentation on using JAAS here:

    (From a HornetQ distribution I downloaded) $INSTALL_DIR/hornetq-2.2.14.Final/examples/jms/jaas/readme.html

    Some notes on HornetQ Configuration

    (Section 6.. 6.6 and 6.7) http://docs.jboss.org/hornetq/2.2.2.Final/user-manual/en/html_single/index.html

     

    First, the configuration for HornetQ inside AS7 is done inside the subsystem urn:jboss:domain:messaging. HornetQ does not relate to the urn:jboss:domain:remoting subsystem at all.

     

    There is a property <security-domain> inside the hornetq-server configuration to specify which domain to use for authentication.

     

    I have not checked it but it should work with your domain by configuring it:

     

    
    

     

    Could you give it a try and tell me if that works?

     

    thanks,

    jeff

  • 2. Re: Setup custom JAAS login module in HornetQ with JBoss 7.1.1.Final
    Jeff Mesnil Master

    The wiki ate up my XML config... try adding this:

     

    <hornetq-server>

        <security-domain>myapp</security-domain>

         ...

    </hornetq-server> 
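
An added example, not part of the original thread and not JBoss or HornetQ code: a Python check that reads a standalone-full.xml and reports which security domain each `<hornetq-server>` element names and whether that domain is defined with login modules. The sample document is constructed from the snippets in this thread; its namespace versions, overall layout and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample built from the snippets in this thread; the namespace
# versions and the surrounding layout are assumptions.
SAMPLE = """<server xmlns="urn:jboss:domain:1.2"><profile>
  <subsystem xmlns="urn:jboss:domain:messaging:1.1">
    <hornetq-server>
      <security-domain>myapp</security-domain>
    </hornetq-server>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:remoting:1.1">
    <connector name="remoting-connector" socket-binding="remoting"
               security-realm="ApplicationRealm"/>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:security:1.1">
    <security-domains>
      <security-domain name="myapp" cache-type="default">
        <authentication>
          <login-module code="com.mycompany.myapp.user.UserLoginModule"
                        flag="required"/>
        </authentication>
      </security-domain>
    </security-domains>
  </subsystem>
</profile></server>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def hornetq_auth(xml_text):
    """Report the security domain each <hornetq-server> names (hypothetical helper)."""
    root = ET.fromstring(xml_text)
    domains = {}      # defined security domain name -> login-module classes
    referenced = []   # domain named inside each <hornetq-server>, or None
    for el in root.iter():
        name = local(el.tag)
        if name == "security-domain" and el.get("name"):
            domains[el.get("name")] = [m.get("code") for m in el.iter()
                                       if local(m.tag) == "login-module"]
        elif name == "hornetq-server" and "urn:jboss:domain:messaging" in el.tag:
            sd = next((c for c in el if local(c.tag) == "security-domain"), None)
            referenced.append(sd.text.strip() if sd is not None and sd.text else None)
    # The remoting connector's security-realm is deliberately ignored: per the
    # reply above, HornetQ authentication is set in the messaging subsystem only.
    return [{"domain": d, "defined": d in domains,
             "login_modules": domains.get(d, [])} for d in referenced]
```

A result with `"defined": False` or an empty `login_modules` list means the broker points at a domain that is missing or has no login module configured.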

  • 3. Re: Setup custom JAAS login module in HornetQ with JBoss 7.1.1.Final
    john gregory Newbie

    madchedar0,

     

    Yeah, documentation on this is very thin...

     

    I've got a condition where my client is a standalone that sends a message to a queue on a jboss server. Since jboss6 has hornetq embedded, I thought I'd follow the examples and set this up. I finally was able to get hornetq configured where it stopped spitting out errors, a very good step 1. However, when I deployed my MDB to the server, I don't see any of the logging I have set up. Have no idea why! From what I can tell (using jmx console) I see my queue and I see my bean deployed to the jboss server. I don't see any exceptions at all.

    Next, when my client connects, I need it to establish a 2-way ssl connection between it and the server for trust. I set this up like I have done a million other times using weblogic, but once I do, my client starts throwing exceptions. Since I need an ssl connection, I've tried using various combinations to bind to the server, all to no avail. In weblogic, it's a matter of going from t3 to t3s. I figured it'd be the same using jnp. So it (caveat here) should be jnp to jnps. That didn't work. In digging, I found examples that used https and my secure ssl enabled port, but nothing but exceptions litter my client logs.

     

    Any ideas on this would be appreciated...

     

    John

  • 4. Re: Setup custom JAAS login module in HornetQ with JBoss 7.1.1.Final
    Justin Bertram Master

    John, you need to open a new thread about this. 

     

    I see you have started a few threads related to this already (https://community.jboss.org/thread/202284 and https://community.jboss.org/thread/202604).  If either of these are still relevant please comment on them and I'll try to investigate.

  • 5. Re: Setup custom JAAS login module in HornetQ with JBoss 7.1.1.Final
    madchedar0 Newbie

    Thanks for the reply!

     

    I guess I was so consumed with getting the client side of the application to be authenticated with JAAS that I focused on the remoting subsystem.  It makes sense that any HornetQ security would be defined within the messaging subsystem.

     

    I placed the recommended configuration in my standalone-full.xml:

     

     

    <hornetq-server>
        ...
        <!-- Trying to get JAAS authentication -->
        <security-domain>myapp</security-domain>
    </hornetq-server>
    

     

    And now I can see the server is attempting to look for/use my login module. 

     

    Here's what I see now:

     

    17:58:17,887 ERROR [org.jboss.security.authentication.JBossCachedAuthenticationManager] (Old I/O server worker (parentId: 1416925497, [id: 0x54749139, /127.0.0.1:5445])) Login failure: javax.security.auth.login.LoginException: unable to find LoginModule class: com.mycompany.myapp.user.UserLoginModule from [Module "org.jboss.as.messaging:main" from local module loader @7c594d5e (roots: <my jboss as7 install path>\jboss-as-7.1.1.Final\modules)]
    

     

    So it looks like JBoss is expecting the JAAS code to be a module?  I'm going to do a little more research on this.

     

    Thanks again

  • 6. Re: Setup custom JAAS login module in HornetQ with JBoss 7.1.1.Final
    madchedar0 Newbie

    I created a separate thread to address this javax.security.auth.LoginException since it's a slightly different issue.

     

    It's here: https://community.jboss.org/thread/203009