Difference between revisions of "Stardust/Knowledge Base/Security/JMSCustomization/Queue Security JBoss"

Revision as of 03:49, 9 December 2013

Customizing Queue and Connection Factory

This page details the steps to customize the Stardust JMS connection factory and JMS queues. The first part of the document deals with enabling queue security using an authenticated queue connection factory. The second part details the steps to change the default Stardust queue names.

Platform Used

The customizations were verified on the platform below. However, the changes should be easily adaptable to other versions of JBoss and Stardust.

JBoss Application server: jboss-5.1.0.GA
Messaging provider: JBoss default
Stardust: Applicable to all Stardust versions

Enabling Queue Security

This section details the steps needed to enable queue security on the Stardust system queues deployed on the JBoss application server. The steps below assume a default installation of JBoss and a Stardust deployment in Spring mode. These steps extend the default setup by creating security credentials and access control definitions.

Understanding default JBoss setup

The default messaging queue security settings for JBoss are defined in the file:

%JBOSS_HOME%\server\default\deploy\messaging\messaging-jboss-beans.xml

The default security config defines the following access control on the queues:

<bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
   <property name="defaultSecurityConfig">
      <![CDATA[<security>
         <role name="guest" read="true" write="true" create="true"/>
      </security>]]>
   </property>
   <property name="securityDomain">messaging</property>

It defines that a user with the guest role has full access (read, write and create) on the message queues. By default, messaging is bound to the security domain named “messaging”, as seen in the snippet above. This domain is defined in the same file as:

<application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
         <module-option name="unauthenticatedIdentity">guest</module-option>
         <module-option name="dsJndiName">java:/DefaultDS</module-option>….
         <module-option name="principalsQuery">SELECT PASSWD FROM JBM_USER WHERE USER_ID=?</module-option>
         <module-option name="rolesQuery">SELECT ROLE_ID, 'Roles' FROM JBM_ROLE WHERE USER_ID=?</module-option>

The security policy above defines that any unauthenticated user is treated as guest, and the guest user in turn has full access to the messaging system as defined in the security config. Stardust system queues use this default security policy. Hence, any user who has the information required to connect to the JBoss JNDI context and who knows the Stardust queue names can connect to, consume from and create messages on these queues. However, security can be enabled on the Stardust queues. The following steps give detailed information on how this can be achieved.

Creating a JMS user

Before we define an access control setting on the queue, we need to create a JMS user. This user will be used by Stardust for creating connections on the queue connection factory. The default JMS user setup is part of this file:

%JBOSS_HOME%\server\default\deploy\messaging\hsqldb-persistence-service.xml

The user database is maintained in an embedded database instance of HSQLDB. The default configuration is as follows:

<mbean code="org.jboss.jms.server.plugin.JDBCJMSUserManagerService"
   name="jboss.messaging:service=JMSUserManager"
   xmbean-dd="xmdesc/JMSUserManager-xmbean.xml">
   <depends>jboss.jca:service=DataSourceBinding,name=DefaultDS</depends>
   <depends optional-attribute-name="TransactionManager">jboss:service=TransactionManager</depends>
   <attribute name="DataSource">java:/DefaultDS</attribute>
   <attribute name="CreateTablesOnStartup">true</attribute>
   <attribute name="SqlProperties"><![CDATA[
      POPULATE.TABLES.1 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('guest', 'guest')
      POPULATE.TABLES.2 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('j2ee', 'j2ee')
      POPULATE.TABLES.3 = INSERT INTO JBM_USER (USER_ID, PASSWD, CLIENTID) VALUES ('john', 'needle', 'DurableSubscriberExample')
      POPULATE.TABLES.4 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('nobody', 'nobody')
      POPULATE.TABLES.5 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('dynsub', 'dynsub')
      POPULATE.TABLES.6 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('guest','guest')
      POPULATE.TABLES.7 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('j2ee','guest')
      …….

The SQL statements above populate the user and role tables each time the server is started. We will create a user for the Stardust queues called “ippuser”, with a role also named “ippuser”. The following statements need to be added to the list above:

POPULATE.TABLES.15 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('ippuser','ippuser')
POPULATE.TABLES.16 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('ippuser','ippuser')
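As an added audit check, not part of this wiki page nor of Stardust or JBoss, the following Python reads the two configuration fragments discussed above (the SecurityStore bean with the login module's unauthenticatedIdentity option, and the JBM_ROLE POPULATE rows) and reports which queue permissions an unauthenticated client ends up with on queues that carry no explicit security block. The XML and SQL samples are constructed in the shape of the page's snippets, and the hardened variant assumes the default grant is moved from the guest role to the ippuser role.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the messaging-jboss-beans.xml fragments
# quoted on this page (not a copy of a real JBoss file).
BEANS_XML = """<deployment xmlns="urn:jboss:bean-deployer:2.0">
  <bean name="SecurityStore" class="org.jboss.jms.server.jbosssx.JBossASSecurityMetadataStore">
    <property name="defaultSecurityConfig"><![CDATA[<security>
      <role name="guest" read="true" write="true" create="true"/>
    </security>]]></property>
    <property name="securityDomain">messaging</property>
  </bean>
  <application-policy xmlns="urn:jboss:security-beans:1.0" name="messaging">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="required">
        <module-option name="unauthenticatedIdentity">guest</module-option>
      </login-module>
    </authentication>
  </application-policy>
</deployment>"""
# Constructed excerpt of the SqlProperties POPULATE rows (hsqldb-persistence-service.xml).
POPULATE_SQL = """
POPULATE.TABLES.1 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('guest', 'guest')
POPULATE.TABLES.6 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('guest','guest')
POPULATE.TABLES.15 = INSERT INTO JBM_USER (USER_ID, PASSWD) VALUES ('ippuser','ippuser')
POPULATE.TABLES.16 = INSERT INTO JBM_ROLE (ROLE_ID, USER_ID) VALUES ('ippuser','ippuser')
"""
# Hardened variant (assumption): the default grant goes to the ippuser role instead of guest.
HARDENED_XML = BEANS_XML.replace('role name="guest"', 'role name="ippuser"')
ROLE_ROW = re.compile(r"INSERT INTO JBM_ROLE \(ROLE_ID, USER_ID\) VALUES \('([^']*)',\s*'([^']*)'\)")

def local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.rsplit('}', 1)[-1]

def audit(beans_xml, populate_sql):
    """Return the user unauthenticated clients map to and what its roles may do on queues."""
    roles_of = {}  # USER_ID -> set of ROLE_ID, taken from the JBM_ROLE rows
    for role_id, user_id in ROLE_ROW.findall(populate_sql):
        roles_of.setdefault(user_id, set()).add(role_id)
    unauth, grants = None, {}
    for el in ET.fromstring(beans_xml).iter():
        if local(el.tag) == 'module-option' and el.get('name') == 'unauthenticatedIdentity':
            unauth = (el.text or '').strip()
        elif local(el.tag) == 'property' and el.get('name') == 'defaultSecurityConfig':
            # The CDATA body is itself an XML <security> document with <role> entries
            for role in ET.fromstring(el.text.strip()).iter('role'):
                grants[role.get('name')] = tuple(p for p in ('read', 'write', 'create') if role.get(p) == 'true')
    anonymous = {r: grants[r] for r in sorted(roles_of.get(unauth, ())) if grants.get(r)}
    return {'unauthenticatedIdentity': unauth, 'anonymousGrants': anonymous}
```

With the default files the check reports that anonymous clients hold the guest role with read, write and create; after the grant is moved to ippuser it reports no anonymous grants, while the unauthenticatedIdentity mapping itself is still present and worth reviewing.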
