How to configure a realm having role based authentication for hornetQ message queue?
Issue
- Why are roles taken from the ApplicationRealm (that is, from application-roles.properties) to authorize the message queue? Is there a configuration to set up other property files?
- How to set up a realm other than ApplicationRealm for role based authentication for hornetQ message queue?
Environment
- We connect to the hornetq subsystem from a remote client using the following protocol:-
remote://somehost:4447
- This usually refers to the ApplicationRealm as specified in the standalone-*.xml:-
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
The following are the steps to use another property file:-
- Create a user and associate it to a role:-
What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): b
Enter the details of the new user to add.
Realm (ApplicationRealm) :
Username : kunjan
Password : kunjan1
Re-enter Password : kunjan1
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[guest]: guest
Updated user 'kunjan' to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/standalone/configuration/application-users.properties'
Updated user 'kunjan' to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/domain/configuration/application-users.properties'
Updated user 'kunjan' with roles guest to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/standalone/configuration/application-roles.properties'
Updated user 'kunjan' with roles guest to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/domain/configuration/application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="a3VuamFuMQ==" />
- This will add the user kunjan with password kunjan1 to the file application-users.properties, and the role mapping "kunjan=guest" to the file application-roles.properties.
- Now copy the file application-users.properties and rename the copy to MyRealm-users.properties. Similarly copy the file application-roles.properties and rename the copy to MyRealm-roles.properties. Keep both files in $JBOSS_HOME/standalone/configuration.
- Add a new realm using jboss-cli.sh as follows:-
$JBOSS_HOME/bin: ./jboss-cli.sh -c
[standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authentication=properties:add(path="MyRealm-users.properties", plain-text=false, relative-to="jboss.server.config.dir")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authentication=local:add(default-user="$local", allowed-users="*")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authorization=properties:add(path="MyRealm-roles.properties", relative-to="jboss.server.config.dir")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
- This will make the standalone file look like follows:-
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            ...
        </security-realm>
        <security-realm name="ApplicationRealm">
            ...
        </security-realm>
        <security-realm name="MyRealm"> <!-- This is added -->
            <authentication>
                <local default-user="$local" allowed-users="*"/>
                <properties path="MyRealm-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization>
                <properties path="MyRealm-roles.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>
    </security-realms>
    ....
</management>
- Now change the security-realm setting in the remoting-connector setting to MyRealm instead of ApplicationRealm as follows:-
<connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
- There should be the following in standalone-full.xml for hornetq, matching the user and role mapping "kunjan=guest" set in the first step:-
<security-settings>
    <security-setting match="#">
        <permission type="send" roles="guest"/>
        <permission type="consume" roles="guest"/>
        <permission type="createNonDurableQueue" roles="guest"/>
        <permission type="deleteNonDurableQueue" roles="guest"/>
    </security-setting>
</security-settings>
- Now you should be able to communicate with the hornetq subsystem with the following in the client code:-
// Requires javax.naming.Context, javax.naming.InitialContext,
// javax.jms.QueueConnectionFactory and javax.jms.QueueConnection
Hashtable<String, String> env = new Hashtable<>();
env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
env.put(Context.PROVIDER_URL, url);           // e.g. remote://somehost:4447
// Credentials of the user held in MyRealm-users.properties
env.put(Context.SECURITY_PRINCIPAL, "kunjan");
env.put(Context.SECURITY_CREDENTIALS, "kunjan1");
Context ctx = new InitialContext(env);
...
qconFactory = (QueueConnectionFactory) ctx.lookup(JMS_FACTORY);
// The same user is authorized by HornetQ through the roles in MyRealm-roles.properties
qcon = qconFactory.createQueueConnection("kunjan", "kunjan1");
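As an added example (not part of the article and not EAP's own code), a small Python audit script that works on constructed copies of MyRealm-users.properties, MyRealm-roles.properties and the <security-settings> block: it checks a credential against the plain-text=false storage format HEX(MD5(username ':' realm ':' password)), which shows why an entry hashed for one realm name does not validate under another, and resolves which permissions a user's roles grant on a HornetQ address. The most-specific-match ranking it uses (exact address first, then fewest wildcard words) is an assumption that approximates HornetQ's ordering.

```python
"""Offline audit of the MyRealm setup: credential check against a plain-text=false
entry, and the HornetQ permissions a user's roles grant on an address."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed samples (not the article's files). The users entry is hashed for
# realm "MyRealm", as add-user writes it when MyRealm is entered at the Realm prompt.
USERS_PROPERTIES = "# users\nkunjan=" + hashlib.md5(b"kunjan:MyRealm:kunjan1").hexdigest()
ROLES_PROPERTIES = "# roles\nkunjan=guest\nops=guest,admin\n"
SECURITY_SETTINGS = """<security-settings>
  <security-setting match="#">
    <permission type="send" roles="guest"/>
    <permission type="consume" roles="guest"/>
  </security-setting>
  <security-setting match="jms.queue.audit">
    <permission type="send" roles="guest,admin"/>
    <permission type="consume" roles="admin"/>
  </security-setting>
</security-settings>"""

def parse_properties(text):
    """key=value lines; '#' comment lines and blanks are skipped as in the EAP files."""
    pairs = (l.split("=", 1) for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {k.strip(): v.strip() for k, v in pairs}

def verify_password(user, password, realm, users_text=USERS_PROPERTIES):
    """True only if the stored hash was produced for this exact realm name."""
    expected = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return parse_properties(users_text).get(user) == expected

def address_matches(pattern, address):
    """HornetQ wildcards: words split on '.', '*' = exactly one word, '#' = zero or more."""
    def match(pw, aw):
        if not pw:
            return not aw
        if pw[0] == "#":
            return any(match(pw[1:], aw[i:]) for i in range(len(aw) + 1))
        return bool(aw) and pw[0] in ("*", aw[0]) and match(pw[1:], aw[1:])
    return match(pattern.split("."), address.split("."))

def permissions_for(user, address, roles_text=ROLES_PROPERTIES, settings_xml=SECURITY_SETTINGS):
    """Sorted permission types granted on address; the most specific matching
    security-setting wins (assumed ranking: exact match, then fewest wildcards)."""
    user_roles = set(parse_properties(roles_text).get(user, "").split(",")) - {""}
    settings = ET.fromstring(settings_xml).findall("security-setting")
    hits = [s for s in settings if address_matches(s.get("match"), address)]
    if not hits or not user_roles:
        return []
    best = min(hits, key=lambda s: (s.get("match") != address,
                                    sum(w in ("*", "#") for w in s.get("match").split("."))))
    return sorted(p.get("type") for p in best.findall("permission")
                  if user_roles & set(p.get("roles").split(",")))
```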