How to configure a realm having role based authentication for hornetQ message queue?
Issue
- Why are the roles used to authorize the message queue taken from ApplicationRealm, i.e. from application-roles.properties? Is there a configuration that lets a different properties file be used?
- How can a realm other than ApplicationRealm be set up for role-based authentication on the HornetQ message queue?
Environment
- We connect to the HornetQ subsystem from a remote client using the remoting protocol:
remote://somehost:4447
- This connection is authenticated against ApplicationRealm, which is the realm bound to the remoting connector in standalone-*.xml:
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
Resolution
The following are the steps to use another properties file:
- Create a user with add-user.sh and associate it with a role:
What type of user do you wish to add?
 a) Management User (mgmt-users.properties)
 b) Application User (application-users.properties)
(a): b

Enter the details of the new user to add.
Realm (ApplicationRealm) :
Username : kunjan
Password : kunjan1
Re-enter Password : kunjan1
What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[guest]: guest
Updated user 'kunjan' to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/standalone/configuration/application-users.properties'
Updated user 'kunjan' to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/domain/configuration/application-users.properties'
Updated user 'kunjan' with roles guest to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/standalone/configuration/application-roles.properties'
Updated user 'kunjan' with roles guest to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/domain/configuration/application-roles.properties'
Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
yes/no? yes
To represent the user add the following to the server-identities definition <secret value="a3VuamFuMQ==" />
This adds the user kunjan with password kunjan1 to application-users.properties and the role mapping "kunjan=guest" to application-roles.properties.
- Make a copy of application-users.properties and rename the copy to MyRealm-users.properties. Similarly, copy application-roles.properties and rename the copy to MyRealm-roles.properties. Keep both files in $JBOSS_HOME/standalone/configuration.
- Add a new realm using jboss-cli.sh as follows:
$JBOSS_HOME/bin: ./jboss-cli.sh -c
[standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authentication=properties:add(path="MyRealm-users.properties", plain-text=false, relative-to="jboss.server.config.dir")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authentication=local:add(default-user="$local", allowed-users="*")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
[standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authorization=properties:add(path="MyRealm-roles.properties", relative-to="jboss.server.config.dir")
{
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
    }
}
The authentication=local entry enables the JBOSS-LOCAL-USER mechanism, which lets a client running on the same host as the server authenticate without a password by proving it can read the server's auth directory; allowed-users="*" lets such a local client use any user name, so leave it out if only remote, password-based clients should reach MyRealm. The operations are reload-required, so reload the server after adding the realm.
- This makes the standalone configuration file look as follows:
<management>
    <security-realms>
        <security-realm name="ManagementRealm">
            ...
        </security-realm>
        <security-realm name="ApplicationRealm">
            ...
        </security-realm>
        <security-realm name="MyRealm"> <!-- This is added -->
            <authentication>
                <local default-user="$local" allowed-users="*"/>
                <properties path="MyRealm-users.properties" relative-to="jboss.server.config.dir"/>
            </authentication>
            <authorization>
                <properties path="MyRealm-roles.properties" relative-to="jboss.server.config.dir"/>
            </authorization>
        </security-realm>
    </security-realms>
    ....
</management>
- Now change the security-realm attribute of the remoting-connector from ApplicationRealm to MyRealm as follows:
<connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
- standalone-full.xml should contain the following HornetQ security settings, matching the role mapping "kunjan=guest" created in the first step (the role names here are resolved through MyRealm-roles.properties once the connector points at MyRealm):
<security-settings>
    <security-setting match="#">
        <permission type="send" roles="guest"/>
        <permission type="consume" roles="guest"/>
        <permission type="createNonDurableQueue" roles="guest"/>
        <permission type="deleteNonDurableQueue" roles="guest"/>
    </security-setting>
</security-settings>
- You should now be able to communicate with the HornetQ subsystem with the following in the client code:
// JNDI environment for the remote lookup; the principal and credentials
// authenticate the remoting connection against the realm bound to
// remoting-connector (MyRealm after the change above)
Hashtable env = new Hashtable();
env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
env.put(Context.PROVIDER_URL, url);
env.put(Context.SECURITY_PRINCIPAL, "kunjan");
env.put(Context.SECURITY_CREDENTIALS, "kunjan1");
ctx = new InitialContext(env);
...
// The same user created with add-user.sh is presented to HornetQ
qconFactory = (QueueConnectionFactory) ctx.lookup(JMS_FACTORY);
qcon = qconFactory.createQueueConnection("kunjan", "kunjan1");
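A complete client built around the lines above, added here as an example and not part of the original article. It assumes the EAP 6 remote-naming InitialContextFactory class, the default exported JNDI names jms/RemoteConnectionFactory and jms/queue/test, and the host somehost from the Environment section; adjust these for your server. It performs the two operations the security-settings above grant to the guest role (send and consume) and shows where an authentication or authorization failure surfaces in the client.

```java
import java.util.Hashtable;
import javax.jms.JMSException;
import javax.jms.JMSSecurityException;
import javax.jms.Message;
import javax.jms.MessageConsumer;
import javax.jms.MessageProducer;
import javax.jms.Queue;
import javax.jms.QueueConnection;
import javax.jms.QueueConnectionFactory;
import javax.jms.QueueSession;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

public class MyRealmQueueClient {

    // Assumed values for this example: the EAP 6 remote-naming client factory, the host from
    // the Environment section, and the default exported names from standalone-full.xml.
    private static final String JNDI_FACTORY = "org.jboss.naming.remote.client.InitialContextFactory";
    private static final String PROVIDER_URL = "remote://somehost:4447";
    private static final String JMS_FACTORY  = "jms/RemoteConnectionFactory";
    private static final String QUEUE_NAME   = "jms/queue/test";

    public static void main(String[] args) throws Exception {
        // user and password as created with add-user.sh in the first step
        String user = args.length > 0 ? args[0] : "kunjan";
        String pass = args.length > 1 ? args[1] : "kunjan1";

        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
        env.put(Context.PROVIDER_URL, PROVIDER_URL);
        // These credentials authenticate the remoting connection against the realm
        // bound to remoting-connector, i.e. MyRealm after the configuration change.
        env.put(Context.SECURITY_PRINCIPAL, user);
        env.put(Context.SECURITY_CREDENTIALS, pass);

        Context ctx = null;
        QueueConnection qcon = null;
        try {
            ctx = new InitialContext(env);
            QueueConnectionFactory qconFactory = (QueueConnectionFactory) ctx.lookup(JMS_FACTORY);
            Queue queue = (Queue) ctx.lookup(QUEUE_NAME);

            // The same user is presented to HornetQ; an unknown user or wrong password fails here.
            qcon = qconFactory.createQueueConnection(user, pass);
            QueueSession session = qcon.createQueueSession(false, Session.AUTO_ACKNOWLEDGE);
            qcon.start();

            // Sending needs permission type="send" for one of the user's roles on a matching address.
            // A rejected non-blocking send may only be logged on the server, so do not rely on an
            // exception here unless the connection factory is configured to block on send.
            MessageProducer producer = session.createProducer(queue);
            producer.send(session.createTextMessage("hello from " + user));

            // Consuming needs permission type="consume"; a missing role is rejected when the consumer is created.
            MessageConsumer consumer = session.createConsumer(queue);
            Message m = consumer.receive(5000);
            System.out.println(m instanceof TextMessage ? ((TextMessage) m).getText() : "no message within 5s");
        } catch (JMSSecurityException e) {
            // Wrong credentials, or the user's roles lack the permission for the operation.
            System.err.println("Rejected by HornetQ security: " + e.getMessage());
        } catch (NamingException e) {
            // Remoting-level authentication failed, or the name is not exported under java:jboss/exported.
            System.err.println("JNDI lookup failed: " + e.getMessage());
        } finally {
            if (qcon != null) try { qcon.close(); } catch (JMSException ignored) {}
            if (ctx != null) try { ctx.close(); } catch (NamingException ignored) {}
        }
    }
}
```

Compile and run it with the EAP 6 client library (jboss-client.jar from $JBOSS_HOME/bin/client) on the classpath. Running it once with the kunjan user and once with a user that exists in MyRealm-users.properties but has no guest mapping in MyRealm-roles.properties is a quick way to confirm that authorization is now driven by the MyRealm files rather than by application-roles.properties.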
