How to configure a security realm with role-based authentication for the HornetQ message queue?

Solution Unverified

Issue

  • Why are roles taken from ApplicationRealm (that is, from application-roles.properties) to authorize access to the message queue? Is there a configuration option to use a different properties file?
  • How to set up a realm other than ApplicationRealm for role-based authentication on the HornetQ message queue?

Environment

  • We connect to the hornetq subsystem from a remote client using the following protocol and URL:-
remote://somehost:4447
  • By default the remoting connector in standalone-*.xml refers to ApplicationRealm:-
<connector name="remoting-connector" socket-binding="remoting" security-realm="ApplicationRealm"/>
  • The following are the steps to use a different pair of properties files:-

    • Create a user with the add-user script and associate it with a role:-
    What type of user do you wish to add? 
    a) Management User (mgmt-users.properties) 
    b) Application User (application-users.properties)
    (a): b
    
    Enter the details of the new user to add.
    Realm (ApplicationRealm) : 
    Username : kunjan 
    Password : kunjan1
    Re-enter Password : kunjan1 
    What roles do you want this user to belong to? (Please enter a comma separated list, or leave blank for none)[guest]: guest
    Updated user 'kunjan' to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/standalone/configuration/application-users.properties'
    Updated user 'kunjan' to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/domain/configuration/application-users.properties'
    Updated user 'kunjan' with roles guest to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/standalone/configuration/application-roles.properties'
    Updated user 'kunjan' with roles guest to file '/installed/jboss/EAP/EAP6/EAP-6.0.0.GA/replication/hornetq-sec/jboss-eap-6.0/domain/configuration/application-roles.properties'
    Is this new user going to be used for one AS process to connect to another AS process e.g. slave domain controller?
    yes/no? yes
    To represent the user add the following to the server-identities definition <secret value="a3VuamFuMQ==" />
    
    • This adds the user kunjan with password kunjan1 to the file application-users.properties and the role mapping "kunjan=guest" to the file application-roles.properties.
    • Now copy the file application-users.properties to MyRealm-users.properties and, similarly, copy application-roles.properties to MyRealm-roles.properties. Keep both copies in $JBOSS_HOME/standalone/configuration.
    • Add a new realm using jboss-cli.sh as follows:-
    $JBOSS_HOME/bin: ./jboss-cli.sh -c
    [standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authentication=properties:add(path="MyRealm-users.properties", plain-text=false, relative-to="jboss.server.config.dir")
    {
        "outcome" => "success",
        "response-headers" => {
            "operation-requires-reload" => true,
            "process-state" => "reload-required"
        }
    }

    [standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authentication=local:add(default-user="$local", allowed-users="*")
    {
        "outcome" => "success",
        "response-headers" => {
            "operation-requires-reload" => true,
            "process-state" => "reload-required"
        }
    }

    [standalone@localhost:9999 /] /core-service=management/security-realm=MyRealm/authorization=properties:add(path="MyRealm-roles.properties", relative-to="jboss.server.config.dir")
    {
        "outcome" => "success",
        "response-headers" => {
            "operation-requires-reload" => true,
            "process-state" => "reload-required"
        }
    }
    
    • After a reload, the standalone configuration file contains the new realm as follows:-
    <management>
        <security-realms>
            <security-realm name="ManagementRealm">
                ...
            </security-realm>
            <security-realm name="ApplicationRealm">
                ...
            </security-realm>
            <security-realm name="MyRealm"> <!-- This is added-->
                <authentication>
                    <local default-user="$local" allowed-users="*"/>
                    <properties path="MyRealm-users.properties" relative-to="jboss.server.config.dir"/>
                </authentication>
                <authorization>
                    <properties path="MyRealm-roles.properties" relative-to="jboss.server.config.dir"/>
                </authorization>
            </security-realm>
        </security-realms>
     ....
    </management>
    
    • Now change the security-realm attribute of the remoting-connector from ApplicationRealm to MyRealm as follows:-
    <connector name="remoting-connector" socket-binding="remoting" security-realm="MyRealm"/>
    
    • The hornetq subsystem in standalone-full.xml must grant permissions to the role assigned in the first step ("kunjan=guest"), for example:-
    <security-settings>
        <security-setting match="#">
            <permission type="send" roles="guest"/>
            <permission type="consume" roles="guest"/>
            <permission type="createNonDurableQueue" roles="guest"/>
            <permission type="deleteNonDurableQueue" roles="guest"/>
        </security-setting>
    </security-settings>
    
  • Now the client should be able to communicate with the hornetq subsystem using the user and password created above. The client code from the page, with the JNDI environment built before the factory lookup:-

    // JNDI environment carrying the MyRealm credentials
    Hashtable<String, String> env = new Hashtable<>();
    env.put(Context.INITIAL_CONTEXT_FACTORY, JNDI_FACTORY);
    env.put(Context.PROVIDER_URL, url);
    env.put(Context.SECURITY_PRINCIPAL, "kunjan");
    env.put(Context.SECURITY_CREDENTIALS, "kunjan1");
    Context ctx = new InitialContext(env);
    ...
    // the same user and password authenticate the JMS connection itself
    qconFactory = (QueueConnectionFactory) ctx.lookup(JMS_FACTORY);
    qcon = qconFactory.createQueueConnection("kunjan", "kunjan1");
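The realm above is created with plain-text=false, so its users file must contain digests rather than passwords, and its roles file must only name users that exist and roles that the hornetq security-settings actually grant. The following is an added example, not code from the article or from Red Hat: a small checker for a MyRealm-users.properties / MyRealm-roles.properties pair. The sample file contents are constructed here; the digest format, HEX(MD5(username ':' realm ':' password)), is the one the add-user script documents in the header comment it writes to the users file, and because the realm name is part of that digest, the check verifies an entry under the realm name it was generated with. The secret printed by add-user ("a3VuamFuMQ==") is plain base64 of the password, which the last helper shows; treat server-identities in the configuration file accordingly.

```python
import base64
import hashlib
import re


def user_digest(username: str, realm: str, password: str) -> str:
    """Digest stored by a properties realm with plain-text=false:
    HEX(MD5(username ':' realm ':' password)) as documented by add-user."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode("utf-8")).hexdigest()


# Constructed sample users file (not the article's file). The 'kunjan' entry
# is generated with the realm name the add-user run in the article used,
# ApplicationRealm; 'tester' is a deliberately wrong plaintext entry.
USERS_PROPERTIES = (
    "#$REALM_NAME=ApplicationRealm$\n"
    "# username=HEX( MD5( username ':' realm ':' password))\n"
    f"kunjan={user_digest('kunjan', 'ApplicationRealm', 'kunjan1')}\n"
    "tester=secret123\n"
)

# Constructed sample roles file; 'orphan' has no matching user entry.
ROLES_PROPERTIES = (
    "# username=role1,role2\n"
    "kunjan=guest\n"
    "tester=admin,guest\n"
    "orphan=guest\n"
)

# Roles that the article's <security-settings> block grants permissions to.
GRANTED_ROLES = {"guest"}

HEX_DIGEST = re.compile(r"^[0-9a-f]{32}$")


def parse_properties(text: str) -> dict:
    """Parse a key=value properties file, skipping comments and blank lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def check_realm_files(users_text: str, roles_text: str, granted_roles: set) -> list:
    """Return findings for a users/roles pair of a realm configured with
    plain-text=false: stored plaintext passwords, role entries for users
    that do not exist, and roles that no HornetQ permission grants."""
    users = parse_properties(users_text)
    roles = parse_properties(roles_text)
    findings = []
    for user, value in users.items():
        if not HEX_DIGEST.match(value):
            findings.append(f"plaintext password stored for user '{user}'")
    for user, role_list in roles.items():
        if user not in users:
            findings.append(f"role entry for unknown user '{user}'")
        for role in (r.strip() for r in role_list.split(",")):
            if role and role not in granted_roles:
                findings.append(f"user '{user}' has role '{role}' with no HornetQ permission")
    return findings


def verify_user(users_text: str, username: str, realm: str, password: str) -> bool:
    """Recompute the digest for the given realm name and compare it with the stored entry."""
    stored = parse_properties(users_text).get(username)
    return stored is not None and stored == user_digest(username, realm, password)


def decode_server_identity_secret(secret: str) -> str:
    """The <secret value="..."/> printed by add-user is base64 of the password, not a hash."""
    return base64.b64decode(secret).decode("utf-8")


if __name__ == "__main__":
    for finding in check_realm_files(USERS_PROPERTIES, ROLES_PROPERTIES, GRANTED_ROLES):
        print("FINDING:", finding)
    print("kunjan verifies under ApplicationRealm:",
          verify_user(USERS_PROPERTIES, "kunjan", "ApplicationRealm", "kunjan1"))
    print("kunjan verifies under MyRealm:",
          verify_user(USERS_PROPERTIES, "kunjan", "MyRealm", "kunjan1"))
    print("server-identities secret decodes to:",
          decode_server_identity_secret("a3VuamFuMQ=="))
```

Run it against the real MyRealm-users.properties and MyRealm-roles.properties by reading those files instead of the constructed strings. A copied entry verifying only under ApplicationRealm is the signal to regenerate the user for the new realm rather than to fall back to plain-text=true.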
