Sorry for the large post, but I wanted to provide all the relevant information.
I'm seeing the same problem as detailed in Thread 107745 (http://www.jboss.com/index.html?module=bb&op=viewtopic&t=107745). Basically it doesn't seem like the Security Configuration on the queue/topic level is working properly (or my configuration is wrong). The solution in that thread doesn't seem much like a solution at all.

My configuration looks like:

    <server>
       <loader-repository>jboss.messaging:loader=ScopedLoaderRepository
          <loader-repository-config>java2ParentDelegation=false</loader-repository-config>
       </loader-repository>

       <mbean code="org.jboss.jms.server.destination.QueueService"
          name="jboss.messaging.destination:service=Queue,name=NotifyQueue"
          xmbean-dd="xmdesc/Queue-xmbean.xml">
          <depends optional-attribute-name="ServerPeer">jboss.messaging:service=ServerPeer</depends>
          <depends>jboss.messaging:service=PostOffice</depends>
          <attribute name="SecurityConfig">
             <security>
                <role name="commonPublisher" read="false" write="true"/>
                <role name="commonSubscriber" read="true" write="true"/>
             </security>
          </attribute>
          <attribute name="MessageCounterHistoryDayLimit">-1</attribute>
          <attribute name="Clustered">true</attribute>
       </mbean>
    </server>

The client error I see is:

    javax.jms.JMSSecurityException: User: commonuser is not authorized to read from destination NotifyQueue
        at org.jboss.jms.server.container.SecurityAspect.check(SecurityAspect.java:260)

Here are some interesting bits from the server log:

    2007-05-30 10:07:42,536 DEBUG [org.jboss.jms.server.destination.QueueService] Starting jboss.messaging.destination:name=NotifyQueue,service=Queue
    2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
    2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
    2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
    <security>
       <role name="guest" read="true" write="true"/>
       <role name="commonPublisher" read="false" write="true"/>
       <role name="commonSubscriber" read="true" write="true"/>
    </security>
    2007-05-30 10:07:42,552 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
    2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
    ....
    ....
    2007-05-30 10:08:11,704 DEBUG [org.jboss.jms.server.security.SecurityMetadataStore] No SecurityMetadadata was available for NotifyQueue, using default security config
    2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
    ....
    2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [guest]
    2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
        Principal: commonuser
        Principal: Roles(members:commonSubscriber,statPublisher)

    2007-05-30 10:08:11,704 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
    2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(guest)=false
    2007-05-30 10:08:11,719 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=false
    2007-05-30 10:08:11,719 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is NOT authorized

Notice the line that contains 'No SecurityMetadadata was available for NotifyQueue, using default security config'.

I downloaded the source code to try and figure out what the problem with my configuration was. I added the following to the log4j.xml file to see if I could see a log statement like 'adding security configuration for queue'.

    <category name="org.jboss.jms.server.security.SecurityMetadataStore">
       <priority value="TRACE" class="org.jboss.logging.XLevel"/>
    </category>

That didn't help. It seemed to me that the queue security configuration was never being registered with the SecurityMetadataStore class. In the DestinationServiceSupport class I found the following method.

    public void setSecurityConfig(Element securityConfig) throws Exception
    {
       try
       {
          if (started)
          {
             // push security update to the server
             sm.setSecurityConfig(isQueue(), destination.getName(), securityConfig);
          }

          destination.setSecurityConfig(securityConfig);
       }
       catch (Throwable t)
       {
          ExceptionUtil.handleJMXInvocation(t, this + " setSecurityConfig");
       }
    }

It seems to me that this method is called before the queue is started and so the security configuration is never registered with the SecurityManager. I added the following line to the startService() method in the org.jboss.jms.server.destination.QueueService class, right after the 'started = true;' statement:

    serverPeer.getSecurityManager().setSecurityConfig(true, destination.getName(), destination.getSecurityConfig());

I rebuilt the jboss-messaging.jar jar with the change and it seemed to work.

This is what I found in the server log after the code change:

    2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue NotifyQueue registered
    2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.DestinationJNDIMapper] queue bound in JNDI as /queue/NotifyQueue
    2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
    <security>
       <role name="guest" read="true" write="true"/>
       <role name="commonPublisher" read="false" write="true"/>
       <role name="commonSubscriber" read="true" write="true"/>
    </security>
    2007-05-30 10:34:13,976 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] adding security configuration for queue NotifyQueue
    2007-05-30 10:34:13,976 INFO [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] started, fullSize=200000, pageSize=2000, downCacheSize=2000
    2007-05-30 10:34:13,976 DEBUG [org.jboss.jms.server.destination.QueueService] Started jboss.messaging.destination:name=NotifyQueue,service=Queue
    ...
    ...
    2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authenticating user commonuser
    ...
    2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [commonSubscriber, guest]
    2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] doesUserHaveRole(Set), subject: Subject:
        Principal: commonuser
        Principal: Roles(members:commonSubscriber,statPublisher)

    2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] roles=Roles(members:commonSubscriber,statPublisher)
    2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole(commonSubscriber)=true
    2007-05-30 11:03:41,279 TRACE [org.jboss.security.plugins.JaasSecurityManager.messaging] hasRole=true
    2007-05-30 11:03:41,279 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] user commonuser is authorized

Notice the new line from the SecurityMetadataStore class that wasn't there before ('adding security configuration for queue NotifyQueue'). I can provide more information from my other configuration files if necessary.

View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4049812#4049812
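
The condition described in the post can be spotted from server.log alone. The following is an added example, not part of the original post or of JBoss Messaging: it flags queues that logged a security configuration at startup but were later authorized against the default config. It assumes the message texts shown in the post, one XML element per line in the configuration dump, and that the "authorizing user" line directly follows the fallback line for the same request.

```python
import re

# Message formats copied from the post's log excerpts ("SecurityMetadadata" is the server's own spelling).
DECLARED = re.compile(r"Queue\[/queue/([^\]]+)\] security configuration:")
ROLE = re.compile(r'<role name="([^"]+)"')
REGISTERED = re.compile(r"adding security configuration for queue (\S+)")
FALLBACK = re.compile(r"No SecurityMetadadata was available for (\S+), using default")
CHECKED = re.compile(r"authorizing user (\S+) for role\(s\) \[([^\]]*)\]")

def audit(lines):
    """Map each queue whose declared roles were ignored to what was checked instead."""
    declared, registered, findings = {}, set(), {}
    reading = pending = None  # queue with an open <security> dump / open fallback
    for line in lines:
        if m := DECLARED.search(line):
            reading = m.group(1)
            declared[reading] = []
        elif reading and (names := ROLE.findall(line)):
            declared[reading] += names
        elif "</security>" in line:
            reading = None
        elif m := REGISTERED.search(line):
            registered.add(m.group(1))
        elif m := FALLBACK.search(line):
            queue = m.group(1)
            # A fallback is a finding only if a config was declared but never registered.
            pending = queue if declared.get(queue) and queue not in registered else None
        elif pending and (m := CHECKED.search(line)):
            entry = findings.setdefault(
                pending, {"declared": declared[pending], "checked": set(), "users": set()})
            entry["users"].add(m.group(1))
            entry["checked"].update(r.strip() for r in m.group(2).split(","))
            pending = None
    return findings

# Constructed sample: a subset of the post's log lines from before the code change.
BEFORE = """\
2007-05-30 10:07:42,552 DEBUG [org.jboss.jms.server.destination.QueueService] Queue[/queue/NotifyQueue] security configuration:
<security>
<role name="guest" read="true" write="true"/>
<role name="commonPublisher" read="false" write="true"/>
<role name="commonSubscriber" read="true" write="true"/>
</security>
2007-05-30 10:08:11,704 DEBUG [org.jboss.jms.server.security.SecurityMetadataStore] No SecurityMetadadata was available for NotifyQueue, using default security config
2007-05-30 10:08:11,704 TRACE [org.jboss.jms.server.security.SecurityMetadataStore] authorizing user commonuser for role(s) [guest]
""".splitlines()

if __name__ == "__main__":
    for queue, f in audit(BEFORE).items():
        print(f"{queue}: declared {f['declared']}, checked {sorted(f['checked'])} for {sorted(f['users'])}")
```

On a busy server, log lines from concurrent requests can interleave, so treat the reported users and checked roles as a lead to confirm against the full trace.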
