Tom, I played around with this some more. Here's my setup and what I'm seeing.
I have a queue called TEST.Q, which gets created when the broker starts up. That is, I have the following in the broker's cfg file.

    <destinations>
      <queue physicalName="TEST.Q" />
    </destinations>

And I see the following DEBUG statement being put out when the broker starts

    DEBUG AbstractRegion - Adding destination: queue://TEST.Q

I then start up my JNDI client (frick) that looks up TEST.Q, creates a consumer object for TEST.Q, and then connects to the broker. Frick does not have admin privileges for TEST.Q, but I see no exceptions being thrown by the broker when frick connects. Here's frick's relevant source code.

    conn = factory.createConnection("frick", "password");
    myQueue = (javax.jms.Queue) ctx.lookup("TEST.Q");
    session = conn.createSession(false,Session.AUTO_ACKNOWLEDGE);
    MessageConsumer receiver = session.createConsumer(myQueue);
    receiver.setMessageListener(this);
    // Start the connection
    conn.start();

I then start up my other JNDI client (frack) that looks up TEST.Q, creates a producer object for TEST.Q and then connects to the broker. Frack also does not have admin privileges for TEST.Q, and when it connects I see the following exception being thrown by the AuthorizationBroker.

    java.lang.SecurityException: User frack is not authorized to create: queue://TEST.Q

I run my test again, but this time I do not have the broker create TEST.Q on startup, and instead have frick (consumer) create it when it connects to the broker; however, frick gets the SecurityException when it connects.

I agree that the AuthorizationBroker shouldn't enforce 'admin' rights if the destination being added already exists. Let me know the JIRA number and I can submit a patch for review.

If you're interested, I have updated our dynamically re-loadable AMQ security plugin to do just that.

http://www.ttmsolutions.com/amqsec.php4

Regards,
Joe

Tom Purcell wrote:
>
> Looks like jira it is. I have not tried the consumer yet. Mind sharing
> your code?
>
> ttmdev wrote:
>>
>> Yup, I'm getting the same thing w/my JNDI producer. However, my consumer
>> has no problem. Perhaps a JIRA is in order ;)
>>
>> Joe
>>
>> Tom Purcell wrote:
>>>
>>> Joe
>>>
>>> Thanks for the follow up. I'm almost where I need to be. I made one
>>> change. I upgraded from AMQ 5.0 to AMQ 5.1. The SecurityException went
>>> away and AMQ came up clean. But I'm still having a problem and I think it
>>> has more to do with my client code than AMQ itself. That is I'm not sure
>>> how to connect.
>>>
>>> When I use dynamic queues my code is straightforward:
>>> requestQueue = queueSession.createQueue("Wile.Jms.Queue.Query.Asset");
>>> queueSender = queueSession.createSender(requestQueue);
>>>
>>> Now that I'm predefining the queues the user that is trying to send to
>>> the queue does not have admin access and therefore cannot create a
>>> queue. In fact I don't want that user to create one. I want that user to
>>> use the one that was created at start up via the AMQ xml configuration
>>> (<destinations>). The problem is with the above code AMQ throws an
>>> exception:
>>> java.lang.SecurityException: User queryuser is not authorized to create:
>>> queue://Wile.Jms.Queue.Query.Asset
>>>
>>> I see why I cannot use createQueue so I'm trying to figure out how to
>>> "findQueue" and it appears the only way is via JNDI. So I tried this:
>>> Queue queue = (Queue)jndiContext.lookup("Wile.Jms.Queue.Query.Asset") ;
>>> queueSender = queueSession.createSender(queue);
>>>
>>> And I get:
>>> java.lang.SecurityException: User queryuser is not authorized to create:
>>> queue://Wile.Jms.Queue.Query.Asset
>>>
>>> So I'm not sure how to connect to a predefined queue. Can you point me
>>> at an example?
>>>
>>> Thanks
>>> Tom
>>>
>>> ttmdev wrote:
>>>>
>>>> FWIW, I have dropped your configuration into my setup (AMQ 5.1, JDK
>>>> 1.5.0_06-b05, Windoze XP Pro)
>>>> and have not encountered your problem.
>>>> I have used both jaasAuthenticationPlugin and simpleAuthenticationPlugin.
>>>>
>>>> Joe
>>>>
>>>> Tom Purcell wrote:
>>>>>
>>>>> Hello
>>>>> I'm trying to get the ActiveMQ authorizationPlugin to work. I'm
>>>>> using the basic jaasAuthenticationPlugin
>>>>> configuration="activemq-domain" properties logon. My activemq.xml,
>>>>> login.conf, users.properties and groups.properties are all in my
>>>>> <AMQ_HOME>/conf directory. My activemq.xml is only slightly different
>>>>> from the example on the site. I have removed jetty, camel and the
>>>>> commandAgent. I'm running AMQ 5.0.0 on JDK 1.5.0_14-b03. I delete
>>>>> <AMQ_HOME>/data/localhost between each run to make sure I come up
>>>>> clean. Everything works... up to a point.
>>>>>
>>>>> If I run without any defined destinations (queues or topics)
>>>>> everything works. Users with authority can access the dynamically
>>>>> created queues. Bad users and bad passwords fail.
>>>>>
>>>>> The problem is I need to run with defined destinations. When I add
>>>>> the following to my activemq.xml:
>>>>> <destinations>
>>>>>   <queue physicalName="wileJmsQueryQueue"/>
>>>>> </destinations>
>>>>>
>>>>> I get the following in the log:
>>>>> 14:11:50,731 | DEBUG | ActiveMQ Journal Checkpoint Worker | AMQPersistenceAdapter | tore.amq.AMQPersistenceAdapter 322 | Checkpoint started.
>>>>> 14:11:50,733 | DEBUG | ActiveMQ Journal Checkpoint Worker | AMQPersistenceAdapter | tore.amq.AMQPersistenceAdapter 354 | Checkpoint done.
>>>>> 14:11:50,921 | DEBUG | main | AbstractRegion | q.broker.region.AbstractRegion 112 | Adding destination: queue://wileJmsQueryQueue
>>>>> 14:11:50,923 | INFO | main | KahaStore | e.activemq.kaha.impl.KahaStore 448 | Kaha Store using data directory /data/apache-activemq-5.0.0/data/localhost/kr-store/data
>>>>> 14:11:50,986 | DEBUG | Checkpoint: queue://wileJmsQueryQueue | AMQMessageStore | vemq.store.amq.AMQMessageStore 328 | Doing batch update... adding: 0 removing: 0
>>>>> 14:11:50,987 | DEBUG | Checkpoint: queue://wileJmsQueryQueue | AMQMessageStore | vemq.store.amq.AMQMessageStore 366 | Batch update done.
>>>>> 14:11:50,993 | DEBUG | main | AMQMessageStore | vemq.store.amq.AMQMessageStore 266 | flush starting ...
>>>>> 14:11:51,014 | DEBUG | main | AbstractRegion | q.broker.region.AbstractRegion 112 | Adding destination: topic://ActiveMQ.Advisory.Queue
>>>>> 14:11:51,025 | INFO | main | BrokerService | .activemq.broker.BrokerService 413 | Using Persistence Adapter: AMQPersistenceAdapter(/data/apache-activemq-5.0.0/data/localhost)
>>>>> 14:11:51,029 | DEBUG | main | AMQMessageStore | vemq.store.amq.AMQMessageStore 266 | flush starting ...
>>>>> 14:11:51,030 | ERROR | main | BrokerService | .activemq.broker.BrokerService 439 | Failed to start ActiveMQ JMS Message Broker. Reason: java.lang.SecurityException: User is not authenticated.
>>>>> java.lang.SecurityException: User is not authenticated.
>>>>>     at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
>>>>>     at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:151)
>>>>>     at org.apache.activemq.broker.region.AbstractRegion.start(AbstractRegion.java:93)
>>>>>     at org.apache.activemq.broker.region.RegionBroker.start(RegionBroker.java:182)
>>>>>     at org.apache.activemq.broker.jmx.ManagedRegionBroker.start(ManagedRegionBroker.java:103)
>>>>>     at org.apache.activemq.broker.TransactionBroker.start(TransactionBroker.java:112)
>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>     at org.apache.activemq.broker.MutableBrokerFilter.start(MutableBrokerFilter.java:163)
>>>>>     at org.apache.activemq.broker.BrokerService.start(BrokerService.java:422)
>>>>>     at org.apache.activemq.xbean.XBeanBrokerService.afterPropertiesSet(XBeanBrokerService.java:46)
>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1201)
>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1171)
>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:425)
>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:251)
>>>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:156)
>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:248)
>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
>>>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:287)
>>>>>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
>>>>>     at org.apache.xbean.spring.context.ResourceXmlApplicationContext.<init>(ResourceXmlApplicationContext.java:64)
>>>>>     at org.apache.xbean.spring.context.ResourceXmlApplicationContext.<init>(ResourceXmlApplicationContext.java:52)
>>>>>     at org.apache.activemq.xbean.XBeanBrokerFactory.createApplicationContext(XBeanBrokerFactory.java:91)
>>>>>     at org.apache.activemq.xbean.XBeanBrokerFactory.createBroker(XBeanBrokerFactory.java:51)
>>>>>     at org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:71)
>>>>>     at org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:54)
>>>>>     at org.apache.activemq.console.command.StartCommand.startBroker(StartCommand.java:112)
>>>>>     at org.apache.activemq.console.command.StartCommand.runTask(StartCommand.java:74)
>>>>>     at org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:51)
>>>>>     at org.apache.activemq.console.command.ShellCommand.runTask(ShellCommand.java:104)
>>>>>     at org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:51)
>>>>>     at org.apache.activemq.console.command.ShellCommand.main(ShellCommand.java:76)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>     at java.lang.reflect.Method.invoke(Method.java:585)
>>>>>     at org.apache.activemq.console.Main.runTaskClass(Main.java:222)
>>>>>     at org.apache.activemq.console.Main.main(Main.java:106)
>>>>> 14:11:51,033 | INFO | main | faultListableBeanFactory | t.DefaultSingletonBeanRegistry 285 | Destroying singletons in [EMAIL PROTECTED]: defining beans [org.springframework.beans.factory.config.PropertyPlaceholderConfigurer,org.apache.activemq.xbean.XBeanBrokerService]; root of factory hierarchy
>>>>> 14:11:51,048 | INFO | ActiveMQ ShutdownHook | BrokerService | .activemq.broker.BrokerService 448 | ActiveMQ Message Broker (localhost, null) is shutting down
>>>>>
>>>>> Note that the broker shuts down.
>>>>>
>>>>> I've tried looking through some AMQ code and the xsd to see if I'm
>>>>> missing something in the configuration and I'm at a loss. My
>>>>> activemq.xml (with destinations) is below. Any thoughts will be
>>>>> appreciated.
>>>>>
>>>>> Thanks
>>>>> Tom
>>>>>
>>>>> <beans
>>>>>   xmlns="http://www.springframework.org/schema/beans"
>>>>>   xmlns:amq="http://activemq.org/config/1.0"
>>>>>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>>   xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>>>   http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>>>>   http://activemq.org/config/1.0
>>>>>   http://activemq.apache.org/schema/activemq-core-5.0.0.xsd
>>>>>   http://activemq.apache.org/camel/schema/spring
>>>>>   http://activemq.apache.org/camel/schema/spring/camel-spring.xsd">
>>>>>
>>>>>   <!-- Allows us to use system properties as variables in this configuration file -->
>>>>>   <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>>>>>
>>>>>   <broker xmlns="http://activemq.org/config/1.0" brokerName="localhost" dataDirectory="${activemq.base}/data">
>>>>>     <destinations>
>>>>>       <queue physicalName="wileJmsQueryQueue"/>
>>>>>     </destinations>
>>>>>     <!-- The transport connectors ActiveMQ will listen to -->
>>>>>     <transportConnectors>
>>>>>       <transportConnector name="openwire" uri="tcp://localhost:61616" discoveryUri="multicast://default"/>
>>>>>       <transportConnector name="ssl" uri="ssl://localhost:61617"/>
>>>>>       <transportConnector name="stomp" uri="stomp://localhost:61613"/>
>>>>>       <transportConnector name="xmpp" uri="xmpp://localhost:61222"/>
>>>>>     </transportConnectors>
>>>>>
>>>>>     <!-- The store and forward broker networks ActiveMQ will listen to -->
>>>>>     <networkConnectors>
>>>>>       <networkConnector name="default-nc" uri="multicast://default"/>
>>>>>     </networkConnectors>
>>>>>
>>>>>     <plugins>
>>>>>       <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
>>>>>       <jaasAuthenticationPlugin configuration="activemq-domain"/>
>>>>>       <!-- lets configure a destination based authorization mechanism -->
>>>>>       <authorizationPlugin>
>>>>>         <map>
>>>>>           <authorizationMap>
>>>>>             <authorizationEntries>
>>>>>               <authorizationEntry queue=">" read="all" write="all" admin="all"/>
>>>>>               <authorizationEntry topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all"/>
>>>>>             </authorizationEntries>
>>>>>             <tempDestinationAuthorizationEntry>
>>>>>               <tempDestinationAuthorizationEntry read="all" write="all" admin="all"/>
>>>>>             </tempDestinationAuthorizationEntry>
>>>>>           </authorizationMap>
>>>>>         </map>
>>>>>       </authorizationPlugin>
>>>>>     </plugins>
>>>>>   </broker>
>>>>> </beans>

--
View this message in context: http://www.nabble.com/Secutiry-and-Predefined-Destinations-tp17370190s2354p17460994.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
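
A simplified model of the admin check discussed in this thread, as an added example that is not ActiveMQ source code and not code from any poster. The class, its methods and the "system" admin user are hypothetical; frack and TEST.Q are the names used in the message above. It contrasts requiring 'admin' on an add-destination request for a queue that already exists with requiring it only when a destination is actually created.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Hypothetical model of the decision only; not the ActiveMQ AuthorizationBroker.
public class AdminCheckModel {
    private final Set<String> existing = new HashSet<>();            // destinations already on the broker
    private final Map<String, Set<String>> admins = new HashMap<>(); // destination -> users holding admin

    // Stands in for a <destinations> entry created by the broker at startup.
    void predefine(String dest, String adminUser) {
        existing.add(dest);
        admins.computeIfAbsent(dest, d -> new HashSet<>()).add(adminUser);
    }

    private void requireAdmin(String user, String dest) {
        if (!admins.getOrDefault(dest, Collections.emptySet()).contains(user)) {
            throw new SecurityException("User " + user + " is not authorized to create: " + dest);
        }
    }

    // Models the check frack hit: admin is required even though the queue exists.
    void addDestinationStrict(String user, String dest) {
        requireAdmin(user, dest);
        existing.add(dest);
    }

    // Models the behaviour proposed in the thread: admin only for a real creation.
    void addDestinationIfAbsent(String user, String dest) {
        if (existing.contains(dest)) return; // nothing is created, so no admin check
        requireAdmin(user, dest);
        existing.add(dest);
    }

    static String attempt(Runnable r) {
        try { r.run(); return "allowed"; }
        catch (SecurityException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        AdminCheckModel broker = new AdminCheckModel();
        broker.predefine("queue://TEST.Q", "system"); // constructed ACL: only "system" holds admin
        System.out.println(attempt(() -> broker.addDestinationStrict("frack", "queue://TEST.Q")));
        System.out.println(attempt(() -> broker.addDestinationIfAbsent("frack", "queue://TEST.Q")));
        System.out.println(attempt(() -> broker.addDestinationIfAbsent("frack", "queue://NEW.Q")));
    }
}
```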