From: Tom Purcell
To: users@activemq.apache.org
Date: Tue, 27 May 2008 06:06:49 -0700 (PDT)
Subject: Re: Secutiry and Predefined Destinations

Joe

It looks like Dejan has created the issue:
https://issues.apache.org/activemq/browse/AMQ-1747 AMQ-1747.


ttmdev wrote:
> Thanks for the help, the code and the confirmation that I wasn't missing
> something.
>
> Thanks
> Tom
>
>
> Tom,
>
> I played around with this some more. Here's my setup and what I'm seeing.
>
> I have a queue called TEST.Q, which gets created when the broker starts
> up. That is, I have the following in the broker's cfg file.
>
> And I see the following DEBUG statement being put out when the broker
> starts
>
> DEBUG AbstractRegion - Adding destination: queue://TEST.Q
>
> I then start up my JNDI client (frick) that looks up TEST.Q, creates a
> consumer object for TEST.Q, and then connects to the broker. Frick does
> not have admin privileges for TEST.Q, but I see no exceptions being
> thrown by the broker when frick connects. Here's frick's relevant source
> code.
>
> conn = factory.createConnection("frick", "password");
> myQueue = (javax.jms.Queue) ctx.lookup("TEST.Q");
> session = conn.createSession(false,Session.AUTO_ACKNOWLEDGE);
> MessageConsumer receiver = session.createConsumer(myQueue);
> receiver.setMessageListener(this);
> // Start the connection
> conn.start();
>
> I then start up my other JNDI client (frack) that looks up TEST.Q, creates
> a producer object for TEST.Q and then connects to the broker. Frack also
> does not have admin privileges for TEST.Q, and when it connects I see the
> following exception being thrown by the AuthorizationBroker.
>
> java.lang.SecurityException: User frack is not authorized to create: queue://TEST.Q
>
> I run my test again, but this time I do not have the broker create TEST.Q
> on startup, and instead have frick (consumer) create it when it connects
> to the broker; however, frick gets the SecurityException when it connects.
>
> I agree that the AuthorizationBroker shouldn't enforce 'admin' rights
> if the destination being added already exists. Let me know the JIRA number
> and I can submit a patch for review.
>
> If you're interested, I have updated our dynamically re-loadable AMQ
> security plugin to do just that.
>
> http://www.ttmsolutions.com/amqsec.php4
>
> Regards,
> Joe
>
>
> Tom Purcell wrote:
>>
>> Looks like jira it is. I have not tried the consumer yet. Mind sharing
>> your code?
>>
>>
>> ttmdev wrote:
>>>
>>> Yup, I'm getting the same thing w/my JNDI producer. However, my consumer
>>> has no problem. Perhaps a JIRA is in order ;)
>>>
>>> Joe
>>>
>>>
>>>
>>> Tom Purcell wrote:
>>>>
>>>> Joe
>>>>
>>>> Thanks for the follow up. I'm almost where I need to be. I made one
>>>> change. I upgraded from AMQ 5.0 to AMQ 5.1. The SecurityException went
>>>> away and AMQ came up clean. But I'm still having a problem and I think it
>>>> has more to do with my client code than AMQ itself. That is I'm not
>>>> sure how to connect.
>>>>
>>>> When I use dynamic queues my code is straightforward:
>>>> requestQueue = queueSession.createQueue("Wile.Jms.Queue.Query.Asset");
>>>> queueSender = queueSession.createSender(requestQueue);
>>>>
>>>> Now that I'm predefining the queues the user that is trying to send to
>>>> the queue does not have admin access and therefore cannot create a
>>>> queue. In fact I don't want that user to create one. I want that user
>>>> to use the one that was created at start up via the AMQ xml
>>>> configuration (). The problem is with the above code AMQ
>>>> throws an exception:
>>>> java.lang.SecurityException: User queryuser is not authorized to create: queue://Wile.Jms.Queue.Query.Asset
>>>>
>>>> I see why I cannot use createQueue so I'm trying to figure out how to
>>>> "findQueue" and it appears the only way is via JNDI. So I tried this:
>>>> Queue queue = (Queue)jndiContext.lookup("Wile.Jms.Queue.Query.Asset");
>>>> queueSender = queueSession.createSender(queue);
>>>>
>>>> And I get:
>>>> java.lang.SecurityException: User queryuser is not authorized to create: queue://Wile.Jms.Queue.Query.Asset
>>>>
>>>> So I'm not sure how to connect to a predefined queue. Can you point me
>>>> at an example?
>>>>
>>>> Thanks
>>>> Tom
>>>>
>>>>
>>>> ttmdev wrote:
>>>>>
>>>>> FWIW, I have dropped your configuration into my setup (AMQ 5.1, JDK
>>>>> 1.5.0_06-b05, Windoze XP Pro)
>>>>> and have not encountered your problem. I have used both
>>>>> jaasAuthenticationPlugin and simpleAuthenticationPlugin.
>>>>>
>>>>> Joe
>>>>>
>>>>>
>>>>>
>>>>> Tom Purcell wrote:
>>>>>>
>>>>>> Hello
>>>>>> I'm trying to get the ActiveMQ authorizationPlugin to work. I'm
>>>>>> using the basic jaasAuthenticationPlugin
>>>>>> configuration="activemq-domain" properties logon. My activemq.xml,
>>>>>> login.conf, users.properties and groups.properties are all in my
>>>>>> /conf directory. My activemq.xml is only slightly different
>>>>>> from the example on the site. I have removed jetty, camel and the
>>>>>> commandAgent. I'm running AMQ 5.0.0 on JDK 1.5.0_14-b03. I delete
>>>>>> /data/localhost between each run to make sure I come up
>>>>>> clean. Everything works... up to a point.
>>>>>>
>>>>>> If I run without any defined destinations (queues or topics)
>>>>>> everything works. Users with authority can access the dynamically
>>>>>> created queues. Bad users and bad passwords fail.
>>>>>>
>>>>>> The problem is I need to run with defined destinations. When I add
>>>>>> the following to my activemq.xml:
>>>>>>
>>>>>> I get the following in the log:
>>>>>> 14:11:50,731 | DEBUG | ActiveMQ Journal Checkpoint Worker | AMQPersistenceAdapter | tore.amq.AMQPersistenceAdapter 322 | Checkpoint started.
>>>>>> 14:11:50,733 | DEBUG | ActiveMQ Journal Checkpoint Worker | AMQPersistenceAdapter | tore.amq.AMQPersistenceAdapter 354 | Checkpoint done.
>>>>>> 14:11:50,921 | DEBUG | main | AbstractRegion | q.broker.region.AbstractRegion 112 | Adding destination: queue://wileJmsQueryQueue
>>>>>> 14:11:50,923 | INFO | main | KahaStore | e.activemq.kaha.impl.KahaStore 448 | Kaha Store using data directory /data/apache-activemq-5.0.0/data/localhost/kr-store/data
>>>>>> 14:11:50,986 | DEBUG | Checkpoint: queue://wileJmsQueryQueue | AMQMessageStore | vemq.store.amq.AMQMessageStore 328 | Doing batch update... adding: 0 removing: 0
>>>>>> 14:11:50,987 | DEBUG | Checkpoint: queue://wileJmsQueryQueue | AMQMessageStore | vemq.store.amq.AMQMessageStore 366 | Batch update done.
>>>>>> 14:11:50,993 | DEBUG | main | AMQMessageStore | vemq.store.amq.AMQMessageStore 266 | flush starting ...
>>>>>> 14:11:51,014 | DEBUG | main | AbstractRegion | q.broker.region.AbstractRegion 112 | Adding destination: topic://ActiveMQ.Advisory.Queue
>>>>>> 14:11:51,025 | INFO | main | BrokerService | .activemq.broker.BrokerService 413 | Using Persistence Adapter: AMQPersistenceAdapter(/data/apache-activemq-5.0.0/data/localhost)
>>>>>> 14:11:51,029 | DEBUG | main | AMQMessageStore | vemq.store.amq.AMQMessageStore 266 | flush starting ...
>>>>>> 14:11:51,030 | ERROR | main | BrokerService | .activemq.broker.BrokerService 439 | Failed to start ActiveMQ JMS Message Broker. Reason: java.lang.SecurityException: User is not authenticated.
>>>>>> java.lang.SecurityException: User is not authenticated.
>>>>>>     at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:52)
>>>>>>     at org.apache.activemq.broker.MutableBrokerFilter.addDestination(MutableBrokerFilter.java:151)
>>>>>>     at org.apache.activemq.broker.region.AbstractRegion.start(AbstractRegion.java:93)
>>>>>>     at org.apache.activemq.broker.region.RegionBroker.start(RegionBroker.java:182)
>>>>>>     at org.apache.activemq.broker.jmx.ManagedRegionBroker.start(ManagedRegionBroker.java:103)
>>>>>>     at org.apache.activemq.broker.TransactionBroker.start(TransactionBroker.java:112)
>>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>>     at org.apache.activemq.broker.BrokerFilter.start(BrokerFilter.java:153)
>>>>>>     at org.apache.activemq.broker.MutableBrokerFilter.start(MutableBrokerFilter.java:163)
>>>>>>     at org.apache.activemq.broker.BrokerService.start(BrokerService.java:422)
>>>>>>     at org.apache.activemq.xbean.XBeanBrokerService.afterPropertiesSet(XBeanBrokerService.java:46)
>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1201)
>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1171)
>>>>>>     at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:425)
>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:251)
>>>>>>     at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:156)
>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:248)
>>>>>>     at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:160)
>>>>>>     at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:287)
>>>>>>     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:352)
>>>>>>     at org.apache.xbean.spring.context.ResourceXmlApplicationContext.(ResourceXmlApplicationContext.java:64)
>>>>>>     at org.apache.xbean.spring.context.ResourceXmlApplicationContext.(ResourceXmlApplicationContext.java:52)
>>>>>>     at org.apache.activemq.xbean.XBeanBrokerFactory.createApplicationContext(XBeanBrokerFactory.java:91)
>>>>>>     at org.apache.activemq.xbean.XBeanBrokerFactory.createBroker(XBeanBrokerFactory.java:51)
>>>>>>     at org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:71)
>>>>>>     at org.apache.activemq.broker.BrokerFactory.createBroker(BrokerFactory.java:54)
>>>>>>     at org.apache.activemq.console.command.StartCommand.startBroker(StartCommand.java:112)
>>>>>>     at org.apache.activemq.console.command.StartCommand.runTask(StartCommand.java:74)
>>>>>>     at org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:51)
>>>>>>     at org.apache.activemq.console.command.ShellCommand.runTask(ShellCommand.java:104)
>>>>>>     at org.apache.activemq.console.command.AbstractCommand.execute(AbstractCommand.java:51)
>>>>>>     at org.apache.activemq.console.command.ShellCommand.main(ShellCommand.java:76)
>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>>>>     at java.lang.reflect.Method.invoke(Method.java:585)
>>>>>>     at org.apache.activemq.console.Main.runTaskClass(Main.java:222)
>>>>>>     at org.apache.activemq.console.Main.main(Main.java:106)
>>>>>> 14:11:51,033 | INFO | main | faultListableBeanFactory | t.DefaultSingletonBeanRegistry 285 | Destroying singletons in org.springframework.beans.factory.support.DefaultListableBeanFactory@162dbb6: defining beans [org.springframework.beans.factory.config.PropertyPlaceholderConfigurer,org.apache.activemq.xbean.XBeanBrokerService]; root of factory hierarchy
>>>>>> 14:11:51,048 | INFO | ActiveMQ ShutdownHook | BrokerService | .activemq.broker.BrokerService 448 | ActiveMQ Message Broker (localhost, null) is shutting down
>>>>>>
>>>>>> Note that the broker shuts down.
>>>>>>
>>>>>> I've tried looking through some AMQ code and the xsd to see if
>>>>>> I'm missing something in the configuration and I'm at a loss. My
>>>>>> activemq.xml (with destinations) is below. Any thoughts will be
>>>>>> appreciated.
>>>>>>
>>>>>> Thanks
>>>>>> Tom
>>>>>>
>>>>>> xmlns="http://www.springframework.org/schema/beans"
>>>>>> xmlns:amq="http://activemq.org/config/1.0"
>>>>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>>>
>>>>>> xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>>>> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
>>>>>> http://activemq.org/config/1.0
>>>>>> http://activemq.apache.org/schema/activemq-core-5.0.0.xsd
>>>>>> http://activemq.apache.org/camel/schema/spring
>>>>>> http://activemq.apache.org/camel/schema/spring/camel-spring.xsd">
>>>>>>
>>>>>> class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>>>>>>
>>>>>> brokerName="localhost" dataDirectory="${activemq.base}/data">
>>>>>>
>>>>>> uri="tcp://localhost:61616" discoveryUri="multicast://default"/>
>>>>>> uri="ssl://localhost:61617"/>
>>>>>> uri="stomp://localhost:61613"/>
>>>>>> uri="xmpp://localhost:61222"/>
>>>>>>
>>>>>> uri="multicast://default"/>
>>>>>>
>>>>>> configuration="activemq-domain"/>
>>>>>>
>>>>>> write="all" admin="all"/>
>>>>>> topic="ActiveMQ.Advisory.>" read="all" write="all" admin="all"/>
>>>>>>
>>>>>> read="all" write="all" admin="all"/>
>>>>>>

--
View this message in context: http://www.nabble.com/Secutiry-and-Predefined-Destinations-tp17370190s2354p17490030.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
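
The rule Joe proposes above (enforce 'admin' only when the destination being added does not already exist), as an added example that is not part of the thread and is not ActiveMQ or plugin source. It is a simplified model: the class, the ACL tables and the `system` startup identity are assumptions, and it compares the strict check with the relaxed one, including the case where a non-admin asks for a queue that was never predefined.

```java
import java.util.HashSet;
import java.util.Map;
import java.util.Set;

// Simplified model with hypothetical classes, not ActiveMQ source (needs Java 9+).
public class AddDestinationCheck {
    // Constructed sample data: group membership and the admin ACL per queue.
    static final Map<String, Set<String>> GROUPS = Map.of(
            "system", Set.of("admins"), "frick", Set.of("users"), "frack", Set.of("users"));
    static final Map<String, Set<String>> ADMIN_ACL = Map.of(
            "TEST.Q", Set.of("admins"), "OTHER.Q", Set.of("admins"));

    private final Set<String> existing = new HashSet<>();
    private final boolean skipAdminCheckIfExists;

    AddDestinationCheck(boolean skip) { this.skipAdminCheckIfExists = skip; }

    private static boolean hasAdmin(String user, String queue) {
        Set<String> allowed = ADMIN_ACL.getOrDefault(queue, Set.of()); // no entry: deny
        return GROUPS.getOrDefault(user, Set.of()).stream().anyMatch(allowed::contains);
    }

    // In this model, invoked when a client attaches to a queue, existing or not.
    void addDestination(String user, String queue) {
        boolean alreadyThere = existing.contains(queue);
        if (!(skipAdminCheckIfExists && alreadyThere) && !hasAdmin(user, queue)) {
            throw new SecurityException("User " + user + " is not authorized to create: queue://" + queue);
        }
        existing.add(queue); // no-op when the queue already exists
    }

    static String attempt(AddDestinationCheck broker, String user, String queue) {
        try {
            broker.addDestination(user, queue);
            return "allowed";
        } catch (SecurityException e) {
            return "denied (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        for (boolean relaxed : new boolean[] {false, true}) {
            AddDestinationCheck broker = new AddDestinationCheck(relaxed);
            broker.addDestination("system", "TEST.Q"); // predefined at broker startup
            System.out.println("skipAdminCheckIfExists=" + relaxed);
            System.out.println("  frack -> TEST.Q:  " + attempt(broker, "frack", "TEST.Q"));
            System.out.println("  frack -> OTHER.Q: " + attempt(broker, "frack", "OTHER.Q"));
        }
    }
}
```

With the relaxed rule only the predefined TEST.Q becomes reachable for frack; OTHER.Q is still refused because creating it requires the admin right.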