JBoss.org Community Documentation

7.3.7. org.jboss.mq.security.SecurityManager

If the org.jboss.mq.security.SecurityManager is part of the interceptor stack, it enforces the access control lists assigned to the destinations. The SecurityManager uses JAAS, and as such requires that an application policy be set up in the JBoss login-config.xml file. The default configuration is shown below. Note that the unauthenticatedIdentity option assigns the guest identity to any client that connects without credentials, so whatever the guest role is permitted to do on a destination is effectively permitted to anonymous clients; remove that option, or restrict the guest role in the destination security configuration, if anonymous access is not wanted.

<application-policy name="jbossmq">
    <authentication>
        <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule"
                      flag="required">
            <module-option name="unauthenticatedIdentity">guest</module-option>
            <module-option name="dsJndiName">java:/DefaultDS</module-option>
            <module-option name="principalsQuery">SELECT PASSWD FROM JMS_USERS
                WHERE USERID=?</module-option>
            <module-option name="rolesQuery">SELECT ROLEID, 'Roles' FROM
                JMS_ROLES WHERE USERID=?</module-option>
        </login-module>
    </authentication>
</application-policy>

The configurable attributes of the SecurityManager are as follows:

  • NextInterceptor : The JMX ObjectName of the next request interceptor. This attribute is used by all the interceptors to create the interceptor stack. The last interceptor in the chain should be the DestinationManager.

  • SecurityDomain : Specify the security domain name to use for authentication and role based authorization. This is the JNDI name of the JAAS domain to be used to perform authentication and authorization against.

  • DefaultSecurityConfig : This element specifies the default security configuration settings for destinations. It applies to temporary queues and topics, as well as to queues and topics that do not specify a security configuration of their own. The DefaultSecurityConfig declares one or more role elements, each representing a role that is allowed access to a destination. Each role has the following attributes:

    • name : The name attribute defines the name of the role.

    • create : The create attribute is a true/false value that indicates whether the role has the ability to create durable subscriptions on the topic.

    • read : The read attribute is a true/false value that indicates whether the role can receive messages from the destination.

    • write : The write attribute is a true/false value that indicates whether the role can send messages to the destination.
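The following is an added example, not taken from the original page, of how these attributes are expressed in JBoss MQ service descriptors. It shows the SecurityManager MBean with a DefaultSecurityConfig that lets the guest role (the identity anonymous clients receive under the login-config.xml above) read and write but not create durable subscriptions, together with a topic that overrides that default with its own SecurityConf so that only an assumed publisher role may send and only an assumed durpublisher role may create durable subscriptions. The SecurityDomain value java:/jaas/jbossmq is the JNDI name under which the jbossmq application policy above is bound; the destination name, the role names other than guest, and the decision to deny guest write access on that topic are assumptions made for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<server>

  <!-- SecurityManager interceptor (normally in jbossmq-service.xml).
       Authentication and authorization are delegated to the JAAS
       domain bound under java:/jaas/jbossmq, i.e. the "jbossmq"
       application-policy shown above. -->
  <mbean code="org.jboss.mq.security.SecurityManager"
         name="jboss.mq:service=SecurityManager">

    <!-- Default ACL for temporary destinations and for any queue or
         topic that carries no SecurityConf of its own. Anonymous
         clients map to "guest" via unauthenticatedIdentity, so this
         is also the anonymous ACL: read/write allowed, durable
         subscriptions (create) denied. -->
    <attribute name="DefaultSecurityConfig">
      <security>
        <role name="guest" read="true" write="true" create="false"/>
      </security>
    </attribute>

    <attribute name="SecurityDomain">java:/jaas/jbossmq</attribute>

    <!-- Last interceptor in the chain must be the DestinationManager. -->
    <depends optional-attribute-name="NextInterceptor">
      jboss.mq:service=DestinationManager
    </depends>
  </mbean>

  <!-- Example topic (normally in jbossmq-destinations-service.xml).
       "alerts" and the publisher/durpublisher role names are assumed
       for this example. Its SecurityConf replaces the default ACL
       entirely for this destination, so every role that needs access
       must be listed here. -->
  <mbean code="org.jboss.mq.server.jmx.Topic"
         name="jboss.mq.destination:service=Topic,name=alerts">
    <depends optional-attribute-name="DestinationManager">
      jboss.mq:service=DestinationManager
    </depends>
    <depends optional-attribute-name="SecurityManager">
      jboss.mq:service=SecurityManager
    </depends>

    <attribute name="SecurityConf">
      <security>
        <!-- Anonymous clients may only receive. -->
        <role name="guest"        read="true" write="false" create="false"/>
        <!-- Authenticated publishers may send but not hold durable state. -->
        <role name="publisher"    read="true" write="true"  create="false"/>
        <!-- Only this role may create durable subscriptions. -->
        <role name="durpublisher" read="true" write="true"  create="true"/>
      </security>
    </attribute>
  </mbean>

</server>
```

Because a destination's SecurityConf replaces rather than extends the DefaultSecurityConfig, omitting a role from it denies that role all access to the destination; in this example the default ACL is what protects destinations that have no SecurityConf, so it is the setting to tighten first when anonymous clients must not be able to send messages.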