GLASSFISH-18715: Cannot deny user(s) from producing messages for queues

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 3.1.2
    • Fix Version/s: 4.1
    • Component/s: jms
    • Labels:
      None
    • Environment:

      RHEL5, OpenMQ 4.5, PostgreSQL as persistent store, OpenLDAP as user repository

      Description

      My broker has the following in etc/accesscontrol.properties

      ###
      version=JMQFileAccessControlModel/100
      connection.NORMAL.allow.user=*
      connection.ADMIN.allow.group=admins

      queue.*.produce.allow.user=*
      queue.*.consume.allow.user=*

      queue.queuename.produce.deny.user=someone
      ###

      What happens:

      • the user 'someone' is allowed to create a producer for queue 'queuename'

      What was expected:

      • the user 'someone' should be denied when trying to create a producer for queue 'queuename'

      Other notes:

      • if this same type of scenario is repeated for a topic, things work as expected
      • if instead we deny consuming from a queue (e.g. queue.queuename.consume.deny.user=someone) rather than producing to it, things work as expected

      Seems odd that just this one scenario causes a problem, so it may be worth trying similar ones.

        Issue Links

          Activity

          ashie1287 created issue -
          ashie1287 added a comment -

          Did not know that the summary field of the bug uses some kind of markup. Here is what I meant for the accesscontrol.properties file:

          ###
          version=JMQFileAccessControlModel/100
          connection.NORMAL.allow.user=*
          connection.ADMIN.allow.group=admins

          queue.*.produce.allow.user=*
          queue.*.consume.allow.user=*

          queue.queuename.produce.deny.user=someone
          ###

          David Zhao made changes -
          Fix Version/s: (none) -> 4.0.1 [ 16061 ]
          David Zhao added a comment -

          This partially depends on MQ-307 for applying custom username/password to create connection/producer.

          David Zhao made changes -
          Link This issue depends on MQ-307 [ MQ-307 ]
          David Zhao added a comment -

          Add dependency on MQ-308

          David Zhao made changes -
          Link This issue depends on MQ-308 [ MQ-308 ]
          David Zhao made changes -
          Tags 4_0_1-review
          alan42 made changes -
          Tags 4_0_1-review
          alan42 made changes -
          Tags 4_0_1-reviewed
          amyk made changes -
          Link This issue depends on MQ-354 [ MQ-354 ]
          amyk made changes -
          Link This issue is related to MQ-355 [ MQ-355 ]
          amyk added a comment (edited)

          Another issue related to this case, discovered by David Zhao, is that if a GlassFish JMS connection factory resource is accessed through the following non-standard path, the username/password in ConnectionFactory.createConnection(username, password) doesn't take effect. In this access path, the GlassFish connector accesses JMSRA in neither the AppClient container nor the EJB/Web container. David, it may be necessary to require that the sign-on information be specified in the JMS resource itself, that is via 'asadmin create-jms-resource --property UserName=username:Password=password'? At least that's a workaround.

          ---------------------------------------
          "
          Use a standalone GF server with JMS Service of EMBEDDED or LOCAL.
          Add a new imq user "imqusermgr add -u myuser -p mypass -g user"
          In imq's accesscontrol.properties, add a line "connection.NORMAL.deny.user=guest" to deny guest a connection.
          Start GF domain
          Create JMS connection factory "asadmin create-jms-resource --target server --restype javax.jms.QueueConnectionFactory jms/myFactory ".
          Create a JavaSE JMS client application:

          import java.util.Properties;
          import javax.jms.Connection;
          import javax.jms.ConnectionFactory;
          import javax.naming.Context;
          import javax.naming.InitialContext;

          // GlassFish naming provider and the ORB endpoint of the remote server
          Properties jndiProps = new Properties();
          jndiProps.put("java.naming.factory.initial", "com.sun.enterprise.naming.impl.SerialInitContextFactory");
          jndiProps.put("java.naming.factory.url.pkgs", "com.sun.enterprise.naming");
          jndiProps.put("java.naming.factory.state", "com.sun.corba.ee.impl.presentation.rmi.JNDIStateFactoryImpl");
          jndiProps.setProperty("org.omg.CORBA.ORBInitialHost", "localhost");
          jndiProps.setProperty("org.omg.CORBA.ORBInitialPort", "3700");

          Context ctx = new InitialContext(jndiProps);
          ConnectionFactory qconFactory = (ConnectionFactory) ctx.lookup("jms/myFactory");

          // Expected to authenticate to the broker as myuser; observed: guest is used instead
          Connection qcon = qconFactory.createConnection("myuser", "mypass");
          System.out.println(qcon);

          Run the client application remotely against the GF server; you will get the following security exception, which shows that the user being authenticated is guest instead of the expected myuser specified in the ConnectionFactory.createConnection(String username, String password) API.

          SEVERE: MQJMSRA_MC4001: constructor:Aborting:JMSException on createConnection=[C4084]: User authentication failed: user=guest, broker=localhost:7676(58859), error code: C4084
          com.sun.messaging.jms.JMSSecurityException: [C4084]: User authentication failed: user=guest, broker=localhost:7676(58859)
          at com.sun.messaging.jmq.jmsclient.ProtocolHandler.authenticate(ProtocolHandler.java:1124)
          at com.sun.messaging.jmq.jmsclient.ProtocolHandler.hello(ProtocolHandler.java:1041)
          at com.sun.messaging.jmq.jmsclient.ProtocolHandler.hello(ProtocolHandler.java:932)
          ...
          Caused by: com.sun.messaging.jms.JMSSecurityException: [C4084]: User authentication failed: user=guest, broker=localhost:7676(58859)
          at com.sun.messaging.jmq.jmsclient.ProtocolHandler.authenticate(ProtocolHandler.java:1124)
          at com.sun.messaging.jmq.jmsclient.ProtocolHandler.hello(ProtocolHandler.java:1041)
          at com.sun.messaging.jmq.jmsclient.ProtocolHandler.hello(ProtocolHandler.java:932)
          at com.sun.messaging.jmq.jmsclient.ConnectionImpl.hello(ConnectionImpl.java:590)
          at com.sun.messaging.jmq.jmsclient.ConnectionImpl.openConnection(ConnectionImpl.java:2500)
          at com.sun.messaging.jmq.jmsclient.ConnectionImpl.init(ConnectionImpl.java:1156)
          at com.sun.messaging.jmq.jmsclient.ConnectionImpl.<init>(ConnectionImpl.java:468)
          at com.sun.messaging.jmq.jmsclient.UnifiedConnectionImpl.<init>(UnifiedConnectionImpl.java:66)
          at com.sun.messaging.jmq.jmsclient.XAConnectionImpl.<init>(XAConnectionImpl.java:64)
          at com.sun.messaging.XAConnectionFactory.createXAConnection(XAConnectionFactory.java:110)
          at com.sun.messaging.jms.ra.ManagedConnection.<init>(ManagedConnection.java:204)
          ... 21 more

          "

          and David Zhao also commented on 04/Jun/14 07:12 AM (copy/paste from MQ-307), pointing to GlassFish server code:

          "
          The bug is inside ConnectionManagerImpl.internalGetConnection(...), here is the code snippet.

          } else {
              if (prin == null) {   // <--- should it be "if (cxRequestInfo != null)" ?
                  info = new ClientSecurityInfo(cxRequestInfo);
              } else {
                  info = new ClientSecurityInfo(prin);
                  if (prin.equals(defaultPrin)) {

          "
          ---------------------

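The following is an added example, not code from GlassFish or OpenMQ. It evaluates requests against the JMQFileAccessControlModel rule keys seen in this issue (connection.NORMAL/ADMIN, queue/topic produce/consume) so that the verdict an accesscontrol.properties file is meant to give can be written down and compared with what the broker actually does. The precedence it applies is an assumption taken from the reporter's expectation above: a rule naming the exact destination beats a '*' destination rule, a rule naming the user beats a group rule beats '*', equally specific deny beats allow, and anything not explicitly allowed is denied. The sample file is constructed from the reporter's corrected configuration plus the connection.NORMAL.deny.user=guest line from the comment above; the user names are the ones used on this page.

```python
"""Offline evaluator for OpenMQ-style accesscontrol.properties rules (added example).

Assumed precedence (not taken from OpenMQ documentation): exact destination
beats '*', user beats group beats '*', equally specific deny beats allow,
and a request with no matching allow rule is denied.
"""
import re
from dataclasses import dataclass

CONN_RE = re.compile(r"^connection\.(NORMAL|ADMIN)\.(allow|deny)\.(user|group)$")
DEST_RE = re.compile(r"^(queue|topic)\.(.+)\.(produce|consume)\.(allow|deny)\.(user|group)$")


@dataclass(frozen=True)
class Rule:
    resource: str        # "connection", "queue" or "topic"
    variant: str         # NORMAL/ADMIN for connections; destination name or "*" otherwise
    operation: str       # "" for connections; "produce" or "consume" for destinations
    access: str          # "allow" or "deny"
    principal_type: str  # "user" or "group"
    principals: frozenset


def parse_rules(text):
    """Parse a java.util.Properties-style file into Rule objects; unknown keys are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        principals = frozenset(p.strip() for p in value.split(",") if p.strip())
        m = CONN_RE.match(key)
        if m:
            rules.append(Rule("connection", m[1], "", m[2], m[3], principals))
            continue
        m = DEST_RE.match(key)
        if m:
            rules.append(Rule(m[1], m[2], m[3], m[4], m[5], principals))
    return rules


def _principal_specificity(rule, user, groups):
    """3 = names this user, 2 = names one of the user's groups, 1 = '*', None = no match."""
    if rule.principal_type == "user" and user in rule.principals:
        return 3
    if rule.principal_type == "group" and groups & rule.principals:
        return 2
    if "*" in rule.principals:
        return 1
    return None


def _decide(candidates, user, groups, dest_name=None):
    best = None
    for rule in candidates:
        if dest_name is None:
            dest_spec = 0
        elif rule.variant == dest_name:
            dest_spec = 2
        elif rule.variant == "*":
            dest_spec = 1
        else:
            continue
        p_spec = _principal_specificity(rule, user, groups)
        if p_spec is None:
            continue
        # deny is the tie-breaker, so an equally specific deny beats an allow
        score = (dest_spec, p_spec, 1 if rule.access == "deny" else 0)
        if best is None or score > best[0]:
            best = (score, rule.access)
    return best is not None and best[1] == "allow"


def can_connect(rules, service, user, groups=()):
    """May `user` open a NORMAL or ADMIN connection?"""
    cands = [r for r in rules if r.resource == "connection" and r.variant == service]
    return _decide(cands, user, frozenset(groups))


def can_access(rules, dest_type, dest_name, operation, user, groups=()):
    """May `user` produce to / consume from the named queue or topic?"""
    cands = [r for r in rules if r.resource == dest_type and r.operation == operation]
    return _decide(cands, user, frozenset(groups), dest_name)


# Constructed sample: the reporter's corrected file plus the connection deny line
# from the later comment; topic rules added so topics are not denied by default.
SAMPLE_ACL = """
version=JMQFileAccessControlModel/100
connection.NORMAL.allow.user=*
connection.NORMAL.deny.user=guest
connection.ADMIN.allow.group=admins

queue.*.produce.allow.user=*
queue.*.consume.allow.user=*
topic.*.produce.allow.user=*
topic.*.consume.allow.user=*

queue.queuename.produce.deny.user=someone
"""


def expected_verdicts(acl_text=SAMPLE_ACL):
    """Verdicts the file is meant to give; the bug report is that the broker allows the first one."""
    rules = parse_rules(acl_text)
    return {
        "someone produce queuename": can_access(rules, "queue", "queuename", "produce", "someone"),
        "someone produce other": can_access(rules, "queue", "other", "produce", "someone"),
        "someone consume queuename": can_access(rules, "queue", "queuename", "consume", "someone"),
        "bob produce queuename": can_access(rules, "queue", "queuename", "produce", "bob"),
        "guest NORMAL connection": can_connect(rules, "NORMAL", "guest"),
        "myuser NORMAL connection": can_connect(rules, "NORMAL", "myuser"),
        "alice ADMIN connection": can_connect(rules, "ADMIN", "alice", {"admins"}),
        "bob ADMIN connection": can_connect(rules, "ADMIN", "bob", {"users"}),
    }


if __name__ == "__main__":
    for request, allowed in expected_verdicts().items():
        print(f"{request:28s} -> {'ALLOW' if allowed else 'DENY'}")
```

Running it against a copy of the broker's real file gives a table of intended verdicts per user and destination; any row where a live producer or consumer test gives the opposite answer is the kind of discrepancy this issue reports. Note that the garbled form of the file shown in the description (empty principal lists) parses to rules that match nobody, so that variant denies everything.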
          David Zhao made changes -
          Link This issue depends on GLASSFISH-21082 [ GLASSFISH-21082 ]
          Romain Grécourt made changes -
          Fix Version/s: 4.0.1 [ 16061 ] -> 4.1 [ 16387 ]

            People

            • Assignee: David Zhao
            • Reporter: ashie1287
            • Votes: 1
            • Watchers: 3