Securing a JMS Destination

Objectives

  • Configure role-based access control to topics and queues in the messaging subsystem.

Security Domains for Messaging

Red Hat JBoss Enterprise Application Platform (JBoss EAP) contains a message-oriented middleware (MOM) within the messaging-activemq subsystem. The messaging-activemq subsystem has the following security characteristics in the default configuration:

  • Authentication is required only from remote connections.

  • JMS connections are authenticated by using the legacy security domain named other.

  • All deployed applications have access to publish and consume messages on all destinations.

This default configuration allows developers to quickly deploy JMS applications and test them without worrying about security, and without leaving the JBoss EAP instance open to remote attacks. It also allows easy testing of remote JMS applications because the developer only needs to add users and roles to the ApplicationRealm security realm by using the add-user.sh script.

Most production environments probably require three changes:

  • Enable the authentication for locally deployed applications.

  • Change the ActiveMQ security domain to one based on a relational database or LDAP directory.

  • Remove the permissions granted to the guest role.

These changes are implemented by the following commands:

  • To enable authentication for local applications, change the override-in-vm-security attribute to false:

    /subsystem=messaging-activemq/server=default:write-attribute(\
    name=override-in-vm-security,value=false)

  • To change the ActiveMQ security domain, change the security-domain attribute to point to the desired security domain name. For example, to use production-sd as the security domain name for the JMS server, you can use the following CLI command:

    /subsystem=messaging-activemq/server=default:write-attribute(\
    name=security-domain,value=production-sd)
  • After making any of the previous configuration changes, reload the server. In managed domain mode, reload all server instances using the changed profile.

  • There are two ways to remove the permissions granted to the guest role:

    • Remove the guest role child object from the all-destinations (#) security-setting:

      /subsystem=messaging-activemq/server=default/security-setting=#/role=guest:remove

    • Remove the whole all-destinations (#) security-setting:

      /subsystem=messaging-activemq/server=default/security-setting=#:remove

After making those changes, the administrator has to either create security-setting objects granting the correct permissions to the roles associated with ActiveMQ application users, or add new roles to the existing all-destinations security-setting object.

It is important to understand that the ActiveMQ users and roles have no relationship with application users and roles. Remember that MOM is a server by itself. The ActiveMQ users and roles control application access to MOM destinations the same way that database users and roles control application access to the database tables.

Securing a Topic or Queue

The ActiveMQ MOM embedded in JBoss EAP does not configure access rules in destination objects. Access rules are configured in security-setting objects, which work much like the address-setting objects described in the Configuring the Messaging Subsystem chapter. The security-setting objects make it easier to configure access rules consistently for applications that require multiple destinations.

A security-setting name is a wildcard expression that matches the internal ActiveMQ names of one or more destinations. Refer to the references section to learn more about using wildcard expressions for destinations.

A security-setting has child objects of type role. The name of this child object is the role name that is granted access, and its attributes are permissions. ActiveMQ understands the following permissions that loosely correspond to JMS API operations that can be performed on a destination:

  • send: allows publication of messages to the destination.

  • consume: allows consumption of messages from the destination.

  • createDurableQueue: allows creation of durable queues.

  • deleteDurableQueue: allows deletion of durable queues.

  • createNonDurableQueue: allows creation of temporary queues.

  • deleteNonDurableQueue: allows deletion of temporary queues.

  • manage: allows management operations on the destination using a proprietary ActiveMQ API.

There are no permissions specific to JMS Topic resources because ActiveMQ implements a topic as one queue per subscriber. If a client has the consume permission on the jms-topic object, then it has permission to subscribe to that topic.

To grant permissions to a destination for a role, create the role object inside a security-setting object whose name matches the destination, and set the granted permission attributes to true. All other permissions are false by default.

For example, the following commands grant the send and consume permissions to the publisherAndConsumer role on the jms-topic named StockQuotes:

/subsystem=messaging-activemq/server=default/security-setting=\
jms.topic.StockQuotes.#:add()
/subsystem=messaging-activemq/server=default/security-setting=\
jms.topic.StockQuotes.#/role=publisherAndConsumer:add(\
send=true,consume=true)

If multiple security-setting objects match the same destination, then the most specific one overrides the generic ones. In the previous example, if the all-destinations (#) security-setting granted the manage permission to the publisherAndConsumer role, the jms.topic.StockQuotes.# security-setting still denies it, because only the most specific match applies.
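The following added example (not part of the course material) models the two rules above in Python: how a security-setting wildcard name matches a destination name, and how only the most specific matching security-setting decides a role's permissions. The specificity ordering (exact match first, then more literal words and fewer wildcards) and the constructed SETTINGS table are assumptions made for illustration; verify them against the Address Settings chapter for your EAP version.

```python
# Constructed model of ActiveMQ security-setting matching (assumption: exact
# match wins, then more literal words and fewer wildcards count as more specific).

PERMISSIONS = ("send", "consume", "createDurableQueue", "deleteDurableQueue",
               "createNonDurableQueue", "deleteNonDurableQueue", "manage")


def matches(pattern: str, address: str) -> bool:
    """Wildcard match: '.' separates words, '*' matches one word, '#' zero or more."""
    return _match(pattern.split("."), address.split("."))


def _match(pat, words):
    if not pat:
        return not words
    if pat[0] == "#":  # '#' may swallow zero or more words
        return any(_match(pat[1:], words[i:]) for i in range(len(words) + 1))
    if words and pat[0] in ("*", words[0]):
        return _match(pat[1:], words[1:])
    return False


def specificity(pattern: str):
    parts = pattern.split(".")
    literal = sum(1 for p in parts if p not in ("*", "#"))
    return (literal, -parts.count("#"), -parts.count("*"))


def effective_permissions(settings, address, role):
    """Permissions `role` holds on `address`: only the single most specific
    matching security-setting applies, its roles are not merged with others."""
    hits = [p for p in settings if matches(p, address)]
    if not hits:
        return frozenset()
    best = max(hits, key=specificity)
    return frozenset(settings[best].get(role, ()))


def grant_commands(pattern, role, granted):
    """CLI commands (same shape as the StockQuotes example) that create a
    security-setting and a role child granting only `granted`; the rest stay false."""
    base = f"/subsystem=messaging-activemq/server=default/security-setting={pattern}"
    attrs = ",".join(f"{p}=true" for p in PERMISSIONS if p in granted)
    return [f"{base}:add()", f"{base}/role={role}:add({attrs})"]


# Constructed settings mirroring the text: the default all-destinations (#)
# setting grants guest everything and publisherAndConsumer only manage; the
# more specific StockQuotes setting grants publisherAndConsumer send and consume.
SETTINGS = {
    "#": {"guest": set(PERMISSIONS), "publisherAndConsumer": {"manage"}},
    "jms.topic.StockQuotes.#": {"publisherAndConsumer": {"send", "consume"}},
}
```

Running effective_permissions(SETTINGS, "jms.topic.StockQuotes", "publisherAndConsumer") yields only send and consume, and the guest role gets nothing on that topic because the more specific setting does not name it; the trailing .# in the pattern is what also covers the per-subscriber queues created under the topic.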

References

For more information about JMS security configuration, refer to the Messaging Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/configuring_messaging/index#configuring_messaging_security

For more information about the expressions that match destinations, refer to the Address Settings chapter in the Messaging Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/configuring_messaging/index#configure_address_settings

For more information about how to secure destinations by using Elytron, refer to the Using the Elytron Subsystem section in the Messaging Guide in the Red Hat JBoss EAP documentation at https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/configuring_messaging/index#using_the_elytron_subsystem

Revision: ad248-7.4-18a9db2