ActiveMQ Locking down Web Console via LDAP


ActiveMQ Locking down Web Console via LDAP

mtod
I'm in the process of setting up ActiveMQ to use LDAP on Active Directory.

I have it working for the JMS connections, but I'm running into some issues on the Web Console.
I've gone through all the docs and email threads I can find on the subject.
My setup is ActiveMQ loaded locally on a Windows 10 desktop, connecting to my AD domain on a remote server.

I'm using ActiveMQ version 5.14.1

When I access using the Web Console I get this:

HTTP ERROR: 403

Problem accessing /admin/. Reason:

    !role
Powered by Jetty:// 9.3.z-SNAPSHOT

Does anyone have an idea why this would happen?

Thanks
Mike


Here is a snapshot of my console:

jvm 1    |  INFO | jetty-9.3.z-SNAPSHOT
jvm 1    |  INFO | No Spring WebApplicationInitializer types detected on classpath
jvm 1    |  INFO | Refreshing Root WebApplicationContext: startup date [Wed Oct 26 14:00:46 PDT 2016]; root of context hierarchy
jvm 1    |  INFO | Loading XML bean definitions from ServletContext resource [/WEB-INF/webconsole-embedded.xml]
jvm 1    |  INFO | Loading XML bean definitions from ServletContext resource [/WEB-INF/webconsole-query.xml]
jvm 1    |  INFO | Loading properties file from URL [file:../../conf/credentials.properties]
jvm 1    |  INFO | ActiveMQ WebConsole available at http://0.0.0.0:8161/
jvm 1    |  INFO | ActiveMQ Jolokia REST API available at http://0.0.0.0:8161/api/jolokia/
jvm 1    |  INFO | Initializing Spring FrameworkServlet 'dispatcher'
jvm 1    |  INFO | FrameworkServlet 'dispatcher': initialization started
jvm 1    |  INFO | Refreshing WebApplicationContext for namespace 'dispatcher-servlet': startup date [Wed Oct 26 14:00:46 PDT 2016]; parent: Root WebApplicationContext
jvm 1    |  INFO | Loading XML bean definitions from ServletContext resource [/WEB-INF/dispatcher-servlet.xml]
jvm 1    |  INFO | Mapped URL path [/createDestination.action] onto handler '/createDestination.action'
jvm 1    |  INFO | Mapped URL path [/deleteDestination.action] onto handler '/deleteDestination.action'
jvm 1    |  INFO | Mapped URL path [/createSubscriber.action] onto handler '/createSubscriber.action'
jvm 1    |  INFO | Mapped URL path [/deleteSubscriber.action] onto handler '/deleteSubscriber.action'
jvm 1    |  INFO | Mapped URL path [/sendMessage.action] onto handler '/sendMessage.action'
jvm 1    |  INFO | Mapped URL path [/purgeDestination.action] onto handler '/purgeDestination.action'
jvm 1    |  INFO | Mapped URL path [/deleteMessage.action] onto handler '/deleteMessage.action'
jvm 1    |  INFO | Mapped URL path [/copyMessage.action] onto handler '/copyMessage.action'
jvm 1    |  INFO | Mapped URL path [/moveMessage.action] onto handler '/moveMessage.action'
jvm 1    |  INFO | Mapped URL path [/deleteJob.action] onto handler '/deleteJob.action'
jvm 1    |  INFO | Mapped URL path [/retryMessage.action] onto handler '/retryMessage.action'
jvm 1    |  INFO | FrameworkServlet 'dispatcher': initialization completed in 139 ms
jvm 1    |  INFO | Started o.e.j.w.WebAppContext@a49d8a{/admin,file:///C:/Apache/apache-activemq-5.14.1/webapps/admin/,AVAILABLE}
jvm 1    |  INFO | ActiveMQ Console at http://ServerConnector@1a854e0{HTTP/1.1,[http/1.1]}{0.0.0.0:8161}/admin
jvm 1    |  INFO | No Spring WebApplicationInitializer types detected on classpath
jvm 1    |  INFO | jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
jvm 1    |  INFO | Started o.e.j.w.WebAppContext@1362cf8{/api,file:///C:/Apache/apache-activemq-5.14.1/webapps/api/,AVAILABLE}
jvm 1    |  INFO | Apache ActiveMQ REST API at http://ServerConnector@1a854e0{HTTP/1.1,[http/1.1]}{0.0.0.0:8161}/api
jvm 1    |  INFO | Started ServerConnector@1a854e0{HTTP/1.1,[http/1.1]}{0.0.0.0:8161}
jvm 1    |  INFO | Started @2857ms


My Jetty.xml sections that I have changed:

    <bean id="defaultIdentityService" class="org.eclipse.jetty.security.DefaultIdentityService" />
    <bean id="securityLDAPLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
        <property name="name" value="ActiveMQLDAPRealm" />
        <property name="LoginModuleName" value="LDAP-Login" />
        <property name="identityService" ref="defaultIdentityService" />
        <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
    </bean>

    <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="APPDEV043 Admins" />
        <property name="authenticate" value="true" />
    </bean>
    <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="APPDEV043 Admins" />
        <property name="authenticate" value="true" />
    </bean>

    <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
        <property name="realmName" value="ActiveMQLdapRealm" />
        <property name="loginService" ref="securityLDAPLoginService" />
    </bean>


My login.xml:


LDAP-Login {
   org.apache.activemq.jaas.LDAPLoginModule required
     debug=true
     initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
     connectionURL="ldap://corp.local"
     connectionUsername="CN=Mirth Development Service Account,OU=Service Accounts,DC=corp,DC=local"
     connectionPassword="XXXXX"
     connectionProtocol=s
     authentication=simple
     userBase="OU=Service Accounts,DC=corp,DC=local"
     userSearchMatching="(samaccountname={0})"
     userSearchSubtree=true
     roleBase="OU=Server Access Groups,OU=IT Security Groups,OU=Domain Groups,DC=corp,DC=local"
     roleName=CN
     roleSearchMatching="(memberOf={0})"
     roleSearchSubtree=true
     ;
};
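
Editor's note, added to this thread (it is not part of any post above and not ActiveMQ's shipped jetty.xml): Jetty sends 403 with the reason "!role" only after the login itself succeeded, when the authenticated user holds none of the roles named in the constraint that matched the request; a failed LDAP bind would come back as 401. JAASLoginService builds the role list from the principals in the JAAS Subject whose class is listed in roleClassNames, and org.apache.activemq.jaas.LDAPLoginModule represents each matched group as an org.apache.activemq.jaas.GroupPrincipal, not as org.eclipse.jetty.jaas.JAASRole. With the roleClassNames in the first post every AD user therefore authenticates with an empty role set. The jetty.xml fragment below shows the realm wired for that login module. The bean ids, the authenticator and the two ConstraintMapping beans follow the layout of the stock 5.14.x jetty.xml and are assumed to be otherwise unchanged; the group name "APPDEV043 Admins" is the one from the first post. The org.eclipse.jetty.jaas package used here is also the Jetty 9 home of the org.eclipse.jetty.plus.jaas classes that a later post in this thread reports as missing.

```xml
<!-- jetty.xml fragment (editor's added example): the realm, constraints and
     security handler for ActiveMQ's own LDAPLoginModule. Only the parts that
     differ from the stock 5.14.x file are commented. -->

<!-- Jetty 9 ships JAAS support in the jetty-jaas module; the classes live under
     org.eclipse.jetty.jaas (org.eclipse.jetty.plus.jaas no longer exists). -->
<bean id="securityLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
    <property name="name" value="ActiveMQLDAPRealm" />
    <!-- must match the application name in login.config -->
    <property name="loginModuleName" value="LDAP-Login" />
    <!-- LDAPLoginModule adds one GroupPrincipal per matched group. Jetty only
         turns principals of the classes listed here into roles; with the
         default (org.eclipse.jetty.jaas.JAASRole) the role set stays empty
         and every request to a constrained path ends in "403 !role". -->
    <property name="roleClassNames" value="org.apache.activemq.jaas.GroupPrincipal" />
</bean>

<!-- Role names are what roleName=CN in login.config returns: the group's CN
     exactly as it appears in AD. Spring splits this value on commas, so a
     name containing spaces is one role; a CN containing a comma would need
     a <list> instead of a plain value. -->
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="APPDEV043 Admins" />
    <property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="APPDEV043 Admins" />
    <property name="authenticate" value="true" />
</bean>

<!-- Stock mappings: the read-only pages and the Jolokia API fall under
     securityConstraint, the state-changing *.action handlers listed in the
     startup log (createDestination, purgeDestination, sendMessage, ...)
     under adminSecurityConstraint. -->
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="securityConstraint" />
    <property name="pathSpec" value="/api/*,/admin/*,*.jsp" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
    <property name="constraint" ref="adminSecurityConstraint" />
    <property name="pathSpec" value="*.action" />
</bean>

<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="realmName" value="ActiveMQLDAPRealm" />
    <property name="loginService" ref="securityLoginService" />
    <property name="authenticator">
        <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
    </property>
    <property name="constraintMappings">
        <list>
            <ref bean="adminSecurityConstraintMapping" />
            <ref bean="securityConstraintMapping" />
        </list>
    </property>
    <!-- the "handler" property (the HandlerCollection holding the admin and
         api web apps) is unchanged from the stock file and omitted here -->
</bean>
```

Two things in the first post's login.config still stand between this and a working role set, and both are worth checking before blaming Jetty. roleSearchMatching="(memberOf={0})" cannot match anything: LDAPLoginModule substitutes {0} with the user's DN (and {1} with the username), and in Active Directory memberOf lives on the user entry while the group entry lists its members in the member attribute, so the search under roleBase should be "(member={0})". And connectionURL="ldap://corp.local" with authentication=simple sends the service account's password, and the password of every user who logs in to the console, to the domain controller in clear text; ldaps:// (port 636, or 3269 for the global catalog as a later post in this thread uses) keeps the credentials off the wire. While the role check is still broken the console listens on 0.0.0.0:8161 (see the startup log above), so bind it to 127.0.0.1 until a request with valid credentials from a member of the group returns 200, a valid user outside the group returns 403 "!role", and a wrong password returns 401.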


Re: ActiveMQ Locking down Web Console via LDAP

rchander
Hey, did you (or anyone) ever get this working?
It seems like there's a real lack of info on getting the webConsole working with Active Directory.
I've got a very similar setup to yours, and I'm running into the same issue.
I'll be trying a few different things, but it's mostly trial and error at this point... if anyone's got any info, specifically with Active Directory, that'd be great.

Re: ActiveMQ Locking down Web Console via LDAP

Hari
Hi, I tried different things, but I'm still getting the 403 error. If it's worked for anyone, please share the info on how to fix it.
Thanks for the support!


Re: ActiveMQ Locking down Web Console via LDAP

arpitshah_29
Hello All -

I am also stuck in the same limbo. Is there anyone out there who has
successfully locked down the ActiveMQ Console using LDAP?



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: ActiveMQ Locking down Web Console via LDAP

eleipold

I have the same issue with Active Directory and ActiveMQ 5.15.10. The
documentation refers to a cached LDAP configuration. However, that does not
appear to be the correct solution for me. I tried other solutions, including
two login.config configurations, one for the broker and one for the Web
console. The broker is working properly, but the Web console is not. The
problem that I have with the Web console is that
org.eclipse.jetty.plus.jaas.JAASLoginService class no longer exists and I
cannot find a replacement for it.

(from jetty.xml)
    <bean id="securityLoginService" class="org.eclipse.jetty.plus.jaas.JAASLoginService">
        <property name="name" value="ActiveMQLDAPRealm" />
        <property name="LoginModuleName" value="JettyLdapConfiguration"/>
        <property name="CallbackHandlerClass" value="org.eclipse.jetty.plus.jaas.callback.DefaultCallbackHandler" />
        <property name="roleClassNames" value="org.eclipse.jetty.plus.jaas.JAASRole" />
    </bean>

(from login.config)
JettyLdapConfiguration {
  org.eclipse.jetty.plus.jaas.spi.LdapLoginModule required
    debug="true"
    contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
    hostname="********"
    port="3269"
    useLdaps="true"
    bindDn="CN=*****,OU=*******,OU=IntegrationServices,DC=dev,DC=local"
    bindPassword="*************"
    authenticationMethod="simple"
    forceBindingLogin="false"
    userBaseDn="DC=dev,DC=local"
    userRdnAttribute="uid"
    userIdAttribute="uid"
    userObjectClass="Person"
    roleBaseDn="(memberOf=OU=******,OU=**********,DC=dev,DC=local)"
    roleNameAttribute="cn"
    roleMemberAttribute="member"
    roleObjectClass="groupOfNames"
    authenticated="true"
    ;
};


Re: ActiveMQ Locking down Web Console via LDAP

eleipold
With the help of these articles and a couple of others, I think I solved the
problem. Below is a blog that I wrote on it:

https://www.workhorseintegrations.com/2020/05/14/securing-activemq-console-with-ldap/


Re: ActiveMQ Locking down Web Console via LDAP

Tim Bain
Looks great, thanks for sharing.

Tim

On Thu, May 14, 2020, 7:24 AM eleipold <[hidden email]>
wrote:

> With the help of these articles and a couple of others, I think I solved the
> problem. Below is a blog that I wrote on it:
>
>
> https://www.workhorseintegrations.com/2020/05/14/securing-activemq-console-with-ldap/