ActiveMQ Locking down Web Console via LDAP


mtod
I'm in the process of setting up ActiveMQ to use LDAP on Active Directory.

I have it working for the JMS connections but I'm running into some issues on the Web Console.
I've gone through all the docs and email threads I can find on the subject.
My setup is a Windows 10 desktop with ActiveMQ loaded locally, connecting to my AD domain on a remote server.

I'm using ActiveMQ version 5.14.1

When I access using the Web Console I get this:

HTTP ERROR: 403

Problem accessing /admin/. Reason:

    !role
Powered by Jetty:// 9.3.z-SNAPSHOT

Does anyone have an idea why this would happen?

Thanks
Mike


Here is a snapshot of my console:

jvm 1    |  INFO | jetty-9.3.z-SNAPSHOT
jvm 1    |  INFO | No Spring WebApplicationInitializer types detected on classpath
jvm 1    |  INFO | Refreshing Root WebApplicationContext: startup date [Wed Oct 26 14:00:46 PDT 2016]; root of context hierarchy
jvm 1    |  INFO | Loading XML bean definitions from ServletContext resource [/WEB-INF/webconsole-embedded.xml]
jvm 1    |  INFO | Loading XML bean definitions from ServletContext resource [/WEB-INF/webconsole-query.xml]
jvm 1    |  INFO | Loading properties file from URL [file:../../conf/credentials.properties]
jvm 1    |  INFO | ActiveMQ WebConsole available at http://0.0.0.0:8161/
jvm 1    |  INFO | ActiveMQ Jolokia REST API available at http://0.0.0.0:8161/api/jolokia/
jvm 1    |  INFO | Initializing Spring FrameworkServlet 'dispatcher'
jvm 1    |  INFO | FrameworkServlet 'dispatcher': initialization started
jvm 1    |  INFO | Refreshing WebApplicationContext for namespace 'dispatcher-servlet': startup date [Wed Oct 26 14:00:46 PDT 2016]; parent: Root WebApplicationContext
jvm 1    |  INFO | Loading XML bean definitions from ServletContext resource [/WEB-INF/dispatcher-servlet.xml]
jvm 1    |  INFO | Mapped URL path [/createDestination.action] onto handler '/createDestination.action'
jvm 1    |  INFO | Mapped URL path [/deleteDestination.action] onto handler '/deleteDestination.action'
jvm 1    |  INFO | Mapped URL path [/createSubscriber.action] onto handler '/createSubscriber.action'
jvm 1    |  INFO | Mapped URL path [/deleteSubscriber.action] onto handler '/deleteSubscriber.action'
jvm 1    |  INFO | Mapped URL path [/sendMessage.action] onto handler '/sendMessage.action'
jvm 1    |  INFO | Mapped URL path [/purgeDestination.action] onto handler '/purgeDestination.action'
jvm 1    |  INFO | Mapped URL path [/deleteMessage.action] onto handler '/deleteMessage.action'
jvm 1    |  INFO | Mapped URL path [/copyMessage.action] onto handler '/copyMessage.action'
jvm 1    |  INFO | Mapped URL path [/moveMessage.action] onto handler '/moveMessage.action'
jvm 1    |  INFO | Mapped URL path [/deleteJob.action] onto handler '/deleteJob.action'
jvm 1    |  INFO | Mapped URL path [/retryMessage.action] onto handler '/retryMessage.action'
jvm 1    |  INFO | FrameworkServlet 'dispatcher': initialization completed in 139 ms
jvm 1    |  INFO | Started o.e.j.w.WebAppContext@a49d8a{/admin,file:///C:/Apache/apache-activemq-5.14.1/webapps/admin/,AVAILABLE}
jvm 1    |  INFO | ActiveMQ Console at http://ServerConnector@1a854e0{HTTP/1.1,[http/1.1]}{0.0.0.0:8161}/admin
jvm 1    |  INFO | No Spring WebApplicationInitializer types detected on classpath
jvm 1    |  INFO | jolokia-agent: Using policy access restrictor classpath:/jolokia-access.xml
jvm 1    |  INFO | Started o.e.j.w.WebAppContext@1362cf8{/api,file:///C:/Apache/apache-activemq-5.14.1/webapps/api/,AVAILABLE}
jvm 1    |  INFO | Apache ActiveMQ REST API at http://ServerConnector@1a854e0{HTTP/1.1,[http/1.1]}{0.0.0.0:8161}/api
jvm 1    |  INFO | Started ServerConnector@1a854e0{HTTP/1.1,[http/1.1]}{0.0.0.0:8161}
jvm 1    |  INFO | Started @2857ms


My Jetty.xml sections that I have changed:

    <bean id="defaultIdentityService" class="org.eclipse.jetty.security.DefaultIdentityService" />
    <bean id="securityLDAPLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
        <property name="name" value="ActiveMQLDAPRealm" />
        <property name="LoginModuleName" value="LDAP-Login" />
        <property name="identityService" ref="defaultIdentityService" />
        <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
    </bean>

    <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="APPDEV043 Admins" />
        <property name="authenticate" value="true" />
    </bean>
    <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
        <property name="name" value="BASIC" />
        <property name="roles" value="APPDEV043 Admins" />
        <property name="authenticate" value="true" />
    </bean>

    <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
        <property name="realmName" value="ActiveMQLdapRealm" />
        <property name="loginService" ref="securityLDAPLoginService" />


My login.xml:


LDAP-Login {
   org.apache.activemq.jaas.LDAPLoginModule required
     debug=true
     initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
     connectionURL="ldap://corp.local"
     connectionUsername="CN=Mirth Development Service Account,OU=Service Accounts,DC=corp,DC=local"
     connectionPassword="XXXXX"
     connectionProtocol=s
     authentication=simple
     userBase="OU=Service Accounts,DC=corp,DC=local"
     userSearchMatching="(samaccountname={0})"
     userSearchSubtree=true
     roleBase="OU=Server Access Groups,OU=IT Security Groups,OU=Domain Groups,DC=corp,DC=local"
     roleName=CN
     roleSearchMatching="(memberOf={0})"
     roleSearchSubtree=true
     ;
};
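
Jetty answers 403 with reason `!role` when the login itself succeeded but none of the roles it mapped for the user matches the constraint. The following is an added example, not part of the original post and not ActiveMQ or Jetty code: it lints the chain from LDAP group search to JAAS principal to Jetty role, using constructed inputs that mirror the post. The names `parse_jaas`, `diagnose`, `ROLE_PRINCIPAL` and `JETTY_DEFAULT`, and the one-entry module table, are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Principal class a login module attaches per group (only this module is covered).
ROLE_PRINCIPAL = {"org.apache.activemq.jaas.LDAPLoginModule":
                  "org.apache.activemq.jaas.GroupPrincipal"}
JETTY_DEFAULT = "org.eclipse.jetty.jaas.JAASRole"

# Constructed inputs mirroring the values quoted in the post.
JETTY_XML = """<beans>
  <bean id="securityLDAPLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
    <property name="name" value="ActiveMQLDAPRealm" />
    <property name="LoginModuleName" value="LDAP-Login" />
    <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
  </bean>
</beans>"""
JAAS_CONF = """LDAP-Login {
   org.apache.activemq.jaas.LDAPLoginModule required
     roleName=CN
     roleSearchMatching="(memberOf={0})"
     ;
};"""

def parse_jaas(text):
    """Return {entry name: (module class, options)} for a JAAS login config."""
    entries = {}
    for name, body in re.findall(r"([\w-]+)\s*\{(.*?)\}\s*;", text, re.S):
        pairs = re.findall(r'(\w+)\s*=\s*("[^"]*"|[^\s;]+)', body)
        entries[name] = (body.split()[0], {k: v.strip('"') for k, v in pairs})
    return entries

def diagnose(jetty_xml, jaas_conf):
    """Lint the LDAP group -> JAAS principal -> Jetty role chain."""
    findings, jaas = [], parse_jaas(jaas_conf)
    for bean in ET.fromstring(jetty_xml).iter():
        if not bean.get("class", "").endswith(".JAASLoginService"):
            continue
        props = {p.get("name"): p.get("value") for p in bean}
        entry = props.get("LoginModuleName") or props.get("name")
        if entry not in jaas:
            findings.append(f"no JAAS entry named {entry!r}")
            continue
        module, opts = jaas[entry]
        emitted = ROLE_PRINCIPAL.get(module)
        accepted = (props.get("roleClassNames") or JETTY_DEFAULT).split(",")
        if emitted and emitted not in accepted:
            findings.append(f"roleClassNames lacks {emitted}; its groups are not mapped to roles")
        if "memberof=" in opts.get("roleSearchMatching", "").lower():
            findings.append("roleSearchMatching filters on memberOf; AD group entries list 'member'")
    return findings
```

On the constructed inputs `diagnose(JETTY_XML, JAAS_CONF)` returns two findings; whether the role named in the constraint equals the group's `CN` still has to be checked against the directory itself.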






Re: ActiveMQ Locking down Web Console via LDAP

rchander
Hey, did you (or anyone) ever get this working?
It seems like there's a real lack of info trying to get the webConsole working with Active Directory.
I've got a very similar setup to yours, and I'm running into the same issue.
I'll be trying a few different things, but it's mostly trial and error at this point...if anyone's got any info, specifically with Active Directory, that'd be great.

Re: ActiveMQ Locking down Web Console via LDAP

Hari
Hi, I tried different things, but I'm still getting the 403 error. If it's worked for anyone, please share the info on how to fix it.
Thanks for the support!
