ActiveMQ and JAAS Authorization

ERP
Hello,

I have been working on a custom login module using JAAS for ActiveMQ.
I got authentication to work, but when I add the authorizationPlugin, I get
the following error:

> java.lang.SecurityException: User user is not authorized to create: topic://ActiveMQ.Advisory.Connection
>     at org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:115)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:174)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:454)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.jmx.ManagedRegionBroker.send(ManagedRegionBroker.java:293)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:909)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:836)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:831)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.advisory.AdvisoryBroker.addConnection(AdvisoryBroker.java:125)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:71)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:849)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)[activemq-client-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:336)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:200)[activemq-broker-5.15.9.jar:5.15.9]
>     at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)[activemq-client-5.15.9.jar:5.15.9]
>     at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)[activemq-client-5.15.9.jar:5.15.9]
>     at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)[activemq-client-5.15.9.jar:5.15.9]
>     at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)[activemq-client-5.15.9.jar:5.15.9]
>     at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)[activemq-client-5.15.9.jar:5.15.9]
>     at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.15.9.jar:5.15.9]
>     at java.lang.Thread.run(Thread.java:748)[:1.8.0_211]

I can't seem to figure out what's the problem. When I change my
jaasAuthenticationPlugin to "<jaasAuthenticationPlugin
configuration="activemq-domain"/>" (which uses
"org.apache.activemq.jaas.PropertiesLoginModule") everything works as
expected. However, when I use my own custom LoginModule:

activemq.xml

> <jaasAuthenticationPlugin configuration="my-custom-login"/>
>

login.config

> my-custom-login {
>     x.x.x.x.x.x.PropertiesLoginModule required
>         debug=true
>         org.apache.activemq.jaas.properties.user="users.properties"
>         org.apache.activemq.jaas.properties.group="groups.properties"
>         reload=true;
> };
>

I get the error shown above. PropertiesLoginModule in "my-custom-login" is
basically a copy of (
https://github.com/apache/activemq/tree/master/activemq-jaas/src/main/java/org/apache/activemq/jaas
).

For reference, this is my authenticationPlugin:

> <authorizationPlugin>
>     <map>
>         <authorizationMap>
>             <authorizationEntries>
>                 <authorizationEntry queue=">" read="admins" write="admins,users" admin="admins"/>
>                 <authorizationEntry queue="USERS.>" read="users" write="users" admin="users"/>
>                 <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users"/>
>                 <authorizationEntry topic=">" read="admins" write="admins,users" admin="admins"/>
>                 <authorizationEntry topic="USERS.>" read="users" write="users" admin="users"/>
>                 <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users"/>
>                 <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
>             </authorizationEntries>
>             <!--
>              let's assign roles to temporary destinations. comment
>              this entry if we don't want any roles assigned to temp destinations
>             -->
>             <tempDestinationAuthorizationEntry>
>                 <tempDestinationAuthorizationEntry read="tempDestinationAdmins" write="tempDestinationAdmins" admin="tempDestinationAdmins"/>
>             </tempDestinationAuthorizationEntry>
>         </authorizationMap>
>     </map>
> </authorizationPlugin>


users.properties:

> admin=admin
> user=password
> publisher=password
> consumer=password
> guest=password
>

groups.properties:

> admins=admin,user
> users=user,admin
> publishers=admin,publisher
> consumers=admin,publisher,consumer
> guests=guest


Any pointers? I want to change the authentication in login from
PropertiesLoginModule.
Thanks.

Re: ActiveMQ and JAAS Authorization

ERP
Does authorization work with a custom JAAS Login Module? With the
configuration I have, this seems to work with the SimpleAuthenticationPlugin
and even <jaasAuthenticationPlugin
configuration="activemq-domain"/> (with the default LoginEntry), but just
not <jaasAuthenticationPlugin configuration="MyCustomModule"/> despite it
working for Authentication (with that same custom Login Module).



--
Sent from: http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html

Re: ActiveMQ and JAAS Authorization

ERP
In reply to this post by ERP
Okay, so I found a workaround(?) I literally cloned the actual project from
the activemq github
(https://github.com/apache/activemq/tree/master/activemq-jaas) and replaced
the code for PropertiesLoginModule with my code. Then, I recreated the jar
and, for some reason, that works.

Is there a specific way to package the project (or are there specifics of
what has to be in the pom.xml)? I am using Maven.



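A likely explanation for the behaviour reported in this thread, shown as an added example that is not part of the original posts or ActiveMQ's own code: the authorization map builds its ACLs from `org.apache.activemq.jaas.GroupPrincipal` by default, so a login module that attaches a copy of that class from another package authenticates the user but never matches an ACL entry. The sketch assumes the custom module copied `GroupPrincipal` along with `PropertiesLoginModule`; the nested classes and the `isInOneOf` helper are hypothetical stand-ins that model the check as a set intersection.

```java
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class GroupClassMismatchDemo {
    // Equality in the style of a JAAS group principal: same runtime class AND same name.
    static abstract class NamedPrincipal implements Principal {
        private final String name;
        NamedPrincipal(String name) { this.name = name; }
        @Override public String getName() { return name; }
        @Override public boolean equals(Object o) {
            return o != null && getClass() == o.getClass()
                    && name.equals(((NamedPrincipal) o).name);
        }
        @Override public int hashCode() { return name.hashCode(); }
    }

    // Hypothetical stand-in for org.apache.activemq.jaas.GroupPrincipal.
    static final class BrokerGroupPrincipal extends NamedPrincipal {
        BrokerGroupPrincipal(String name) { super(name); }
    }

    // Hypothetical stand-in for a copy of that class in the custom module's package.
    static final class CopiedGroupPrincipal extends NamedPrincipal {
        CopiedGroupPrincipal(String name) { super(name); }
    }

    // Assumed model of the authorization check: subject principals intersected with the ACL.
    static boolean isInOneOf(Set<Principal> subject, Set<Principal> acl) {
        Set<Principal> common = new HashSet<>(subject);
        common.retainAll(acl);
        return !common.isEmpty();
    }

    static Set<Principal> setOf(Principal... p) { return new HashSet<>(Arrays.asList(p)); }

    public static void main(String[] args) {
        // admin ACL of the topic="ActiveMQ.Advisory.>" entry from the post: guests,users
        Set<Principal> adminAcl = setOf(new BrokerGroupPrincipal("guests"), new BrokerGroupPrincipal("users"));
        // groups.properties from the post places "user" in admins and users
        Set<Principal> viaCopy = setOf(new CopiedGroupPrincipal("admins"), new CopiedGroupPrincipal("users"));
        Set<Principal> viaStock = setOf(new BrokerGroupPrincipal("admins"), new BrokerGroupPrincipal("users"));

        System.out.println("copied principal class authorized: " + isInOneOf(viaCopy, adminAcl));
        System.out.println("stock principal class authorized:  " + isInOneOf(viaStock, adminAcl));
    }
}
```

If this is the cause, the custom module can depend on the activemq-jaas artifact and add its `UserPrincipal` and `GroupPrincipal` instances to the subject instead of copies, or the authorization entries can name the custom class through their `groupClass` attribute.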