Help with SimpleAuthenticationPlugin


Help with SimpleAuthenticationPlugin

nazgul
Hi,

Can anyone help me configure the broker using SimpleAuthenticationPlugin?

I've already tried these in activemq.xml:
<beans ...>
  <broker ...>
    ...
    <plugins>
      <simpleAuthenticationPlugin userGroups="#groups" userPasswords="#users"/>
    </plugins>
  </broker>
  ...
  <bean id="users" class="java.util.HashMap">
    <property name="user1" value="user1"/>
    <property name="user2" value="user2"/>
  </bean>
  <bean id="groups" class="java.util.HashMap">
    <property name="user1" value="admin"/>
    <property name="user2" value="admin"/>
  </bean>
  ...
</beans>

And when I start the broker, it's returning an error creating bean.

Can anyone help me, pls?

Re: Help with SimpleAuthenticationPlugin

Adrian Co
Hi,

Could you post the complete exception?

This could well be a namespace issue. Try adding an empty xmlns to your
spring beans:

  <bean id="users" class="java.util.HashMap" xmlns="">
    <property name="user1" value="user1"/>
    <property name="user2" value="user2"/>
  </bean>

Refer to this thread also, in case this is your issue:
http://www.nabble.com/Refreshing+authorizationPlugin++config-t1368949.html#a3889989

Hope this helps. :)

Regards,
Adrian Co

nazgul wrote:

>Hi,
>
>Can anyone help me configure the broker using SimpleAuthenticationPlugin?
>
>I've already tried these in activemq.xml:
><beans ...>
>  <broker ...>
>    ...
>    <plugins>
>      <simpleAuthenticationPlugin userGroups="#groups"
>userPasswords="#users"/>
>    </plugins>
>  </broker>
>  ...
>  <bean id="users" class="java.util.HashMap">
>    <property name="user1" value="user1"/>
>    <property name="user2" value="user2"/>
>  </bean>
>  <bean id="groups" class="java.util.HashMap">
>    <property name="user1" value="admin"/>
>    <property name="user2" value="admin"/>
>  </bean>
>  ...
></beans>
>
>And when I start the broker, it's returning an error creating bean.
>
>Can anyone help me, pls?
>


Re: Help with SimpleAuthenticationPlugin

nazgul
Hi Adrian, thanks for the quick reply.

Here is the exception encountered when I start the broker:

Loading message broker from: xbean:activemq.xml

ERROR: java.lang.RuntimeException: Failed to execute start task. Reason: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined in class path resource [activemq.xml]: Can't resolve reference to bean 'groups' while setting property 'userGroups'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'groups' defined in class path resource [activemq.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?

ERROR: java.lang.Exception: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined in class path resource [activemq.xml]: Can't resolve reference to bean 'groups' while setting property 'userGroups'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'groups' defined in class path resource [activemq.xml]: Error setting property values; nested exception is org.springframework.beans.NotWritablePropertyException: Invalid property 'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not writable or has an invalid setter method: Does the parameter type of the setter match the return type of the getter?

What happened with my configuration? Did I configure it wrong?

All I want to do is require simple authentication when clients connect to the broker. I've tried using JAAS, but the client returns an error when authenticating to the broker; the exception is a JMSException, something about the user not being authorized to create the ActiveMQ.Advisory.Connection topic.

Where can I get the full reference to the XML configuration?

Regards,
Ferry
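
The exception above arises because Spring reads `<property name="user1" .../>` as a call to `setUser1()` on the `java.util.HashMap` bean. The lint below is an added example, not part of the original posts or of ActiveMQ: it flags that pattern, unresolved `#bean` references on the plugin, and passwords equal to the user name. The function and rule names are hypothetical, and the sample is the posted configuration with the elided parts dropped.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the configuration from the first post, with the
# elided "..." parts dropped so that it parses.
BROKEN = """\
<beans>
  <broker>
    <plugins>
      <simpleAuthenticationPlugin userGroups="#groups" userPasswords="#users"/>
    </plugins>
  </broker>
  <bean id="users" class="java.util.HashMap">
    <property name="user1" value="user1"/>
    <property name="user2" value="user2"/>
  </bean>
  <bean id="groups" class="java.util.HashMap">
    <property name="user1" value="admin"/>
    <property name="user2" value="admin"/>
  </bean>
</beans>
"""

MAP_CLASSES = {"java.util.HashMap", "java.util.LinkedHashMap", "java.util.TreeMap"}

def local(tag):
    """Element name without its '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def lint(xml_text):
    """Return a sorted list of (rule, bean id, detail) findings."""
    root = ET.fromstring(xml_text)
    beans = {e.get("id"): e for e in root.iter()
             if local(e.tag) == "bean" and e.get("id")}
    findings = []
    for bean_id, bean in beans.items():
        if bean.get("class") not in MAP_CLASSES:
            continue
        for child in bean:
            # <property name="x"> makes Spring call setX() on the bean; a Map
            # has no such setter, hence the NotWritablePropertyException.
            if local(child.tag) == "property":
                findings.append(("property-on-map", bean_id, child.get("name")))
    for plugin in root.iter():
        if local(plugin.tag) != "simpleAuthenticationPlugin":
            continue
        for attr in ("userPasswords", "userGroups"):
            ref = plugin.get(attr, "")
            if ref.startswith("#") and ref[1:] not in beans:
                findings.append(("dangling-ref", ref[1:], attr))
        users = beans.get(plugin.get("userPasswords", "")[1:])
        if users is not None:
            for e in users.iter():
                name = e.get("key") or e.get("name")
                if local(e.tag) in ("entry", "property") and name and name == e.get("value"):
                    findings.append(("password-equals-username", users.get("id"), name))
    return sorted(findings)
```

In Spring XML the contents of a map are written as a `<map>` element with `<entry key="..." value="..."/>` children rather than as `<property>` elements on the bean.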

Re: Help with SimpleAuthenticationPlugin

dietrich-bollmann
Hi Ferry,

Here are some notes I made when experimenting with JAAS and ActiveMQ some
time ago. They are kind of old and were written only for my personal use
- I hope they are still somehow helpful :)

Best wishes
--
Dietrich Bollmann

------------
During the login authentication, the LDAP login module does not compare
the user password with the one stored on the LDAP server directly.
Rather, it uses the user's userid and password to access some (possibly
dummy) data stored in the user's LDAP DN on behalf of the user. Only if
access is granted by the LDAP server will the user authentication
succeed.

* ActiveMQ XML Configuration

ActiveMQ Brokers are configured at startup using an XML configuration
file. To use the LDAP login module, the following attributes have to
be added to the <broker /> tag:

  <broker ...>
    ...
    <plugins>
      <jaasAuthenticationPlugin configuration="LoginLdapConfiguration" />
    </plugins>
    ...
  </broker>

By asking to use JAAS Authentication (<plugins><jaasAuthenticationPlugin
... /></plugins>), all security critical broker operations are filtered
by the JAAS login module. They are allowed only if the user has been
authenticated correctly relative to his user data stored in the LDAP
user information server.

The jaasLdapConfiguration attribute specifies how to access the relevant
user data on the central user information server. A data structure with
the same name has to be provided in a special configuration file.

* The LDAP Login Configuration File

The LDAP login configuration file contains all information necessary to
access the user authentication information on the user information LDAP
server.

The location of this file has to be given using the Java property
java.security.auth.login.config. This can be done in the broker
properties file or on the command line using the following option:

-Djava.security.auth.login.config=/path/ldap-configuration-file

The information necessary for accessing the LDAP user information has to
be formatted as shown in the following example:

LoginLdapConfiguration {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://<ldap host>:<ldap port>/o=<...>"
        connectionUsername="uid=<...>,ou=<...>"
        connectionPassword=<password>
        connectionProtocol=s
        authentication=simple
        userBase="ou=Users"
        userRoleName=dummyUserRoleName
        userSearchMatching="(uid={0})"
        userSearchSubtree=false
        roleBase="ou=Users"
        roleName=dummyRoleName
        roleSearchMatching="(uid={1})"
        roleSearchSubtree=false
        ;
};


* Explanations:

LoginLdapConfiguration
    This is the name of the configuration. All attributes necessary to
    access the relevant user information on the LDAP server are given
    between a pair of curly braces.
org.apache.activemq.jaas.LDAPLoginModule required
    The Java sources of the LDAP login module.
debug=true
    Activating / deactivating log messages.
initialContextFactory
    The LDAP context factory used to get the initial context.
connectionURL
    URL of the LDAP server [and optionally the Base DN to use]
connectionUsername
    LDAP User DN (Distinguished Name)
connectionPassword
    Password
connectionProtocol
    The security protocol to use, ex: "s".
authentication
    Authentication method to use, ex: "simple".
userRoleName
    Name of attribute used for storing the user roles.
    For authentication this attribute is optional; an attribute which
    does not exist in the user information entry can also be used. Ex:
    "dummyUserRoleName".
userBase
    Name of the context to search for user entries and the values of
    userRoleName.
userSearchMatching
    Message format to generate the user search filter. A valid value is
    obligatory for a successful user authentication.
    {0} will be substituted with the full name of the user context,
    example: "uid=peterb,ou=Users,o=TS". Note: This value is not usable to
    search the LDAP user information service because only attributes are
    allowed in the search expressions.[1]
    {1} will be substituted with the username.
userSearchSubtree
    Search one level of / the entire subtree rooted at userBase.
roleName
    Name of another attribute used for storing user roles.
    The user roles found here are added to those found as values of
    userRoleName. The attribute values of userRoleName are accessed using
    the security principal and credentials found in this configuration; the
    values of 'roleName' are retrieved using the user's password (credential)
    and dn (principal).
    For authentication this attribute is optional; an attribute which
    does not exist in the user information entry can also be used. Ex:
    dummyRoleName.
    NOTE: The login of the user only succeeds if he is allowed - or, in
    the case of this attribute being a dummy attribute, would be allowed -
    to retrieve the values of this attribute from the Penrose Server: During
    the whole login process the user password is only checked by trying to
    access this attribute. If the Penrose server rejects this query the
    login procedure fails.[2]
roleBase
    Name of the context to search for user roles using roleName.
roleSearchMatching
    Format for searching the user roles specified in the attribute given
    by roleName.
    {0} will be substituted with the username.
roleSearchSubtree
    Search one level of / the entire subtree rooted at roleBase.

* Footnotes
   [1] See the paragraph "Search Filters" in The JNDI Tutorial.
       http://java.sun.com/products/jndi/tutorial/basics/directory/filter.html ,
       http://java.sun.com/products/jndi/tutorial/trailmap.html
   [2] Compare the notes on Penrose Authentication on the Penrose
       Project pages.
       http://docs.safehaus.org/display/PENROSE/Penrose+0.9.9+Authentication ,
       http://docs.safehaus.org/display/PENROSE/Home

nazgul wrote:

> Hi Adrian, thanks for the quick reply.
>
> Here is the exception encountered when I start the broker:
>
> Loading message broker from: xbean:activemq.xml
>
> ERROR: java.lang.RuntimeException: Failed to execute start task. Reason:
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined
> in class path resource [activemq.xml]: Can't resolve reference to bean
> 'groups' while setting property 'userGroups'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'groups' defined in class path resource [activemq.xml]: Error
> setting property values; nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not
> writable or has an invalid setter method: Does the parameter type of the
> setter match the return type of the getter?
>
> ERROR: java.lang.Exception:
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined
> in class path resource [activemq.xml]: Can't resolve reference to bean
> 'groups' while setting property 'userGroups'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'groups' defined in class path resource [activemq.xml]: Error
> setting property values; nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not
> writable or has an invalid setter method: Does the parameter type of the
> setter match the return type of the getter?
>
> What happened with my configuration? Did I configure it wrong?
>
> All I want to do is require simple authentication when clients connect
> to the broker. I've tried using JAAS, but the client returns an error when
> authenticating to the broker; the exception is a JMSException, something
> about the user not being authorized to create the
> ActiveMQ.Advisory.Connection topic.
>
> Where can I get the full reference to the XML configuration?
>
> Regards,
> Ferry
>  
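
A check over a login configuration in the format shown in the notes above, as an added example that is not part of the original post or of ActiveMQ: it parses the entry and flags a bind password stored in the file, a file readable by other accounts, and a simple bind over plain ldap://. The sample values, rule names and function names are constructed; comments inside the configuration file are not handled.

```python
import os, re, shlex, stat

# Constructed sample in the format of the post; host, DNs and password are made up.
SAMPLE = '''\
LoginLdapConfiguration {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        connectionURL="ldap://ldap.example.test:389/o=Example"
        connectionUsername="uid=broker,ou=Services"
        connectionPassword=constructed-secret
        authentication=simple
        userBase="ou=Users"
        userSearchMatching="(uid={0})"
        ;
};
'''

# The closing brace of an entry is the one followed by ';', so "{0}" in a
# search filter does not end the entry early.
ENTRY = re.compile(r"(\w+)\s*\{(.*?)\}\s*;", re.S)

def parse(text):
    """Return {entry name: [(module class, control flag, {option: value}), ...]}."""
    entries = {}
    for name, body in ENTRY.findall(text):
        modules, current = [], []
        for tok in shlex.split(body):          # strips the quotes around values
            done = tok.endswith(";")           # ';' terminates one login module
            tok = tok.rstrip(";")
            if tok:
                current.append(tok)
            if done and current:
                opts = dict(t.split("=", 1) for t in current[2:] if "=" in t)
                modules.append((current[0], current[1], opts))
                current = []
        entries[name] = modules
    return entries

def audit(text, path=None):
    """Return sorted (entry name, rule) findings; path enables the file-mode check."""
    findings = set()
    for name, modules in parse(text).items():
        for _cls, _flag, opts in modules:
            if "connectionPassword" in opts:
                findings.add((name, "cleartext-bind-password"))
                # The file holds the bind password, so only its owner should read it.
                if path and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
                    findings.add((name, "config-readable-by-others"))
            url = opts.get("connectionURL", "").lower()
            # A simple bind over plain ldap:// sends DN and password unencrypted;
            # this check recognises only the URL scheme (assumption).
            if url.startswith("ldap://") and opts.get("authentication") == "simple":
                findings.add((name, "simple-bind-over-plain-ldap"))
    return sorted(findings)
```

Because the login module verifies users by accessing the directory with their own credentials, as the notes describe, the last finding concerns user passwords as well as the broker's bind password.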

Re: Help with SimpleAuthenticationPlugin

nazgul
Hi Dietrich,

Thanks for your example and explanations, it's helpful for sure :)
I'll try to use your method in my broker and I'll inform the results later.

Re: Help with SimpleAuthenticationPlugin

rousseau
I have the same issue. Does anyone have a complete example XML configuration file for Simple authentication (not using JAAS or anything else)?

My XML file is something like:
    <plugins>
      <simpleAuthenticationPlugin>
        <userGroups>
          <property name="user" value="users"/>
        </userGroups>
        <userPasswords>
          <property name="user" value="password"/>
        </userPasswords>
      </simpleAuthenticationPlugin>

      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" read="users" write="users" admin="users" />
              <authorizationEntry topic=">" read="users" write="users" admin="users" />
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>


But I get errors...
ERROR: java.lang.RuntimeException: Failed to execute start task. Reason: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.apache.activemq.security.AuthorizationEntry' defined in class path resource [activemq.xml]: Error setting property values; nested exception is org.springframework.beans.PropertyAccessExceptionsException: PropertyAccessExceptionsException (3 errors); nested propertyAccessExceptions are: [org.springframework.beans.MethodInvocationException: Property 'admin' threw exception; nested exception is java.lang.NoClassDefFoundError: org/apache/activemq/jaas/GroupPrincipal], [org.springframework.beans.MethodInvocationException: Property 'read' threw exception; nested exception is java.lang.NoClassDefFoundError: org/apache/activemq/jaas/GroupPrincipal], [org.springframework.beans.MethodInvocationException: Property 'write' threw exception; nested exception is java.lang.NoClassDefFoundError: org/apache/activemq/jaas/GroupPrincipal]
java.lang.RuntimeException: Failed to execute start task. Reason: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'org.apache.activemq.security.AuthorizationEntry' defined in class path resource [activemq.xml]: Error setting property values; nested exception is org.springframework.beans.PropertyAccessExceptionsException: PropertyAccessExceptionsException (3 errors); nested propertyAccessExceptions are: [org.springframework.beans.MethodInvocationException: Property 'admin' threw exception; nested exception is java.lang.NoClassDefFoundError: org/apache/activemq/jaas/GroupPrincipal], [org.springframework.beans.MethodInvocationException: Property 'read' threw exception; nested exception is java.lang.NoClassDefFoundError: org/apache/activemq/jaas/Group etc .

I'm using AMQ 4.0.2.

cheers
/Steve


nazgul wrote:
> Hi Dietrich,
>
> Thanks for your example and explanations, it's helpful for sure :)
> I'll try to use your method in my broker and I'll inform the results later.

RE: Help with SimpleAuthenticationPlugin

Chris Hofstaedter
I had this problem a few months ago, posted the question to this group,
and got a very helpful reply (with xml) that allowed me to get it
working.

http://www.mail-archive.com/activemq-users@.../msg05478.html


-----Original Message-----
From: rousseau [mailto:[hidden email]]
Sent: Friday, January 19, 2007 4:46 AM
To: [hidden email]
Subject: Re: Help with SimpleAuthenticationPlugin


I have the same issue. Does anyone have a complete example XML configuration
file for Simple authentication (not using JAAS or anything else)?

My XML file is something like:
    <plugins>
      <!--  simple user/password configuration -->
    <simpleAuthenticationPlugin>
        <userGroups>
        <property name="user" value="users"/>
        </userGroups>

        <userPasswords>
        <property name="user" value = "password"/>
        </userPasswords>

    </simpleAuthenticationPlugin>

      <!--  lets configure a destination based authorization mechanism
-->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>


              <!--  only allow access to authorised users -->
              <authorizationEntry queue=">" read="users" write="users"
admin="users" />              
              <authorizationEntry topic=">" read="users" write="users"
admin="users" />
             
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>

    </plugins>


But I get errors...
ERROR: java.lang.RuntimeException: Failed to execute start task. Reason:
org.springframework.beans.factory.BeanCreationException: Error creating
bean
with name 'org.apache.activemq.security.AuthorizationEntry' defined in
class
path resource [activemq.xml]: Error setting property values; nested
exception is
org.springframework.beans.PropertyAccessExceptionsException:
PropertyAccessExceptionsException (3 errors); nested
propertyAccessExceptions are:
[org.springframework.beans.MethodInvocationException: Property 'admin'
threw
exception; nested exception is java.lang.NoClassDefFoundError:
org/apache/activemq/jaas/GroupPrincipal],
[org.springframework.beans.MethodInvocationException: Property 'read'
threw
exception; nested exception is java.lang.NoClassDefFoundError:
org/apache/activemq/jaas/GroupPrincipal],
[org.springframework.beans.MethodInvocationException: Property 'write'
threw
exception; nested exception is java.lang.NoClassDefFoundError:
org/apache/activemq/jaas/GroupPrincipal]
java.lang.RuntimeException: Failed to execute start task. Reason:
org.springframework.beans.factory.BeanCreationException: Error creating
bean
with name 'org.apache.activemq.security.AuthorizationEntry' defined in
class
path resource [activemq.xml]: Error setting property values; nested
exception is
org.springframework.beans.PropertyAccessExceptionsException:
PropertyAccessExceptionsException (3 errors); nested
propertyAccessExceptions are:
[org.springframework.beans.MethodInvocationException: Property 'admin'
threw
exception; nested exception is java.lang.NoClassDefFoundError:
org/apache/activemq/jaas/GroupPrincipal],
[org.springframework.beans.MethodInvocationException: Property 'read'
threw
exception; nested exception is java.lang.NoClassDefFoundError:
org/apache/activemq/jaas/Group etc .

I'm using AMQ 4.0.2.

cheers
/Steve



nazgul wrote:
>
> Hi Dietrich,
>
> Thanks for your example and explanations, it's helpful for sure :)
> I'll try to use your method in my broker and I'll inform the results
> later.
>
