SecurityException: User is not authenticated

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

SecurityException: User is not authenticated

Scammell
Hello,

I'm trying to set up ActiveMQ version 5.10.1 on Red Hat Enterprise Linux Server release 7.1 with a new user which can use the web console. What I have done:

1) Created following entry in users.properties: myUser=myPwd
2) Added the user to the 'publishers' and 'consumers' groups in groups.properties
3) Added the following to jetty-realm.properties to enable access to the web console: myUser: myPwd, user
4) Added the following in the activemq.xml file under plugins ->authorizationPlugin -> map -> authorizationMap:

<authorizationEntries>
    <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
    <authorizationEntry queue="MYQUEUES.>" read="consumers" write="publishers" admin="admins" />
    <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
    <authorizationEntry topic="MYQUEUES.>" read="consumers" write="publishers" admin="admins" />
</authorizationEntries>

I can log into the console with the new user, but am getting "SecurityException: User is not authenticated" messages in ActiveMQ's log file when, in the web console, I try and click on any of the ActiveMQ queues I have created.

The error is occurring when it's creating a bean with name 'queueBrowser' defined in /WEB-INF/webconsole-query.xml.

Thanks for any assistance.
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Tim Bain
Did you enable authentication in jetty.xml as described in
http://activemq.apache.org/web-console.html?
On Apr 6, 2015 6:35 PM, "Scammell" <[hidden email]> wrote:

> Hello,
>
> I'm trying to set up ActiveMQ version 5.10.1 on Red Hat Enterprise Linux
> Server release 7.1 with a new user which can use the web console. What I
> have done:
>
> 1) Created following entry in users.properties: myUser=myPwd
> 2) Added the user to the 'publishers' and 'consumers' groups in
> groups.properties
> 3) Added the following to jetty-realm.properties to enable access to the
> web
> console: myUser: myPwd, user
> 4) Added the following in the activemq.xml file under plugins
> ->authorizationPlugin -> map -> authorizationMap:
>
> <authorizationEntries>
>     <authorizationEntry queue=">" read="admins" write="admins"
> admin="admins" />
>     <authorizationEntry queue="MYQUEUES.>" read="consumers"
> write="publishers" admin="admins" />
>     <authorizationEntry topic=">" read="admins" write="admins"
> admin="admins" />
>     <authorizationEntry topic="MYQUEUES.>" read="consumers"
> write="publishers" admin="admins" />
> </authorizationEntries>
>
> I can log into the console with the new user, but am getting
> "SecurityException: User is not authenticated" messages in ActiveMQ's log
> file when, in the web console, I try and click on any of the ActiveMQ
> queues
> I have created.
>
> The error is occurring when it's creating a bean with name 'queueBrowser'
> defined in /WEB-INF/webconsole-query.xml.
>
> Thanks for any assistance.
>
>
>
> --
> View this message in context:
> http://activemq.2283324.n4.nabble.com/SecurityException-User-is-not-authenticated-tp4694392.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Scammell
> Did you enable authentication in jetty.xml as described in
> http://activemq.apache.org/web-console.html?

I believe so: I have the following entries in the jetty.xml file:

<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
  <property name="name" value="BASIC" />
  <property name="roles" value="user,admin" />
  <property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
  <property name="name" value="BASIC" />
  <property name="roles" value="admin" />
  <property name="authenticate" value="true" />
</bean>

Mark
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Tim Bain
I thought Spring didn't allow multiple beans with the same name...  Try
commenting out the admin one, and if that works then try changing the admin
one's name.
On Apr 6, 2015 8:52 PM, "Scammell" <[hidden email]> wrote:

> > Did you enable authentication in jetty.xml as described in
> > http://activemq.apache.org/web-console.html?
>
> I believe so: I have the following entries in the jetty.xml file:
>
> <bean id="securityConstraint"
> class="org.eclipse.jetty.util.security.Constraint">
>   <property name="name" value="BASIC" />
>   <property name="roles" value="user,admin" />
>   <property name="authenticate" value="true" />
> </bean>
> <bean id="adminSecurityConstraint"
> class="org.eclipse.jetty.util.security.Constraint">
>   <property name="name" value="BASIC" />
>   <property name="roles" value="admin" />
>   <property name="authenticate" value="true" />
> </bean>
>
> Mark
>
>
>
> --
> View this message in context:
> http://activemq.2283324.n4.nabble.com/SecurityException-User-is-not-authenticated-tp4694392p4694401.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Scammell
Tim Bain wrote
I thought Spring didn't allow multiple beans with the same name...  Try
commenting out the admin one, and if that works then try changing the admin
one's name.
Don't the beans already have different names? "securityConstraint" and "adminSecurityConstraint".

Mark
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Tim Bain
Those are IDs (and I'm positive they have to be unique); I was referring to
<property name="name" value="BASIC" /> in each bean.  Maybe Spring doesn't
mind that, I don't remember (I mainly use annotations these days), but it
seemed like an easy thing for you to check.

More generally, I'd simplify your config till it works and then you can add
back in the bells and whistles.  So any references to admin are superfluous
to what you're currently trying to get working; comment all that out and
see if it works.  If it does, you know something's wrong with that aspect
of your config; if not, at least you know that's not the problem.
On Apr 6, 2015 9:46 PM, "Scammell" <[hidden email]> wrote:

> Tim Bain wrote
> > I thought Spring didn't allow multiple beans with the same name...  Try
> > commenting out the admin one, and if that works then try changing the
> > admin
> > one's name.
>
> Don't the beans already have different names? "securityConstraint" and
> "adminSecurityConstraint".
>
> Mark
>
>
>
> --
> View this message in context:
> http://activemq.2283324.n4.nabble.com/SecurityException-User-is-not-authenticated-tp4694392p4694403.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Scammell
Tim Bain wrote
Those are IDs (and I'm positive they have to be unique); I was referring to
<property name="name" value="BASIC" /> in each bean.  Maybe Spring doesn't
mind that, I don't remember (I mainly use annotations these days), but it
seemed like an easy thing for you to check.

More generally, I'd simplify your config till it works and then you can add
back in the bells and whistles.  So any references to admin are superfluous
to what you're currently trying to get working; comment all that out and
see if it works.  If it does, you know something's wrong with that aspect
of your config; if not, at least you know that's not the problem.
Well, the configuration supplied in jetty.xml is the default one included in the download, so I'm not sure what I can simplify. I've followed the instructions on the ActiveMQ website (http://activemq.apache.org/web-console.html) and I'm still getting the error.

Mark
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Tim Bain
My jetty.xml file has only your second bean, not the first one (and our
users list in jetty-realm.properties includes only admin users), and
authentication works, so commenting out your entire securityConstraint bean
seems like an easy way to simplify your config and see if authentication
works in that simpler configuration.

If that works, then you can dig into why adding your second bean fails.
I'd start by validating your assumption that you're supposed to be able to
have more than one securityConstraint in the first place; the instructions
on the web site reference uncommenting **a** security constraint config
(not multiple of them), so I'd make sure that what you're assuming to be
legal really is.

Tim

On Tue, Apr 7, 2015 at 1:41 PM, Scammell <[hidden email]>
wrote:

> Tim Bain wrote
> > Those are IDs (and I'm positive they have to be unique); I was referring
> > to
> > <property name="name" value="BASIC" />
> >  in each bean.  Maybe Spring doesn't
> > mind that, I don't remember (I mainly use annotations these days), but it
> > seemed like an easy thing for you to check.
> >
> > More generally, I'd simplify your config till it works and then you can
> > add
> > back in the bells and whistles.  So any references to admin are
> > superfluous
> > to what you're currently trying to get working; comment all that out and
> > see if it works.  If it does, you know something's wrong with that aspect
> > of your config; if not, at least you know that's not the problem.
>
> Well, the configuration supplied in jetty.xml is the default one included
> in
> the download, so I'm not sure what I can simplify. I've followed the
> instructions on the ActiveMQ website
> (http://activemq.apache.org/web-console.html) and I'm still getting the
> error.
>
> Mark
>
>
>
> --
> View this message in context:
> http://activemq.2283324.n4.nabble.com/SecurityException-User-is-not-authenticated-tp4694392p4694457.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
Reply | Threaded
Open this post in threaded view
|

Re: SecurityException: User is not authenticated

Scammell
Tim Bain wrote
My jetty.xml file has only your second bean, not the first one (and our
users list in jetty-realm.properties includes only admin users), and
authentication works, so commenting out your entire securityConstraint bean
seems like an easy way to simplify your config and see if authentication
works in that simpler configuration.

If that works, then you can dig into why adding your second bean fails.
I'd start by validating your assumption that you're supposed to be able to
have more than one securityConstraint in the first place; the instructions
on the web site reference uncommenting **a** security constraint config
(not multiple of them), so I'd make sure that what you're assuming to be
legal really is.
I have found that the jetty.xml file is OK; the issue was more to do with the authentication plugin that I specified in activemq.xml. I'll create a new thread for this.

Thanks,

Mark