[activemq-user] JAAS security question


[activemq-user] JAAS security question

Paul Smith-2
I think I've managed to get very close to securing ActiveMQ with JAAS + the Tagish JAAS login modules; however, I seem to be stuck in that JAAS is correctly authenticating the user/password provided by Hermes, but I keep getting an Access Denied message.

I'm pretty sure it's to do with my policy configuration file, so I'll post that first to see if anyone can spot the obvious mistake; the rest of the config is further below. I've modified the standard java.policy file in the JRE root just for testing's sake:

[java.policy file]
....
// grant principal com.tagish.auth.TypedPrincipal "root"  {
grant principal * * {
         permission org.activemq.security.jassjacc.JMSBrokerPermission "connect";
         permission org.activemq.security.jassjacc.JMSBrokerPermission "destroy destination";
         permission org.activemq.security.jassjacc.JMSBrokerPermission "create destination";
};

[Note: I've just tried to get ANY principal that authenticates to have access to JMS for testing purposes. Ideally I just want specific roles to get access, hence the commented-out "root" principal for the time being.]


The exception I get is:

....
15:36:23 INFO  ActiveMQ JMS Message Broker (ID:Paul-Smiths-Computer.local-49196-1119245738549-0:0) has started
15:37:59 WARN  caught exception consuming packet: ACTIVEMQ_CONNECTION_INFO: id = 2 ConnectionInfo{ clientId = 'ID:Paul-Smiths-Computer.local-49199-1119245803445-2:0' , userName = 'test1' , hostName = 'Paul-Smiths-Computer.local' , clientVersion = '3.0' , wireFormatVersion = 3, startTime = 1119245877932, started = true, closed = false, properties = {noDelay=false} }
java.security.AccessControlException: access denied (org.activemq.security.jassjacc.JMSBrokerPermission ID:Paul-Smiths-Computer.local-49196-1119245738549-0:0 connect)

I'm sure I'm configuring the 3 permission entries wrong, but I'm very new to JAAS, so help is appreciated. If I type the password wrong, I get a different exception, so my guess is that it is authenticating the user correctly but not assigning the correct permissions to connect to ActiveMQ.

All the other configs/changes are:

[Modify activemq.sh to set the JAAS security config]
   ACTIVEMQ_OPTS="-Xmx512M -Dderby.system.home=../var -Dderby.storage.fileSyncTransactionLog=true -Djava.security.auth.login.config=jaas.config"

[jaas.config - it's in the local path]
FileLogin
{
    com.tagish.auth.FileLogin required debug=true pwdFile="/JavaStuff/activemq/conf/passwd";
};

[passwd file, copy/paste from the tagish site just for testing purposes]
# Passwords for com.tagish.auth.FileLogin
test1:5a105e8b9d40e1329780d62ea2265d8a:root:administrator
test2:ad0234829205b9033196ba818f7a872b

Any ideas appreciated.

cheers,

Paul Smith

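Added example (my own script, not code from the post, from ActiveMQ or from Tagish): it takes constructed copies of the three artifacts above, the logged `access denied` line, the `grant` block and the passwd file, and runs the checks a reviewer would do by hand. The denial text puts the broker ID in the permission's target-name slot and `connect` in the actions slot, while each posted `permission` line puts `connect` (or `create destination`) in the target-name slot with no action list, so under ordinary name/actions matching no entry implies the requested permission. Assumptions, flagged in the code as well: JMSBrokerPermission matches targets and actions the way `java.io.FilePermission` does (exact or `*` name, comma-separated actions), so the `"*", "connect"` candidate entry is a hypothesis to verify against the class's `implies()`, not a confirmed fix; the denial is in the unquoted pre-Java-8 `(class name actions)` format; the password guesses are simply the usernames, to show that the sample Tagish file uses unsalted MD5 and trivially guessable passwords.

```python
import hashlib
import re

# Constructed copies of the artifacts quoted in the post.
DENIAL = (
    "java.security.AccessControlException: access denied "
    "(org.activemq.security.jassjacc.JMSBrokerPermission "
    "ID:Paul-Smiths-Computer.local-49196-1119245738549-0:0 connect)"
)

POLICY = """
grant principal * * {
    permission org.activemq.security.jassjacc.JMSBrokerPermission "connect";
    permission org.activemq.security.jassjacc.JMSBrokerPermission "destroy destination";
    permission org.activemq.security.jassjacc.JMSBrokerPermission "create destination";
};
"""

# Hypothetical entry in the shape the denial asks for: target name first,
# action list second. Whether JMSBrokerPermission honours a "*" target is an
# assumption to check against its implies(), not something the post confirms.
CANDIDATE = (
    'permission org.activemq.security.jassjacc.JMSBrokerPermission "*", "connect";'
)

PASSWD = """# Passwords for com.tagish.auth.FileLogin
test1:5a105e8b9d40e1329780d62ea2265d8a:root:administrator
test2:ad0234829205b9033196ba818f7a872b
"""


def parse_denial(message):
    """Split an AccessControlException text into (class, target name, actions).

    Java 5/6 print the permission unquoted as '(class name actions)'; the class
    is the first token, the actions the last, and whatever lies between is the
    target name (assumed to contain no spaces, as a broker ID does not).
    """
    inner = message[message.index("(") + 1:message.rindex(")")]
    tokens = inner.split()
    if len(tokens) < 2:
        raise ValueError("unexpected denial format: " + message)
    if len(tokens) == 2:  # permission with an empty action list
        return tokens[0], tokens[1], ""
    return tokens[0], " ".join(tokens[1:-1]), tokens[-1]


_PERM_RE = re.compile(r'permission\s+(\S+)\s+"([^"]*)"(?:\s*,\s*"([^"]*)")?\s*;')


def parse_grants(policy_text):
    """Return [(class, target name, actions)] for every permission line."""
    return [(m.group(1), m.group(2), m.group(3) or "")
            for m in _PERM_RE.finditer(policy_text)]


def implies(granted, requested):
    """FilePermission-style implication: same class, exact or '*' target,
    and every requested action present in the granted action list.
    Assumed, not verified, to be how JMSBrokerPermission.implies() behaves."""
    g_cls, g_name, g_actions = granted
    r_cls, r_name, r_actions = requested
    if g_cls != r_cls or (g_name != "*" and g_name != r_name):
        return False
    need = {a.strip() for a in r_actions.split(",") if a.strip()}
    have = {a.strip() for a in g_actions.split(",") if a.strip()}
    return need <= have


def matching_grants(policy_text, message):
    """Grant entries that would satisfy the permission named in the denial."""
    requested = parse_denial(message)
    return [g for g in parse_grants(policy_text) if implies(g, requested)]


def parse_passwd(text):
    """Tagish FileLogin format: user:md5hex[:role...] per line, '#' comments."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, digest, *roles = line.split(":")
        users[user] = (digest, roles)
    return users


def weak_passwords(text, guesses):
    """Users whose digest equals plain md5(guess). The digest carries no salt,
    so one precomputed table of guesses covers every account at once."""
    found = {}
    for user, (digest, _roles) in parse_passwd(text).items():
        for guess in guesses:
            if hashlib.md5(guess.encode()).hexdigest() == digest:
                found[user] = guess
    return found


if __name__ == "__main__":
    cls, name, actions = parse_denial(DENIAL)
    print("denied class  :", cls)
    print("denied target :", name)
    print("denied actions:", actions)
    print("posted grants that imply it:", matching_grants(POLICY, DENIAL) or "none")
    print("candidate entry implies it :", bool(matching_grants(CANDIDATE, DENIAL)))
    users = parse_passwd(PASSWD)
    print("roles per user:", {u: r for u, (_d, r) in users.items()})
    print("password == username for:", weak_passwords(PASSWD, list(users)))
```

Run it and the first half prints the denied permission as target `ID:Paul-Smiths-Computer.local-49196-1119245738549-0:0` with action `connect` and no matching posted grant; the second half lists the roles `root` and `administrator` for `test1` (the names a `com.tagish.auth.TypedPrincipal` grant would refer to) and reports that both sample accounts use their username as password, which is one more reason to replace the copy-pasted passwd file before exposing the broker.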

Re: [activemq-user] JAAS security question

Paul Smith-2
Of course http://jira.logicblaze.com/jira/browse/AMQ-57 has me worried now... Is JAAS fully working in ActiveMQ?

I really need to be able to only allow authenticated clients to access the JMS instance.

Paul

On 20/06/2005, at 3:45 PM, Paul Smith wrote:

> [...]
