activemq-dev mailing list archives

From "Gary Tully (JIRA)" <j...@apache.org>
Subject [jira] Resolved: (AMQ-3198) Allow JAAS GuestLoginModule to fail if users specify a password
Date Fri, 04 Mar 2011 16:56:37 GMT

     [ https://issues.apache.org/jira/browse/AMQ-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Tully resolved AMQ-3198.
-----------------------------

    Resolution: Fixed

fix in http://svn.apache.org/viewvc?rev=1078048&view=rev

config in the description now works to only allow guest login if there is no password. A password
will cause the guest login to fail, allowing the properties login module to validate the password
and overall success only if it succeeds. End result, guest is no longer applicable to invalid
username/password combinations.

> Allow JAAS GuestLoginModule to fail if users specify a password
> ---------------------------------------------------------------
>
>                 Key: AMQ-3198
>                 URL: https://issues.apache.org/jira/browse/AMQ-3198
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 5.4.2
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>              Labels: JAAS, Security
>             Fix For: 5.5.0
>
>
> The GuestLoginModule currently always allows login so it is a handy default. In the case
> where two login modules are configured, it is nice to have the guest login module only succeed
> if there are no password credentials such that the second module gets a chance to authenticate.
> This ensures that only anonymous users (or users that do not supply a password) map to guest,
> whereas any user that supplies a password will have to pass authorization or fail.
>
> Without this option, and using GuestLoginModule sufficient, a failed authentication attempt
> will map you to the guest user.
> This enhancement will implement the credentialsInvalidate attribute.
> With the following config, if you don't specify a password you are guest. If you do specify
> a valid username/password pair you will authenticate, else you are rejected.
> {code}
> activemq-guest-when-no-creds-only-domain {
>     org.apache.activemq.jaas.GuestLoginModule sufficient
>        debug=true
>        credentialsInvalidate=true
>        org.apache.activemq.jaas.guest.user="guest"
>        org.apache.activemq.jaas.guest.group="guests";
>     org.apache.activemq.jaas.PropertiesLoginModule requisite
>         debug=true
>         org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
>         org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
> };
> {code}

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
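
Added example, not part of the original message and not ActiveMQ code: a simplified Python model of how the two-module stack from the issue resolves under the JAAS `sufficient` and `requisite` flags, with and without `credentialsInvalidate`. The user `alice`, her password and all function names are constructed for illustration; the module behaviour is taken from the issue text only.

```python
# Simplified model of JAAS control-flag evaluation for the two-module stack.
# Module behaviour follows the issue text; users and passwords are constructed.
USERS = {"alice": "s3cret"}  # stands in for users.properties (constructed)


def guest_login(user, password, credentials_invalidate):
    """GuestLoginModule as described: always succeeds, unless
    credentialsInvalidate=true and a password was supplied."""
    if credentials_invalidate and password is not None:
        return None
    return "guest"


def properties_login(user, password):
    """PropertiesLoginModule stand-in: succeeds only on a matching pair."""
    if user is not None and password is not None and USERS.get(user) == password:
        return user
    return None


def authenticate(user, password, credentials_invalidate):
    """Walk the stack in config order; return the principal or None if rejected."""
    stack = [
        ("sufficient", lambda: guest_login(user, password, credentials_invalidate)),
        ("requisite", lambda: properties_login(user, password)),
    ]
    principal = None
    for flag, module in stack:
        result = module()
        if result is not None:
            principal = principal or result
            if flag == "sufficient":
                return principal  # success here ends the walk
        elif flag == "requisite":
            return None  # failure here ends the walk with rejection
        # a failed sufficient module, or a passed requisite one, continues
    return principal


def decision_table(credentials_invalidate):
    """Outcome for the three cases the issue describes."""
    cases = {
        "no password": (None, None),
        "valid pair": ("alice", "s3cret"),
        "wrong password": ("alice", "guess"),
    }
    return {name: authenticate(u, p, credentials_invalidate)
            for name, (u, p) in cases.items()}
```

Calling `decision_table(False)` and `decision_table(True)` side by side shows the change: without the attribute every attempt, including a wrong password, ends up as guest, while with it a wrong password is rejected.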
