activemq-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ARTEMIS-1122) ActiveMQJAASSecurityManager class loading issue
Date Tue, 18 Apr 2017 14:10:41 GMT

    [ https://issues.apache.org/jira/browse/ARTEMIS-1122?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15972748#comment-15972748
] 

ASF GitHub Bot commented on ARTEMIS-1122:
-----------------------------------------

GitHub user gaohoward opened a pull request:

    https://github.com/apache/activemq-artemis/pull/1209

    ARTEMIS-1122 ActiveMQJAASSecurityManager class loading issue

    The ActiveMQJAASSecurityManager class uses LoginContext to validate
    users and roles. LoginContext loads LoginModule classes defined in
    the configuration (login.config) using current thread's context
    classloader.
    Normally this wouldn't be a problem but when a caller thread comes
    from JMX (for example a client calls QueueControl.sendMessage() via
    JMX) the caller thread has a different context class loader.
    This will cause the LoginContext to fail to load the LoginModule
    class (e.g. PropertiesLoginModule) and the validation will fail
    even if correct credentials are supplied.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/gaohoward/activemq-artemis master_sec_cnfe

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/activemq-artemis/pull/1209.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #1209
    
----

----


> ActiveMQJAASSecurityManager class loading issue
> -----------------------------------------------
>
>                 Key: ARTEMIS-1122
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-1122
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 2.0.0
>            Reporter: Howard Gao
>            Assignee: Howard Gao
>             Fix For: 2.next
>
>
> The ActiveMQJAASSecurityManager class uses LoginContext to validate users and roles.
LoginContext loads LoginModule classes defined in the configuration (login.config) using current
thread's context classloader.
> Normally this wouldn't be a problem but when a caller thread comes from JMX (for example
a client calls QueueControl.sendMessage() via JMX) the caller thread has a different context
class loader. This will cause the LoginContext fails to load the LoginModule class (e.g. org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule)
and the validation will fail even correct credentials are supplied.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message