Return-Path: 
 <activemq-users-return-1003-apmail-geronimo-activemq-users-archive=geronimo.apache.org@geronimo.apache.org>
Delivered-To: apmail-geronimo-activemq-users-archive@www.apache.org
Received: (qmail 7612 invoked from network); 28 Apr 2006 04:52:59 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 28 Apr 2006 04:52:59 -0000
Received: (qmail 78064 invoked by uid 500); 28 Apr 2006 04:52:58 -0000
Delivered-To: apmail-geronimo-activemq-users-archive@geronimo.apache.org
Received: (qmail 78041 invoked by uid 500); 28 Apr 2006 04:52:58 -0000
Mailing-List: contact activemq-users-help@geronimo.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:activemq-users-help@geronimo.apache.org>
List-Unsubscribe: <mailto:activemq-users-unsubscribe@geronimo.apache.org>
List-Post: <mailto:activemq-users@geronimo.apache.org>
List-Id: <activemq-users.geronimo.apache.org>
Reply-To: activemq-users@geronimo.apache.org
Delivered-To: mailing list activemq-users@geronimo.apache.org
Received: (qmail 78031 invoked by uid 99); 28 Apr 2006 04:52:58 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Apr 2006 21:52:58 -0700
X-ASF-Spam-Status: No, hits=1.3 required=10.0
	tests=RCVD_IN_BL_SPAMCOP_NET,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: domain of james.strachan@gmail.com
 designates 66.249.92.172 as permitted sender)
Received: from [66.249.92.172] (HELO uproxy.gmail.com) (66.249.92.172)
    by apache.org (qpsmtpd/0.29) with ESMTP; Thu, 27 Apr 2006 21:52:57 -0700
Received: by uproxy.gmail.com with SMTP id m3so1475191ugc
        for <activemq-users@geronimo.apache.org>;
 Thu, 27 Apr 2006 21:52:34 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
        s=beta; d=gmail.com;
        h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references;
        b=fYSZB/2RH6+dCWma0Lvc5sOewwGpSj/BcXL2GzI/Bg07TIp5cD1mR1wtSgVv+moCtY+LJHGk+y9rLP4ON2rIKJfMn1hoXYvePw1pQkxms0nTFc0/2aFXJigki+5RylBB5B/0LYotp4XNCE1GiC3OvYBy7aKdX/37USe87oq7mTU=
Received: by 10.78.21.7 with SMTP id 7mr437874huu;
        Thu, 27 Apr 2006 21:52:34 -0700 (PDT)
Received: by 10.78.27.13 with HTTP; Thu, 27 Apr 2006 21:52:34 -0700 (PDT)
Message-ID: <ec6e67fd0604272152i3e90f54eq3413882f63c662f8@mail.gmail.com>
Date: Fri, 28 Apr 2006 05:52:34 +0100
From: "James Strachan" <james.strachan@gmail.com>
To: activemq-users@geronimo.apache.org
Subject: Re: Trouble geting JAAS authorization to work with ActiveMQ-4.0-RC2
In-Reply-To: 
 <3834E2B49C8B5342837E7D6F68E8D21901C02349@apiexchsrv19.APIMEM.apiparts.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
References: 
 <3834E2B49C8B5342837E7D6F68E8D21901C02349@apiexchsrv19.APIMEM.apiparts.com>
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

A quick workaround is to create the advisory destinattions manually
via JMX or the Web Console to avoid your client being the first person
to create the destination - but it does look like somethings wrong -
it looks like either the users's group is not being found correctly or
that the authorizationPlugin is not being properly initialised.

We could maybe patch the code for the authorizationPlugin to add debug
logging to help you figure this one out?


On 4/25/06, Johan Hallgren <jhallgren@apiworldwide.com> wrote:
> Hello list,
>
> I am trying to get authentication and authorization using JAAS to work wi=
th ActiveMQ-RC2, and am having troubles with the authorization part (authen=
tication seems to be working fine). I am trying to get a setup as close to =
the one outlined in http://www.activemq.org/Security to work first, so this=
 is what I have set up:
>
> I have created a login.config file in $ACTIVE_HOME/lib with these content=
s:
>
> activemq-domain {
>     org.apache.activemq.jaas.PropertiesLoginModule required
>         debug=3Dtrue
>         org.apache.activemq.jaas.properties.user=3D"users.properties"
>         org.apache.activemq.jaas.properties.group=3D"groups.properties";
> };
>
> In the same directory, I have created users.properties with this content:
>
> myuser=3Dmypassword
>
> Also in the same directory, I have created groups.properties with this co=
ntent:
>
> myuser=3Dmygroup
>
> Finally, I have made this addition to activemq.xml, and placed it as the =
first element in the broker element:
>
>     <plugins>
>       <!--  use JAAS to authenticate using the login.config file on the c=
lasspath to configure JAAS -->
>       <jaasAuthenticationPlugin configuration=3D"activemq-domain" />
>
>       <!--  lets configure a destination based authorization mechanism --=
>
>       <authorizationPlugin>
>         <map>
>           <authorizationMap>
>             <authorizationEntries>
>               <authorizationEntry queue=3D">" read=3D"mygroup" write=3D"m=
ygroup" admin=3D"mygroup" />
>               <authorizationEntry queue=3D"USERS.>" read=3D"mygroup" writ=
e=3D"mygroup" admin=3D"mygroup" />
>               <authorizationEntry queue=3D"GUEST.>" read=3D"mygroup" writ=
e=3D"mygroup" admin=3D"mygroup" />
>
>               <authorizationEntry topic=3D">" read=3D"mygroup" write=3D"m=
ygroup" admin=3D"mygroup" />
>               <authorizationEntry topic=3D"USERS.>" read=3D"mygroup" writ=
e=3D"mygroup" admin=3D"mygroup" />
>               <authorizationEntry topic=3D"GUEST.>" read=3D"mygroup" writ=
e=3D"mygroup" admin=3D"mygroup" />
>
>               <authorizationEntry topic=3D"ActiveMQ.Advisory.>" read=3D"m=
ygroup" write=3D"mygroup" admin=3D"mygroup"/>
>             </authorizationEntries>
>           </authorizationMap>
>         </map>
>       </authorizationPlugin>
>     </plugins>
>
> I am then trying to send messages to a queue from an application in my se=
rvlet container, that I have based on the example that came with the Active=
MQ distribution. Basically, first I create a connection like this:
>
> ActiveMQConnection connection =3D ActiveMQConnection.makeConnection("myus=
er", "mypassword", "tcp://localhost:61616");
>
> I then try and create a javax.jms.Session like this:
>
> Session session =3D connection.createSession(false, Session.AUTO_ACKNOWLE=
DGE);
>
> However, when doing this, I get an exception:
>
> javax.jms.JMSException: User myuser is not authorized to create: topic://=
ActiveMQ.Advisory.Connection
>
> I have also tried doing a connection.start() before creating the session,=
 but that statement also yields the above exception. The authentication pie=
ce does seem to work, though, because if I supply an erroneous user name, c=
reating the session throws this exception:
>
> javax.jms.JMSException: User name or password is invalid.
>
> Also, sending messages without using JAAS (by removing the above plugins =
element from activemq.xml) works fine.
>
> I'm now lost trying to figure out where I'm going wrong. I have not refer=
enced any topic or queue names in the code prior to creating the session, s=
o I'm wondering why the exception states that I'm trying to create an Activ=
eMQ.Advisory.Connection topic. Have I misconfigured activemq.xml or login.c=
onfig somewhere, or is there something in the code that needs to happen to =
invoke the authorization logic, other than specifying the autorizationMap i=
n activemq.xml?
>
> Any insight would be most appreciated!
>
> Thanks in advance,
> Johan Hallgren
>
>


--

James
-------
http://radio.weblogs.com/0112098/