activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johan Hallgren" <jhallg...@apiworldwide.com>
Subject RE: Trouble getting JAAS authorization to work with ActiveMQ-4.0-RC2
Date Wed, 17 May 2006 18:41:19 GMT
Hi list,

I'm reposting this in the hope that I'll get closer to aresolution than the last time. To
recap, I'm having trouble with JAAS; specifically, authentication works, but authorization
does not (details below). Could someone please give me a pointer as to have I might proceed
to patch the authorizationPlugin code to get more details on what is going on, as suggested
by James below?

Any advice would be much appreciated!

/Johan


-----Original Message-----
From: Johan Hallgren
Sent: Fri 4/28/2006 8:57 AM
To: activemq-users@geronimo.apache.org
Subject: RE: Trouble getting JAAS authorization to work with ActiveMQ-4.0-RC2
 
James,

Thanks for your suggestions. Before attempting a work-around, I would like to put some more
effort into fixing the problem outright, if any. To that end, I turned on the console debugging
at level DEBUG and found that it seems to at least find my users.properties and groups.properties
files. These are the relevant lines at broker startup:

DEBUG PropertiesLoginModule          - Initialized debug=true usersFile=users.properties groupsFile=groups.properties
basedir=/usr/local/activemq/lib
DEBUG PropertiesLoginModule          - login myuser
DEBUG PropertiesLoginModule          - commit

However, when sending a message to a (as yet uncreated) queue (with an arbitrary queue name),
I immediately thereafter see:

INFO  Service                        - Sync error occurred: java.lang.SecurityException: User
myser is not authorized to create: topic://ActiveMQ.Advisory.Connection
java.lang.SecurityException: User ksngf is not authorized to create: topic://ActiveMQ.Advisory.Connection

...and a stack trace after that. Since myuser is in the admins group and I have 
"<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />" in
activemq.xml, I'm assuming that this should work.

Please let me know where I can patch the code to add relevant logging to more closely observe
the error. Obviously, I'd be happy to provide whatever assistance I can in getting it resolved.

/Johan

-----Original Message-----
From: James Strachan [mailto:james.strachan@gmail.com]
Sent: Thu 4/27/2006 11:52 PM
To: activemq-users@geronimo.apache.org
Subject: Re: Trouble geting JAAS authorization to work with ActiveMQ-4.0-RC2
 
A quick workaround is to create the advisory destinattions manually
via JMX or the Web Console to avoid your client being the first person
to create the destination - but it does look like somethings wrong -
it looks like either the users's group is not being found correctly or
that the authorizationPlugin is not being properly initialised.

We could maybe patch the code for the authorizationPlugin to add debug
logging to help you figure this one out?


On 4/25/06, Johan Hallgren <jhallgren@apiworldwide.com> wrote:
> Hello list,
>
> I am trying to get authentication and authorization using JAAS to work with ActiveMQ-RC2,
and am having troubles with the authorization part (authentication seems to be working fine).
I am trying to get a setup as close to the one outlined in http://www.activemq.org/Security
to work first, so this is what I have set up:
>
> I have created a login.config file in $ACTIVE_HOME/lib with these contents:
>
> activemq-domain {
>     org.apache.activemq.jaas.PropertiesLoginModule required
>         debug=true
>         org.apache.activemq.jaas.properties.user="users.properties"
>         org.apache.activemq.jaas.properties.group="groups.properties";
> };
>
> In the same directory, I have created users.properties with this content:
>
> myuser=mypassword
>
> Also in the same directory, I have created groups.properties with this content:
>
> myuser=mygroup
>
> Finally, I have made this addition to activemq.xml, and placed it as the first element
in the broker element:
>
>     <plugins>
>       <!--  use JAAS to authenticate using the login.config file on the classpath
to configure JAAS -->
>       <jaasAuthenticationPlugin configuration="activemq-domain" />
>
>       <!--  lets configure a destination based authorization mechanism -->
>       <authorizationPlugin>
>         <map>
>           <authorizationMap>
>             <authorizationEntries>
>               <authorizationEntry queue=">" read="mygroup" write="mygroup" admin="mygroup"
/>
>               <authorizationEntry queue="USERS.>" read="mygroup" write="mygroup"
admin="mygroup" />
>               <authorizationEntry queue="GUEST.>" read="mygroup" write="mygroup"
admin="mygroup" />
>
>               <authorizationEntry topic=">" read="mygroup" write="mygroup" admin="mygroup"
/>
>               <authorizationEntry topic="USERS.>" read="mygroup" write="mygroup"
admin="mygroup" />
>               <authorizationEntry topic="GUEST.>" read="mygroup" write="mygroup"
admin="mygroup" />
>
>               <authorizationEntry topic="ActiveMQ.Advisory.>" read="mygroup" write="mygroup"
admin="mygroup"/>
>             </authorizationEntries>
>           </authorizationMap>
>         </map>
>       </authorizationPlugin>
>     </plugins>
>
> I am then trying to send messages to a queue from an application in my servlet container,
that I have based on the example that came with the ActiveMQ distribution. Basically, first
I create a connection like this:
>
> ActiveMQConnection connection = ActiveMQConnection.makeConnection("myuser", "mypassword",
"tcp://localhost:61616");
>
> I then try and create a javax.jms.Session like this:
>
> Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
>
> However, when doing this, I get an exception:
>
> javax.jms.JMSException: User myuser is not authorized to create: topic://ActiveMQ.Advisory.Connection
>
> I have also tried doing a connection.start() before creating the session, but that statement
also yields the above exception. The authentication piece does seem to work, though, because
if I supply an erroneous user name, creating the session throws this exception:
>
> javax.jms.JMSException: User name or password is invalid.
>
> Also, sending messages without using JAAS (by removing the above plugins element from
activemq.xml) works fine.
>
> I'm now lost trying to figure out where I'm going wrong. I have not referenced any topic
or queue names in the code prior to creating the session, so I'm wondering why the exception
states that I'm trying to create an ActiveMQ.Advisory.Connection topic. Have I misconfigured
activemq.xml or login.config somewhere, or is there something in the code that needs to happen
to invoke the authorization logic, other than specifying the autorizationMap in activemq.xml?
>
> Any insight would be most appreciated!
>
> Thanks in advance,
> Johan Hallgren
>
>


--

James
-------
http://radio.weblogs.com/0112098/



Mime
  • Unnamed multipart/mixed (inline, None, 0 bytes)
View raw message