activemq-users mailing list archives
From Dietrich Bollmann <dbollmann...@web.de>
Subject Re: Help with SimpleAuthenticationPlugin
Date Mon, 29 May 2006 10:42:52 GMT
Hi Ferry,

Here are some notes I made when experimenting with JAAS and ActiveMQ some 
time ago. They are kind of old and were written only for my personal use 
- I hope they are still somehow helpful :)

Best wishes
--
Dietrich Bollmann

------------
During the login authentication, the LDAP login module does not compare 
the user password with the one stored on the LDAP server directly. 
Rather it uses the user's userid and password to access some (possibly 
dummy) data stored in the user's LDAP DN on behalf of the user. Only if 
the access is granted by the LDAP server, the user authentication will 
succeed.

* ActiveMQ XML Configuration

ActiveMQ Brokers are configured at startup using a XML configuration 
file. For using the LDAP login module the following attributes have to 
be added to the <broker /> tag:

  <broker
    ...
    <plugins>
      <jaasAuthenticationPlugin configuration="LoginLdapConfiguration" />
    </plugins>
  ...
  </broker>

By asking to use JAAS Authentication (<plugins><jaasAuthenticationPlugin 
... /></plugins>), all security critical broker operations are filtered 
by the JAAS login module. They are allowed only if the user has been 
authenticated correctly relative to his user data stored in the LDAP 
user information server.

The jaasLdapConfiguration attribute specifies how to access the relevant 
user data on the central user information server. A data structure with 
the same name has to be provided in a special configuration file.

* The LDAP Login Configuration File

The LDAP login configuration file contains all information necessary to 
access the user authentication information on the user information LDAP 
server.

The location of this file has to be given using the Java property 
java.security.auth.login.config. This can be done in the broker 
properties file or on the command line using the following option

-Djava.security.auth.login.config=/path/ldap-configuration-file

The information necessary for accessing the LDAP user information has to 
be formatted as shown in the following example:

LoginLdapConfiguration {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://<ldap host>:<ldap port>/o=<...>"
        connectionUsername="uid=<...>,ou=<...>"
        connectionPassword=<password>
        connectionProtocol=s
        authentication=simple
        userBase="ou=Users"
        userRoleName=dummyUserRoleName
        userSearchMatching="(uid={0})"
        userSearchSubtree=false
        roleBase="ou=Users"
        roleName=dummyRoleName
        roleSearchMatching="(uid={1})"
        roleSearchSubtree=false
        ;
};


* Explanations:

LoginLdapConfiguration
    This is the name of the configuration. All attributes necessary to 
access the relevant user information on the LDAP server are given 
between a pair of curly braces.
org.apache.activemq.jaas.LDAPLoginModule required
    The Java sources of the LDAP login module.
debug=true
    Activating / deactivating log messages.
initialContextFactory
    The LDAP context factory used to get the initial context.
connectionURL
    URL of the LDAP server [and optionally the Base DN to use]
connectionUsername
    LDAP User DN (Distinguished Name)
connectionPassword
    Password
connectionProtocol
    The security protocol to use, ex: "s".
authentication
    Authentication method to use, ex: "simple".
userRoleName
    Name of attribute used for storing the user roles.
    For authentication this attribute is optional; an attribute which 
does not exist in the user information entry can also be used. Ex: 
"dummyUserRoleName".
userBase
    Name of the context to search for user entries and the values of 
userRoleName.
userSearchMatching
    Message format to generate the user search filter. A valid value is 
obligatory for a successful user authentication.
    {0} will be substituted with the full name of the user context, 
example: "uid=peterb,ou=Users,o=TS". Note: This value is not usable to 
search the LDAP user information service because only attributes are 
allowed in the search expressions.[1]
    {1} will be substituted with the username.
userSearchSubtree
    Search one level of / the entire subtree rooted at userBase.
roleName
    Name of another attribute used for storing user roles.
    The user roles found here are added to those found as values of 
userRoleName. The attribute values of userRoleName are accessed using 
the security principal and credentials found in this configuration; the 
values of 'roleName' are retrieved using the users password (credential) 
and dn (principal).
    For authentication this attribute is optional; an attribute which 
does not exist in the user information entry can also be used. Ex: 
dummyRoleName.
    NOTE: The login of the user only succeeds if he is allowed - or, in 
the case of this attribute being a dummy attribute, would be allowed - 
to retrieve the values of this attribute from the Penrose Server: During 
the whole login process the user password is only checked by trying to 
access this attribute. If the Penrose server rejects this query the 
login procedure fails.[2]
roleBase
    Name of the context to search for user roles using roleName.
roleSearchMatching
    Format for searching the user roles specified in the attribute given 
by roleName.
    {0} will be substituted with the username.
roleSearchSubtree
    Search one level of / the entire subtree rooted at roleBase.

* Footnotes
   [1] See the paragraph "Search Filters" in The JNDI Tutorial.
       http://java.sun.com/products/jndi/tutorial/basics/directory/filter.html ,
       http://java.sun.com/products/jndi/tutorial/trailmap.html
   [2] Compare the notes on Penrose Authentication on the Penrose Project pages.
       http://docs.safehaus.org/display/PENROSE/Penrose+0.9.9+Authentication ,
       http://docs.safehaus.org/display/PENROSE/Home

nazgul wrote:
> Hi Adrian, thanks for the quick reply.
>
> Here is the exception encountered when I start the broker:
>
> Loading message broker from: xbean:activemq.xml
>
> ERROR: java.lang.RuntimeException: Failed to execute start task. Reason:
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined
> in class path resource [activemq.xml]: Can't resolve reference to bean
> 'groups' while setting property 'userGroups'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'groups' defined in class path resource [activemq.xml]: Error
> setting property values; nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not
> writable or has an invalid setter method: Does the parameter type of the
> setter match the return type of the getter?
>
> ERROR: java.lang.Exception:
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined
> in class path resource [activemq.xml]: Can't resolve reference to bean
> 'groups' while setting property 'userGroups'; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating bean
> with name 'groups' defined in class path resource [activemq.xml]: Error
> setting property values; nested exception is
> org.springframework.beans.NotWritablePropertyException: Invalid property
> 'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not
> writable or has an invalid setter method: Does the parameter type of the
> setter match the return type of the getter?
>
> What happened with my configuration? Did I configure it wrong?
>
> All I want to do is require a simple authentication when clients connect
> to the broker. I've tried using JAAS, but the client returns an error when
> authenticating to the broker; the exception is a JMSException, something about
> the user not being authorized to create the ActiveMQ.Advisory.Connection topic.
>
> Where can I get the full reference to the XML configuration?
>
> Regards,
> Ferry
> --
> View this message in context: http://www.nabble.com/Help+with+SimpleAuthenticationPlugin-t1697796.html#a4608332
> Sent from the ActiveMQ - User forum at Nabble.com.
>
>
>   

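As an added example (not part of Dietrich's notes or the ActiveMQ project), a small Python parser for the login configuration file format shown above, followed by a few defender-side checks on the LDAPLoginModule options; the host, DNs and password in the sample are constructed placeholders.

```python
import re

# Constructed sample in the JAAS login-configuration syntax of the notes above;
# host, DNs and password are placeholders, not a real deployment.
SAMPLE_CONFIG = '''
LoginLdapConfiguration {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        connectionURL="ldap://ldap.example.test:389/o=example"
        connectionUsername="uid=broker,ou=Services,o=example"
        connectionPassword=secret
        userBase="ou=Users"
        userSearchMatching="(uid={0})"
        ;
};
'''

JAAS_FLAGS = {"required", "requisite", "sufficient", "optional"}
ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)      # Name { stanzas };
OPTION_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # key="value" or key=value


def parse_jaas_config(text):
    """Map each configuration name to a list of (module, flag, options) stanzas."""
    configs = {}
    for name, body in ENTRY_RE.findall(text):
        stanzas = []
        for stanza in (s.strip() for s in body.split(";")):
            if not stanza:
                continue
            parts = stanza.split(None, 2)        # module class, control flag, options
            if len(parts) < 2 or parts[1] not in JAAS_FLAGS:
                raise ValueError(f"{name}: malformed stanza {stanza.splitlines()[0]!r}")
            opts = {k: q or b for k, q, b in OPTION_RE.findall(parts[2] if len(parts) > 2 else "")}
            stanzas.append((parts[0], parts[1], opts))
        configs[name] = stanzas
    return configs


def review_ldap_module(opts):
    """Findings a defender would want before deploying an LDAPLoginModule stanza."""
    # connectionURL, userBase and userSearchMatching are treated as required here
    findings = [f"missing required option {k}" for k in ("connectionURL", "userBase", "userSearchMatching") if k not in opts]
    if opts.get("connectionURL", "").startswith("ldap://"):
        findings.append("ldap:// scheme: simple-bind passwords cross the network in clear unless TLS is enabled")
    if "connectionPassword" in opts:
        findings.append("connectionPassword is in cleartext: restrict read access to this file")
    if opts.get("debug") == "true":
        findings.append("debug=true: login-module debug output belongs off in production")
    if "{" not in opts.get("userSearchMatching", "{"):
        findings.append("userSearchMatching has no {n} placeholder: every login would match the same entry")
    return findings
```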