activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From j0llyr0g3r <timo.roess...@wincor-nixdorf.com>
Subject Re: Securing the web console impossible?
Date Sat, 19 Apr 2008 14:59:38 GMT

Hey Bruce,

thanks for your advice, i am almost there......:-)
.....but still one problem left...
 (believe me, if i get this done, i will write / add a tutorial to the
confluence wiki, because i really think there is a need for a detailed
description of what to do for people who are not very familiar with
JAAS....)

Ok, 

here i am:

-> I defined a realm in $ACTIVEMQ_HOME/webapps/admin/WEb-INF/web.xml which
looks like that:

  <security-constraint>
	  <web-resource-collection>
		  <web-resource-name>adminInterface</web-resource-name>
		  <url-pattern>/*</url-pattern>
	  </web-resource-collection>
	  <auth-constraint>
		  <role-name>adminRole</role-name>
	  </auth-constraint>
</security-constraint>

<login-config>
	<auth-method>BASIC</auth-method>
	<realm-name>adminInterface</realm-name>
</login-config>

This look good so far, if i try to browse http://localhost:8161/admin i get
a 500-error.

-> added "userRealms" to the activemq.xml like described in the afore
mentioned example:

    <userRealms>
      <!-- "name" must match the realm in web.xml, and "loginModuleName"
must be defined in login.conf -->
      <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
        
callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
/>
    </userRealms> 

And changed the parameter jaasUserRealm name= to the realm-name i had
defined in the web.xml, namely "adminInterface".

-> login.config under $AMQ_HOME/conf:

activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
       
org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
       
org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
};

-> users.properties under $AMQ_HOME/conf:

admin=manager

-> groups.properties under $AMQ_HOME/conf:

admin=adminRole

I copied jetty-plus-6.1.9.jar to $ACTIVEMQ_HOME/lib/ and restarted the
broker.

And....hooray! I get a login mask with a user and a password field!

But when i enter 

name:admin
password: manager
(like defined in the user.properties)

i don't get logged in but the the login-mask pops up again.

The broker-log tells me:

WARN  log                            - AUTH FAILURE: user admin
WARN  log                            - java.lang.SecurityException: Unable
to locate a login configuration

So i assume i am still doing something wrong. Probably because i
misunderstood some of your answers:

You wrote:

The login.conf file is pointed to by a system property named
java.security.auth.login.config as in:

-Djava.security.auth.login.config=login.conf 

Ok, but do i actually have to edit the activemq-startscript or is it
sufficient to put the login.conf in a classpath-directory? I assumed the
later, so put the login.conf in AMQ_HOME/conf, which i believe is in the
classpath?

>  What should its content look like?

Follow the rules specified in the Javadoc for the Java Security
Configuration object here:

http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html

Thx for the link, as far as i can tell, i did this right?

>  What "loginModuleName" should i specify?

You can specify any string as the loginModuleName. The important part
is that the realm-name in the web.xml and the loginModuleName in the
Jetty config match exactly. 

Was that a typo? I think you meant "the realm in the web.xml and
jaasUserRealm name must match exactly", right?

Furthermore:

I assume the in the web.xml defined role "adminRole" is mapped to the
group-entry "adminRole"?




bsnyder wrote:
> 
> On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r
> <timo.roessner@wincor-nixdorf.com> wrote:
>>
>>  Hey folks,
>>
>>  i am desperately trying to find out how to configure a simple access
>> control
>>  for the web console, but this is simply not documented......
>>
>>  The documentation here: http://activemq.apache.org/web-console.html
>>  refers to a separate jetty instance, not to the integrated jetty.
>>
>>  That's when i thought
>>
>>   "ok, it's simply not possible using the integrated jetty"
>>
>>  but then i stumbled over this peace of user-submitted configuration
>> example:
>>  http://activemq.apache.org/user-submitted-configurations.html
>>
>>  This looks really good:
>>
>>   <!-- Web Console.  Auth is via JAAS.  Beware: jetty-plus-6.1.4.jar
>> contains
>>  the
>>        JAAS classes, and is not included with ActiveMQ.  You need to
>>  download
>>        separately.  Web Console queue browser will fail, as it tries to
>> use
>>  JMS
>>        to browse the queue, and that requires a password.
>>   -->
>>
>>   <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>>     <connectors>
>>       <nioConnector port="8161" />
>>     </connectors>
>>
>>     <userRealms>
>>       <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>  must be defined in login.conf -->
>>       <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>>
>> 
>> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
>>  />
>>     </userRealms>
>>
>>     <handlers>
>>       <webAppContext contextPath="/admin"
>>  resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>>     </handlers>
>>   </jetty>
>>
>>  But unfortunately, it lacks important information:
>>
>>  <userRealms>
>>       <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>  must be defined in login.conf -->
>>
>>  Defining a realm in the web.xml is ok, but what about the "login.conf"?
>>
>>  Where should i place this file?
> 
> The login.conf file is pointed to by a system property named
> java.security.auth.login.config as in:
> 
> -Djava.security.auth.login.config=login.conf
> 
>>  What should its content look like?
> 
> Follow the rules specified in the Javadoc for the Java Security
> Configuration object here:
> 
> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
> 
>>  What "loginModuleName" should i specify?
> 
> You can specify any string as the loginModuleName. The important part
> is that the realm-name in the web.xml and the loginModuleName in the
> Jetty config match exactly.
> 
> Bruce
> -- 
> perl -e 'print
> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
> );'
> 
> Apache ActiveMQ - http://activemq.org/
> Apache Camel - http://activemq.org/camel/
> Apache ServiceMix - http://servicemix.org/
> Apache Geronimo - http://geronimo.apache.org/
> 
> Blog: http://bruceblog.org/
> 
> 

-- 
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16784012.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.


Mime
View raw message