activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From huntc <>
Subject SSL authorisation using a client's subject DN for JNDI
Date Thu, 12 Mar 2009 06:56:52 GMT

Hi there,

I have a situation where I need to support authentication and authorisation
for endpoints connecting to my broker. I have successfully configured an
LDAP server for this purpose and have everything working.

My concern though is that endpoints must provide a username and password to
establish their identity. Indeed ActiveMQ also needs to provide its username
and password so that it can interrogate the LDAP store.

This then requires that passwords are stored in the clear somewhere;
generally in some configuration file like activemq.xml. I realise that I can
use operating system permissions to lock the configuration files down, but I
am looking for a better way.

I am presently thinking of writing my own JAAS LoginModule to authorise
endpoints that have successfully authenticated using mutual SSL
authentication i.e. verifies the client's certificate. On login my module
would extract the subject DN from the client's certificate by getting the
public certificate from the Subject object. It would then perform an JNDI
search for the groups that has the DN as a member. The CNs of member groups
would then be established as roles (much like the existing
org.apache.activemq.jaas.LDAPLoginModule does).

To further aid security I would disallow all but SSL based communication
with the broker.

Does the strategy make sense? Is there a better way of avoiding storing
usernames and passwords in the clear?

Thank you for your time.

Kind regards,
View this message in context:
Sent from the ActiveMQ - User mailing list archive at

View raw message