activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <>
Subject Re: SSL authorisation using a client's subject DN for JNDI
Date Thu, 12 Mar 2009 07:46:06 GMT

On Mar 11, 2009, at 11:56 PM, huntc wrote:

> Hi there,
> I have a situation where I need to support authentication and  
> authorisation
> for endpoints connecting to my broker. I have successfully  
> configured an
> LDAP server for this purpose and have everything working.
> My concern though is that endpoints must provide a username and  
> password to
> establish their identity. Indeed ActiveMQ also needs to provide its  
> username
> and password so that it can interrogate the LDAP store.

??? I'm not familiar with the activemq stuff but the ldap login  
modules I've seen work by binding to ldap using the client's supplied  
user name and password.  If it works, then the user name/password is  
valid and you can go on to look for groups/roles/whatever, otherwise  
the username/password is not valid.  So, activemq does not need a  
"system identity" known to ldap for this to work.

In ldap I think the usual strategy is to hash the stored passwords and  
also hash the incoming supplied passwords.  Thus, no passwords in the  
> This then requires that passwords are stored in the clear somewhere;
> generally in some configuration file like activemq.xml. I realise  
> that I can
> use operating system permissions to lock the configuration files  
> down, but I
> am looking for a better way.
> I am presently thinking of writing my own JAAS LoginModule to  
> authorise
> endpoints that have successfully authenticated using mutual SSL
> authentication i.e. verifies the client's certificate. On login my  
> module
> would extract the subject DN from the client's certificate by  
> getting the
> public certificate from the Subject object. It would then perform an  
> search for the groups that has the DN as a member. The CNs of member  
> groups
> would then be established as roles (much like the existing
> org.apache.activemq.jaas.LDAPLoginModule does).

With this strategy I think you need to authenticate activemq to the  
ldap system??  or can you use the client cert to authenticate the  
original client?  In either case it doesn't really seem different to  
me than the username/password case except your description appears to  
require an identity known to ldap for activemq.  Unless you require  
the admin to type in the credentials when starting activemq, I don't  
see how you're going to avoid storing the credentials in the clear on  

Maybe I'm misunderstanding what you are proposing....

david jencks

> To further aid security I would disallow all but SSL based  
> communication
> with the broker.
> Does the strategy make sense? Is there a better way of avoiding  
> storing
> usernames and passwords in the clear?
> Thank you for your time.
> Kind regards,
> Christopher
> -- 
> View this message in context:
> Sent from the ActiveMQ - User mailing list archive at

View raw message