atlas-dev mailing list archives

From "Melvin E Santos-Piza (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ATLAS-578) Enhance AMQ jaasAuthenticationPlugin(s)
Date Mon, 21 Mar 2016 06:08:25 GMT
Melvin E Santos-Piza created ATLAS-578:
------------------------------------------

             Summary: Enhance AMQ jaasAuthenticationPlugin(s)
                 Key: ATLAS-578
                 URL: https://issues.apache.org/jira/browse/ATLAS-578
             Project: Atlas
          Issue Type: Improvement
            Reporter: Melvin E Santos-Piza


I'm standing up a cluster of AMQs, which I will offer in a multi-tenant setup.  Each tenant will
have a networkOfBrokers with SSL transports (only) on each broker.  Each broker will have
two transports: 1) frontdoor - which is what the clients will connect to (1-way TLS + LDAP
Auth) 2) backdoor - will connect the network (2-way TLS).  The problem is that the broker
expects me to also authenticate the broker via LDAP on the backdoor.  This proves troublesome
as I would have to configure, and protect, customers' LDAP credentials.  I would much rather
have 2-Way TLS, as I can have the certificates in a keystore + its key vaulted somewhere in
the host.

I've looked at:
1) org.apache.activemq.jaas.TextFileCertificateLoginModule + org.apache.activemq.security.JaasCertificateAuthenticationPlugin
2) org.apache.activemq.jaas.LDAPLoginModule + org.apache.activemq.security.JaasAuthenticationPlugin

but both of these LoginModules handle different callbacks, and the authenticationPlugins expect
sequential successes; the way BrokerFilter works, one can't have a fallback jaasPlugin. What's
needed is an authenticationPlugin that will use a CertificateCallBackHandler as the primary
logon, and a CredentialsCallBackHandler as the default, kind of what SSH does (i.e. org.apache.karaf.shell.ssh.KarafJaasAuthenticator)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
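
The certificate-first, credentials-fallback decision requested above, as an added sketch that is not part of the original message and is not ActiveMQ or Karaf code. The class name, the `BiPredicate` standing in for an LDAP bind, and the sample DNs and credentials are all assumptions made for illustration; it uses only JDK types (Java 9+).

```java
import java.util.Optional;
import java.util.Set;
import java.util.function.BiPredicate;
import javax.security.auth.x500.X500Principal;

// Hypothetical sketch: certificate-first login with a credentials fallback.
public class CertThenCredentialsAuthenticator {
    private final Set<X500Principal> trustedPeers;              // DNs accepted over 2-way TLS
    private final BiPredicate<String, char[]> credentialCheck;  // stand-in for an LDAP bind

    public CertThenCredentialsAuthenticator(Set<X500Principal> trustedPeers,
                                            BiPredicate<String, char[]> credentialCheck) {
        this.trustedPeers = trustedPeers;
        this.credentialCheck = credentialCheck;
    }

    // peer: subject of the TLS client certificate (in a broker it would come from
    // chain[0].getSubjectX500Principal()), or null when the transport requested none.
    // Returns the authenticated identity, or empty when both mechanisms fail.
    public Optional<String> authenticate(X500Principal peer, String user, char[] password) {
        // Primary: a certificate the TLS handshake validated, mapped to a known peer.
        // X500Principal.equals compares canonical DNs, so case and spacing do not matter.
        if (peer != null && trustedPeers.contains(peer)) {
            return Optional.of("cert:" + peer.getName());
        }
        // Fallback: username/password. Empty values are rejected before reaching the
        // backend, since an LDAP simple bind with an empty password is unauthenticated.
        if (user != null && !user.isEmpty() && password != null && password.length > 0
                && credentialCheck.test(user, password)) {
            return Optional.of("user:" + user);
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample data: one peer broker DN and one LDAP-style user.
        X500Principal brokerB = new X500Principal("CN=broker-b,OU=tenant1,O=Example");
        CertThenCredentialsAuthenticator auth = new CertThenCredentialsAuthenticator(
                Set.of(brokerB),
                (u, p) -> u.equals("alice") && String.valueOf(p).equals("s3cret"));

        // Backdoor: the peer broker presents its certificate, no LDAP credentials needed.
        System.out.println(auth.authenticate(
                new X500Principal("cn=broker-b, ou=tenant1, o=Example"), null, null));
        // Frontdoor: no client certificate, so the credentials path decides.
        System.out.println(auth.authenticate(null, "alice", "s3cret".toCharArray()));
        // Unknown certificate and no credentials: rejected.
        System.out.println(auth.authenticate(new X500Principal("CN=rogue"), null, null));
    }
}
```

The returned identity is prefixed with the mechanism that produced it, so authorization rules and audit logs can distinguish a broker admitted by certificate from a client admitted by password.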
