geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aman Nanner (JIRA)" <j...@apache.org>
Subject [jira] Created: (GERONIMO-3084) Incompatibilitiy between ActiveMQ JAAS and Geronimo JAAS
Date Tue, 10 Apr 2007 17:46:36 GMT
Incompatibilitiy between ActiveMQ JAAS and Geronimo JAAS
--------------------------------------------------------

                 Key: GERONIMO-3084
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3084
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: ActiveMQ
    Affects Versions: 1.2
            Reporter: Aman Nanner


I have reconfigured Geronimo so that the ActiveMQ broker loads its configuration from an external
XML file.  Within this file, I have specified a security configuration for my queues and topics.
 This is the file:

----
{code}
<beans>

  <!-- Allows us to use system properties as variables in this configuration file -->
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
  
  <broker brokerName="localhost" useJmx="true" xmlns="http://activemq.org/config/1.0">
      
    <plugins>
      <!--  use JAAS to authenticate using the login.config file on the classpath to configure
JAAS -->
      <jaasAuthenticationPlugin configuration="geronimo-admin" />

      <!--  lets configure a destination based authorization mechanism -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" read="admin" write="admin" admin="admin"
/>
              <authorizationEntry topic=">" read="admin" write="admin" admin="admin"
/>
            </authorizationEntries>    
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>
    
  </broker>


  <!-- lets create a command agent to respond to message based admin commands on the ActiveMQ.Agent
topic 
  <commandAgent xmlns="http://activemq.org/config/1.0"/>-->


</beans>
{code}
----

As can be seen, I am using the following JAAS login config domain: geronimo-admin.  This is
the standard login domain that gets its users and groups from properties files.  However,
when running the Geronimo server, JAAS cannot matchup the "admin" role specified in the ActiveMQ
XML file with the "admin" role specified in the groups.properties file for the "geronimo-admin"
login domain.  The problem is that the ActiveMQ role is a principal of type {{org.apache.activemq.jaas.GroupPrincipal}},
while the Geronimo JAAS "admin" role is of the type {{org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal}}.
 Because these principals are different classes, they are not considered "equal" to each other
by the {{equals()}} method on {{org.apache.activemq.jaas.GroupPrincipal}}.  The stack trace
where the error occurs is here:

----
{code}
Thread [ActiveMQ Transport: tcp:///192.168.12.196:2453] (Suspended)	
	GeronimoGroupPrincipal.equals(Object) line: 42	
	HashMap<K,V>.eq(Object, Object) line: 299	
	HashMap<K,V>.containsKey(Object) line: 381	
	HashSet<E>.contains(Object) line: 182	
	HashSet<E>(AbstractCollection<E>).retainAll(Collection<?>) line: 392	
	JaasAuthenticationBroker$JaasSecurityContext(SecurityContext).isInOneOf(Set) line: 43	
	AuthorizationBroker.addDestination(ConnectionContext, ActiveMQDestination) line: 64	
	BrokerService$2(MutableBrokerFilter).addDestination(ConnectionContext, ActiveMQDestination)
line: 152	
	ManagedTopicRegion(AbstractRegion).lookup(ConnectionContext, ActiveMQDestination) line: 316

	ManagedTopicRegion(AbstractRegion).send(ConnectionContext, Message) line: 291	
	ManagedRegionBroker(RegionBroker).send(ConnectionContext, Message) line: 385	
	TransactionBroker.send(ConnectionContext, Message) line: 193	
	AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId, ActiveMQMessage)
line: 272	
	AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId) line:
237	
	AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command) line: 232	
	AdvisoryBroker.addConnection(ConnectionContext, ConnectionInfo) line: 73	
	CompositeDestinationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo)
line: 82	
	JaasAuthenticationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line:
82	
	JaasAuthenticationBroker.addConnection(ConnectionContext, ConnectionInfo) line: 90	
	AuthorizationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line:
82	
	BrokerService$2(MutableBrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line:
92	
	TransportConnection.processAddConnection(ConnectionInfo) line: 706	
	ConnectionInfo.visit(CommandVisitor) line: 121	
	TransportConnection.service(Command) line: 294	
	TransportConnection$1.onCommand(Object) line: 185	
	MutexTransport(TransportFilter).onCommand(Object) line: 65	
	WireFormatNegotiator.onCommand(Object) line: 133	
	InactivityMonitor.onCommand(Object) line: 122	
	TcpTransport(TransportSupport).doConsume(Object) line: 84	
	TcpTransport.run() line: 137	
	Thread.run() line: 595	
{code}
----

Securing the ActiveMQ resources is an important component to securing a production server,
so some way of resolving this issue should be determined.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message