Hey Bruce, thanks for your advice, I am almost there......:-) .....but still one problem left... (believe me, if I get this done, I will write / add a tutorial to the Confluence wiki, because I really think there is a need for a detailed description of what to do for people who are not very familiar with JAAS....)
Ok, here I am:

-> I defined a realm in $ACTIVEMQ_HOME/webapps/admin/WEB-INF/web.xml which looks like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adminInterface</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>adminRole</role-name>
      </auth-constraint>
    </security-constraint>
    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>adminInterface</realm-name>
    </login-config>

This looks good so far; if I try to browse http://localhost:8161/admin I get a 500 error.

-> Added "userRealms" to the activemq.xml like described in the aforementioned example:

    <userRealms>
      <!-- "name" must match the realm in web.xml, and "loginModuleName"
           must be defined in login.conf -->
      <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
          callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
    </userRealms>

and changed the parameter jaasUserRealm name= to the realm-name I had defined in the web.xml, namely "adminInterface".

-> login.config under $AMQ_HOME/conf:

    activemq-domain {
        org.apache.activemq.jaas.PropertiesLoginModule required
            debug=true
            org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
            org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
    };

-> users.properties under $AMQ_HOME/conf:

    admin=manager

-> groups.properties under $AMQ_HOME/conf:

    admin=adminRole

I copied jetty-plus-6.1.9.jar to $ACTIVEMQ_HOME/lib/ and restarted the broker. And....hooray! I get a login mask with a user and a password field! But when I enter name: admin, password: manager (like defined in the users.properties) I don't get logged in; the login mask pops up again. The broker log tells me:

    WARN log - AUTH FAILURE: user admin
    WARN log - java.lang.SecurityException: Unable to locate a login configuration

So I assume I am still doing something wrong.
Probably because I misunderstood some of your answers. You wrote:

> The login.conf file is pointed to by a system property named
> java.security.auth.login.config as in:
>
> -Djava.security.auth.login.config=login.conf

Ok, but do I actually have to edit the activemq start script, or is it sufficient to put the login.conf in a classpath directory? I assumed the latter, so I put the login.conf in $AMQ_HOME/conf, which I believe is on the classpath?

>> What should its content look like?
>
> Follow the rules specified in the Javadoc for the Java Security
> Configuration object here:
>
> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html

Thx for the link; as far as I can tell, I did this right?

>> What "loginModuleName" should I specify?
>
> You can specify any string as the loginModuleName. The important part
> is that the realm-name in the web.xml and the loginModuleName in the
> Jetty config match exactly.

Was that a typo? I think you meant "the realm in the web.xml and the jaasUserRealm name must match exactly", right?

Furthermore: I assume the role "adminRole" defined in the web.xml is mapped to the group entry "adminRole"?

bsnyder wrote:
>
> On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r
> <[EMAIL PROTECTED]> wrote:
>>
>> Hey folks,
>>
>> I am desperately trying to find out how to configure a simple access
>> control for the web console, but this is simply not documented......
>>
>> The documentation here: http://activemq.apache.org/web-console.html
>> refers to a separate jetty instance, not to the integrated jetty.
>>
>> That's when I thought
>>
>> "ok, it's simply not possible using the integrated jetty"
>>
>> but then I stumbled over this piece of user-submitted configuration
>> example:
>> http://activemq.apache.org/user-submitted-configurations.html
>>
>> This looks really good:
>>
>> <!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar contains
>> the JAAS classes, and is not included with ActiveMQ. You need to download
>> separately.
>> Web Console queue browser will fail, as it tries to use JMS to browse the
>> queue, and that requires a password.
>> -->
>>
>> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>>   <connectors>
>>     <nioConnector port="8161" />
>>   </connectors>
>>
>>   <userRealms>
>>     <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>          must be defined in login.conf -->
>>     <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>>         callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
>>   </userRealms>
>>
>>   <handlers>
>>     <webAppContext contextPath="/admin"
>>         resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>>   </handlers>
>> </jetty>
>>
>> But unfortunately, it lacks important information:
>>
>> <userRealms>
>>   <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>        must be defined in login.conf -->
>>
>> Defining a realm in the web.xml is ok, but what about the "login.conf"?
>>
>> Where should I place this file?
>
> The login.conf file is pointed to by a system property named
> java.security.auth.login.config as in:
>
> -Djava.security.auth.login.config=login.conf
>
>> What should its content look like?
>
> Follow the rules specified in the Javadoc for the Java Security
> Configuration object here:
>
> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>
>> What "loginModuleName" should I specify?
>
> You can specify any string as the loginModuleName. The important part
> is that the realm-name in the web.xml and the loginModuleName in the
> Jetty config match exactly.
>
> Bruce
> --
> Apache ActiveMQ - http://activemq.org/
> Apache Camel - http://activemq.org/camel/
> Apache ServiceMix - http://servicemix.org/
> Apache Geronimo - http://geronimo.apache.org/
>
> Blog: http://bruceblog.org/

--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16784012.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
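Added after the thread as an example (not code from the post, from ActiveMQ or from Jetty): a small shell script that checks the names which have to agree across the files discussed above. The realm-name in web.xml must equal the jaasUserRealm name in activemq.xml; the loginModuleName must be the name of an entry in login.conf (the comment in the user-submitted configuration says exactly that); and the role-name from web.xml must be a group in groups.properties, where ActiveMQ's PropertiesLoginModule expects lines of the form group=user1,user2, so the role has to be the key, not the value. The file layout (one directory holding web.xml, activemq.xml, login.conf and groups.properties) and the function names are assumptions of this script, and the fixture it builds is constructed from the configuration quoted in the thread.

```shell
#!/bin/sh
# Consistency check for the names that must agree when the ActiveMQ web
# console is protected by Jetty's jaasUserRealm (added example, not
# ActiveMQ or Jetty code):
#   web.xml            <realm-name>X</realm-name>
#   activemq.xml       <jaasUserRealm name="X" loginModuleName="Y" .../>
#   login.conf         Y { ... };            (Y must be an entry name)
#   groups.properties  <role-name from web.xml>=user1,user2
# Assumed layout: one directory holding web.xml, activemq.xml, login.conf
# and groups.properties.  The fixture below is constructed from the
# configuration quoted in the thread.

# First text between <TAG> and </TAG> in FILE (assumes the element sits on one line).
xml_text() {  # xml_text FILE TAG
  sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" | head -n 1
}

# Value of attribute ATTR on the <jaasUserRealm> element in FILE.
jaas_attr() {  # jaas_attr FILE ATTR
  tr '\n' ' ' < "$1" |
    sed -n "s|.*<jaasUserRealm[^>]*[[:space:]]$2=\"\([^\"]*\)\".*|\1|p"
}

# Does login.conf FILE define an entry NAME?  (JAAS syntax: NAME { ... };)
login_conf_has_entry() {  # login_conf_has_entry FILE NAME
  grep -Eq "^[[:space:]]*$2[[:space:]]*\{" "$1"
}

# Is GROUP a key in groups.properties FILE?  (format: group=user1,user2)
groups_has_group() {  # groups_has_group FILE GROUP
  grep -Eq "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Report mismatches under DIR on stderr; print the number of mismatches on stdout.
count_mismatches() {  # count_mismatches DIR
  dir=$1 n=0
  realm=$(xml_text "$dir/web.xml" realm-name)
  role=$(xml_text "$dir/web.xml" role-name)
  jname=$(jaas_attr "$dir/activemq.xml" name)
  jmodule=$(jaas_attr "$dir/activemq.xml" loginModuleName)
  if [ "$realm" != "$jname" ]; then
    echo "web.xml realm-name '$realm' != jaasUserRealm name '$jname'" >&2; n=$((n + 1))
  fi
  if ! login_conf_has_entry "$dir/login.conf" "$jmodule"; then
    echo "loginModuleName '$jmodule' has no entry in login.conf" >&2; n=$((n + 1))
  fi
  if ! groups_has_group "$dir/groups.properties" "$role"; then
    echo "role '$role' is not a group (key) in groups.properties" >&2; n=$((n + 1))
  fi
  echo "$n"
}

# Write a fixture into DIR: web.xml and login.conf as quoted in the thread,
# activemq.xml with loginModuleName=MODULE, groups.properties containing GROUPLINE.
make_fixture() {  # make_fixture DIR MODULE GROUPLINE
  mkdir -p "$1"
  cat > "$1/web.xml" <<'EOF'
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminInterface</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>adminRole</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>adminInterface</realm-name>
  </login-config>
</web-app>
EOF
  cat > "$1/activemq.xml" <<EOF
<userRealms>
  <jaasUserRealm name="adminInterface" loginModuleName="$2"
      callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
</userRealms>
EOF
  cat > "$1/login.conf" <<'EOF'
activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
        org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
};
EOF
  printf '%s\n' "$3" > "$1/groups.properties"
}

# Demo: the configuration exactly as posted in the thread.
DEMO=$(mktemp -d)
make_fixture "$DEMO" ActiveMQ 'admin=adminRole'
echo "mismatches in the posted configuration: $(count_mismatches "$DEMO")"
rm -rf "$DEMO"
```

Run against the configuration as posted, the check reports two problems: loginModuleName "ActiveMQ" has no matching entry in login.conf (the only entry is called activemq-domain), and in groups.properties adminRole is the value rather than the key. Independently of those two, JAAS does not search the classpath for login.conf: the default Configuration reads the file named by -Djava.security.auth.login.config (or a login.config.url.N entry in the JRE's java.security), and "Unable to locate a login configuration" is the SecurityException it throws when neither is set, so the broker's JVM has to be started with the system property Bruce mentioned.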