Hi again, ok, i am one step further.....

I thought about my last question (which was kind of stupid by the way)

Ok, but do i actually have to edit the activemq-startscript or is it
sufficient to put the login.conf in a classpath-directory? I assumed the
latter, so put the login.conf in AMQ_HOME/conf, which i believe is in the
classpath?

-> I edited $AMQ_HOME/bin/activemq and added

-Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config"

to the last section in the script:

ACTIVEMQ_TASK="start"
if [ -n "$CYGHOME" ]; then
    exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}" -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}" -Dcygwin.user.home="$CYGHOME" -Djava.security.auth.login.config="/opt/activemq/conf/login.config" -jar "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
else
    exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}" -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}" -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config" -jar "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
fi

Now the broker message when trying to log in is different:

WARN log - javax.security.auth.login.LoginException: No LoginModules configured for ActiveMQ
WARN log - AUTH FAILURE: user admin

Ok, so i edited $AMQ_HOME/conf/activemq.xml and changed the parameter
loginModuleName from

    <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
        callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
</userRealms>

to

<userRealms>
    <!-- "name" must match the realm in web.xml, and "loginModuleName"
         must be defined in login.conf -->
    <jaasUserRealm name="adminInterface" loginModuleName="org.apache.activemq.jaas.PropertiesLoginModule"
        callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
</userRealms>

The broker tells me:

WARN log - javax.security.auth.login.LoginException: No LoginModules configured for org.apache.activemq.jaas.PropertiesLoginModule
WARN log - AUTH FAILURE: user admin

Now i am confused, i thought org.apache.activemq.jaas.PropertiesLoginModule
was actually a login module?

Googling after the error message
"javax.security.auth.login.LoginException: No LoginModules" hasn't helped me
so far.....


j0llyr0g3r wrote:
>
> Hey Bruce,
>
> thanks for your advice, i am almost there......:-)
> .....but still one problem left...
> (believe me, if i get this done, i will write / add a tutorial to the
> confluence wiki, because i really think there is a need for a detailed
> description of what to do for people who are not very familiar with
> JAAS....)
>
> Ok,
>
> here i am:
>
> -> I defined a realm in $ACTIVEMQ_HOME/webapps/admin/WEb-INF/web.xml which
> looks like that:
>
>     <security-constraint>
>         <web-resource-collection>
>             <web-resource-name>adminInterface</web-resource-name>
>             <url-pattern>/*</url-pattern>
>         </web-resource-collection>
>         <auth-constraint>
>             <role-name>adminRole</role-name>
>         </auth-constraint>
>     </security-constraint>
>
>     <login-config>
>         <auth-method>BASIC</auth-method>
>         <realm-name>adminInterface</realm-name>
>     </login-config>
>
> This looks good so far, if i try to browse http://localhost:8161/admin i
> get a 500-error.
>
> -> added "userRealms" to the activemq.xml like described in the
> aforementioned example:
>
>     <userRealms>
>         <!-- "name" must match the realm in web.xml, and "loginModuleName"
>              must be defined in login.conf -->
>         <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
>             callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
>     </userRealms>
>
> And changed the parameter jaasUserRealm name= to the realm-name i had
> defined in the web.xml, namely "adminInterface".
>
> -> login.config under $AMQ_HOME/conf:
>
>     activemq-domain {
>         org.apache.activemq.jaas.PropertiesLoginModule required
>             debug=true
>             org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
>             org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
>     };
>
> -> users.properties under $AMQ_HOME/conf:
>
>     admin=manager
>
> -> groups.properties under $AMQ_HOME/conf:
>
>     admin=adminRole
>
> I copied jetty-plus-6.1.9.jar to $ACTIVEMQ_HOME/lib/ and restarted the
> broker.
>
> And....hooray! I get a login mask with a user and a password field!
>
> But when i enter
>
> name:admin
> password: manager
> (like defined in the user.properties)
>
> i don't get logged in but the login-mask pops up again.
>
> The broker-log tells me:
>
> WARN log - AUTH FAILURE: user admin
> WARN log - java.lang.SecurityException: Unable to locate a login configuration
>
> So i assume i am still doing something wrong. Probably because i
> misunderstood some of your answers:
>
> You wrote:
>
> The login.conf file is pointed to by a system property named
> java.security.auth.login.config as in:
>
> -Djava.security.auth.login.config=login.conf
>
> Ok, but do i actually have to edit the activemq-startscript or is it
> sufficient to put the login.conf in a classpath-directory? I assumed the
> latter, so put the login.conf in AMQ_HOME/conf, which i believe is in the
> classpath?
>
> > What should its content look like?
>
> Follow the rules specified in the Javadoc for the Java Security
> Configuration object here:
>
> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>
> Thx for the link, as far as i can tell, i did this right?
>
> > What "loginModuleName" should i specify?
>
> You can specify any string as the loginModuleName. The important part
> is that the realm-name in the web.xml and the loginModuleName in the
> Jetty config match exactly.
>
> Was that a typo? I think you meant "the realm in the web.xml and
> jaasUserRealm name must match exactly", right?
>
> Furthermore:
>
> I assume the role "adminRole" defined in the web.xml is mapped to the
> group-entry "adminRole"?
>
>
> bsnyder wrote:
>>
>> On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r
>> <[EMAIL PROTECTED]> wrote:
>>>
>>> Hey folks,
>>>
>>> i am desperately trying to find out how to configure a simple access
>>> control for the web console, but this is simply not documented......
>>>
>>> The documentation here: http://activemq.apache.org/web-console.html
>>> refers to a separate jetty instance, not to the integrated jetty.
>>>
>>> That's when i thought
>>>
>>> "ok, it's simply not possible using the integrated jetty"
>>>
>>> but then i stumbled over this piece of user-submitted configuration
>>> example:
>>> http://activemq.apache.org/user-submitted-configurations.html
>>>
>>> This looks really good:
>>>
>>> <!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar contains the
>>>      JAAS classes, and is not included with ActiveMQ. You need to download
>>>      separately. Web Console queue browser will fail, as it tries to use JMS
>>>      to browse the queue, and that requires a password.
>>> -->
>>>
>>> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>>>     <connectors>
>>>         <nioConnector port="8161" />
>>>     </connectors>
>>>
>>>     <userRealms>
>>>         <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>>              must be defined in login.conf -->
>>>         <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>>>             callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
>>>     </userRealms>
>>>
>>>     <handlers>
>>>         <webAppContext contextPath="/admin"
>>>             resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>>>     </handlers>
>>> </jetty>
>>>
>>> But unfortunately, it lacks important information:
>>>
>>> <userRealms>
>>>     <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>>          must be defined in login.conf -->
>>>
>>> Defining a realm in the web.xml is ok, but what about the "login.conf"?
>>>
>>> Where should i place this file?
>>
>> The login.conf file is pointed to by a system property named
>> java.security.auth.login.config as in:
>>
>> -Djava.security.auth.login.config=login.conf
>>
>>> What should its content look like?
>>
>> Follow the rules specified in the Javadoc for the Java Security
>> Configuration object here:
>>
>> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>>
>>> What "loginModuleName" should i specify?
>>
>> You can specify any string as the loginModuleName. The important part
>> is that the realm-name in the web.xml and the loginModuleName in the
>> Jetty config match exactly.
>>
>> Bruce
>> --
>> perl -e 'print
>> unpack("u30","D0G)[EMAIL PROTECTED]&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
>> );'
>>
>> Apache ActiveMQ - http://activemq.org/
>> Apache Camel - http://activemq.org/camel/
>> Apache ServiceMix - http://servicemix.org/
>> Apache Geronimo - http://geronimo.apache.org/
>>
>> Blog: http://bruceblog.org/
>>
>>
>

--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16784476.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
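
Added example (not part of the original messages, and not ActiveMQ or Jetty code): JAAS raises "No LoginModules configured for <name>" when the name it is given is not an entry name in the file that java.security.auth.login.config points to and no entry named "other" exists. The Python sketch below checks the two cross-references named in the quoted XML comment; the sample files are constructed from the ones in the thread (properties paths shortened) and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs modelled on the files quoted in the thread.
LOGIN_CONFIG = """
activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
"""
WEB_XML = "<web-app><login-config><realm-name>adminInterface</realm-name></login-config></web-app>"
JETTY_XML = """<jetty xmlns="http://mortbay.com/schemas/jetty/1.0"><userRealms>
  <jaasUserRealm name="adminInterface" loginModuleName="{module}"/>
</userRealms></jetty>"""


def local(tag):
    """Element name without its XML namespace."""
    return tag.rsplit("}", 1)[-1]


def jaas_entry_names(text):
    """Application entry names (the token before each '{') in a JAAS login config."""
    text = re.sub(r"/\*.*?\*/|//[^\n]*", "", text, flags=re.S)  # drop comments
    return set(re.findall(r'(?:^|;)\s*"?([^\s"{};=]+)"?\s*\{', text, flags=re.M))


def check(login_config, jetty_xml, web_xml):
    """Return findings for realm and entry names that do not line up."""
    entries = jaas_entry_names(login_config)
    web_realms = {e.text.strip() for e in ET.fromstring(web_xml).iter()
                  if local(e.tag) == "realm-name" and e.text}
    findings = []
    for el in ET.fromstring(jetty_xml).iter():
        if local(el.tag) != "jaasUserRealm":
            continue
        module = el.get("loginModuleName")
        # JAAS falls back to an entry named "other" when the name is not found.
        if module not in entries and "other" not in entries:
            findings.append(f"no JAAS entry named {module!r}; file defines {sorted(entries)}")
        if el.get("name") not in web_realms:
            findings.append(f"realm {el.get('name')!r} is not a realm-name in web.xml")
    return findings


if __name__ == "__main__":
    for module in ("ActiveMQ", "org.apache.activemq.jaas.PropertiesLoginModule", "activemq-domain"):
        result = check(LOGIN_CONFIG, JETTY_XML.format(module=module), WEB_XML)
        print(module, "->", result or "consistent")
```

Both values tried in the thread are reported as missing entries; only the name written before the opening brace in login.config passes.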