Hey folks, sorry for flooding, but I have made some great progress.......:-)

I get one last error from the broker now when I try to access the interface:

WARN log - AUTH FAILURE: incorrect role for system

This seems quite logical (to me at least): I don't know how to map the role I defined in my $AMQ_HOME/webapps/admin/WEB-INF/web.xml

<security-constraint>
  ........
  <auth-constraint>
    <role-name>fooo</role-name>
  </auth-constraint>
</security-constraint>

to the user and groups I defined:

users.properties:
system=manager

groups.properties:
admins=system

How do I map the user above to the defined role?

First I thought, if something like

org.apache.activemq.jaas.properties.user="users.properties"
org.apache.activemq.jaas.properties.group="groups.properties";

exists, something like org.apache.activemq.jaas.properties.role would exist too, but I looked through the source code and it doesn't?

If you search for example like this:

grep -irsI "org.apache.activemq.jaas.properties.group" apache-activemq-5.0.0

you get:

apache-activemq-5.0.0/src/activemq-jaas/login.config: org.apache.activemq.jaas.properties.group="src/test/resources/groups.properties"

but nothing for

grep -irsI "org.apache.activemq.jaas.properties.role" apache-activemq-5.0.0

Then I thought that I could define it in the web.xml in the section:

<auth-constraint>
  <role-name>system</role-name>
</auth-constraint>

but I looked in the servlet specification, and there are no according elements?

How can I map the defined users to the role "FOO"?

j0llyr0g3r wrote:
>
> Hi again,
>
> ok, I am one step further.....
>
> I thought about my last question (which was kind of stupid by the way)
>
> Ok, but do I actually have to edit the activemq-startscript or is it
> sufficient to put the login.conf in a classpath-directory? I assumed the
> latter, so put the login.conf in AMQ_HOME/conf, which I believe is in the
> classpath?
>
> -> I edited $AMQ_HOME/bin/activemq and added
>
> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config"
>
> to the last section in the script:
>
> ACTIVEMQ_TASK="start"
> if [ -n "$CYGHOME" ]; then
>   exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}" -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}" -Dcygwin.user.home="$CYGHOME" -Djava.security.auth.login.config="/opt/activemq/conf/login.config" -jar "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
> else
>   exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}" -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}" -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config" -jar "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
> fi
>
> Now the broker message when trying to log in is different:
>
> WARN log - javax.security.auth.login.LoginException: No LoginModules configured for ActiveMQ
> WARN log - AUTH FAILURE: user admin
>
> Ok, so I edited $AMQ_HOME/conf/activemq.xml and changed the parameter loginModuleName from
>
>   <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
>       callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
> </userRealms>
>
> to
>
> <userRealms>
>   <!-- "name" must match the realm in web.xml, and "loginModuleName" must be defined in login.conf -->
>   <jaasUserRealm name="adminInterface" loginModuleName="org.apache.activemq.jaas.PropertiesLoginModule"
>       callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
> </userRealms>
>
> The broker tells me:
>
> WARN log - javax.security.auth.login.LoginException: No LoginModules configured for org.apache.activemq.jaas.PropertiesLoginModule
> WARN log - AUTH FAILURE: user admin
>
> Now I am confused, I thought
>
> org.apache.activemq.jaas.PropertiesLoginModule
>
> was actually a login module?
>
> Googling after the error message "javax.security.auth.login.LoginException: No LoginModules" hasn't helped me so far.....
>
> j0llyr0g3r wrote:
>>
>> Hey Bruce,
>>
>> thanks for your advice, I am almost there......:-)
>> .....but still one problem left...
>> (believe me, if I get this done, I will write / add a tutorial to the confluence wiki, because I really think there is a need for a detailed description of what to do for people who are not very familiar with JAAS....)
>>
>> Ok,
>>
>> here I am:
>>
>> -> I defined a realm in $ACTIVEMQ_HOME/webapps/admin/WEB-INF/web.xml which looks like that:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>adminInterface</web-resource-name>
>>     <url-pattern>/*</url-pattern>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>adminRole</role-name>
>>   </auth-constraint>
>> </security-constraint>
>>
>> <login-config>
>>   <auth-method>BASIC</auth-method>
>>   <realm-name>adminInterface</realm-name>
>> </login-config>
>>
>> This looks good so far; if I try to browse http://localhost:8161/admin I get a 500 error.
>>
>> -> added "userRealms" to the activemq.xml like described in the aforementioned example:
>>
>> <userRealms>
>>   <!-- "name" must match the realm in web.xml, and "loginModuleName" must be defined in login.conf -->
>>   <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
>>       callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
>> </userRealms>
>>
>> And changed the parameter jaasUserRealm name= to the realm-name I had defined in the web.xml, namely "adminInterface".
>>
>> -> login.config under $AMQ_HOME/conf:
>>
>> activemq-domain {
>>     org.apache.activemq.jaas.PropertiesLoginModule required
>>         debug=true
>>         org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
>>         org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
>> };
>>
>> -> users.properties under $AMQ_HOME/conf:
>>
>> admin=manager
>>
>> -> groups.properties under $AMQ_HOME/conf:
>>
>> admin=adminRole
>>
>> I copied jetty-plus-6.1.9.jar to $ACTIVEMQ_HOME/lib/ and restarted the broker.
>>
>> And....hooray! I get a login mask with a user and a password field!
>>
>> But when I enter
>>
>> name: admin
>> password: manager
>> (like defined in the user.properties)
>>
>> I don't get logged in but the login mask pops up again.
>>
>> The broker log tells me:
>>
>> WARN log - AUTH FAILURE: user admin
>> WARN log - java.lang.SecurityException: Unable to locate a login configuration
>>
>> So I assume I am still doing something wrong. Probably because I misunderstood some of your answers:
>>
>> You wrote:
>>
>> The login.conf file is pointed to by a system property named java.security.auth.login.config as in:
>>
>> -Djava.security.auth.login.config=login.conf
>>
>> Ok, but do I actually have to edit the activemq-startscript or is it sufficient to put the login.conf in a classpath-directory? I assumed the latter, so put the login.conf in AMQ_HOME/conf, which I believe is in the classpath?
>>
>> > What should its content look like?
>>
>> Follow the rules specified in the Javadoc for the Java Security Configuration object here:
>>
>> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>>
>> Thx for the link, as far as I can tell, I did this right?
>>
>> > What "loginModuleName" should I specify?
>>
>> You can specify any string as the loginModuleName. The important part is that the realm-name in the web.xml and the loginModuleName in the Jetty config match exactly.
>>
>> Was that a typo? I think you meant "the realm in the web.xml and jaasUserRealm name must match exactly", right?
>>
>> Furthermore:
>>
>> I assume the role "adminRole" defined in the web.xml is mapped to the group-entry "adminRole"?
>>
>> bsnyder wrote:
>>>
>>> On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r wrote:
>>>>
>>>> Hey folks,
>>>>
>>>> I am desperately trying to find out how to configure a simple access control for the web console, but this is simply not documented......
>>>>
>>>> The documentation here: http://activemq.apache.org/web-console.html refers to a separate jetty instance, not to the integrated jetty.
>>>>
>>>> That's when I thought
>>>>
>>>> "ok, it's simply not possible using the integrated jetty"
>>>>
>>>> but then I stumbled over this piece of user-submitted configuration example:
>>>> http://activemq.apache.org/user-submitted-configurations.html
>>>>
>>>> This looks really good:
>>>>
>>>> <!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar contains the
>>>>      JAAS classes, and is not included with ActiveMQ. You need to download
>>>>      separately. Web Console queue browser will fail, as it tries to use JMS
>>>>      to browse the queue, and that requires a password.
>>>> -->
>>>>
>>>> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>>>>   <connectors>
>>>>     <nioConnector port="8161" />
>>>>   </connectors>
>>>>
>>>>   <userRealms>
>>>>     <!-- "name" must match the realm in web.xml, and "loginModuleName" must be defined in login.conf -->
>>>>     <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>>>>         callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
>>>>   </userRealms>
>>>>
>>>>   <handlers>
>>>>     <webAppContext contextPath="/admin" resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>>>>   </handlers>
>>>> </jetty>
>>>>
>>>> But unfortunately, it lacks important information:
>>>>
>>>> <userRealms>
>>>>   <!-- "name" must match the realm in web.xml, and "loginModuleName" must be defined in login.conf -->
>>>>
>>>> Defining a realm in the web.xml is ok, but what about the "login.conf"?
>>>>
>>>> Where should I place this file?
>>>
>>> The login.conf file is pointed to by a system property named java.security.auth.login.config as in:
>>>
>>> -Djava.security.auth.login.config=login.conf
>>>
>>>> What should its content look like?
>>>
>>> Follow the rules specified in the Javadoc for the Java Security Configuration object here:
>>>
>>> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>>>
>>>> What "loginModuleName" should I specify?
>>>
>>> You can specify any string as the loginModuleName. The important part is that the realm-name in the web.xml and the loginModuleName in the Jetty config match exactly.
>>>
>>> Bruce
>>> --
>>> Apache ActiveMQ - http://activemq.org/
>>> Apache Camel - http://activemq.org/camel/
>>> Apache ServiceMix - http://servicemix.org/
>>> Apache Geronimo - http://geronimo.apache.org/
>>>
>>> Blog: http://bruceblog.org/
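Since the thread turns on whether the group names in groups.properties line up with the <role-name> the web.xml demands, here is an added check (not code from the thread or from ActiveMQ) that parses the two properties files and the web.xml and reports, per user, which roles they would carry and whether the auth-constraint can be satisfied. It assumes the ActiveMQ PropertiesLoginModule file formats (user=password and group=user1,user2) and that the realm exposes each of a user's groups as a role of the same name; the sample files are constructed to mirror the ones quoted above.

```python
# Added example (not from the thread or ActiveMQ): check users.properties and
# groups.properties against the <role-name>s a web.xml <auth-constraint> demands.
# Assumes PropertiesLoginModule formats (user=password; group=user1,user2) and
# that each group a user belongs to reaches the realm as a role of that name.
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Minimal java.util.Properties reader: key=value lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def roles_for_user(user, groups):
    """Names of every group whose comma-separated member list contains the user."""
    return {name for name, members in groups.items()
            if user in [m.strip() for m in members.split(",")]}

def required_roles(web_xml):
    """Every <role-name> in the descriptor, whatever namespace the web-app uses."""
    root = ET.fromstring(web_xml)
    return {el.text.strip() for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "role-name" and el.text}

def check_console_auth(users_txt, groups_txt, web_xml):
    """Per user: roles from the groups file, and whether any satisfies the constraint."""
    groups, wanted = parse_properties(groups_txt), required_roles(web_xml)
    report = {}
    for user in parse_properties(users_txt):
        roles = roles_for_user(user, groups)
        report[user] = {"roles": roles, "granted": bool(roles & wanted)}
    return report

# Constructed sample input modelled on the files quoted in the thread.
USERS = "# user=password\nsystem=manager\n"
GROUPS = "# group=user1,user2\nadmins=system\n"
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <security-constraint>
    <auth-constraint><role-name>{role}</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

if __name__ == "__main__":
    for role in ("fooo", "admins"):  # as posted (no such group), then a match
        print(role, check_console_auth(USERS, GROUPS, WEB_XML.format(role=role)))
```

With the posted role-name "fooo" the user system carries only the role "admins" and is refused, which is the "incorrect role" failure; naming the group in <role-name> (or the role in groups.properties) makes the check pass.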