Note: This also falls under one of the goals for ActiveMQ 7.x's non-Spring bootstrapping: to support a single JAAS provider for all services that uses broker-wide crypto and config services to handle encrypted macro expansion across authn/authz and config params.
> On Apr 13, 2024, at 11:49 PM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi Martin
>
> That's normal: broker authentication and webconsole/api authentication
> are two different layers (it's intentional).
> If, in theory, it would be possible to configure conf/jetty.xml to use
> the same authentication files as for broker, Jetty doesn't use exactly
> the same authentication schema.
>
> A possible option would be to add a Jetty authentication plugin
> supporting the authentication broker, or use the same JAAS realm.
>
> If you create a Jira, I can work on this :)
>
> Regards
> JB
>
> On Fri, Apr 12, 2024 at 1:44 PM Zeissig, Martin
> <mzeis...@gk-software.com> wrote:
>>
>> Dear Community
>>
>> I tried to set up my ActiveMQ broker with authentication which is working
>> fine. But for productive usage I would like to encrypt plain passwords in
>> the property files. I used the following guides:
>>
>> https://activemq.apache.org/components/classic/documentation/security
>> https://activemq.apache.org/components/classic/documentation/encrypted-passwords
>>
>> The user setup with encrypted passwords is working now for the broker but
>> not for the web-based services like /admin or /api. After long reading I've
>> only found the possibility to use the old approach from ActiveMQ v5x using
>> jetty-realm.properties which supports encrypted passwords via Jetty's
>> Password Utility.
>>
>> At the moment it seems when using encrypted passwords that I have to
>> maintain 2 files in parallel with users and also different encryption
>> algorithms. One for the broker and one for the web-based services.
>>
>> Is it somehow possible to use the same User/Groups from the broker also for
>> the web-based services when using password encryption in file
>> credentials-enc.properties? I don't want to configure 2 files. Additionally
>> I am not happy with insecure hashes from Jetty Utility (OBF / MD5 / CRYPT).
>>
>> I look forward to your feedback.
>>
>> Best regards
>> Martin