Posted to issues@activemq.apache.org by "Jean-Baptiste Onofré (Jira)" <ji...@apache.org> on 2022/08/17 05:44:00 UTC

[jira] [Updated] (AMQ-8987) EncryptableLDAPLoginModule does not support AES encryption schemes

     [ https://issues.apache.org/jira/browse/AMQ-8987?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jean-Baptiste Onofré updated AMQ-8987:
--------------------------------------
    Fix Version/s: 5.18.0
                   5.17.2
                   5.16.6

> EncryptableLDAPLoginModule does not support AES encryption schemes
> ------------------------------------------------------------------
>
>                 Key: AMQ-8987
>                 URL: https://issues.apache.org/jira/browse/AMQ-8987
>             Project: ActiveMQ
>          Issue Type: Bug
>    Affects Versions: 5.17.1, 5.16.5
>            Reporter: Charlie Chen
>            Priority: Major
>             Fix For: 5.18.0, 5.17.2, 5.16.6
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In the EncryptableLDAPLoginModule encryptionAlgorithm field, if we select a more modern PBE algorithm, for example "PBEWITHHMACSHA256ANDAES_256", it throws org.jasypt.exceptions.EncryptionOperationNotPossibleException when decrypting the encrypted password specified in connectionPassword.
> Example login.config:
> {code:java}
> org.apache.activemq.jaas.EncryptableLDAPLoginModule required
>         debug=true
>         initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
>         connectionURL="ldap://localhost:1024"
>         connectionUsername="uid=admin,ou=system"
>         connectionPassword="ENC(l3ZDKzR+ADzlmYr2Csd/CBXnFRd5Jk02JGKaraMHc7NRQp5amOxvHbuUCQNUQ0cE)"
>         connectionProtocol=s
>         authentication=simple
>         userBase="ou=system"
>         userSearchMatching="(uid={0})"
>         userSearchSubtree=false
>         roleBase="ou=system"
>         roleName=dummyRoleName
>         roleSearchMatching="(uid={1})"
>         roleSearchSubtree=false
>         encryptionAlgorithm=PBEWITHHMACSHA256ANDAES_256
>         encryptionPassword="activemq"
>         ; {code}
> The error we got on the client is:
> {code:java}
> Caused by: java.lang.SecurityException: User name [admin] or password is invalid.
>     at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:97)
>     at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:68)
>     at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)
>     at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:852)
>     at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)
>     at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
>     at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:335)
>     at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:200)
>     at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
>     at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)
>     at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
>     at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:172)
>     at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
>     at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
>     at java.lang.Thread.run(Thread.java:750)
> Caused by: javax.security.auth.login.LoginException: org.jasypt.exceptions.EncryptionOperationNotPossibleException
>     at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169)
>     at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738)
>     at org.jasypt.properties.PropertyValueEncryptionUtils.decrypt(PropertyValueEncryptionUtils.java:72)
>     at org.jasypt.properties.EncryptableProperties.decode(EncryptableProperties.java:230)
>     at org.jasypt.properties.EncryptableProperties.get(EncryptableProperties.java:209)
>     at org.apache.activemq.jaas.LDAPLoginModule.initialize(LDAPLoginModule.java:91)
>     at org.apache.activemq.jaas.EncryptableLDAPLoginModule.initialize(EncryptableLDAPLoginModule.java:66)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:736)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>     at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:92)
>     at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:68)
>     at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)
>     at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:852)
>     at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)
>     at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
>     at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:335)
>     at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:200)
>     at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
>     at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)
>     at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)
>     at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
>     at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:172)
>     at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
>     at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
>     at java.lang.Thread.run(Thread.java:750)
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:856)
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
>     at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:92) {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)