Posted to dev@activemq.apache.org by "Freeman Fang (JIRA)" <ji...@apache.org> on 2012/06/15 03:48:42 UTC

[jira] [Created] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Freeman Fang created AMQ-3883:
---------------------------------

             Summary: activemq-jaas authorization doesn't work with Karaf JAAS LoginModule
                 Key: AMQ-3883
                 URL: https://issues.apache.org/jira/browse/AMQ-3883
             Project: ActiveMQ
          Issue Type: Bug
            Reporter: Freeman Fang


Currently activemq-jaas can't work with the Karaf LoginModule; the reason is that the comparison between
the AMQ GroupPrincipal and the Karaf UserPrincipal/RolePrincipal doesn't work.
For more details, please see [1].

We have a similar issue in ServiceMix NMR [2], and the fix can honor the comparison between
the AMQ GroupPrincipal and the Karaf UserPrincipal/RolePrincipal yet does not introduce any dependency between activemq-jaas and Karaf JAAS.

[1]http://karaf.922171.n3.nabble.com/Karaf-ActiveMQ-authorization-problem-td4024834.html
[2]https://issues.apache.org/jira/browse/SMX4NMR-283



--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Comment Edited] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Raj Saini (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295445#comment-13295445 ] 

Raj Saini edited comment on AMQ-3883 at 6/15/12 4:09 AM:
---------------------------------------------------------

Hello Freeman,

Would it not be better to compare the getName() method of the Principal interface? For example:

    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }

        // Treat any Principal with the same name as equal, whatever its class.
        if (o instanceof Principal) {
            if (((Principal) o).getName().equals(this.getName())) {
                return true;
            }
        }

        if (o == null || getClass() != o.getClass()) {
            return false;
        }

        final GroupPrincipal that = (GroupPrincipal) o;

        if (!name.equals(that.name)) {
            return false;
        }

        return true;
    }

This way, compare will not only work with any other JAAS implementation.
                

[jira] [Comment Edited] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Freeman Fang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295454#comment-13295454 ] 

Freeman Fang edited comment on AMQ-3883 at 6/15/12 4:47 AM:
------------------------------------------------------------

Hi,

As you said, your code will honor a Principal from any other JAAS implementation. I'm not sure ActiveMQ would accept it, as it MIGHT cause a security hole. But a Principal from Karaf could be considered a trusted Principal.

Anyway, let the ActiveMQ team make this decision.

Regards
Freeman
                

[jira] [Commented] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Raj Saini (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295445#comment-13295445 ] 

Raj Saini commented on AMQ-3883:
--------------------------------

Hello Freeman,

Would it not be better to compare the getName() method of the Principal interface? For example:

    public boolean equals(Object o) {
        if (this == o) {
            return true;
        }

        // Treat any Principal with the same name as equal, whatever its class.
        if (o instanceof Principal) {
            if (((Principal) o).getName().equals(this.getName())) {
                return true;
            }
        }

        if (o == null || getClass() != o.getClass()) {
            return false;
        }

        final GroupPrincipal that = (GroupPrincipal) o;

        if (!name.equals(that.name)) {
            return false;
        }

        return true;
    }

This way, compare will not only work with any other JAAS implementation.
                

[jira] [Updated] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Freeman Fang (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Freeman Fang updated AMQ-3883:
------------------------------

    Attachment: AMQ-3883.patch

Patch which honors the comparison between a principal from AMQ and a principal from Karaf, yet does not introduce any dependency between AMQ JAAS and Karaf JAAS.
                

[jira] [Updated] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Claus Ibsen updated AMQ-3883:
-----------------------------

    Affects Version/s: 5.6.0
           Issue Type: Improvement  (was: Bug)
    

[jira] [Commented] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295565#comment-13295565 ] 

Gary Tully commented on AMQ-3883:
---------------------------------

Is another possible approach, to add the ActiveMQ login module to the JAAS config so that both the AMQ and Karaf credentials are present on the authenticated user principal.
My understanding is that to work reliably, an authorization module needs to participate in the authentication process so it can be sure to trust the identities. It is for this reason that there are multiple principals (a set) in an authenticated Subject.

Having said that, there is value in only having to configure a single set of roles/users; a Karaf-aware activemq-jaas authorization module may be the way to go.
                

[jira] [Commented] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Freeman Fang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295454#comment-13295454 ] 

Freeman Fang commented on AMQ-3883:
-----------------------------------

Hi,

As you said, your code will honor a Principal from any other JAAS implementation. I'm not sure ActiveMQ would accept it, as it MIGHT cause a security hole.

Anyway, let the ActiveMQ team make this decision.

Regards
Freeman
                

[jira] [Commented] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Freeman Fang (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13295421#comment-13295421 ] 

Freeman Fang commented on AMQ-3883:
-----------------------------------

I will append a patch soon
                

[jira] [Commented] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Claus Ibsen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13458615#comment-13458615 ] 

Claus Ibsen commented on AMQ-3883:
----------------------------------

Hmm, in Camel we had an issue with Hadoop (its HDFS). I think that the principal on the current thread should be sufficient to be accepted. This is what I have seen in other frameworks.

So the code proposed by Raj may be seen as a good idea.

If every other framework has to create a special activemq-jaas-xxx component, then that is not a good direction.
                

[jira] [Commented] (AMQ-3883) activemq-jaas authorization doesn't work with Karaf JAAS LoginModule

Posted by "Gary Tully (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AMQ-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13458623#comment-13458623 ] 

Gary Tully commented on AMQ-3883:
---------------------------------

Check out https://issues.apache.org/jira/browse/AMQ-908 - the impl should be pluggable, or the set of acceptable classes should be configurable. Just using whatever is on the thread is a little risky.
                
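The trade-off discussed in this thread (name-only comparison versus a configurable set of accepted principal classes), as an added example that is not ActiveMQ or Karaf code. The classes `UserPrincipal`, `RolePrincipal` and `NameOnlyGroup` are hypothetical stand-ins, and the subject is constructed for illustration.

```java
import java.security.Principal;
import java.util.Set;
import javax.security.auth.Subject;

public class PrincipalMatchDemo {

    // Hypothetical stand-ins for principal classes supplied by a container's LoginModule.
    static abstract class Named implements Principal {
        private final String name;
        Named(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }
    static final class UserPrincipal extends Named { UserPrincipal(String n) { super(n); } }
    static final class RolePrincipal extends Named { RolePrincipal(String n) { super(n); } }

    // Stand-in for a broker-side group principal whose equals() compares names only.
    static final class NameOnlyGroup extends Named {
        NameOnlyGroup(String n) { super(n); }
        @Override public boolean equals(Object o) {
            return o instanceof Principal && ((Principal) o).getName().equals(getName());
        }
        @Override public int hashCode() { return getName().hashCode(); }
    }

    // Name-only check: any principal type carrying the required name grants access.
    static boolean nameOnlyAllows(Subject subject, String requiredGroup) {
        Principal required = new NameOnlyGroup(requiredGroup);
        for (Principal held : subject.getPrincipals()) {
            if (required.equals(held)) {
                return true;
            }
        }
        return false;
    }

    // Allow-list check: the name must match AND the principal's class must be one
    // the operator has configured as carrying group/role membership.
    static boolean allowListAllows(Subject subject, String requiredGroup, Set<String> roleClasses) {
        for (Principal held : subject.getPrincipals()) {
            if (roleClasses.contains(held.getClass().getName())
                    && held.getName().equals(requiredGroup)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed subject: a user whose login name is "admins", holding only the "guests" role.
        Subject subject = new Subject();
        subject.getPrincipals().add(new UserPrincipal("admins"));
        subject.getPrincipals().add(new RolePrincipal("guests"));

        Set<String> roleClasses = Set.of(RolePrincipal.class.getName());

        System.out.println("name-only,  admins: " + nameOnlyAllows(subject, "admins"));
        System.out.println("allow-list, admins: " + allowListAllows(subject, "admins", roleClasses));
        System.out.println("allow-list, guests: " + allowListAllows(subject, "guests", roleClasses));
    }
}
```

With name-only matching, the user name "admins" satisfies a check for the group "admins"; with the class allow-list, only the role principal counts, so "admins" is refused and "guests" is granted.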