You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by "Aman Nanner (JIRA)" <ji...@apache.org> on 2007/04/10 19:46:36 UTC
[jira] Created: (GERONIMO-3084) Incompatibilitiy between ActiveMQ
JAAS and Geronimo JAAS
Incompatibilitiy between ActiveMQ JAAS and Geronimo JAAS
--------------------------------------------------------
Key: GERONIMO-3084
URL: https://issues.apache.org/jira/browse/GERONIMO-3084
Project: Geronimo
Issue Type: Bug
Security Level: public (Regular issues)
Components: ActiveMQ
Affects Versions: 1.2
Reporter: Aman Nanner
I have reconfigured Geronimo so that the ActiveMQ broker loads its configuration from an external XML file. Within this file, I have specified a security configuration for my queues and topics. This is the file:
----
{code}
<beans>
<!-- Allows us to use system properties as variables in this configuration file -->
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
<broker brokerName="localhost" useJmx="true" xmlns="http://activemq.org/config/1.0">
<plugins>
<!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
<jaasAuthenticationPlugin configuration="geronimo-admin" />
<!-- lets configure a destination based authorization mechanism -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admin" write="admin" admin="admin" />
<authorizationEntry topic=">" read="admin" write="admin" admin="admin" />
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
</broker>
<!-- lets create a command agent to respond to message based admin commands on the ActiveMQ.Agent topic
<commandAgent xmlns="http://activemq.org/config/1.0"/>-->
</beans>
{code}
----
As can be seen, I am using the following JAAS login config domain: geronimo-admin. This is the standard login domain that gets its users and groups from properties files. However, when running the Geronimo server, JAAS cannot matchup the "admin" role specified in the ActiveMQ XML file with the "admin" role specified in the groups.properties file for the "geronimo-admin" login domain. The problem is that the ActiveMQ role is a principal of type {{org.apache.activemq.jaas.GroupPrincipal}}, while the Geronimo JAAS "admin" role is of the type {{org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal}}. Because these principals are different classes, they are not considered "equal" to each other by the {{equals()}} method on {{org.apache.activemq.jaas.GroupPrincipal}}. The stack trace where the error occurs is here:
----
{code}
Thread [ActiveMQ Transport: tcp:///192.168.12.196:2453] (Suspended)
GeronimoGroupPrincipal.equals(Object) line: 42
HashMap<K,V>.eq(Object, Object) line: 299
HashMap<K,V>.containsKey(Object) line: 381
HashSet<E>.contains(Object) line: 182
HashSet<E>(AbstractCollection<E>).retainAll(Collection<?>) line: 392
JaasAuthenticationBroker$JaasSecurityContext(SecurityContext).isInOneOf(Set) line: 43
AuthorizationBroker.addDestination(ConnectionContext, ActiveMQDestination) line: 64
BrokerService$2(MutableBrokerFilter).addDestination(ConnectionContext, ActiveMQDestination) line: 152
ManagedTopicRegion(AbstractRegion).lookup(ConnectionContext, ActiveMQDestination) line: 316
ManagedTopicRegion(AbstractRegion).send(ConnectionContext, Message) line: 291
ManagedRegionBroker(RegionBroker).send(ConnectionContext, Message) line: 385
TransactionBroker.send(ConnectionContext, Message) line: 193
AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId, ActiveMQMessage) line: 272
AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId) line: 237
AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command) line: 232
AdvisoryBroker.addConnection(ConnectionContext, ConnectionInfo) line: 73
CompositeDestinationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
JaasAuthenticationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
JaasAuthenticationBroker.addConnection(ConnectionContext, ConnectionInfo) line: 90
AuthorizationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
BrokerService$2(MutableBrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 92
TransportConnection.processAddConnection(ConnectionInfo) line: 706
ConnectionInfo.visit(CommandVisitor) line: 121
TransportConnection.service(Command) line: 294
TransportConnection$1.onCommand(Object) line: 185
MutexTransport(TransportFilter).onCommand(Object) line: 65
WireFormatNegotiator.onCommand(Object) line: 133
InactivityMonitor.onCommand(Object) line: 122
TcpTransport(TransportSupport).doConsume(Object) line: 84
TcpTransport.run() line: 137
Thread.run() line: 595
{code}
----
Securing the ActiveMQ resources is an important component to securing a production server, so some way of resolving this issue should be determined.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (GERONIMO-3084) Incompatibilitiy between ActiveMQ
JAAS and Geronimo JAAS
Posted by "David Jencks (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/GERONIMO-3084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12488590 ]
David Jencks commented on GERONIMO-3084:
----------------------------------------
I have not looked into this AT ALL so my comment may be ridiculous but I wonder if writing a jacc-based ActiveMQ authoriztion plugin would be the best solution here? There would be some ActiveMQ permissions and we'd check them against the ACC. I tried something similar for jetspeed portal permissions and it worked fine.
> Incompatibilitiy between ActiveMQ JAAS and Geronimo JAAS
> --------------------------------------------------------
>
> Key: GERONIMO-3084
> URL: https://issues.apache.org/jira/browse/GERONIMO-3084
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: ActiveMQ
> Affects Versions: 1.2
> Reporter: Aman Nanner
>
> I have reconfigured Geronimo so that the ActiveMQ broker loads its configuration from an external XML file. Within this file, I have specified a security configuration for my queues and topics. This is the file:
> ----
> {code}
> <beans>
> <!-- Allows us to use system properties as variables in this configuration file -->
> <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>
> <broker brokerName="localhost" useJmx="true" xmlns="http://activemq.org/config/1.0">
>
> <plugins>
> <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
> <jaasAuthenticationPlugin configuration="geronimo-admin" />
> <!-- lets configure a destination based authorization mechanism -->
> <authorizationPlugin>
> <map>
> <authorizationMap>
> <authorizationEntries>
> <authorizationEntry queue=">" read="admin" write="admin" admin="admin" />
> <authorizationEntry topic=">" read="admin" write="admin" admin="admin" />
> </authorizationEntries>
> </authorizationMap>
> </map>
> </authorizationPlugin>
> </plugins>
>
> </broker>
> <!-- lets create a command agent to respond to message based admin commands on the ActiveMQ.Agent topic
> <commandAgent xmlns="http://activemq.org/config/1.0"/>-->
> </beans>
> {code}
> ----
> As can be seen, I am using the following JAAS login config domain: geronimo-admin. This is the standard login domain that gets its users and groups from properties files. However, when running the Geronimo server, JAAS cannot matchup the "admin" role specified in the ActiveMQ XML file with the "admin" role specified in the groups.properties file for the "geronimo-admin" login domain. The problem is that the ActiveMQ role is a principal of type {{org.apache.activemq.jaas.GroupPrincipal}}, while the Geronimo JAAS "admin" role is of the type {{org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal}}. Because these principals are different classes, they are not considered "equal" to each other by the {{equals()}} method on {{org.apache.activemq.jaas.GroupPrincipal}}. The stack trace where the error occurs is here:
> ----
> {code}
> Thread [ActiveMQ Transport: tcp:///192.168.12.196:2453] (Suspended)
> GeronimoGroupPrincipal.equals(Object) line: 42
> HashMap<K,V>.eq(Object, Object) line: 299
> HashMap<K,V>.containsKey(Object) line: 381
> HashSet<E>.contains(Object) line: 182
> HashSet<E>(AbstractCollection<E>).retainAll(Collection<?>) line: 392
> JaasAuthenticationBroker$JaasSecurityContext(SecurityContext).isInOneOf(Set) line: 43
> AuthorizationBroker.addDestination(ConnectionContext, ActiveMQDestination) line: 64
> BrokerService$2(MutableBrokerFilter).addDestination(ConnectionContext, ActiveMQDestination) line: 152
> ManagedTopicRegion(AbstractRegion).lookup(ConnectionContext, ActiveMQDestination) line: 316
> ManagedTopicRegion(AbstractRegion).send(ConnectionContext, Message) line: 291
> ManagedRegionBroker(RegionBroker).send(ConnectionContext, Message) line: 385
> TransactionBroker.send(ConnectionContext, Message) line: 193
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId, ActiveMQMessage) line: 272
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId) line: 237
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command) line: 232
> AdvisoryBroker.addConnection(ConnectionContext, ConnectionInfo) line: 73
> CompositeDestinationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> JaasAuthenticationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> JaasAuthenticationBroker.addConnection(ConnectionContext, ConnectionInfo) line: 90
> AuthorizationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> BrokerService$2(MutableBrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 92
> TransportConnection.processAddConnection(ConnectionInfo) line: 706
> ConnectionInfo.visit(CommandVisitor) line: 121
> TransportConnection.service(Command) line: 294
> TransportConnection$1.onCommand(Object) line: 185
> MutexTransport(TransportFilter).onCommand(Object) line: 65
> WireFormatNegotiator.onCommand(Object) line: 133
> InactivityMonitor.onCommand(Object) line: 122
> TcpTransport(TransportSupport).doConsume(Object) line: 84
> TcpTransport.run() line: 137
> Thread.run() line: 595
> {code}
> ----
> Securing the ActiveMQ resources is an important component to securing a production server, so some way of resolving this issue should be determined.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Closed: (GERONIMO-3084) Incompatibilitiy between ActiveMQ
JAAS and Geronimo JAAS
Posted by "David Jencks (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/GERONIMO-3084?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
David Jencks closed GERONIMO-3084.
----------------------------------
Resolution: Invalid
Assignee: David Jencks
We could try to make activemq more flexible, which would be good, but not really a subject for a geronimo jira.
> Incompatibilitiy between ActiveMQ JAAS and Geronimo JAAS
> --------------------------------------------------------
>
> Key: GERONIMO-3084
> URL: https://issues.apache.org/jira/browse/GERONIMO-3084
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: ActiveMQ
> Affects Versions: 1.2
> Reporter: Aman Nanner
> Assignee: David Jencks
>
> I have reconfigured Geronimo so that the ActiveMQ broker loads its configuration from an external XML file. Within this file, I have specified a security configuration for my queues and topics. This is the file:
> ----
> {code}
> <beans>
> <!-- Allows us to use system properties as variables in this configuration file -->
> <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>
> <broker brokerName="localhost" useJmx="true" xmlns="http://activemq.org/config/1.0">
>
> <plugins>
> <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
> <jaasAuthenticationPlugin configuration="geronimo-admin" />
> <!-- lets configure a destination based authorization mechanism -->
> <authorizationPlugin>
> <map>
> <authorizationMap>
> <authorizationEntries>
> <authorizationEntry queue=">" read="admin" write="admin" admin="admin" />
> <authorizationEntry topic=">" read="admin" write="admin" admin="admin" />
> </authorizationEntries>
> </authorizationMap>
> </map>
> </authorizationPlugin>
> </plugins>
>
> </broker>
> <!-- lets create a command agent to respond to message based admin commands on the ActiveMQ.Agent topic
> <commandAgent xmlns="http://activemq.org/config/1.0"/>-->
> </beans>
> {code}
> ----
> As can be seen, I am using the following JAAS login config domain: geronimo-admin. This is the standard login domain that gets its users and groups from properties files. However, when running the Geronimo server, JAAS cannot matchup the "admin" role specified in the ActiveMQ XML file with the "admin" role specified in the groups.properties file for the "geronimo-admin" login domain. The problem is that the ActiveMQ role is a principal of type {{org.apache.activemq.jaas.GroupPrincipal}}, while the Geronimo JAAS "admin" role is of the type {{org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal}}. Because these principals are different classes, they are not considered "equal" to each other by the {{equals()}} method on {{org.apache.activemq.jaas.GroupPrincipal}}. The stack trace where the error occurs is here:
> ----
> {code}
> Thread [ActiveMQ Transport: tcp:///192.168.12.196:2453] (Suspended)
> GeronimoGroupPrincipal.equals(Object) line: 42
> HashMap<K,V>.eq(Object, Object) line: 299
> HashMap<K,V>.containsKey(Object) line: 381
> HashSet<E>.contains(Object) line: 182
> HashSet<E>(AbstractCollection<E>).retainAll(Collection<?>) line: 392
> JaasAuthenticationBroker$JaasSecurityContext(SecurityContext).isInOneOf(Set) line: 43
> AuthorizationBroker.addDestination(ConnectionContext, ActiveMQDestination) line: 64
> BrokerService$2(MutableBrokerFilter).addDestination(ConnectionContext, ActiveMQDestination) line: 152
> ManagedTopicRegion(AbstractRegion).lookup(ConnectionContext, ActiveMQDestination) line: 316
> ManagedTopicRegion(AbstractRegion).send(ConnectionContext, Message) line: 291
> ManagedRegionBroker(RegionBroker).send(ConnectionContext, Message) line: 385
> TransactionBroker.send(ConnectionContext, Message) line: 193
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId, ActiveMQMessage) line: 272
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId) line: 237
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command) line: 232
> AdvisoryBroker.addConnection(ConnectionContext, ConnectionInfo) line: 73
> CompositeDestinationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> JaasAuthenticationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> JaasAuthenticationBroker.addConnection(ConnectionContext, ConnectionInfo) line: 90
> AuthorizationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> BrokerService$2(MutableBrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 92
> TransportConnection.processAddConnection(ConnectionInfo) line: 706
> ConnectionInfo.visit(CommandVisitor) line: 121
> TransportConnection.service(Command) line: 294
> TransportConnection$1.onCommand(Object) line: 185
> MutexTransport(TransportFilter).onCommand(Object) line: 65
> WireFormatNegotiator.onCommand(Object) line: 133
> InactivityMonitor.onCommand(Object) line: 122
> TcpTransport(TransportSupport).doConsume(Object) line: 84
> TcpTransport.run() line: 137
> Thread.run() line: 595
> {code}
> ----
> Securing the ActiveMQ resources is an important component to securing a production server, so some way of resolving this issue should be determined.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (GERONIMO-3084) Incompatibilitiy between ActiveMQ
JAAS and Geronimo JAAS
Posted by "David Jencks (JIRA)" <ji...@apache.org>.
[ https://issues.apache.org/jira/browse/GERONIMO-3084?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12578933#action_12578933 ]
David Jencks commented on GERONIMO-3084:
----------------------------------------
Now I looked into this a bit.
IIUC there are no exceptions thrown, the only problem is that activemq doesn't recognize the principals supplied by a non-activemq login module?
By far the simplest way to proceed here would be to use only the activemq properties file login module and configure the geronimo security settings for your app to map the jee roles to those activemq principals. Geronimo does supply a flexible principal-role mapping for just such reasons.
There is now a little tiny bit of documentation on the principal-role mapping in g 2.1:
http://cwiki.apache.org/GMOxDOC21/configuring-run-as-and-default-subjects-and-principal-role-mapping.html
> Incompatibilitiy between ActiveMQ JAAS and Geronimo JAAS
> --------------------------------------------------------
>
> Key: GERONIMO-3084
> URL: https://issues.apache.org/jira/browse/GERONIMO-3084
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: ActiveMQ
> Affects Versions: 1.2
> Reporter: Aman Nanner
>
> I have reconfigured Geronimo so that the ActiveMQ broker loads its configuration from an external XML file. Within this file, I have specified a security configuration for my queues and topics. This is the file:
> ----
> {code}
> <beans>
> <!-- Allows us to use system properties as variables in this configuration file -->
> <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
>
> <broker brokerName="localhost" useJmx="true" xmlns="http://activemq.org/config/1.0">
>
> <plugins>
> <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
> <jaasAuthenticationPlugin configuration="geronimo-admin" />
> <!-- lets configure a destination based authorization mechanism -->
> <authorizationPlugin>
> <map>
> <authorizationMap>
> <authorizationEntries>
> <authorizationEntry queue=">" read="admin" write="admin" admin="admin" />
> <authorizationEntry topic=">" read="admin" write="admin" admin="admin" />
> </authorizationEntries>
> </authorizationMap>
> </map>
> </authorizationPlugin>
> </plugins>
>
> </broker>
> <!-- lets create a command agent to respond to message based admin commands on the ActiveMQ.Agent topic
> <commandAgent xmlns="http://activemq.org/config/1.0"/>-->
> </beans>
> {code}
> ----
> As can be seen, I am using the following JAAS login config domain: geronimo-admin. This is the standard login domain that gets its users and groups from properties files. However, when running the Geronimo server, JAAS cannot matchup the "admin" role specified in the ActiveMQ XML file with the "admin" role specified in the groups.properties file for the "geronimo-admin" login domain. The problem is that the ActiveMQ role is a principal of type {{org.apache.activemq.jaas.GroupPrincipal}}, while the Geronimo JAAS "admin" role is of the type {{org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal}}. Because these principals are different classes, they are not considered "equal" to each other by the {{equals()}} method on {{org.apache.activemq.jaas.GroupPrincipal}}. The stack trace where the error occurs is here:
> ----
> {code}
> Thread [ActiveMQ Transport: tcp:///192.168.12.196:2453] (Suspended)
> GeronimoGroupPrincipal.equals(Object) line: 42
> HashMap<K,V>.eq(Object, Object) line: 299
> HashMap<K,V>.containsKey(Object) line: 381
> HashSet<E>.contains(Object) line: 182
> HashSet<E>(AbstractCollection<E>).retainAll(Collection<?>) line: 392
> JaasAuthenticationBroker$JaasSecurityContext(SecurityContext).isInOneOf(Set) line: 43
> AuthorizationBroker.addDestination(ConnectionContext, ActiveMQDestination) line: 64
> BrokerService$2(MutableBrokerFilter).addDestination(ConnectionContext, ActiveMQDestination) line: 152
> ManagedTopicRegion(AbstractRegion).lookup(ConnectionContext, ActiveMQDestination) line: 316
> ManagedTopicRegion(AbstractRegion).send(ConnectionContext, Message) line: 291
> ManagedRegionBroker(RegionBroker).send(ConnectionContext, Message) line: 385
> TransactionBroker.send(ConnectionContext, Message) line: 193
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId, ActiveMQMessage) line: 272
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId) line: 237
> AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command) line: 232
> AdvisoryBroker.addConnection(ConnectionContext, ConnectionInfo) line: 73
> CompositeDestinationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> JaasAuthenticationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> JaasAuthenticationBroker.addConnection(ConnectionContext, ConnectionInfo) line: 90
> AuthorizationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
> BrokerService$2(MutableBrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 92
> TransportConnection.processAddConnection(ConnectionInfo) line: 706
> ConnectionInfo.visit(CommandVisitor) line: 121
> TransportConnection.service(Command) line: 294
> TransportConnection$1.onCommand(Object) line: 185
> MutexTransport(TransportFilter).onCommand(Object) line: 65
> WireFormatNegotiator.onCommand(Object) line: 133
> InactivityMonitor.onCommand(Object) line: 122
> TcpTransport(TransportSupport).doConsume(Object) line: 84
> TcpTransport.run() line: 137
> Thread.run() line: 595
> {code}
> ----
> Securing the ActiveMQ resources is an important component to securing a production server, so some way of resolving this issue should be determined.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.