Posted to users@activemq.apache.org by Bruce Snyder <br...@gmail.com> on 2009/10/29 20:06:14 UTC

Re: Dynamically setting activemq username password when logging into web console

On Thu, Oct 29, 2009 at 2:49 PM, magellings <ma...@qg.com> wrote:
>
> Hi.
>
> I'm using ActiveMQ 5.2 and am wondering if there is a way to set the
> userName and password properties in webconsole-embedded.xml based on
> credentials entered with a basic authentication setup for the web console?
>
>  <bean id="connectionFactory"
> class="org.apache.activemq.ActiveMQConnectionFactory">
>    <property name="brokerURL" value="vm://localhost"/>
>    <property name="userName" value="${activemq.username}"/>
>    <property name="password" value="${activemq.password}"/>
>  </bean>
>
> These are the credentials the web console uses to connect to the broker.  I
> want to be able to configure privs based on what credentials the user uses
> to log into the web console.  I currently configure privs with the
> simpleAuthentication/authorization plugin configured in activemq.xml.  I'd
> like to add another user with read-only privs in which they can log in with
> that user to the web console and restricts them from deleting
> queues/messages etc.
>
>    <plugins>
>      <simpleAuthenticationPlugin>
>        <users>
>          <authenticationUser username="GL$ACTIVEMQ_QUADNMS"
> password="destination" groups="producers,consumers,admins" />
>        </users>
>      </simpleAuthenticationPlugin>
>      <authorizationPlugin>
>        <map>
>          <authorizationMap>
>            <authorizationEntries>
>              <authorizationEntry queue=">" write="producers"
> read="consumers" admin="admins,producers" />
>              <authorizationEntry topic=">" read="admins"
> write="admins,producers" admin="admins,producers,consumers" />
>            </authorizationEntries>
>          </authorizationMap>
>        </map>
>      </authorizationPlugin>
>    </plugins>
>
> Here's a separate thread explaining how to configure the web console to use
> basic authentication.
>
> http://www.nabble.com/Securing-the-web-console-impossible--tt16765525.html#a16784476

Broker authentication for a JMS connection is wholly separate from JMX
authentication. Here's some info on setting up standard JMX
authentication:

http://java.sun.com/j2se/1.5.0/docs/guide/management/agent.html

Once JMX authentication is configured, you'll need to specify the JMX
authentication credentials using the web console user/password system
properties as noted here:

http://activemq.apache.org/web-console.html

Bruce
-- 
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'

ActiveMQ in Action: http://bit.ly/2je6cQ
Blog: http://bruceblog.org/
Twitter: http://twitter.com/brucesnyder
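To make the thread's point concrete (the web console holds one broker connection, so every console user gets whatever the configured broker user's groups grant, regardless of who passed the BASIC prompt), here is an added Python example, not code from the thread or from ActiveMQ, that evaluates the quoted authorization map for a given broker user. The `guest` broker user, its password and the destination names are constructed, and the wildcard matching is a simplified model of ActiveMQ's `>` and `*` rules.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the plugin config quoted in the thread, plus a
# hypothetical read-only broker user that is only in the "consumers" group.
BROKER_XML = """
<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="GL$ACTIVEMQ_QUADNMS" password="destination"
                          groups="producers,consumers,admins"/>
      <authenticationUser username="guest" password="CHANGEME" groups="consumers"/>
    </users>
  </simpleAuthenticationPlugin>
  <authorizationPlugin>
    <map><authorizationMap><authorizationEntries>
      <authorizationEntry queue=">" write="producers" read="consumers"
                          admin="admins,producers"/>
      <authorizationEntry topic=">" read="admins" write="admins,producers"
                          admin="admins,producers,consumers"/>
    </authorizationEntries></authorizationMap></map>
  </authorizationPlugin>
</plugins>
"""

def dest_matches(pattern, name):
    """Simplified ActiveMQ wildcards: '.' separates segments,
    '*' matches exactly one segment, '>' matches the rest of the name."""
    p, n = pattern.split("."), name.split(".")
    for i, seg in enumerate(p):
        if seg == ">":
            return True
        if i >= len(n) or (seg != "*" and seg != n[i]):
            return False
    return len(p) == len(n)

def load(xml_text):
    """Map each broker user to its groups and collect the authorization entries."""
    root = ET.fromstring(xml_text)
    groups = {u.get("username"): set(u.get("groups").split(","))
              for u in root.iter("authenticationUser")}
    entries = [e.attrib for e in root.iter("authorizationEntry")]
    return groups, entries

def privileges(xml_text, user, kind, name):
    """Operations (read/write/admin) `user` may perform on the queue or
    topic `name`, granted through any group the user belongs to."""
    groups, entries = load(xml_text)
    allowed = set()
    for e in entries:
        if kind in e and dest_matches(e[kind], name):
            for op in ("read", "write", "admin"):
                if groups.get(user, set()) & set(e.get(op, "").split(",")):
                    allowed.add(op)
    return allowed
```

Whichever user the console's `connectionFactory` bean is configured with is the one whose result applies to every console session; the BASIC realm's `admin`/`guest` roles never reach this lookup.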

Re: Dynamically setting activemq username password when logging into web console

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi,

web console doesn't support fine-grained authorization at the moment. The
jira would be great for starters, if you can provide a patch it'd be even
better.

Cheers
--
Dejan Bosanac - http://twitter.com/dejanb

Open Source Integration - http://fusesource.com/
ActiveMQ in Action - http://www.manning.com/snyder/
Blog - http://www.nighttale.net


On Thu, Oct 29, 2009 at 9:18 PM, magellings <ma...@qg.com> wrote:

>
> From what I can tell even with JMX properly set up you still can't maintain
> separate privs.  One user/password is hard-coded/configured to be used by
> the web console at start up to connect to the broker.  I want to be able to
> configure separate user/passwords to connect to the broker grabbed when the
> user logs into the web console.  I already have the web console configured
> for BASIC authentication with two different user/passwords (based on the
> link in my original post) I just need to somehow use those to then connect
> to the broker.
>
> It's possible to configure different roles to be used when logging into the
> web console.  But it is not possible to control the rights the user has
> based on this.  Example:
>
> web.xml
>
>  <security-constraint>
>    <web-resource-collection>
>      <web-resource-name>adminRealm</web-resource-name>
>      <url-pattern>/*</url-pattern>
>    </web-resource-collection>
>    <auth-constraint>
>      <role-name>admin</role-name>
>      <role-name>guest</role-name>
>    </auth-constraint>
>  </security-constraint>
>  <login-config>
>    <auth-method>BASIC</auth-method>
>    <realm-name>adminRealm</realm-name>
>  </login-config>
>
> realm.properties
>
> admin: MD5:6990a54322d9232390a784c5c9247dd6,admin
> guest: MD5:084e0343a0486ff05530df6c705c8bb4,guest
>
> With the above config I can log on as either admin or guest successfully
> when entering the appropriate password at the basic authentication prompt.
>
> I'd like guest to have read privs (see messages on queues, etc.), and admin
> to have read/write privs (see messages on queues, delete messages, delete
> queues, etc.).  In our scenario guest is producing a message and just wants
> to verify the message has been created successfully on the queue.  Admin
> owns the queue and the broker as they are on a separate development team
> than user guest.  They do not want guest to be able to delete
> messages/queues etc.  Right now we have no way to let guest see for
> themselves that the message is on the queue unless we give them the admin
> user/password for the basic authentication prompt when using the web
> console.  If we give that out, we give out read/write privs to guest which
> we don't want to do.
>
> I think for this to be possible two separate connections would need to be
> maintained to the broker, one for guest and one for admin so as the
> simpleAuthenticationPlugin and authorizationPlugin can be used based on the
> user/password used to log on.  Ideally the user/password entered during a
> basic authentication prompt could be mapped to the same user/password used
> to connect to the broker.  Maybe this isn't possible if the web console only
> maintains one connection to the broker.  Maybe the web console would need to
> be enhanced with a user/group security section to control what privs in the
> web console the logged on user has.  An admin could then control whether a
> user has the right to delete a message, a queue, etc. and the web console
> has the smarts to display the delete link or not based on the privs of the
> logged on user.
>
> Not sure if this was ever discussed.  Maybe a jira should be created and the
> functionality request backlogged???
>
> --
> View this message in context:
> http://www.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-tp26118677p26120009.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>
>

Re: Dynamically setting activemq username password when logging into web console

Posted by magellings <ma...@qg.com>.
From what I can tell even with JMX properly set up you still can't maintain
separate privs.  One user/password is hard-coded/configured to be used by
the web console at start up to connect to the broker.  I want to be able to
configure separate user/passwords to connect to the broker grabbed when the
user logs into the web console.  I already have the web console configured
for BASIC authentication with two different user/passwords (based on the
link in my original post) I just need to somehow use those to then connect
to the broker.

It's possible to configure different roles to be used when logging into the
web console.  But it is not possible to control the rights the user has
based on this.  Example:

web.xml

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>adminRealm</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>guest</role-name>
    </auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>adminRealm</realm-name>
  </login-config>

realm.properties

admin: MD5:6990a54322d9232390a784c5c9247dd6,admin
guest: MD5:084e0343a0486ff05530df6c705c8bb4,guest

With the above config I can log on as either admin or guest successfully
when entering the appropriate password at the basic authentication prompt.

I'd like guest to have read privs (see messages on queues, etc.), and admin
to have read/write privs (see messages on queues, delete messages, delete
queues, etc.).  In our scenario guest is producing a message and just wants
to verify the message has been created successfully on the queue.  Admin
owns the queue and the broker as they are on a separate development team
than user guest.  They do not want guest to be able to delete
messages/queues etc.  Right now we have no way to let guest see for
themselves that the message is on the queue unless we give them the admin
user/password for the basic authentication prompt when using the web
console.  If we give that out, we give out read/write privs to guest which
we don't want to do.

I think for this to be possible two separate connections would need to be
maintained to the broker, one for guest and one for admin so as the
simpleAuthenticationPlugin and authorizationPlugin can be used based on the
user/password used to log on.  Ideally the user/password entered during a
basic authentication prompt could be mapped to the same user/password used
to connect to the broker.  Maybe this isn't possible if the web console only
maintains one connection to the broker.  Maybe the web console would need to
be enhanced with a user/group security section to control what privs in the
web console the logged on user has.  An admin could then control whether a
user has the right to delete a message, a queue, etc. and the web console
has the smarts to display the delete link or not based on the privs of the
logged on user.

Not sure if this was ever discussed.  Maybe a jira should be created and the
functionality request backlogged???

-- 
View this message in context: http://www.nabble.com/Dynamically-setting-activemq-username-password-when-logging-into-web-console-tp26118677p26120009.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.