Posted to users@activemq.apache.org by j0llyr0g3r <ti...@wincor-nixdorf.com> on 2008/04/18 23:22:40 UTC
Securing the web console impossible?
Hey folks,
i am desperately trying to find out how to configure a simple access control
for the web console, but this is simply not documented......
The documentation here: http://activemq.apache.org/web-console.html
refers to a separate jetty instance, not to the integrated jetty.
That's when i thought
"ok, it's simply not possible using the integrated jetty"
but then i stumbled over this piece of user-submitted configuration example:
http://activemq.apache.org/user-submitted-configurations.html
This looks really good:
<!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar contains the
     JAAS classes, and is not included with ActiveMQ. You need to download
     separately. Web Console queue browser will fail, as it tries to use JMS
     to browse the queue, and that requires a password.
-->
<jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
  <connectors>
    <nioConnector port="8161" />
  </connectors>
  <userRealms>
    <!-- "name" must match the realm in web.xml, and "loginModuleName"
         must be defined in login.conf -->
    <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
        callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
  </userRealms>
  <handlers>
    <webAppContext contextPath="/admin"
        resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
  </handlers>
</jetty>
But unfortunately, it lacks important information:
<userRealms>
<!-- "name" must match the realm in web.xml, and "loginModuleName"
must be defined in login.conf -->
Defining a realm in the web.xml is ok, but what about the "login.conf"?
Where should i place this file?
What should its content look like?
What "loginModuleName" should i specify?
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16765525.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Securing the web console impossible?
Posted by magellings <ma...@qg.com>.
I was successfully able to get everything working with login configured with
BASIC authentication and following all the steps in this thread by the original
poster.

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>adminRealm</realm-name>
</login-config>

Trying with DIGEST led me to the "all modules ignored" error, which is also
logged when a user who isn't authentic still attempts logging in.
criggster wrote:
>
> Try either using the OBF format in your realm.properties in bold below
> or
> use BASIC authentication (instead of DIGEST)
>
> criggster "DIGEST and MD5/Crypt do not play well together."
>
>
>
> wiseguysby wrote:
>>
>> Hi bro,
>>
>> I've just following like below, but not success, when i've trying login
>> always failed ( Login failure : all modules ignored)
>>
>> I've ActiveMQ 5.0 and jetty 1.6.9 and installed on windows XP. ActiveMQ
>> without security login is working properly. so what should i do?
>>
>> regards
>>
>> hakim
>>
>> Hey folks,
>>
>> i finally solved it.....:-)
>>
>> I will add this information to the wiki so that the average idiot -
>> thereby referring to me - can set this up.
>>
>> But since it might take some time until i find the time to edit the wiki,
>> here's a short summary, and hopefully an idiot-proof copy&paste method:
>>
>>
>> * jetty-plus
>>
>> Download jetty, extract the archive and copy the jar jetty-plus.x.x.x.jar
>> to $AMQ_HOME/lib/web/.
>>
>>
>> * activemq.xml
>>
>> Edit the file $AMQ_HOME/conf/activemq.xml. Find this section:
>>
>> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>> <connectors>
>> <nioConnector port="8161" />
>> </connectors>
>> <handlers>
>> <webAppContext contextPath="/admin"
>> resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>> <webAppContext contextPath="/demo"
>> resourceBase="${activemq.base}/webapps/demo" logUrlOnStart="true" />
>> </handlers>
>> </jetty>
>>
>> Now add a realm between </connectors> and <handlers> like this:
>>
>> <userRealms>
>> <jaasUserRealm name="adminRealm" loginModuleName="adminLoginModule">
>> </jaasUserRealm>
>> </userRealms>
>>
>> * activemq start-script
>>
>> Edit the activemq-startscript under $AMQ_HOME/bin/activemq (or set a
>> corresponding env-variable):
>>
>> Append this line to the last block of code (last else):
>>
>> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.conf"
>>
>> The last else-block should look like this:
>>
>> else
>> exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS
>> -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}"
>> -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}"
>> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.config"
>> -jar "${ACTIVEMQ_HOME}/bin/run.jar"
>> $ACTIVEMQ_TASK $@
>> fi
>>
>> But setting a corresponding environment variable is highly recommended!
>>
>> * login.config
>>
>> Create the file login.config in ${ACTIVEMQ_HOME}/webapps/admin/:
>>
>> adminLoginModule {
>> org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
>> debug="true"
>> file="/opt/activemq/conf/realm.properties";
>> };
>>
>>
>> * Create a password
>>
>> cd $JETTY_HOME
>> java -cp lib/jetty-6.1.9.jar:lib/jetty-util-6.1.9.jar
>> org.mortbay.jetty.security.Password admin test
>> test
>> OBF:1z0f1vu91vv11z0f
>> MD5:098f6bcd4621d373cade4e832627b4f6
>> CRYPT:oewgD4ujswzhg
>>
>> * realm.properties
>>
>> Create the file realm.properties in ${ACTIVEMQ_HOME}/conf/:
>>
>>
>> admin: OBF:1z0f1vu91vv11z0f,user,admin
>>
>>
>> * admin-webapp: web.xml
>>
>>
>> Edit $AMQ_HOME/webapps/admin/WEB-INF/web.xml. Append this section:
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>adminRealm</web-resource-name>
>> <url-pattern>/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>admin</role-name>
>> <role-name>user</role-name>
>> <role-name>moderator</role-name>
>> </auth-constraint>
>> </security-constraint>
>> <login-config>
>> <auth-method>DIGEST</auth-method>
>> <realm-name>adminRealm</realm-name>
>> </login-config>
>>
>>
>
>
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525p22789539.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Securing the web console impossible?
Posted by criggster <cu...@yahoo.com>.
Try either using the OBF format in your realm.properties (in bold below) or
use BASIC authentication (instead of DIGEST).
criggster "DIGEST and MD5/Crypt do not play well together."
wiseguysby wrote:
>
> Hi bro,
>
> I've just following like below, but not success, when i've trying login
> always failed ( Login failure : all modules ignored)
>
> I've ActiveMQ 5.0 and jetty 1.6.9 and installed on windows XP. ActiveMQ
> without security login is working properly. so what should i do?
>
> regards
>
> hakim
>
> Hey folks,
>
> i finally solved it.....:-)
>
> I will add this information to the wiki so that the average idiot -
> thereby referring to me - can set this up.
>
> But since it might take some time until i find the time to edit the wiki,
> here's a short summary, and hopefully an idiot-proof copy&paste method:
>
>
> * jetty-plus
>
> Download jetty, extract the archive and copy the jar jetty-plus.x.x.x.jar
> to $AMQ_HOME/lib/web/.
>
>
> * activemq.xml
>
> Edit the file $AMQ_HOME/conf/activemq.xml. Find this section:
>
> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
> <connectors>
> <nioConnector port="8161" />
> </connectors>
> <handlers>
> <webAppContext contextPath="/admin"
> resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
> <webAppContext contextPath="/demo"
> resourceBase="${activemq.base}/webapps/demo" logUrlOnStart="true" />
> </handlers>
> </jetty>
>
> Now add a realm between </connectors> and <handlers> like this:
>
> <userRealms>
> <jaasUserRealm name="adminRealm" loginModuleName="adminLoginModule">
> </jaasUserRealm>
> </userRealms>
>
> * activemq start-script
>
> Edit the activemq-startscript under $AMQ_HOME/bin/activemq (or set a
> corresponding env-variable):
>
> Append this line to the last block of code (last else):
>
> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.conf"
>
> The last else-block should look like this:
>
> else
> exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS
> -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}"
> -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}"
> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.config"
> -jar "${ACTIVEMQ_HOME}/bin/run.jar"
> $ACTIVEMQ_TASK $@
> fi
>
> But setting a corresponding environment variable is highly recommended!
>
> * login.config
>
> Create the file login.config in ${ACTIVEMQ_HOME}/webapps/admin/:
>
> adminLoginModule { org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule
> required
> debug="true"
> file="/opt/activemq/conf/realm.properties";
> };
>
>
> * Create a password
>
> cd $JETTY_HOME
> java -cp lib/jetty-6.1.9.jar:lib/jetty-util-6.1.9.jar
> org.mortbay.jetty.security.Password admin test
> test
> OBF:1z0f1vu91vv11z0f
> MD5:098f6bcd4621d373cade4e832627b4f6
> CRYPT:oewgD4ujswzhg
>
> * realm.properties
>
> Create the file realm.properties in ${ACTIVEMQ_HOME}/conf/:
>
>
> admin: OBF:1z0f1vu91vv11z0f,user,admin
>
>
> * admin-webapp: web.xml
>
>
> Edit $AMQ_HOME/webapps/admin/WEB-INF/web.xml. Append this section:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>adminRealm</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>admin</role-name>
> <role-name>user</role-name>
> <role-name>moderator</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>DIGEST</auth-method>
> <realm-name>adminRealm</realm-name>
> </login-config>
>
>
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525p19167118.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Securing the web console impossible?
Posted by wiseguysby <wi...@yahoo.com.sg>.
Hi bro,
I've just followed the steps below, but without success: when I try to log in,
it always fails (Login failure : all modules ignored).
I have ActiveMQ 5.0 and jetty 1.6.9, installed on Windows XP. ActiveMQ
without security login is working properly, so what should I do?
regards
hakim
j0llyr0g3r wrote:
>
> Hey folks,
>
> i finally solved it.....:-)
>
> I will add this information to the wiki so that the average idiot -
> thereby referring to me - can set this up.
>
> But since it might take some time until i find the time to edit the wiki,
> here's a short summary, and hopefully an idiot-proof copy&paste method:
>
>
> * jetty-plus
>
> Download jetty, extract the archive and copy the jar jetty-plus.x.x.x.jar
> to $AMQ_HOME/lib/web/.
>
>
> * activemq.xml
>
> Edit the file $AMQ_HOME/conf/activemq.xml. Find this section:
>
> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
> <connectors>
> <nioConnector port="8161" />
> </connectors>
> <handlers>
> <webAppContext contextPath="/admin"
> resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
> <webAppContext contextPath="/demo"
> resourceBase="${activemq.base}/webapps/demo" logUrlOnStart="true" />
> </handlers>
> </jetty>
>
> Now add a realm between </connectors> and <handlers> like this:
>
> <userRealms>
> <jaasUserRealm name="adminRealm" loginModuleName="adminLoginModule">
> </jaasUserRealm>
> </userRealms>
>
> * activemq start-script
>
> Edit the activemq-startscript under $AMQ_HOME/bin/activemq (or set a
> corresponding env-variable):
>
> Append this line to the last block of code (last else):
>
> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.conf"
>
> The last else-block should look like this:
>
> else
> exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS
> -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}"
> -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}"
> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.conf"
> -jar "${ACTIVEMQ_HOME}/bin/run.jar"
> $ACTIVEMQ_TASK $@
> fi
>
> But setting a corresponding environment variable is highly recommended!
>
> * login.config
>
> Create the file login.config in ${ACTIVEMQ_HOME}/webapps/admin/:
>
> adminLoginModule { org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule
> required
> debug="true"
> file="/opt/activemq/conf/realm.properties";
> };
>
>
> * Create a password
>
> cd $JETTY_HOME
> java -cp lib/jetty-6.1.9.jar:lib/jetty-util-6.1.9.jar
> org.mortbay.jetty.security.Password admin test
> test
> OBF:1z0f1vu91vv11z0f
> MD5:098f6bcd4621d373cade4e832627b4f6
> CRYPT:oewgD4ujswzhg
>
> * login.config
>
> Create the file realm.properties in ${ACTIVEMQ_HOME}/conf/:
>
>
> admin: MD5:098f6bcd4621d373cade4e832627b4f6,user,admin
>
>
> * admin-webapp: web.xml
>
>
> Edit $AMQ_HOME/webapps/admin/WEB-INF/web.xml. Append this section:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>adminRealm</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>admin</role-name>
> <role-name>user</role-name>
> <role-name>moderator</role-name>
> </auth-constraint>
> </security-constraint>
> <login-config>
> <auth-method>DIGEST</auth-method>
> <realm-name>adminRealm</realm-name>
> </login-config>
>
>
>
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p17071452.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Securing the web console impossible?
Posted by j0llyr0g3r <ti...@wincor-nixdorf.com>.
Hey folks,
i finally solved it.....:-)
I will add this information to the wiki so that the average idiot - thereby
referring to me - can set this up.
But since it might take some time until i find the time to edit the wiki,
here's a short summary, and hopefully an idiot-proof copy&paste method:

* jetty-plus

Download jetty, extract the archive and copy the jar jetty-plus.x.x.x.jar to
$AMQ_HOME/lib/web/.

* activemq.xml

Edit the file $AMQ_HOME/conf/activemq.xml. Find this section:

<jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
  <connectors>
    <nioConnector port="8161" />
  </connectors>
  <handlers>
    <webAppContext contextPath="/admin"
        resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
    <webAppContext contextPath="/demo"
        resourceBase="${activemq.base}/webapps/demo" logUrlOnStart="true" />
  </handlers>
</jetty>

Now add a realm between </connectors> and <handlers> like this:

<userRealms>
  <jaasUserRealm name="adminRealm" loginModuleName="adminLoginModule">
  </jaasUserRealm>
</userRealms>

* activemq start-script

Edit the activemq-startscript under $AMQ_HOME/bin/activemq (or set a
corresponding env-variable):

Append this line to the last block of code (last else):

-Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.config"

The last else-block should look like this:

else
  exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS \
    -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}" \
    -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}" \
    -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/webapps/admin/login.config" \
    -jar "${ACTIVEMQ_HOME}/bin/run.jar" \
    $ACTIVEMQ_TASK $@
fi

But setting a corresponding environment variable is highly recommended!

* login.config

Create the file login.config in ${ACTIVEMQ_HOME}/webapps/admin/:

adminLoginModule {
  org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
  debug="true"
  file="/opt/activemq/conf/realm.properties";
};

* Create a password

cd $JETTY_HOME
java -cp lib/jetty-6.1.9.jar:lib/jetty-util-6.1.9.jar \
    org.mortbay.jetty.security.Password admin test
test
OBF:1z0f1vu91vv11z0f
MD5:098f6bcd4621d373cade4e832627b4f6
CRYPT:oewgD4ujswzhg

* realm.properties

Create the file realm.properties in ${ACTIVEMQ_HOME}/conf/:

admin: MD5:098f6bcd4621d373cade4e832627b4f6,user,admin

* admin-webapp: web.xml

Edit $AMQ_HOME/webapps/admin/WEB-INF/web.xml. Append this section:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>adminRealm</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>admin</role-name>
    <role-name>user</role-name>
    <role-name>moderator</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>adminRealm</realm-name>
</login-config>
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16823509.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
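
A consistency check for the four files edited in the procedure above, as an added example (not code from the thread, ActiveMQ or Jetty). It flags the mismatches this thread runs into, including the DIGEST with MD5/CRYPT case criggster points out and the entry-name mismatch behind "No LoginModules configured for ...". The function names and finding codes are assumptions of this example, and the inputs are constructed samples shaped like the thread's files.

```python
import re
import xml.etree.ElementTree as ET

ONE_WAY = ("MD5:", "CRYPT:")  # one-way forms printed by the Password tool in the thread

def _find_all(root, name):
    """Elements called `name`, ignoring namespaces such as the jetty xmlns."""
    return [e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _first_text(root, name):
    hits = _find_all(root, name)
    return (hits[0].text or "").strip() if hits else ""

def parse_jaas_entries(text):
    """Entry names of a JAAS login configuration: `Name { Module flag opts; };`."""
    text = re.sub(r'"[^"]*"', '""', text)  # drop quoted option values first
    return set(re.findall(r"([\w.\-]+)\s*\{", text))

def parse_realm_properties(text):
    """Jetty realm.properties lines: `user: credential[,role ...]`."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, rest = line.split(":", 1)
        cred, *roles = [p.strip() for p in rest.split(",")]
        users[user.strip()] = (cred, set(roles))
    return users

def check_console_auth(jetty_xml, web_xml, login_config, realm_properties):
    """Return (code, detail) findings for the four files the thread edits."""
    jetty, web = ET.fromstring(jetty_xml), ET.fromstring(web_xml)
    realms = {r.get("name"): r.get("loginModuleName")
              for r in _find_all(jetty, "jaasUserRealm")}
    realm_name = _first_text(web, "realm-name")
    method = _first_text(web, "auth-method").upper()
    allowed = {(e.text or "").strip()
               for c in _find_all(web, "auth-constraint")
               for e in _find_all(c, "role-name")}
    entries = parse_jaas_entries(login_config)
    users = parse_realm_properties(realm_properties)

    findings = []
    if realm_name not in realms:
        findings.append(("realm-mismatch",
                         f"web.xml realm-name '{realm_name}' matches no jaasUserRealm name"))
    for module in realms.values():
        if module not in entries:  # surfaces as "No LoginModules configured for <module>"
            findings.append(("no-login-module",
                             f"loginModuleName '{module}' is not an entry in the login config"))
    for user, (cred, _roles) in users.items():
        if method == "DIGEST" and cred.startswith(ONE_WAY):
            # Digest needs MD5(user:realm:password); a hash of the password alone cannot give it.
            findings.append(("digest-hashed-credential",
                             f"{user}: {cred.split(':')[0]} credential cannot satisfy DIGEST"))
        if cred.startswith("OBF:"):
            findings.append(("reversible-credential",
                             f"{user}: OBF is reversible, restrict read access to the file"))
    if method == "BASIC":
        findings.append(("basic-needs-tls", "BASIC sends the password with every request"))
    if allowed and not any(roles & allowed for _cred, roles in users.values()):
        findings.append(("no-user-in-role", f"no user holds any of {sorted(allowed)}"))
    return findings

# --- Constructed sample inputs, shaped like the files in the thread ---
JETTY_XML = """<jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
  <userRealms>
    <jaasUserRealm name="adminRealm" loginModuleName="adminLoginModule"/>
  </userRealms>
</jetty>"""

LOGIN_CONFIG = """adminLoginModule {
  org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
  debug="true"
  file="/opt/activemq/conf/realm.properties";
};"""

REALM_MD5 = "admin: MD5:098f6bcd4621d373cade4e832627b4f6,user,admin\n"
REALM_OBF = "admin: OBF:1z0f1vu91vv11z0f,user,admin\n"

def sample_web_xml(method, roles):
    """Constructed web.xml fragment with the thread's realm name."""
    role_xml = "".join(f"<role-name>{r}</role-name>" for r in roles)
    return (f"<web-app><security-constraint><auth-constraint>{role_xml}"
            f"</auth-constraint></security-constraint><login-config>"
            f"<auth-method>{method}</auth-method><realm-name>adminRealm</realm-name>"
            f"</login-config></web-app>")

if __name__ == "__main__":
    web = sample_web_xml("DIGEST", ["admin", "user", "moderator"])
    for code, detail in check_console_auth(JETTY_XML, web, LOGIN_CONFIG, REALM_MD5):
        print(f"{code}: {detail}")
```

An OBF credential clears the DIGEST finding but is still reported, because the obfuscation can be reversed by anyone who can read realm.properties.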
Re: Securing the web console impossible?
Posted by j0llyr0g3r <ti...@wincor-nixdorf.com>.
Hey folks,

sorry for flooding, but i have made some great progress.......:-)

I get one last error from the broker now when i try to access the interface:

WARN log - AUTH FAILURE: incorrect role for system

This seems quite logical (to me at least):

I don't know how to map the role i defined in my
$AMQ_HOME/webapps/admin/WEB-INF/web.xml

<security-constraint>
  ........
  <auth-constraint>
    <role-name>fooo</role-name>
  </auth-constraint>
</security-constraint>

to the user and groups i defined:

users.properties:

system=manager

groups.properties:

admins=system

How do i map the user above to the defined role?

First i thought, if something like

org.apache.activemq.jaas.properties.user="users.properties"
org.apache.activemq.jaas.properties.group="groups.properties";

exists, something like

org.apache.activemq.jaas.properties.role

would exist too, but i looked through the sourcecode and it doesn't?

If you search for example like this:

grep -irsI "org.apache.activemq.jaas.properties.group" apache-activemq-5.0.0

you get:

apache-activemq-5.0.0/src/activemq-jaas/login.config:
org.apache.activemq.jaas.properties.group="src/test/resources/groups.properties"

but nothing for

grep -irsI "org.apache.activemq.jaas.properties.role" apache-activemq-5.0.0

Then i thought, that i could define it in the web.xml in the section:

<auth-constraint>
  <role-name>system</role-name>
</auth-constraint>

but i looked in the servlet-specification, and there are no according
elements?

How can i map the defined users to the role "FOO"?

j0llyr0g3r wrote:
>
> Hi again,
>
> ok, i am one step further.....
>
> I thought about my last question (which was kind of stupid by the way)
>
>
> Ok, but do i actually have to edit the activemq-startscript or is it
> sufficient to put the login.conf in a classpath-directory? I assumed the
> latter, so put the login.conf in AMQ_HOME/conf, which i believe is in the
> classpath?
>
> -> I edited $AMQ_HOME/bin/activemq and added
>
> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config"
>
> to the last section in the script:
>
> ACTIVEMQ_TASK="start"
> if [ -n "$CYGHOME" ]; then
> exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS
> -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}"
> -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}"
> -Dcygwin.user.home="$CYGHOME"
> -Djava.security.auth.login.config="/opt/activemq/conf/login.config" -jar
> "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
> else
> exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS
> -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}"
> -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}"
> -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config"
> -jar "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
> fi
>
>
> Now the broker message when trying to log in is different:
>
> WARN log -
> javax.security.auth.login.LoginException: No LoginModules configured for
> ActiveMQ
> WARN log - AUTH FAILURE: user admin
>
> Ok, so i edited $AMQ_HOME/conf/activemq.xml and changed the parameter
> loginModuleName from
>
> <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
>
> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
> />
> </userRealms>
>
> to
>
> <userRealms>
> <!-- "name" must match the realm in web.xml, and "loginModuleName"
> must be defined in login.conf -->
> <jaasUserRealm name="adminInterface"
> loginModuleName="org.apache.activemq.jaas.PropertiesLoginModule"
>
> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
> />
> </userRealms>
>
> The broker tells me:
>
> WARN log -
> javax.security.auth.login.LoginException: No LoginModules configured for
> org.apache.activemq.jaas.PropertiesLoginModule
> WARN log - AUTH FAILURE: user admin
>
> Now i am confused, i thought
>
> org.apache.activemq.jaas.PropertiesLoginModule
>
> was actually a login module?
>
> Googling after the error message
> "javax.security.auth.login.LoginException: No LoginModules" hasn't helped
> me so far.....
>
>
> j0llyr0g3r wrote:
>>
>> Hey Bruce,
>>
>> thanks for your advice, i am almost there......:-)
>> .....but still one problem left...
>> (believe me, if i get this done, i will write / add a tutorial to the
>> confluence wiki, because i really think there is a need for a detailed
>> description of what to do for people who are not very familiar with
>> JAAS....)
>>
>> Ok,
>>
>> here i am:
>>
>> -> I defined a realm in $ACTIVEMQ_HOME/webapps/admin/WEb-INF/web.xml
>> which looks like that:
>>
>> <security-constraint>
>> <web-resource-collection>
>> <web-resource-name>adminInterface</web-resource-name>
>> <url-pattern>/*</url-pattern>
>> </web-resource-collection>
>> <auth-constraint>
>> <role-name>adminRole</role-name>
>> </auth-constraint>
>> </security-constraint>
>>
>> <login-config>
>> <auth-method>BASIC</auth-method>
>> <realm-name>adminInterface</realm-name>
>> </login-config>
>>
>> This look good so far, if i try to browse http://localhost:8161/admin i
>> get a 500-error.
>>
>> -> added "userRealms" to the activemq.xml like described in the afore
>> mentioned example:
>>
>> <userRealms>
>> <!-- "name" must match the realm in web.xml, and "loginModuleName"
>> must be defined in login.conf -->
>> <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
>>
>> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
>> />
>> </userRealms>
>>
>> And changed the parameter jaasUserRealm name= to the realm-name i had
>> defined in the web.xml, namely "adminInterface".
>>
>> -> login.config under $AMQ_HOME/conf:
>>
>> activemq-domain {
>> org.apache.activemq.jaas.PropertiesLoginModule required
>> debug=true
>>
>> org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
>>
>> org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
>> };
>>
>> -> users.properties under $AMQ_HOME/conf:
>>
>> admin=manager
>>
>> -> groups.properties under $AMQ_HOME/conf:
>>
>> admin=adminRole
>>
>> I copied jetty-plus-6.1.9.jar to $ACTIVEMQ_HOME/lib/ and restarted the
>> broker.
>>
>> And....hooray! I get a login mask with a user and a password field!
>>
>> But when i enter
>>
>> name:admin
>> password: manager
>> (like defined in the user.properties)
>>
>> i don't get logged in but the login-mask pops up again.
>>
>> The broker-log tells me:
>>
>> WARN log - AUTH FAILURE: user admin
>> WARN log - java.lang.SecurityException:
>> Unable to locate a login configuration
>>
>> So i assume i am still doing something wrong. Probably because i
>> misunderstood some of your answers:
>>
>> You wrote:
>>
>> The login.conf file is pointed to by a system property named
>> java.security.auth.login.config as in:
>>
>> -Djava.security.auth.login.config=login.conf
>>
>> Ok, but do i actually have to edit the activemq-startscript or is it
>> sufficient to put the login.conf in a classpath-directory? I assumed the
>> latter, so put the login.conf in AMQ_HOME/conf, which i believe is in the
>> classpath?
>>
>> > What should its content look like?
>>
>> Follow the rules specified in the Javadoc for the Java Security
>> Configuration object here:
>>
>> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>>
>> Thx for the link, as far as i can tell, i did this right?
>>
>> > What "loginModuleName" should i specify?
>>
>> You can specify any string as the loginModuleName. The important part
>> is that the realm-name in the web.xml and the loginModuleName in the
>> Jetty config match exactly.
>>
>> Was that a typo? I think you meant "the realm in the web.xml and
>> jaasUserRealm name must match exactly", right?
>>
>> Furthermore:
>>
>> I assume the in the web.xml defined role "adminRole" is mapped to the
>> group-entry "adminRole"?
>>
>>
>>
>>
>> bsnyder wrote:
>>>
>>> On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r
>>> <ti...@wincor-nixdorf.com> wrote:
>>>>
>>>> Hey folks,
>>>>
>>>> i am desperately trying to find out how to configure a simple access
>>>> control
>>>> for the web console, but this is simply not documented......
>>>>
>>>> The documentation here: http://activemq.apache.org/web-console.html
>>>> refers to a separate jetty instance, not to the integrated jetty.
>>>>
>>>> That's when i thought
>>>>
>>>> "ok, it's simply not possible using the integrated jetty"
>>>>
>>>> but then i stumbled over this piece of user-submitted configuration
>>>> example:
>>>> http://activemq.apache.org/user-submitted-configurations.html
>>>>
>>>> This looks really good:
>>>>
>>>> <!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar
>>>> contains
>>>> the
>>>> JAAS classes, and is not included with ActiveMQ. You need to
>>>> download
>>>> separately. Web Console queue browser will fail, as it tries to
>>>> use
>>>> JMS
>>>> to browse the queue, and that requires a password.
>>>> -->
>>>>
>>>> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>>>> <connectors>
>>>> <nioConnector port="8161" />
>>>> </connectors>
>>>>
>>>> <userRealms>
>>>> <!-- "name" must match the realm in web.xml, and
>>>> "loginModuleName"
>>>> must be defined in login.conf -->
>>>> <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>>>>
>>>>
>>>> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
>>>> />
>>>> </userRealms>
>>>>
>>>> <handlers>
>>>> <webAppContext contextPath="/admin"
>>>> resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>>>> </handlers>
>>>> </jetty>
>>>>
>>>> But unfortunately, it lacks important information:
>>>>
>>>> <userRealms>
>>>> <!-- "name" must match the realm in web.xml, and
>>>> "loginModuleName"
>>>> must be defined in login.conf -->
>>>>
>>>> Defining a realm in the web.xml is ok, but what about the
>>>> "login.conf"?
>>>>
>>>> Where should i place this file?
>>>
>>> The login.conf file is pointed to by a system property named
>>> java.security.auth.login.config as in:
>>>
>>> -Djava.security.auth.login.config=login.conf
>>>
>>>> What should its content look like?
>>>
>>> Follow the rules specified in the Javadoc for the Java Security
>>> Configuration object here:
>>>
>>> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>>>
>>>> What "loginModuleName" should i specify?
>>>
>>> You can specify any string as the loginModuleName. The important part
>>> is that the realm-name in the web.xml and the loginModuleName in the
>>> Jetty config match exactly.
>>>
>>> Bruce
>>> --
>>> perl -e 'print
>>> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
>>> );'
>>>
>>> Apache ActiveMQ - http://activemq.org/
>>> Apache Camel - http://activemq.org/camel/
>>> Apache ServiceMix - http://servicemix.org/
>>> Apache Geronimo - http://geronimo.apache.org/
>>>
>>> Blog: http://bruceblog.org/
>>>
>>>
>>
>>
>
>
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16786969.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Securing the web console impossible?
Posted by j0llyr0g3r <ti...@wincor-nixdorf.com>.
Hi again,

ok, i am one step further.....

I thought about my last question (which was kind of stupid by the way)

Ok, but do i actually have to edit the activemq-startscript or is it
sufficient to put the login.conf in a classpath-directory? I assumed the
latter, so put the login.conf in AMQ_HOME/conf, which i believe is in the
classpath?

-> I edited $AMQ_HOME/bin/activemq and added

-Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config"

to the last section in the script:

ACTIVEMQ_TASK="start"
if [ -n "$CYGHOME" ]; then
  exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS \
    -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}" \
    -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}" \
    -Dcygwin.user.home="$CYGHOME" \
    -Djava.security.auth.login.config="/opt/activemq/conf/login.config" \
    -jar "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
else
  exec "$JAVACMD" $ACTIVEMQ_DEBUG_OPTS $ACTIVEMQ_OPTS \
    -Dactivemq.classpath="${ACTIVEMQ_CLASSPATH}" \
    -Dactivemq.home="${ACTIVEMQ_HOME}" -Dactivemq.base="${ACTIVEMQ_BASE}" \
    -Djava.security.auth.login.config="${ACTIVEMQ_HOME}/conf/login.config" \
    -jar "${ACTIVEMQ_HOME}/bin/run.jar" $ACTIVEMQ_TASK $@
fi

Now the broker message when trying to log in is different:

WARN log - javax.security.auth.login.LoginException: No LoginModules configured for ActiveMQ
WARN log - AUTH FAILURE: user admin

Ok, so i edited $AMQ_HOME/conf/activemq.xml and changed the parameter
loginModuleName from

  <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
      callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
</userRealms>

to

<userRealms>
  <!-- "name" must match the realm in web.xml, and "loginModuleName" must
       be defined in login.conf -->
  <jaasUserRealm name="adminInterface"
      loginModuleName="org.apache.activemq.jaas.PropertiesLoginModule"
      callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler" />
</userRealms>

The broker tells me:

WARN log - javax.security.auth.login.LoginException: No LoginModules configured for org.apache.activemq.jaas.PropertiesLoginModule
WARN log - AUTH FAILURE: user admin

Now i am confused, i thought

org.apache.activemq.jaas.PropertiesLoginModule

was actually a login module?

Googling after the error message "javax.security.auth.login.LoginException:
No LoginModules" hasn't helped me so far.....

j0llyr0g3r wrote:
>
> Hey Bruce,
>
> thanks for your advice, i am almost there......:-)
> .....but still one problem left...
> (believe me, if i get this done, i will write / add a tutorial to the
> confluence wiki, because i really think there is a need for a detailed
> description of what to do for people who are not very familiar with
> JAAS....)
>
> Ok,
>
> here i am:
>
> -> I defined a realm in $ACTIVEMQ_HOME/webapps/admin/WEb-INF/web.xml which
> looks like that:
>
> <security-constraint>
> <web-resource-collection>
> <web-resource-name>adminInterface</web-resource-name>
> <url-pattern>/*</url-pattern>
> </web-resource-collection>
> <auth-constraint>
> <role-name>adminRole</role-name>
> </auth-constraint>
> </security-constraint>
>
> <login-config>
> <auth-method>BASIC</auth-method>
> <realm-name>adminInterface</realm-name>
> </login-config>
>
> This look good so far, if i try to browse http://localhost:8161/admin i
> get a 500-error.
>
> -> added "userRealms" to the activemq.xml like described in the afore
> mentioned example:
>
> <userRealms>
> <!-- "name" must match the realm in web.xml, and "loginModuleName"
> must be defined in login.conf -->
> <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
>
> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
> />
> </userRealms>
>
> And changed the parameter jaasUserRealm name= to the realm-name i had
> defined in the web.xml, namely "adminInterface".
>
> -> login.config under $AMQ_HOME/conf:
>
> activemq-domain {
> org.apache.activemq.jaas.PropertiesLoginModule required
> debug=true
>
> org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
>
> org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
> };
>
> -> users.properties under $AMQ_HOME/conf:
>
> admin=manager
>
> -> groups.properties under $AMQ_HOME/conf:
>
> admin=adminRole
>
> I copied jetty-plus-6.1.9.jar to $ACTIVEMQ_HOME/lib/ and restarted the
> broker.
>
> And....hooray! I get a login mask with a user and a password field!
>
> But when i enter
>
> name:admin
> password: manager
> (like defined in the user.properties)
>
> i don't get logged in but the login-mask pops up again.
>
> The broker-log tells me:
>
> WARN log - AUTH FAILURE: user admin
> WARN log - java.lang.SecurityException: Unable to locate a login configuration
>
> So i assume i am still doing something wrong. Probably because i
> misunderstood some of your answers:
>
> You wrote:
>
> The login.conf file is pointed to by a system property named
> java.security.auth.login.config as in:
>
> -Djava.security.auth.login.config=login.conf
>
> Ok, but do i actually have to edit the activemq-startscript or is it
> sufficient to put the login.conf in a classpath-directory? I assumed the
> latter, so put the login.conf in AMQ_HOME/conf, which i believe is in the
> classpath?
>
> > What should its content look like?
>
> Follow the rules specified in the Javadoc for the Java Security
> Configuration object here:
>
> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>
> Thx for the link, as far as i can tell, i did this right?
>
> > What "loginModuleName" should i specify?
>
> You can specify any string as the loginModuleName. The important part
> is that the realm-name in the web.xml and the loginModuleName in the
> Jetty config match exactly.
>
> Was that a typo? I think you meant "the realm in the web.xml and
> jaasUserRealm name must match exactly", right?
>
> Furthermore:
>
> I assume the role "adminRole" defined in the web.xml is mapped to the
> group-entry "adminRole"?
>
>
>
>
> bsnyder wrote:
>>
>> On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r
>> <ti...@wincor-nixdorf.com> wrote:
>>>
>>> Hey folks,
>>>
>>> i am desperately trying to find out how to configure a simple access
>>> control
>>> for the web console, but this is simply not documented......
>>>
>>> The documentation here: http://activemq.apache.org/web-console.html
>>> refers to a separate jetty instance, not to the integrated jetty.
>>>
>>> That's when i thought
>>>
>>> "ok, it's simply not possible using the integrated jetty"
>>>
>>> but then i stumbled over this piece of user-submitted configuration
>>> example:
>>> http://activemq.apache.org/user-submitted-configurations.html
>>>
>>> This looks really good:
>>>
>>> <!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar
>>> contains
>>> the
>>> JAAS classes, and is not included with ActiveMQ. You need to
>>> download
>>> separately. Web Console queue browser will fail, as it tries to
>>> use
>>> JMS
>>> to browse the queue, and that requires a password.
>>> -->
>>>
>>> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>>> <connectors>
>>> <nioConnector port="8161" />
>>> </connectors>
>>>
>>> <userRealms>
>>> <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>> must be defined in login.conf -->
>>> <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>>>
>>>
>>> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
>>> />
>>> </userRealms>
>>>
>>> <handlers>
>>> <webAppContext contextPath="/admin"
>>> resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>>> </handlers>
>>> </jetty>
>>>
>>> But unfortunately, it lacks important information:
>>>
>>> <userRealms>
>>> <!-- "name" must match the realm in web.xml, and "loginModuleName"
>>> must be defined in login.conf -->
>>>
>>> Defining a realm in the web.xml is ok, but what about the "login.conf"?
>>>
>>> Where should i place this file?
>>
>> The login.conf file is pointed to by a system property named
>> java.security.auth.login.config as in:
>>
>> -Djava.security.auth.login.config=login.conf
>>
>>> What should its content look like?
>>
>> Follow the rules specified in the Javadoc for the Java Security
>> Configuration object here:
>>
>> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>>
>>> What "loginModuleName" should i specify?
>>
>> You can specify any string as the loginModuleName. The important part
>> is that the realm-name in the web.xml and the loginModuleName in the
>> Jetty config match exactly.
>>
>> Bruce
>> --
>> perl -e 'print
>> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
>> );'
>>
>> Apache ActiveMQ - http://activemq.org/
>> Apache Camel - http://activemq.org/camel/
>> Apache ServiceMix - http://servicemix.org/
>> Apache Geronimo - http://geronimo.apache.org/
>>
>> Blog: http://bruceblog.org/
>>
>>
>
>
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16784476.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Re: Securing the web console impossible?
Posted by j0llyr0g3r <ti...@wincor-nixdorf.com>.
Hey Bruce,

thanks for your advice, i am almost there......:-)
.....but still one problem left...
(believe me, if i get this done, i will write / add a tutorial to the
confluence wiki, because i really think there is a need for a detailed
description of what to do for people who are not very familiar with
JAAS....)

Ok,

here i am:

-> I defined a realm in $ACTIVEMQ_HOME/webapps/admin/WEB-INF/web.xml which
looks like that:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>adminInterface</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>adminRole</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>BASIC</auth-method>
      <realm-name>adminInterface</realm-name>
    </login-config>

This looks good so far, if i try to browse http://localhost:8161/admin i get
a 500-error.

-> added "userRealms" to the activemq.xml like described in the
aforementioned example:

    <userRealms>
      <!-- "name" must match the realm in web.xml, and "loginModuleName"
           must be defined in login.conf -->
      <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"
        callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
      />
    </userRealms>

And changed the parameter jaasUserRealm name= to the realm-name i had
defined in the web.xml, namely "adminInterface".

-> login.config under $AMQ_HOME/conf:

    activemq-domain {
        org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
        org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
    };

-> users.properties under $AMQ_HOME/conf:

    admin=manager

-> groups.properties under $AMQ_HOME/conf:

    admin=adminRole

I copied jetty-plus-6.1.9.jar to $ACTIVEMQ_HOME/lib/ and restarted the
broker.

And....hooray! I get a login mask with a user and a password field!

But when i enter

    name:admin
    password: manager
    (like defined in the user.properties)

i don't get logged in but the login-mask pops up again.

The broker-log tells me:

    WARN log - AUTH FAILURE: user admin
    WARN log - java.lang.SecurityException: Unable to locate a login configuration

So i assume i am still doing something wrong. Probably because i
misunderstood some of your answers:

You wrote:

The login.conf file is pointed to by a system property named
java.security.auth.login.config as in:

    -Djava.security.auth.login.config=login.conf

Ok, but do i actually have to edit the activemq-startscript or is it
sufficient to put the login.conf in a classpath-directory? I assumed the
latter, so put the login.conf in AMQ_HOME/conf, which i believe is in the
classpath?

> What should its content look like?

Follow the rules specified in the Javadoc for the Java Security
Configuration object here:

http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html

Thx for the link, as far as i can tell, i did this right?

> What "loginModuleName" should i specify?

You can specify any string as the loginModuleName. The important part
is that the realm-name in the web.xml and the loginModuleName in the
Jetty config match exactly.

Was that a typo? I think you meant "the realm in the web.xml and
jaasUserRealm name must match exactly", right?

Furthermore:

I assume the role "adminRole" defined in the web.xml is mapped to the
group-entry "adminRole"?

bsnyder wrote:
>
> On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r
> <ti...@wincor-nixdorf.com> wrote:
>>
>> Hey folks,
>>
>> i am desperately trying to find out how to configure a simple access
>> control
>> for the web console, but this is simply not documented......
>>
>> The documentation here: http://activemq.apache.org/web-console.html
>> refers to a separate jetty instance, not to the integrated jetty.
>>
>> That's when i thought
>>
>> "ok, it's simply not possible using the integrated jetty"
>>
>> but then i stumbled over this piece of user-submitted configuration
>> example:
>> http://activemq.apache.org/user-submitted-configurations.html
>>
>> This looks really good:
>>
>> <!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar
>> contains
>> the
>> JAAS classes, and is not included with ActiveMQ. You need to
>> download
>> separately. Web Console queue browser will fail, as it tries to
>> use
>> JMS
>> to browse the queue, and that requires a password.
>> -->
>>
>> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
>> <connectors>
>> <nioConnector port="8161" />
>> </connectors>
>>
>> <userRealms>
>> <!-- "name" must match the realm in web.xml, and "loginModuleName"
>> must be defined in login.conf -->
>> <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>>
>>
>> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
>> />
>> </userRealms>
>>
>> <handlers>
>> <webAppContext contextPath="/admin"
>> resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
>> </handlers>
>> </jetty>
>>
>> But unfortunately, it lacks important information:
>>
>> <userRealms>
>> <!-- "name" must match the realm in web.xml, and "loginModuleName"
>> must be defined in login.conf -->
>>
>> Defining a realm in the web.xml is ok, but what about the "login.conf"?
>>
>> Where should i place this file?
>
> The login.conf file is pointed to by a system property named
> java.security.auth.login.config as in:
>
> -Djava.security.auth.login.config=login.conf
>
>> What should its content look like?
>
> Follow the rules specified in the Javadoc for the Java Security
> Configuration object here:
>
> http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html
>
>> What "loginModuleName" should i specify?
>
> You can specify any string as the loginModuleName. The important part
> is that the realm-name in the web.xml and the loginModuleName in the
> Jetty config match exactly.
>
> Bruce
> --
> perl -e 'print
> unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
> );'
>
> Apache ActiveMQ - http://activemq.org/
> Apache Camel - http://activemq.org/camel/
> Apache ServiceMix - http://servicemix.org/
> Apache Geronimo - http://geronimo.apache.org/
>
> Blog: http://bruceblog.org/
>
>
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525s2354p16784012.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
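
The configuration in the message above links three files by name: realm-name in web.xml, the jaasUserRealm name, and loginModuleName. The checker below is an added example, not code from any post in this thread; its inputs are constructed from the snippets quoted in the message (namespaces and options trimmed), and it assumes that Jetty passes loginModuleName to JAAS as the name of the entry to look up in the login configuration file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed inputs, trimmed from the snippets quoted in the thread.
WEB_XML = """<web-app>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>adminInterface</realm-name>
  </login-config>
</web-app>"""

JETTY_XML = """<userRealms>
  <jaasUserRealm name="adminInterface" loginModuleName="ActiveMQ"/>
</userRealms>"""

LOGIN_CONFIG = """activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true;
};"""

def jaas_entries(text):
    """Return {entry name: [login module class names]} from a JAAS config."""
    entries = {}
    for name, body in re.findall(r"([\w.\-]+)\s*\{(.*?)\}\s*;", text, flags=re.S):
        # Each module statement ends with ';' and starts with the class name.
        entries[name] = [s.split()[0] for s in body.split(";") if s.strip()]
    return entries

def check(web_xml, jetty_xml, login_config):
    """List every broken link in the realm -> JAAS entry name chain."""
    problems = []
    realm = ET.fromstring(web_xml).findtext(".//realm-name")
    entries = jaas_entries(login_config)
    for r in ET.fromstring(jetty_xml).iter("jaasUserRealm"):
        if r.get("name") != realm:
            problems.append(f"web.xml realm-name {realm!r} != "
                            f"jaasUserRealm name {r.get('name')!r}")
        # Assumption: loginModuleName is the JAAS entry name to look up.
        if r.get("loginModuleName") not in entries:
            problems.append(f"loginModuleName {r.get('loginModuleName')!r} is not "
                            f"an entry in the login config {sorted(entries)}")
    return problems

if __name__ == "__main__":
    for p in check(WEB_XML, JETTY_XML, LOGIN_CONFIG):
        print("MISMATCH:", p)
```

Run against the values from the message, it reports one mismatch: the login configuration defines an entry named activemq-domain while the realm asks for ActiveMQ.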
Re: Securing the web console impossible?
Posted by Bruce Snyder <br...@gmail.com>.
On Fri, Apr 18, 2008 at 3:22 PM, j0llyr0g3r
<ti...@wincor-nixdorf.com> wrote:
>
> Hey folks,
>
> i am desperately trying to find out how to configure a simple access control
> for the web console, but this is simply not documented......
>
> The documentation here: http://activemq.apache.org/web-console.html
> refers to a separate jetty instance, not to the integrated jetty.
>
> That's when i thought
>
> "ok, it's simply not possible using the integrated jetty"
>
> but then i stumbled over this piece of user-submitted configuration example:
> http://activemq.apache.org/user-submitted-configurations.html
>
> This looks really good:
>
> <!-- Web Console. Auth is via JAAS. Beware: jetty-plus-6.1.4.jar contains
> the
> JAAS classes, and is not included with ActiveMQ. You need to
> download
> separately. Web Console queue browser will fail, as it tries to use
> JMS
> to browse the queue, and that requires a password.
> -->
>
> <jetty xmlns="http://mortbay.com/schemas/jetty/1.0">
> <connectors>
> <nioConnector port="8161" />
> </connectors>
>
> <userRealms>
> <!-- "name" must match the realm in web.xml, and "loginModuleName"
> must be defined in login.conf -->
> <jaasUserRealm name="ActiveMQ" loginModuleName="ActiveMQ"
>
> callbackHandlerClass="org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler"
> />
> </userRealms>
>
> <handlers>
> <webAppContext contextPath="/admin"
> resourceBase="${activemq.base}/webapps/admin" logUrlOnStart="true" />
> </handlers>
> </jetty>
>
> But unfortunately, it lacks important information:
>
> <userRealms>
> <!-- "name" must match the realm in web.xml, and "loginModuleName"
> must be defined in login.conf -->
>
> Defining a realm in the web.xml is ok, but what about the "login.conf"?
>
> Where should i place this file?

The login.conf file is pointed to by a system property named
java.security.auth.login.config as in:

    -Djava.security.auth.login.config=login.conf

> What should its content look like?

Follow the rules specified in the Javadoc for the Java Security
Configuration object here:

http://java.sun.com/j2se/1.5.0/docs/api/javax/security/auth/login/Configuration.html

> What "loginModuleName" should i specify?

You can specify any string as the loginModuleName. The important part
is that the realm-name in the web.xml and the loginModuleName in the
Jetty config match exactly.

Bruce
--
perl -e 'print unpack("u30","D0G)U8V4\@4VYY9&5R\"F)R=6-E+G-N>61E<D\!G;6%I;\"YC;VT*"
);'
Apache ActiveMQ - http://activemq.org/
Apache Camel - http://activemq.org/camel/
Apache ServiceMix - http://servicemix.org/
Apache Geronimo - http://geronimo.apache.org/
Blog: http://bruceblog.org/
Re: Securing the web console impossible?
Posted by magellings <ma...@qg.com>.
Minor note.

    java -cp lib/jetty-6.1.9.jar:lib/jetty-util-6.1.9.jar org.mortbay.jetty.security.Password admin test

The : needs to change to a ; in order for java to search both JAR archives.
Otherwise you'll get a:

    java.lang.ClassNotFoundException: org.mortbay.jetty.security.Password

Correct syntax is:

    java -cp lib/jetty-6.1.9.jar;lib/jetty-util-6.1.9.jar org.mortbay.jetty.security.Password admin test
--
View this message in context: http://www.nabble.com/Securing-the-web-console-impossible--tp16765525p24851300.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.