Can I connect to a vm URL without a password?

[Quinn Stevenson <qu...@pronoia-solutions.com>]

I have several components running inside the same JVM as ActiveMQ, and they connect to the broker using a vm URL.  Guest access to the broker has been disabled for security reasons, but I’d like the embedded components to be able to connect to the broker without a username or password.

Is there a way to configure ActiveMQ to allow anonymous/guest access for VM connections only?

Re: Can I connect to a vm URL without a password?

[Tim Bain <tb...@alumni.duke.edu>]

Thanks for creating the request; what you did sounds fine.

Tim

On Thu, Mar 29, 2018, 11:31 AM Quinn Stevenson <qu...@pronoia-solutions.com>
wrote:

> Thanks for all your help Tim.
>
> I created https://issues.apache.org/jira/browse/AMQ-6941 <
> https://issues.apache.org/jira/browse/AMQ-6941> for this request, and I
> put a link to the example implementation in the JIRA rather than the
> source.  I did it that way because the jar with the plugin is in Maven
> Central, and the source can be found on Github.
>
> I’ll be moving this customer to Artemis in the near future - I guess I’ll
> have to look at doing the same thing in Artemis.
>
> Thanks Again
>
>
> > On Mar 27, 2018, at 7:12 AM, Tim Bain <tb...@alumni.duke.edu> wrote:
> >
> > Quinn,
> >
> > Great, I'm glad you got it working.
> >
> > Yes, I think there would be benefit to having this capability. However,
> I'm
> > not sure if what you've implemented is the ideal implementation from a
> > long-term maintenance standpoint (I suspect that we'd want to fold it
> into
> > the Simple Authentication Plugin, with configuration options to turn it
> on
> > and off and possibly a way to specify the set of protocols that do not
> > require authentication), so I suggest you create an enhancement request
> in
> > JIRA and attach your implementation to it. Whoever implements the
> > enhancement request can use the core of your code and wrap the
> appropriate
> > options around it in the Simple Authentication Plugin (or wherever else),
> > and anyone who wants the capability before it gets implemented officially
> > can grab your plugin file off of the enhancement request.
> >
> > Tim
> >
> > On Mon, Mar 26, 2018, 9:48 PM Quinn Stevenson <
> quinn@pronoia-solutions.com>
> > wrote:
> >
> >> Thanks Tim - I think I’ve got one working now.
> >>
> >> I wound up casting the result of getConnector() to TransportConnector
> and
> >> then calling getName() - it looks like it has what I need.
> >>
> >> I’ve got a version running locally now, and it seems to be doing what
> I’m
> >> after.  Thanks for all of your help.
> >>
> >> BTW - let me know if you think this is something the community would
> like
> >> and I’ll put together a PR for it.
> >>
> >> Thanks Again
> >> Quinn
> >>
> >>> On Mar 25, 2018, at 11:11 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
> >>>
> >>> Quinn,
> >>>
> >>> I think you should be able to access the URI to which the connection is
> >>> bound by calling
> >>>
> ((TransportConnector)context.getConnector()).getServer().getConnectURI(),
> >>> and then you can parse the protocol out of it. But it's not something
> >> I've
> >>> personally done and I don't have time to try it right now, so this is
> >>> purely conjecture based on the documentation plus reading the code. So
> if
> >>> that doesn't work, I apologize, but let me know how it blows up and I
> can
> >>> try to help further.
> >>>
> >>> Tim
> >>>
> >>> On Thu, Mar 22, 2018 at 10:22 AM, Quinn Stevenson <
> >>> quinn@pronoia-solutions.com> wrote:
> >>>
> >>>> Thank you Tim -
> >>>>
> >>>> I was afraid you were going to say that :-)
> >>>>
> >>>> I was looking at the SimpleAuthenticationPlugin /
> >>>> SimpleAuthenticationBroker, and I have an idea how to do this.  The
> one
> >>>> thing I’m not sure about is how I can tell when the connection is
> coming
> >>>> via a VM URL - do you have any hints on that?
> >>>>
> >>>>
> >>>>> On Mar 21, 2018, at 7:21 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
> >>>>>
> >>>>> I'm not sure there's a built-in way to do this without writing any
> >> code,
> >>>>> but you should be able to write a simple security plugin that allows
> >> you
> >>>> to
> >>>>> allow or deny connections based on their transport and whether they
> are
> >>>>> anonymous. The bottom of http://activemq.apache.org/security.html
> has
> >>>>> details about how to get started.
> >>>>>
> >>>>> Tim
> >>>>>
> >>>>> On Wed, Mar 21, 2018, 6:08 PM Quinn Stevenson <
> >>>> quinn@pronoia-solutions.com>
> >>>>> wrote:
> >>>>>
> >>>>>> I have several components running inside the same JVM as ActiveMQ,
> and
> >>>>>> they connect to the broker using a vm URL.  Guest access to the
> broker
> >>>> has
> >>>>>> been disabled for security reasons, but I’d like the embedded
> >>>> components to
> >>>>>> be able to connect to the broker without a username or password.
> >>>>>>
> >>>>>> Is there a way to configure ActiveMQ to allow anonymous/guest access
> >> for
> >>>>>> VM connections only?
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>
> >>>>
> >>
> >>
>
>

Re: Can I connect to a vm URL without a password?

[Quinn Stevenson <qu...@pronoia-solutions.com>]

Thanks for all your help Tim.

I created https://issues.apache.org/jira/browse/AMQ-6941 <https://issues.apache.org/jira/browse/AMQ-6941> for this request, and I put a link to the example implementation in the JIRA rather than the source.  I did it that way because the jar with the plugin is in Maven Central, and the source can be found on Github. 

I’ll be moving this customer to Artemis in the near future - I guess I’ll have to look at doing the same thing in Artemis.

Thanks Again


> On Mar 27, 2018, at 7:12 AM, Tim Bain <tb...@alumni.duke.edu> wrote:
> 
> Quinn,
> 
> Great, I'm glad you got it working.
> 
> Yes, I think there would be benefit to having this capability. However, I'm
> not sure if what you've implemented is the ideal implementation from a
> long-term maintenance standpoint (I suspect that we'd want to fold it into
> the Simple Authentication Plugin, with configuration options to turn it on
> and off and possibly a way to specify the set of protocols that do not
> require authentication), so I suggest you create an enhancement request in
> JIRA and attach your implementation to it. Whoever implements the
> enhancement request can use the core of your code and wrap the appropriate
> options around it in the Simple Authentication Plugin (or wherever else),
> and anyone who wants the capability before it gets implemented officially
> can grab your plugin file off of the enhancement request.
> 
> Tim
> 
> On Mon, Mar 26, 2018, 9:48 PM Quinn Stevenson <qu...@pronoia-solutions.com>
> wrote:
> 
>> Thanks Tim - I think I’ve got one working now.
>> 
>> I wound up casting the result of getConnector() to TransportConnector and
>> then calling getName() - it looks like it has what I need.
>> 
>> I’ve got a version running locally now, and it seems to be doing what I’m
>> after.  Thanks for all of your help.
>> 
>> BTW - let me know if you think this is something the community would like
>> and I’ll put together a PR for it.
>> 
>> Thanks Again
>> Quinn
>> 
>>> On Mar 25, 2018, at 11:11 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
>>> 
>>> Quinn,
>>> 
>>> I think you should be able to access the URI to which the connection is
>>> bound by calling
>>> ((TransportConnector)context.getConnector()).getServer().getConnectURI(),
>>> and then you can parse the protocol out of it. But it's not something
>> I've
>>> personally done and I don't have time to try it right now, so this is
>>> purely conjecture based on the documentation plus reading the code. So if
>>> that doesn't work, I apologize, but let me know how it blows up and I can
>>> try to help further.
>>> 
>>> Tim
>>> 
>>> On Thu, Mar 22, 2018 at 10:22 AM, Quinn Stevenson <
>>> quinn@pronoia-solutions.com> wrote:
>>> 
>>>> Thank you Tim -
>>>> 
>>>> I was afraid you were going to say that :-)
>>>> 
>>>> I was looking at the SimpleAuthenticationPlugin /
>>>> SimpleAuthenticationBroker, and I have an idea how to do this.  The one
>>>> thing I’m not sure about is how I can tell when the connection is coming
>>>> via a VM URL - do you have any hints on that?
>>>> 
>>>> 
>>>>> On Mar 21, 2018, at 7:21 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
>>>>> 
>>>>> I'm not sure there's a built-in way to do this without writing any
>> code,
>>>>> but you should be able to write a simple security plugin that allows
>> you
>>>> to
>>>>> allow or deny connections based on their transport and whether they are
>>>>> anonymous. The bottom of http://activemq.apache.org/security.html has
>>>>> details about how to get started.
>>>>> 
>>>>> Tim
>>>>> 
>>>>> On Wed, Mar 21, 2018, 6:08 PM Quinn Stevenson <
>>>> quinn@pronoia-solutions.com>
>>>>> wrote:
>>>>> 
>>>>>> I have several components running inside the same JVM as ActiveMQ, and
>>>>>> they connect to the broker using a vm URL.  Guest access to the broker
>>>> has
>>>>>> been disabled for security reasons, but I’d like the embedded
>>>> components to
>>>>>> be able to connect to the broker without a username or password.
>>>>>> 
>>>>>> Is there a way to configure ActiveMQ to allow anonymous/guest access
>> for
>>>>>> VM connections only?
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>> 
>>>> 
>> 
>> 

Re: Can I connect to a vm URL without a password?

[Tim Bain <tb...@alumni.duke.edu>]

Quinn,

Great, I'm glad you got it working.

Yes, I think there would be benefit to having this capability. However, I'm
not sure if what you've implemented is the ideal implementation from a
long-term maintenance standpoint (I suspect that we'd want to fold it into
the Simple Authentication Plugin, with configuration options to turn it on
and off and possibly a way to specify the set of protocols that do not
require authentication), so I suggest you create an enhancement request in
JIRA and attach your implementation to it. Whoever implements the
enhancement request can use the core of your code and wrap the appropriate
options around it in the Simple Authentication Plugin (or wherever else),
and anyone who wants the capability before it gets implemented officially
can grab your plugin file off of the enhancement request.

Tim

On Mon, Mar 26, 2018, 9:48 PM Quinn Stevenson <qu...@pronoia-solutions.com>
wrote:

> Thanks Tim - I think I’ve got one working now.
>
> I wound up casting the result of getConnector() to TransportConnector and
> then calling getName() - it looks like it has what I need.
>
> I’ve got a version running locally now, and it seems to be doing what I’m
> after.  Thanks for all of your help.
>
> BTW - let me know if you think this is something the community would like
> and I’ll put together a PR for it.
>
> Thanks Again
> Quinn
>
> > On Mar 25, 2018, at 11:11 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
> >
> > Quinn,
> >
> > I think you should be able to access the URI to which the connection is
> > bound by calling
> > ((TransportConnector)context.getConnector()).getServer().getConnectURI(),
> > and then you can parse the protocol out of it. But it's not something
> I've
> > personally done and I don't have time to try it right now, so this is
> > purely conjecture based on the documentation plus reading the code. So if
> > that doesn't work, I apologize, but let me know how it blows up and I can
> > try to help further.
> >
> > Tim
> >
> > On Thu, Mar 22, 2018 at 10:22 AM, Quinn Stevenson <
> > quinn@pronoia-solutions.com> wrote:
> >
> >> Thank you Tim -
> >>
> >> I was afraid you were going to say that :-)
> >>
> >> I was looking at the SimpleAuthenticationPlugin /
> >> SimpleAuthenticationBroker, and I have an idea how to do this.  The one
> >> thing I’m not sure about is how I can tell when the connection is coming
> >> via a VM URL - do you have any hints on that?
> >>
> >>
> >>> On Mar 21, 2018, at 7:21 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
> >>>
> >>> I'm not sure there's a built-in way to do this without writing any
> code,
> >>> but you should be able to write a simple security plugin that allows
> you
> >> to
> >>> allow or deny connections based on their transport and whether they are
> >>> anonymous. The bottom of http://activemq.apache.org/security.html has
> >>> details about how to get started.
> >>>
> >>> Tim
> >>>
> >>> On Wed, Mar 21, 2018, 6:08 PM Quinn Stevenson <
> >> quinn@pronoia-solutions.com>
> >>> wrote:
> >>>
> >>>> I have several components running inside the same JVM as ActiveMQ, and
> >>>> they connect to the broker using a vm URL.  Guest access to the broker
> >> has
> >>>> been disabled for security reasons, but I’d like the embedded
> >> components to
> >>>> be able to connect to the broker without a username or password.
> >>>>
> >>>> Is there a way to configure ActiveMQ to allow anonymous/guest access
> for
> >>>> VM connections only?
> >>>>
> >>>>
> >>>>
> >>>>
> >>
> >>
>
>

Re: Can I connect to a vm URL without a password?

[Quinn Stevenson <qu...@pronoia-solutions.com>]

Thanks Tim - I think I’ve got one working now.

I wound up casting the result of getConnector() to TransportConnector and then calling getName() - it looks like it has what I need.

I’ve got a version running locally now, and it seems to be doing what I’m after.  Thanks for all of your help.

BTW - let me know if you think this is something the community would like and I’ll put together a PR for it.

Thanks Again
Quinn

> On Mar 25, 2018, at 11:11 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
> 
> Quinn,
> 
> I think you should be able to access the URI to which the connection is
> bound by calling
> ((TransportConnector)context.getConnector()).getServer().getConnectURI(),
> and then you can parse the protocol out of it. But it's not something I've
> personally done and I don't have time to try it right now, so this is
> purely conjecture based on the documentation plus reading the code. So if
> that doesn't work, I apologize, but let me know how it blows up and I can
> try to help further.
> 
> Tim
> 
> On Thu, Mar 22, 2018 at 10:22 AM, Quinn Stevenson <
> quinn@pronoia-solutions.com> wrote:
> 
>> Thank you Tim -
>> 
>> I was afraid you were going to say that :-)
>> 
>> I was looking at the SimpleAuthenticationPlugin /
>> SimpleAuthenticationBroker, and I have an idea how to do this.  The one
>> thing I’m not sure about is how I can tell when the connection is coming
>> via a VM URL - do you have any hints on that?
>> 
>> 
>>> On Mar 21, 2018, at 7:21 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
>>> 
>>> I'm not sure there's a built-in way to do this without writing any code,
>>> but you should be able to write a simple security plugin that allows you
>> to
>>> allow or deny connections based on their transport and whether they are
>>> anonymous. The bottom of http://activemq.apache.org/security.html has
>>> details about how to get started.
>>> 
>>> Tim
>>> 
>>> On Wed, Mar 21, 2018, 6:08 PM Quinn Stevenson <
>> quinn@pronoia-solutions.com>
>>> wrote:
>>> 
>>>> I have several components running inside the same JVM as ActiveMQ, and
>>>> they connect to the broker using a vm URL.  Guest access to the broker
>> has
>>>> been disabled for security reasons, but I’d like the embedded
>> components to
>>>> be able to connect to the broker without a username or password.
>>>> 
>>>> Is there a way to configure ActiveMQ to allow anonymous/guest access for
>>>> VM connections only?
>>>> 
>>>> 
>>>> 
>>>> 
>> 
>> 

Re: Can I connect to a vm URL without a password?

[Tim Bain <tb...@alumni.duke.edu>]

Quinn,

I think you should be able to access the URI to which the connection is
bound by calling
((TransportConnector)context.getConnector()).getServer().getConnectURI(),
and then you can parse the protocol out of it. But it's not something I've
personally done and I don't have time to try it right now, so this is
purely conjecture based on the documentation plus reading the code. So if
that doesn't work, I apologize, but let me know how it blows up and I can
try to help further.

Tim

On Thu, Mar 22, 2018 at 10:22 AM, Quinn Stevenson <
quinn@pronoia-solutions.com> wrote:

> Thank you Tim -
>
> I was afraid you were going to say that :-)
>
> I was looking at the SimpleAuthenticationPlugin /
> SimpleAuthenticationBroker, and I have an idea how to do this.  The one
> thing I’m not sure about is how I can tell when the connection is coming
> via a VM URL - do you have any hints on that?
>
>
> > On Mar 21, 2018, at 7:21 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
> >
> > I'm not sure there's a built-in way to do this without writing any code,
> > but you should be able to write a simple security plugin that allows you
> to
> > allow or deny connections based on their transport and whether they are
> > anonymous. The bottom of http://activemq.apache.org/security.html has
> > details about how to get started.
> >
> > Tim
> >
> > On Wed, Mar 21, 2018, 6:08 PM Quinn Stevenson <
> quinn@pronoia-solutions.com>
> > wrote:
> >
> >> I have several components running inside the same JVM as ActiveMQ, and
> >> they connect to the broker using a vm URL.  Guest access to the broker
> has
> >> been disabled for security reasons, but I’d like the embedded
> components to
> >> be able to connect to the broker without a username or password.
> >>
> >> Is there a way to configure ActiveMQ to allow anonymous/guest access for
> >> VM connections only?
> >>
> >>
> >>
> >>
>
>

Re: Can I connect to a vm URL without a password?

[Quinn Stevenson <qu...@pronoia-solutions.com>]

Thank you Tim -

I was afraid you were going to say that :-)

I was looking at the SimpleAuthenticationPlugin / SimpleAuthenticationBroker, and I have an idea how to do this.  The one thing I’m not sure about is how I can tell when the connection is coming via a VM URL - do you have any hints on that?


> On Mar 21, 2018, at 7:21 PM, Tim Bain <tb...@alumni.duke.edu> wrote:
> 
> I'm not sure there's a built-in way to do this without writing any code,
> but you should be able to write a simple security plugin that allows you to
> allow or deny connections based on their transport and whether they are
> anonymous. The bottom of http://activemq.apache.org/security.html has
> details about how to get started.
> 
> Tim
> 
> On Wed, Mar 21, 2018, 6:08 PM Quinn Stevenson <qu...@pronoia-solutions.com>
> wrote:
> 
>> I have several components running inside the same JVM as ActiveMQ, and
>> they connect to the broker using a vm URL.  Guest access to the broker has
>> been disabled for security reasons, but I’d like the embedded components to
>> be able to connect to the broker without a username or password.
>> 
>> Is there a way to configure ActiveMQ to allow anonymous/guest access for
>> VM connections only?
>> 
>> 
>> 
>> 

Re: Can I connect to a vm URL without a password?

[Tim Bain <tb...@alumni.duke.edu>]

I'm not sure there's a built-in way to do this without writing any code,
but you should be able to write a simple security plugin that allows you to
allow or deny connections based on their transport and whether they are
anonymous. The bottom of http://activemq.apache.org/security.html has
details about how to get started.

Tim

On Wed, Mar 21, 2018, 6:08 PM Quinn Stevenson <qu...@pronoia-solutions.com>
wrote:

> I have several components running inside the same JVM as ActiveMQ, and
> they connect to the broker using a vm URL.  Guest access to the broker has
> been disabled for security reasons, but I’d like the embedded components to
> be able to connect to the broker without a username or password.
>
> Is there a way to configure ActiveMQ to allow anonymous/guest access for
> VM connections only?
>
>
>
>