You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@activemq.apache.org by "Gary Tully (JIRA)" <ji...@apache.org> on 2011/03/04 17:56:37 UTC

[jira] Resolved: (AMQ-3198) Allow JAAS GuestLoginModule to fail if users specify a password

     [ https://issues.apache.org/jira/browse/AMQ-3198?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Gary Tully resolved AMQ-3198.
-----------------------------

    Resolution: Fixed

fix in http://svn.apache.org/viewvc?rev=1078048&view=rev

config in the description now works to only allow guest login if there is no password. A password will cause the guest login to fail, allowing the properties login module to validate the password and overall success only it it succeeds. End result, guest is no longer applicable to invalue username/password combinations.

> Allow JAAS GuestLoginModule to fail if users specify a password
> ---------------------------------------------------------------
>
>                 Key: AMQ-3198
>                 URL: https://issues.apache.org/jira/browse/AMQ-3198
>             Project: ActiveMQ
>          Issue Type: Improvement
>          Components: Broker
>    Affects Versions: 5.4.2
>            Reporter: Gary Tully
>            Assignee: Gary Tully
>              Labels: JAAS, Security
>             Fix For: 5.5.0
>
>
> The GuestLoginModule currently always allows login so it is a handy default. In the case where two login modules are configured, it is nice to have the guest login module only succeed if there are no password credentials such that the second module gets a chance to authenticate. This ensures that only anonymous users (or users that do not supply a password, map to guest, where as any user that supplies a password will have to pass authorization or fail.
>  
> Without this option, and using GuestLoginModule sufficient, a failed authentication attempt will map you to the guest user.
> This enhancement will implement the credentialsInvalidate attribute.
> With the following config, if you don't specify a password you are guest. If you do specify a valid username/password pair you will authenticate, else you are rejected.
> {code}
> activemq-guest-when-no-creds-only-domain {
>     org.apache.activemq.jaas.GuestLoginModule sufficient
>        debug=true
>        credentialsInvalidate=true
>        org.apache.activemq.jaas.guest.user="guest"
>        org.apache.activemq.jaas.guest.group="guests";
>     org.apache.activemq.jaas.PropertiesLoginModule requisite
>         debug=true
>         org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
>         org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
> };
> {code}

-- 
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira