Posted to issues@activemq.apache.org by "Jeff Mesnil (JIRA)" <ji...@apache.org> on 2016/07/12 08:54:20 UTC

[jira] [Commented] (ARTEMIS-617) Improve Container-managed security in resource adapter

    [ https://issues.apache.org/jira/browse/ARTEMIS-617?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15372545#comment-15372545 ] 

Jeff Mesnil commented on ARTEMIS-617:
-------------------------------------

Artemis RA also uses the username/password credential in its recovery configuration.

If the credentials are not specified by the RA, recovery will not work.
But if the credentials are specified by the RA, they take precedence over the domain's subject and container-managed security will not work.

A possible solution would be to add 2 properties to the resource adapter: recoveryUserName and recoveryPassword that would only be used to configure recovery.
In order to avoid having to specify multiple times, these 2 properties would only be used in the absence of the regular userName and password:
* if userName and password are null, use recoveryUserName and recoveryPassword to configure the recovery
* else use userName and password to configure the recovery.

A user would then be able to use container-managed security and recovery by only specifying the recoveryUserName and recoveryPassword.

What do you think?

> Improve Container-managed security in resource adapter
> ------------------------------------------------------
>
>                 Key: ARTEMIS-617
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-617
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>    Affects Versions: 1.1.0, 1.2.0
>            Reporter: Jeff Mesnil
>
> Artemis RA has been coded to support container-managed security.
> If there is a security domain specified for its resource adapter, Artemis
> ManagedConnection will use the security's Subject for its
> authentication on the broker side.
> However there is one use case that is not working as I expect.
> When the user specifies credentials when calling the RA's
> ConnectionFactory methods, Artemis discards them if there is a subject
> from the SecurityDomain.
> The correct behaviour should be the opposite: (more specific) credential parameters from the ConnectionRequestInfo should have precedence over the (more general) Subject's from the security domain.
> The new code path would be:
> * If there are credentials from the ConnectionRequestInfo, use them
> * else if there is a Subject, use it
> * else raise an exception.
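
The two precedence rules discussed in this thread (connection credentials in the issue description, recovery credentials in the comment), shown side by side as an added example that is not Artemis code and not part of the original message. The `Credentials` and `DomainSubject` types and both method names are hypothetical stand-ins; `recoveryUserName` and `recoveryPassword` are the properties proposed in the comment.

```java
import java.util.Optional;

// Added illustration, not Artemis code. All types and method names are hypothetical.
public class RaCredentialPrecedence {
    record Credentials(String user, String password) {}
    // Stand-in for the Subject supplied by the container's security domain.
    record DomainSubject(Credentials principal) {}

    // Connection path from the issue description:
    // ConnectionRequestInfo credentials first, then the Subject, else fail.
    static Credentials forConnection(Credentials requestInfo, DomainSubject subject) {
        if (requestInfo != null) return requestInfo;
        if (subject != null) return subject.principal();
        throw new SecurityException("no credentials in the request and no Subject");
    }

    // Recovery path from the comment: the regular pair wins; the recovery pair
    // is consulted only when userName and password are both null.
    static Optional<Credentials> forRecovery(String userName, String password,
                                             String recoveryUserName, String recoveryPassword) {
        if (userName != null || password != null) {
            return Optional.of(new Credentials(userName, password));
        }
        if (recoveryUserName != null) {
            return Optional.of(new Credentials(recoveryUserName, recoveryPassword));
        }
        return Optional.empty(); // nothing configured: recovery cannot authenticate
    }

    public static void main(String[] args) {
        // Constructed sample values.
        DomainSubject subject = new DomainSubject(new Credentials("alice", "constructed-secret"));

        // Only the recovery pair is set: connections keep the caller's Subject,
        // while recovery authenticates with its own account.
        System.out.println(forConnection(null, subject).user());
        System.out.println(forRecovery(null, null, "recovery-svc", "constructed-secret").get().user());

        // Credentials passed on the ConnectionFactory call override the Subject.
        System.out.println(forConnection(new Credentials("bob", "constructed-secret"), subject).user());

        // Regular pair set: it is reused for recovery and the recovery pair is ignored.
        System.out.println(forRecovery("ra-user", "constructed-secret", "recovery-svc", "unused").get().user());
    }
}
```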


