Posted to issues@activemq.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2022/08/17 05:45:00 UTC
[jira] [Commented] (AMQ-8987) EncryptableLDAPLoginModule does not support AES encryption schemes
[ https://issues.apache.org/jira/browse/AMQ-8987?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17580595#comment-17580595 ]
ASF subversion and git services commented on AMQ-8987:
------------------------------------------------------
Commit 8214bb839a73d0d7b0d38c907522ebdffee56c31 in activemq's branch refs/heads/main from Jean-Baptiste Onofré
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=8214bb839 ]
Merge pull request #857 from Charlie-chenchrl/AMQ-8987
AMQ-8987 EncryptableLDAPLoginModule support wider password encryption…
> EncryptableLDAPLoginModule does not support AES encryption schemes
> ------------------------------------------------------------------
>
> Key: AMQ-8987
> URL: https://issues.apache.org/jira/browse/AMQ-8987
> Project: ActiveMQ
> Issue Type: Bug
> Affects Versions: 5.17.1, 5.16.5
> Reporter: Charlie Chen
> Assignee: Jean-Baptiste Onofré
> Priority: Major
> Fix For: 5.18.0, 5.17.2, 5.16.6
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When the encryptionAlgorithm field of EncryptableLDAPLoginModule is set to a more modern PBE algorithm, for example "PBEWITHHMACSHA256ANDAES_256", decrypting the encrypted password specified in connectionPassword throws org.jasypt.exceptions.EncryptionOperationNotPossibleException.
> Example login.config:
> {code:java}
> org.apache.activemq.jaas.EncryptableLDAPLoginModule required
> debug=true
> initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
> connectionURL="ldap://localhost:1024"
> connectionUsername="uid=admin,ou=system"
> connectionPassword="ENC(l3ZDKzR+ADzlmYr2Csd/CBXnFRd5Jk02JGKaraMHc7NRQp5amOxvHbuUCQNUQ0cE)"
> connectionProtocol=s
> authentication=simple
> userBase="ou=system"
> userSearchMatching="(uid={0})"
> userSearchSubtree=false
> roleBase="ou=system"
> roleName=dummyRoleName
> roleSearchMatching="(uid={1})"
> roleSearchSubtree=false
> encryptionAlgorithm=PBEWITHHMACSHA256ANDAES_256
> encryptionPassword="activemq"
> ; {code}
> The error we get on the client is:
> {code:java}
> Caused by: java.lang.SecurityException: User name [admin] or password is invalid.
> at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:97)
> at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:68)
> at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)
> at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:852)
> at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)
> at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
> at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:335)
> at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:200)
> at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
> at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)
> at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)
> at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
> at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:172)
> at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
> at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
> at java.lang.Thread.run(Thread.java:750)
> Caused by: javax.security.auth.login.LoginException: org.jasypt.exceptions.EncryptionOperationNotPossibleException
> at org.jasypt.encryption.pbe.StandardPBEByteEncryptor.decrypt(StandardPBEByteEncryptor.java:1169)
> at org.jasypt.encryption.pbe.StandardPBEStringEncryptor.decrypt(StandardPBEStringEncryptor.java:738)
> at org.jasypt.properties.PropertyValueEncryptionUtils.decrypt(PropertyValueEncryptionUtils.java:72)
> at org.jasypt.properties.EncryptableProperties.decode(EncryptableProperties.java:230)
> at org.jasypt.properties.EncryptableProperties.get(EncryptableProperties.java:209)
> at org.apache.activemq.jaas.LDAPLoginModule.initialize(LDAPLoginModule.java:91)
> at org.apache.activemq.jaas.EncryptableLDAPLoginModule.initialize(EncryptableLDAPLoginModule.java:66)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:736)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:92)
> at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:68)
> at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)
> at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:852)
> at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)
> at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
> at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:335)
> at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:200)
> at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
> at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)
> at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)
> at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
> at org.apache.activemq.transport.tcp.SslTransport.doConsume(SslTransport.java:172)
> at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
> at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
> at java.lang.Thread.run(Thread.java:750)
> at javax.security.auth.login.LoginContext.invoke(LoginContext.java:856)
> at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
> at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
> at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
> at org.apache.activemq.security.JaasAuthenticationBroker.authenticate(JaasAuthenticationBroker.java:92) {code}