Posted to users@servicemix.apache.org by Mukesh Mediratta <me...@mail.nih.gov> on 2006/08/09 06:38:04 UTC

JAAS Support

Has anyone configured JAAS Authentication and Authorization Services in
ServiceMix? Any details would be appreciated.

I notice security.xml, user-credentials properties, groups, etc. Is there
any document describing these?

Thanks
Mukesh Mediratta
-- 
View this message in context: http://www.nabble.com/JAAS-Support-tf2076691.html#a5719650
Sent from the ServiceMix - User forum at Nabble.com.


Re: JAAS Support

Posted by Guillaume Nodet <gn...@gmail.com>.
You need to implement a custom version of the AuthorizationMap [1] and
configure it in the security.xml [2] in place of the existing one.
Btw, I think the LDAP login module and AuthorizationMap would be a
good addition to ServiceMix ;-)

[1] http://servicemix.apache.org/dist/servicemix-3.0-incubating/site/servicemix-core/apidocs/org/apache/servicemix/jbi/security/acl/AuthorizationMap.html
[2] http://svn.apache.org/repos/asf/servicemix/smx3/trunk/distributions/apache-servicemix/src/main/release/conf/security.xml

On Tue, May 13, 2008 at 9:14 AM, pratibhaG <pr...@in2m.com> wrote:
>
>  I have done authentication with LDAP. But how can I achieve authorization?
>
>
>  --
>  View this message in context: http://www.nabble.com/JAAS-Support-tp5719650p17202506.html
>
>
> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>
>



-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/

Re: JAAS Support

Posted by pratibhaG <pr...@in2m.com>.
I have done authentication with LDAP. But how can I achieve authorization?


-- 
View this message in context: http://www.nabble.com/JAAS-Support-tp5719650p17202506.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: JAAS Support

Posted by "Lukasz L." <Lu...@sabre.com>.


gnodet wrote:
> 
> This is not really documented.  For the time being, you'll have to rely on
> the source code, but if you have any specific questions, feel free to ask.
> 

A question:

As you may know, you can get access to any JBI endpoint inside SM through
ANY HTTP endpoint using WS-Addressing, not only to the endpoint for which the
HTTP endpoint is a proxy. This raises a security issue, because one would like
to restrict access only to the proxied endpoint. Access to some service endpoint
in the middle of an internal flow can be unwanted.

I thought that this could be done using certain roles for services, but it
turned out that I'm getting an error "Endpoint is not authorized for this
user" on further services (after the message was authorized and routed correctly
through the HTTP proxy).

What is the right solution for the problem?
-- 
View this message in context: http://www.nabble.com/JAAS-Support-tp5719650s12049p14668783.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: JAAS Support

Posted by Tijs <t....@chello.nl>.
Hi,

I have been working out an example with JAAS as part of my upcoming book
"Open Source ESBs in Action", which includes lots of examples with ServiceMix
and Mule. So, with a shameless plug, you can look at
http://www.manning.com/rademakers for more details.

To use the default JAAS properties login configuration you don't have to do
a lot, actually.
You can use the following configuration on an HTTP endpoint:

<http:endpoint service="esb:SimpleAuthentication"
       endpoint="authEndpoint"
       targetService="esb:testComponent"
       targetEndpoint="testEndpoint"
       role="consumer" 
       locationURI="http://localhost:8192/AuthenticationService/"
       authMethod="basic"
       defaultMep="http://www.w3.org/2004/08/wsdl/in-only"/>

So you only have to set the authMethod attribute to basic.
Now you can only call this AuthenticationService with the default user smx
and password smx to have the exchange succeed.

If you would like more details about the JAAS configuration, just send me an
email at tijs@apache.org.

Best regards,

Tijs



Lukasz L. wrote:
> 
>   
> Is basic authentication configured this way:
> 
>   <http:basicAuthentication>
>     <http:basicAuthCredentials username="testuser" password="testpass" />
>   </http:basicAuthentication>
> 
> equal to 
> 
> authMethod="basic" 
> plus specifying the user's password in users-passwords.properties (and changes
> to groups.properties and security.xml)?
> 
> 
> 
> gnodet wrote:
>> 
>> This is not really documented.  For the time being, you'll have to rely
>> on
>> the source code, but if you have any specific questions, feel free to
>> ask.
>> 
>> On Dec 19, 2007 3:47 PM, Lukasz L. <Lu...@sabre.com> wrote:
>> 
>>>
>>> I'm joining the question:
>>> is there an example of doing this in a dynamic configuration?
>>> What is the current state of security in ServiceMix?
>> 
>> 
> 
> 

-- 
View this message in context: http://www.nabble.com/JAAS-Support-tp5719650s12049p14585753.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.
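
As an added illustration (not code from this thread, from ServiceMix, or from the book mentioned above), the following Python model shows how the pieces named in this thread fit together: credentials from an authMethod="basic" request checked against a users-passwords.properties style file, group membership taken from a groups.properties style file, and a role-based ACL per endpoint in the spirit of the role entries configured in security.xml and consulted through the AuthorizationMap that Guillaume points to. The property contents, the service QNames, the ACL and the route are constructed for the example. It also reproduces the situation Lukasz describes: a subject that is authorized at the HTTP consumer endpoint but rejected at a downstream endpoint whose ACL does not list any of its roles.

```python
"""Added example: a model of ServiceMix 3-style JAAS authentication and
role-based endpoint authorization. Not ServiceMix code; the property contents,
service QNames, ACL and route below are constructed for illustration."""
import base64
import hmac
from typing import Dict, Optional, Set

# Constructed sample in the format of conf/users-passwords.properties (user=password).
USERS_PASSWORDS = """\
# user=password
smx=smx
partner=partnerSecret
"""

# Constructed sample in the format of conf/groups.properties (group=user1,user2).
GROUPS = """\
# group=comma,separated,users
admin=smx
partners=partner,smx
"""

# Constructed ACL in the spirit of security.xml role entries:
# (service QName, endpoint name or "*", roles allowed). No matching entry => deny.
ACL = [
    ("{http://example.org/esb}SimpleAuthentication", "authEndpoint", {"admin", "partners"}),
    ("{http://example.org/esb}testComponent", "testEndpoint", {"admin"}),
]

# Constructed route: the HTTP consumer endpoint, then the endpoint it targets.
ROUTE = [
    ("{http://example.org/esb}SimpleAuthentication", "authEndpoint"),
    ("{http://example.org/esb}testComponent", "testEndpoint"),
]


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def group_principals(groups_text: str, user: str) -> Set[str]:
    """Names of the groups (roles) the user belongs to, per groups.properties."""
    return {
        group for group, members in parse_properties(groups_text).items()
        if user in (m.strip() for m in members.split(","))
    }


def basic_header(user: str, password: str) -> str:
    """Build the HTTP Basic Authorization header a client would send."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def authenticate_basic(authorization: Optional[str]) -> Optional[str]:
    """Validate a Basic header against users-passwords.properties; return the user
    name on success, None on any failure (malformed header, unknown user, bad password)."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    expected = parse_properties(USERS_PASSWORDS).get(user)
    # Constant-time comparison so a wrong password and an unknown user look alike.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def authorize(acl, service: str, endpoint: str, roles: Set[str]) -> bool:
    """Allow only if an ACL entry for this endpoint names one of the subject's roles.
    An endpoint with no entry is denied (fail closed)."""
    for svc, ep, allowed in acl:
        if svc == service and ep in ("*", endpoint):
            return bool(allowed & roles)
    return False


def handle_request(authorization: Optional[str], route) -> str:
    """Authenticate once at the HTTP consumer, then check the same subject against
    every endpoint on the route; a miss anywhere yields the error quoted in the thread."""
    user = authenticate_basic(authorization)
    if user is None:
        return "401 Unauthorized"
    roles = group_principals(GROUPS, user)
    for service, endpoint in route:
        if not authorize(ACL, service, endpoint, roles):
            return f"Endpoint is not authorized for this user: {service}:{endpoint}"
    return f"200 OK as {user} with roles {sorted(roles)}"


if __name__ == "__main__":
    print(handle_request(basic_header("smx", "smx"), ROUTE))
    print(handle_request(basic_header("partner", "partnerSecret"), ROUTE))
```

Run as is: smx is in both groups and passes every endpoint on the route; partner passes the consumer endpoint but is refused at testComponent:testEndpoint, which is the shape of the "Endpoint is not authorized for this user" failure Lukasz reports. In ServiceMix the decision taken by authorize() is the job of the AuthorizationMap configured in security.xml, so a custom AuthorizationMap, as Guillaume suggests, is where a different policy (for instance, one keyed on the entry endpoint rather than on static roles) would live.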


Re: JAAS Support

Posted by "Lukasz L." <Lu...@sabre.com>.
  
Is basic authentication configured this way:

  <http:basicAuthentication>
    <http:basicAuthCredentials username="testuser" password="testpass" />
  </http:basicAuthentication>

equal to 

authMethod="basic" 
plus specifying the user's password in users-passwords.properties (and changes
to groups.properties and security.xml)?



gnodet wrote:
> 
> This is not really documented.  For the time being, you'll have to rely on
> the source code, but if you have any specific questions, feel free to ask.
> 
> On Dec 19, 2007 3:47 PM, Lukasz L. <Lu...@sabre.com> wrote:
> 
>>
>> I'm joining the question:
>> is there an example of doing this in a dynamic configuration?
>> What is the current state of security in ServiceMix?
> 
> 

-- 
View this message in context: http://www.nabble.com/JAAS-Support-tp5719650s12049p14579701.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: JAAS Support

Posted by Mukesh Mediratta <me...@mail.nih.gov>.
Hi Guillaume,

My reply to your questions below :

GN: "What exactly do you mean by securing a queue ?  You mean that not
everybody can send a message to this queue ?"

MM: Yes, that is what we want to accomplish. Also, we do not want any
unauthorised client receiving data from the outbound queue.

GN: "In such a case, is the user mapped to ServiceMix or is it the user that
originally sent the message?"

MM: No. We are not sure how to do this. Could you please advise?

GN: "Or do you want to send the user identity in the JMS message in
some way?"

MM: No we are not looking for message level security.

We attempted implementing JAAS in an embedded ActiveMQ/ServiceMix configuration
and we failed.

1. Configure embedded ActiveMQ JMS with JAAS configuration, and we get the
error starting our service unit as given below. This code works fine without
JAAS security. In this case we changed the following files:

- ActiveMQ.xml (JAAS configuration in new files for ActiveMQ:
login.config, user.properties, group.properties)
- ServiceMix.xml (added user name, password to JMS flow)
- JNDI.xml (added username, password to manage ActiveMQ
managedConnectionFactory)
- login.properties (added loginModuleConfiguration for ActiveMQ-Domain)

After making these changes we tried restarting ServiceMix and we get the
following error.

We would appreciate your valuable inputs.

Thanks
Mukesh Mediratta


10:13:46,421 | INFO  | Timer-4    | ServiceUnitLifeCycle     | framework.ServiceUnitLifeCycle   97 | Starting service unit: caXchange-beans-su
10:13:46,453 | ERROR | Timer-4    | JCAFlow                  | cemix.jbi.nmr.flow.jca.JCAFlow  372 | Cannot create consumer for ServiceEndpoint[service={http://nci.nih.gov/caXchange}ctomRegistrationRollback,endpoint=ctomRegistrationRollbackEndpoint]
javax.jms.JMSException: User name or password is invalid.
 at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:46)
 at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1181)
 at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1263)
 at org.apache.activemq.ActiveMQConnection.createSession(ActiveMQConnection.java:276)
 at org.apache.activemq.ra.ManagedConnectionProxy.createSessionProxy(ManagedConnectionProxy.java:116)
 at org.apache.activemq.ra.ManagedConnectionProxy.createSession(ManagedConnectionProxy.java:106)
 at org.apache.servicemix.jbi.nmr.flow.jca.JCAFlow.sendJmsMessage(JCAFlow.java:579)
 at org.apache.servicemix.jbi.nmr.flow.jca.JCAFlow.onInternalEndpointRegistered(JCAFlow.java:369)
 at org.apache.servicemix.jbi.nmr.flow.jca.JCAFlow$1.internalEndpointRegistered(JCAFlow.java:195)
 at org.apache.servicemix.jbi.framework.EndpointRegistry.fireEvent(EndpointRegistry.java:520)
 at org.apache.servicemix.jbi.framework.EndpointRegistry.registerInternalEndpoint(EndpointRegistry.java:212)
 at org.apache.servicemix.jbi.framework.Registry.activateEndpoint(Registry.java:192)
 at org.apache.servicemix.jbi.framework.ComponentContextImpl.activateEndpoint(ComponentContextImpl.java:126)
 at org.apache.servicemix.common.endpoints.ProviderEndpoint.start(ProviderEndpoint.java:58)
 at org.apache.servicemix.bean.BeanEndpoint.start(BeanEndpoint.java:94)
 at org.apache.servicemix.common.endpoints.SimpleEndpoint.activate(SimpleEndpoint.java:55)
 at org.apache.servicemix.common.ServiceUnit.start(ServiceUnit.java:55)
 at org.apache.servicemix.common.BaseServiceUnitManager.start(BaseServiceUnitManager.java:151)
 at org.apache.servicemix.jbi.framework.ServiceUnitLifeCycle.start(ServiceUnitLifeCycle.java:103)
 at org.apache.servicemix.jbi.framework.ServiceAssemblyLifeCycle.start(ServiceAssemblyLifeCycle.java:130)
 at org.apache.servicemix.jbi.framework.DeploymentService.start(DeploymentService.java:374)
 at org.apache.servicemix.jbi.framework.AutoDeploymentService.checkPendingSAs(AutoDeploymentService.java:472)
 at org.apache.servicemix.jbi.framework.AutoDeploymentService.updateArchive(AutoDeploymentService.java:278)
 at org.apache.servicemix.jbi.framework.AutoDeploymentService.monitorDirectory(AutoDeploymentService.java:646)
 at org.apache.servicemix.jbi.framework.AutoDeploymentService.access$200(AutoDeploymentService.java:62)
 at org.apache.servicemix.jbi.framework.AutoDeploymentService$1.run(AutoDeploymentService.java:609)
 at java.util.TimerThread.mainLoop(Timer.java:512)
 at java.util.TimerThread.run(Timer.java:462)
Caused by: java.lang.SecurityException: User name or password is invalid.
 at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:84)
 at org.apache.activemq.broker.MutableBrokerFilter.addConnection(MutableBrokerFilter.java:92)
 at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:706)
 at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:86)
 at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:121)
 at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:294)
 at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:185)
 at org.apache.activemq.transport.TransportFilter.onCommand(TransportFilter.java:65)
 at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:133)
 at org.apache.activemq.transport.InactivityMonitor.onCommand(InactivityMonitor.java:122)
 at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:84)
 at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:137)
 at java.lang.Thread.run(Thread.java:595)
Caused by: javax.security.auth.login.LoginException: java.lang.NullPointerException
 at javax.security.auth.login.LoginContext.invoke(LoginContext.java:872)
 at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
 at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
 at java.security.AccessController.doPrivileged(Native Method)
 at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
 at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
 at org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:77)
 ... 12 more




gnodet wrote:
> 
> What exactly do you mean by securing a queue ?  You mean that not
> everybody can send a message to this queue ? In such a case, is the
> user mapped to ServiceMix or is it the user that originally sent the
> message ?  or you want to send the user identity in the JMS message in
> some way ?
> 
> On Mon, Jun 2, 2008 at 11:15 PM, Mukesh Mediratta <me...@mail.nih.gov>
> wrote:
>>
>> Hi Guillaume,
>>
>> Any development on this now? We are using ActiveMQ JMS queues for
>> inbound/outbound communication with our partner application. We want to
>> secure these inbound/outbound queues.
>>
>> We have an external ActiveMQ running and we are able to configure JAAS on
>> this. However, we are not able to configure ServiceMix components to pass
>> the user credentials when they have to communicate with ActiveMQ. Please
>> help us understand how to configure this.
>>
>> Thanks
>> Mukesh Mediratta
>>
>>
>>
>> gnodet wrote:
>>>
>>> This is not really documented.  For the time being, you'll have to rely
>>> on
>>> the source code, but if you have any specific questions, feel free to
>>> ask.
>>>
>>> On Dec 19, 2007 3:47 PM, Lukasz L. <Lu...@sabre.com> wrote:
>>>
>>>>
>>>> I'm joining the question:
>>>> is there an example of doing this in a dynamic configuration?
>>>> What is the current state of security in ServiceMix?
>>>>
>>>>
>>>> Mukesh Mediratta wrote:
>>>> >
>>>> > Has anyone configured JAAS Authentication and Authorization Services
>>>> > in ServiceMix? Any details would be appreciated.
>>>> >
>>>> > I notice security.xml, user-credentials properties, groups, etc. Is
>>>> > there any document describing these?
>>>> >
>>>> > Thanks
>>>> > Mukesh Mediratta
>>>> >
>>>>
>>>> --
>>>> View this message in context:
>>>> http://www.nabble.com/JAAS-Support-tp5719650s12049p14418363.html
>>>> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>>>>
>>>>
>>>
>>>
>>> --
>>> Cheers,
>>> Guillaume Nodet
>>> ------------------------
>>> Blog: http://gnodet.blogspot.com/
>>>
>>>
>>
>> --
>> View this message in context:
>> http://www.nabble.com/JAAS-Support-tp5719650p17610977.html
>> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>>
>>
> 
> 
> 
> -- 
> Cheers,
> Guillaume Nodet
> ------------------------
> Blog: http://gnodet.blogspot.com/
> 
> 

-- 
View this message in context: http://www.nabble.com/JAAS-Support-tp5719650p17625036.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: JAAS Support

Posted by Guillaume Nodet <gn...@gmail.com>.
What exactly do you mean by securing a queue ?  You mean that not
everybody can send a message to this queue ? In such a case, is the
user mapped to ServiceMix or is it the user that originally sent the
message ?  or you want to send the user identity in the JMS message in
some way ?

On Mon, Jun 2, 2008 at 11:15 PM, Mukesh Mediratta <me...@mail.nih.gov> wrote:
>
> Hi Guillaume,
>
> Any development on this now? We are using ActiveMQ JMS queues for
> inbound/outbound communication with our partner application. We want to
> secure these inbound/outbound queues.
>
> We have an external ActiveMQ running and we are able to configure JAAS on this.
> However, we are not able to configure ServiceMix components to pass the user
> credentials when they have to communicate with ActiveMQ. Please help us
> understand how to configure this.
>
> Thanks
> Mukesh Mediratta
>
>
>
> gnodet wrote:
>>
>> This is not really documented.  For the time being, you'll have to rely on
>> the source code, but if you have any specific questions, feel free to ask.
>>
>> On Dec 19, 2007 3:47 PM, Lukasz L. <Lu...@sabre.com> wrote:
>>
>>>
>>> I'm joining the question:
>>> is there an example of doing this in a dynamic configuration?
>>> What is the current state of security in ServiceMix?
>>>
>>>
>>> Mukesh Mediratta wrote:
>>> >
>>> > Has anyone configured JAAS Authentication and Authorization Services
>>> > in ServiceMix? Any details would be appreciated.
>>> >
>>> > I notice security.xml, user-credentials properties, groups, etc. Is
>>> > there any document describing these?
>>> >
>>> > Thanks
>>> > Mukesh Mediratta
>>> >
>>>
>>> --
>>> View this message in context:
>>> http://www.nabble.com/JAAS-Support-tp5719650s12049p14418363.html
>>> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>>>
>>>
>>
>>
>> --
>> Cheers,
>> Guillaume Nodet
>> ------------------------
>> Blog: http://gnodet.blogspot.com/
>>
>>
>
> --
> View this message in context: http://www.nabble.com/JAAS-Support-tp5719650p17610977.html
> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>
>



-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/

Re: JAAS Support

Posted by Mukesh Mediratta <me...@mail.nih.gov>.
Hi Guillaume,

Any development on this now? We are using ActiveMQ JMS queues for
inbound/outbound communication with our partner application. We want to
secure these inbound/outbound queues.

We have an external ActiveMQ running and we are able to configure JAAS on this.
However, we are not able to configure ServiceMix components to pass the user
credentials when they have to communicate with ActiveMQ. Please help us
understand how to configure this.

Thanks
Mukesh Mediratta



gnodet wrote:
> 
> This is not really documented.  For the time being, you'll have to rely on
> the source code, but if you have any specific questions, feel free to ask.
> 
> On Dec 19, 2007 3:47 PM, Lukasz L. <Lu...@sabre.com> wrote:
> 
>>
>> I'm joining the question:
>> is there an example of doing this in a dynamic configuration?
>> What is the current state of security in ServiceMix?
>>
>>
>> Mukesh Mediratta wrote:
>> >
>> > Has anyone configured JAAS Authentication and Authorization Services
>> > in ServiceMix? Any details would be appreciated.
>> >
>> > I notice security.xml, user-credentials properties, groups, etc. Is
>> > there any document describing these?
>> >
>> > Thanks
>> > Mukesh Mediratta
>> >
>>
>> --
>> View this message in context:
>> http://www.nabble.com/JAAS-Support-tp5719650s12049p14418363.html
>> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>>
>>
> 
> 
> -- 
> Cheers,
> Guillaume Nodet
> ------------------------
> Blog: http://gnodet.blogspot.com/
> 
> 

-- 
View this message in context: http://www.nabble.com/JAAS-Support-tp5719650p17610977.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.


Re: JAAS Support

Posted by Guillaume Nodet <gn...@gmail.com>.
This is not really documented.  For the time being, you'll have to rely on
the source code, but if you have any specific questions, feel free to ask.

On Dec 19, 2007 3:47 PM, Lukasz L. <Lu...@sabre.com> wrote:

>
> I'm joining the question:
> is there an example of doing this in a dynamic configuration?
> What is the current state of security in ServiceMix?
>
>
> Mukesh Mediratta wrote:
> >
> > Has anyone configured JAAS Authentication and Authorization Services in
> > ServiceMix? Any details would be appreciated.
> >
> > I notice security.xml, user-credentials properties, groups, etc. Is
> > there any document describing these?
> >
> > Thanks
> > Mukesh Mediratta
> >
>
> --
> View this message in context:
> http://www.nabble.com/JAAS-Support-tp5719650s12049p14418363.html
> Sent from the ServiceMix - User mailing list archive at Nabble.com.
>
>


-- 
Cheers,
Guillaume Nodet
------------------------
Blog: http://gnodet.blogspot.com/

Re: JAAS Support

Posted by "Lukasz L." <Lu...@sabre.com>.
I'm joining the question:
is there an example of doing this in a dynamic configuration?
What is the current state of security in ServiceMix?


Mukesh Mediratta wrote:
> 
> Has anyone configured JAAS Authentication and Authorization Services in
> ServiceMix? Any details would be appreciated.
> 
> I notice security.xml, user-credentials properties, groups, etc. Is there
> any document describing these?
> 
> Thanks
> Mukesh Mediratta
> 

-- 
View this message in context: http://www.nabble.com/JAAS-Support-tp5719650s12049p14418363.html
Sent from the ServiceMix - User mailing list archive at Nabble.com.