Incompatibility between ActiveMQ JAAS and Geronimo JAAS
-------------------------------------------------------

                 Key: GERONIMO-3084
                 URL: https://issues.apache.org/jira/browse/GERONIMO-3084
             Project: Geronimo
          Issue Type: Bug
      Security Level: public (Regular issues)
          Components: ActiveMQ
    Affects Versions: 1.2
            Reporter: Aman Nanner


I have reconfigured Geronimo so that the ActiveMQ broker loads its 
configuration from an external XML file.  Within this file, I have specified a 
security configuration for my queues and topics.  This is the file:

----
{code}
<beans>

  <!-- Allows us to use system properties as variables in this configuration file -->
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>

  <broker brokerName="localhost" useJmx="true" xmlns="http://activemq.org/config/1.0">

    <plugins>
      <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
      <jaasAuthenticationPlugin configuration="geronimo-admin" />

      <!-- lets configure a destination based authorization mechanism -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" read="admin" write="admin" admin="admin" />
              <authorizationEntry topic=">" read="admin" write="admin" admin="admin" />
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>

  </broker>

  <!-- lets create a command agent to respond to message based admin commands on the ActiveMQ.Agent topic
  <commandAgent xmlns="http://activemq.org/config/1.0"/>-->

</beans>
{code}
----

As can be seen, I am using the following JAAS login config domain: 
geronimo-admin.  This is the standard login domain that gets its users and 
groups from properties files.  However, when running the Geronimo server, JAAS 
cannot match up the "admin" role specified in the ActiveMQ XML file with the 
"admin" role specified in the groups.properties file for the "geronimo-admin" 
login domain.  The problem is that the ActiveMQ role is a principal of type 
{{org.apache.activemq.jaas.GroupPrincipal}}, while the Geronimo JAAS "admin" 
role is of the type 
{{org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal}}.  
Because these principals are different classes, they are not considered "equal" 
to each other by the {{equals()}} method on 
{{org.apache.activemq.jaas.GroupPrincipal}}.  The stack trace where the error 
occurs is here:

----
{code}
Thread [ActiveMQ Transport: tcp:///192.168.12.196:2453] (Suspended)
        GeronimoGroupPrincipal.equals(Object) line: 42
        HashMap<K,V>.eq(Object, Object) line: 299
        HashMap<K,V>.containsKey(Object) line: 381
        HashSet<E>.contains(Object) line: 182
        HashSet<E>(AbstractCollection<E>).retainAll(Collection<?>) line: 392
        JaasAuthenticationBroker$JaasSecurityContext(SecurityContext).isInOneOf(Set) line: 43
        AuthorizationBroker.addDestination(ConnectionContext, ActiveMQDestination) line: 64
        BrokerService$2(MutableBrokerFilter).addDestination(ConnectionContext, ActiveMQDestination) line: 152
        ManagedTopicRegion(AbstractRegion).lookup(ConnectionContext, ActiveMQDestination) line: 316
        ManagedTopicRegion(AbstractRegion).send(ConnectionContext, Message) line: 291
        ManagedRegionBroker(RegionBroker).send(ConnectionContext, Message) line: 385
        TransactionBroker.send(ConnectionContext, Message) line: 193
        AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId, ActiveMQMessage) line: 272
        AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command, ConsumerId) line: 237
        AdvisoryBroker.fireAdvisory(ConnectionContext, ActiveMQTopic, Command) line: 232
        AdvisoryBroker.addConnection(ConnectionContext, ConnectionInfo) line: 73
        CompositeDestinationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
        JaasAuthenticationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
        JaasAuthenticationBroker.addConnection(ConnectionContext, ConnectionInfo) line: 90
        AuthorizationBroker(BrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 82
        BrokerService$2(MutableBrokerFilter).addConnection(ConnectionContext, ConnectionInfo) line: 92
        TransportConnection.processAddConnection(ConnectionInfo) line: 706
        ConnectionInfo.visit(CommandVisitor) line: 121
        TransportConnection.service(Command) line: 294
        TransportConnection$1.onCommand(Object) line: 185
        MutexTransport(TransportFilter).onCommand(Object) line: 65
        WireFormatNegotiator.onCommand(Object) line: 133
        InactivityMonitor.onCommand(Object) line: 122
        TcpTransport(TransportSupport).doConsume(Object) line: 84
        TcpTransport.run() line: 137
        Thread.run() line: 595
{code}
----

Securing the ActiveMQ resources is an important component of securing a 
production server, so some way of resolving this issue should be determined.

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
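The mechanism the report describes, as an added example that is not part of the issue and not code from ActiveMQ or Geronimo: the authorization check in the stack trace intersects the Subject's principals with the ACL's principals through {{HashSet.retainAll}}, so it depends entirely on {{equals()}}/{{hashCode()}}. The two principal classes below ({{BrokerGroupPrincipal}}, {{RealmGroupPrincipal}}) are hypothetical stand-ins with the same class-sensitive {{equals()}} the issue attributes to the real classes; with them, the {{equals()}}-based check rejects a Subject that the realm granted "admin", while a group-name comparison accepts it.

```java
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;

// Hypothetical stand-in for the broker-side group principal (the class an
// authorizationEntry expands to). Not the ActiveMQ source; it only reproduces
// the class-sensitive equals() the issue describes.
final class BrokerGroupPrincipal implements Principal {
    private final String name;
    BrokerGroupPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;
        return name.equals(((BrokerGroupPrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

// Hypothetical stand-in for the realm-side group principal that the login
// module puts into the Subject. Same shape, different class.
final class RealmGroupPrincipal implements Principal {
    private final String name;
    RealmGroupPrincipal(String name) { this.name = name; }
    @Override public String getName() { return name; }
    @Override public boolean equals(Object o) {
        if (this == o) return true;
        if (o == null || getClass() != o.getClass()) return false;
        return name.equals(((RealmGroupPrincipal) o).name);
    }
    @Override public int hashCode() { return name.hashCode(); }
}

public final class PrincipalMismatchDemo {

    // Mirrors the check in the stack trace: the Subject's principals are
    // intersected with the ACL's principals via HashSet.retainAll, which
    // calls hashCode()/equals() on the principal objects.
    static boolean isInOneOfByEquals(Set<Principal> subjectPrincipals, Set<Principal> allowed) {
        Set<Principal> common = new HashSet<>(subjectPrincipals);
        common.retainAll(allowed);
        return !common.isEmpty();
    }

    // Hypothetical workaround: compare group names instead of principal objects,
    // restricted to principals that represent groups, so a *user* principal
    // named "admin" cannot satisfy a group entry in the ACL.
    static boolean isInOneOfByGroupName(Set<Principal> subjectPrincipals, Set<Principal> allowed) {
        Set<String> allowedGroups = new HashSet<>();
        for (Principal p : allowed) {
            if (isGroup(p)) allowedGroups.add(p.getName());
        }
        for (Principal p : subjectPrincipals) {
            if (isGroup(p) && allowedGroups.contains(p.getName())) return true;
        }
        return false;
    }

    // Discriminator for "this principal is a group": here the two stand-in
    // classes; a real deployment needs its own rule for the realm's classes.
    private static boolean isGroup(Principal p) {
        return p instanceof BrokerGroupPrincipal || p instanceof RealmGroupPrincipal;
    }

    public static void main(String[] args) {
        // Constructed input: the realm granted group "admin"; the queue=">"
        // entry requires "admin" expressed as the broker's own principal class.
        Set<Principal> fromLogin = new HashSet<>();
        fromLogin.add(new RealmGroupPrincipal("admin"));

        Set<Principal> queueAcl = new HashSet<>();
        queueAcl.add(new BrokerGroupPrincipal("admin"));

        System.out.println("equals()-based check:   " + isInOneOfByEquals(fromLogin, queueAcl));
        System.out.println("group-name-based check: " + isInOneOfByGroupName(fromLogin, queueAcl));
    }
}
```

The caveat a name-based comparison carries is the reason for the {{isGroup}} filter: without it, any principal whose name happens to be "admin", including a user principal, would pass a group ACL entry. Whatever discriminator a real fix uses (a shared interface, a class whitelist, or a mapping of realm principals onto the broker's principal class at login time), it has to keep user and group namespaces apart.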
