Hi Ferry,
Here some notes I made when experimenting with JAAS and ActiveMQ some
time ago. They are kind of old and were written only for my personal use
- I hope they are still somehow helpful :)
Best wishes
--
Dietrich Bollmann
------------
During the login authentication, the LDAP login module does not compare
the user password with the one stored on the LDAP server directly.
Rather, it uses the user's userid and password to access some (possibly
dummy) data stored in the user's LDAP DN on behalf of the user. Only if
the LDAP server grants that access does the user authentication
succeed.
* ActiveMQ XML Configuration
ActiveMQ brokers are configured at startup using an XML configuration
file. For using the LDAP login module, the following attributes have to
be added to the <broker /> tag:
<broker ...>
  ...
  <plugins>
    <jaasAuthenticationPlugin configuration="LoginLdapConfiguration" />
  </plugins>
  ...
</broker>
By asking to use JAAS authentication (<plugins><jaasAuthenticationPlugin
... /></plugins>), all security-critical broker operations are filtered
by the JAAS login module. They are allowed only if the user has been
authenticated correctly relative to his user data stored in the LDAP
user information server.
The jaasLdapConfiguration attribute specifies how to access the relevant
user data on the central user information server. A data structure with
the same name has to be provided in a special configuration file.
* The LDAP Login Configuration File
The LDAP login configuration file contains all information necessary to
access the user authentication information on the user information LDAP
server.
The location of this file has to be given using the Java property
java.security.auth.login.config. This can be done in the broker
properties file or on the command line using the following option:
  -Djava.security.auth.login.config=/path/ldap-configuration-file
The information necessary for accessing the LDAP user information has to
be formatted as shown in the following example:
LoginLdapConfiguration {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://<ldap host>:<ldap port>/o=<...>"
        connectionUsername="uid=<...>,ou=<...>"
        connectionPassword=<password>
        connectionProtocol=s
        authentication=simple
        userBase="ou=Users"
        userRoleName=dummyUserRoleName
        userSearchMatching="(uid={0})"
        userSearchSubtree=false
        roleBase="ou=Users"
        roleName=dummyRoleName
        roleSearchMatching="(uid={1})"
        roleSearchSubtree=false
        ;
};
* Explanations:
LoginLdapConfiguration
This is the name of the configuration. All attributes necessary to
access the relevant user information on the LDAP server are given
between a pair of curly braces.
org.apache.activemq.jaas.LDAPLoginModule required
The Java sources of the LDAP login module.
debug=true
Activating / deactivating log messages.
initialContextFactory
The LDAP context factory used to get the initial context.
connectionURL
URL of the LDAP server [and optionally the Base DN to use]
connectionUsername
LDAP User DN (Distinguished Name)
connectionPassword
Password
connectionProtocol
The security protocol to use, ex: "s".
authentication
Authentication method to use, ex: "simple".
userRoleName
Name of attribute used for storing the user roles.
For authentication this attribute is optional; an attribute which
does not exist in the user information entry can also be used. Ex:
"dummyUserRoleName".
userBase
Name of the context to search for user entries and the values of
userRoleName.
userSearchMatching
Message format to generate the user search filter. A valid value is
obligatory for a successful user authentication.
{0} will be substituted with the full name of the user context,
example: "uid=peterb,ou=Users,o=TS". Note: This value is not usable to
search the LDAP user information service because only attributes are
allowed in the search expressions.[1]
{1} will be substituted with the username.
userSearchSubtree
Search one level of / the entire subtree rooted at userBase.
roleName
Name of another attribute used for storing user roles.
The user roles found here are added to those found as values of
userRoleName. The attribute values of userRoleName are accessed using
the security principal and credentials found in this configuration; the
values of 'roleName' are retrieved using the user's password (credential)
and DN (principal).
For authentication this attribute is optional; an attribute which
does not exist in the user information entry can also be used. Ex:
dummyRoleName.
NOTE: The login of the user only succeeds if he is allowed - or, in
the case of this attribute being a dummy attribute, would be allowed -
to retrieve the values of this attribute from the Penrose Server: During
the whole login process the user password is only checked by trying to
access this attribute. If the Penrose server rejects this query the
login procedure fails.[2]
roleBase
Name of the context to search for user roles using roleName.
roleSearchMatching
Format for searching the user roles specified in the attribute given
by roleName.
{0} will be substituted with the username.
roleSearchSubtree
Search one level of / the entire subtree rooted at roleBase.
* Footnotes
[1] See the paragraph "Search Filters" in The JNDI Tutorial.
http://java.sun.com/products/jndi/tutorial/basics/directory/filter.html
, http://java.sun.com/products/jndi/tutorial/trailmap.html
[2] Compare the notes on Penrose Authentication on the Penrose
Project pages.
http://docs.safehaus.org/display/PENROSE/Penrose+0.9.9+Authentication ,
http://docs.safehaus.org/display/PENROSE/Home
nazgul wrote:
Hi Adrian, thanks for the quick reply.
Here is the exception encountered when I start the broker:
Loading message broker from: xbean:activemq.xml
ERROR: java.lang.RuntimeException: Failed to execute start task. Reason:
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined
in class path resource [activemq.xml]: Can't resolve reference to bean
'groups' while setting property 'userGroups'; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'groups' defined in class path resource [activemq.xml]: Error
setting property values; nested exception is
org.springframework.beans.NotWritablePropertyException: Invalid property
'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not
writable or has an invalid setter method: Does the parameter type of the
setter match the return type of the getter?
ERROR: java.lang.Exception:
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'org.apache.activemq.security.SimpleAuthenticationPlugin' defined
in class path resource [activemq.xml]: Can't resolve reference to bean
'groups' while setting property 'userGroups'; nested exception is
org.springframework.beans.factory.BeanCreationException: Error creating bean
with name 'groups' defined in class path resource [activemq.xml]: Error
setting property values; nested exception is
org.springframework.beans.NotWritablePropertyException: Invalid property
'user1' of bean class [java.util.HashMap]: Bean property 'user1' is not
writable or has an invalid setter method: Does the parameter type of the
setter match the return type of the getter?
What happened with my configuration? Did I configure it wrong?
All I want to do is require simple authentication when clients connect
to the broker. I've tried using JAAS, but the client returns an error when
authenticating to the broker; the exception is a JMSException, something
about the user not being authorized to create the ActiveMQ.Advisory.Connection topic.
Where can I get the full reference to the XML configuration?
Regards,
Ferry
--
View this message in context:
http://www.nabble.com/Help+with+SimpleAuthenticationPlugin-t1697796.html#a4608332
Sent from the ActiveMQ - User forum at Nabble.com.
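Added example (not code from this thread or from the ActiveMQ project): a small Python checker for the two files Dietrich's notes describe. It parses a JAAS login configuration of the `Name { Module flag key=value ... ; };` form shown in the notes, then confirms that the `configuration` attribute of `<jaasAuthenticationPlugin>` in the broker XML names an entry that actually exists in that file, and that the LDAPLoginModule entry carries the options the notes call obligatory (`userSearchMatching` with a placeholder, plus the connection and base settings). The JAAS text and broker XML embedded below are constructed samples with a placeholder host and credentials; the grammar handled is the subset used in the notes, not the full JAAS syntax.

```python
"""Check an ActiveMQ broker XML against a JAAS login configuration file.
Added example, not ActiveMQ's own code. Samples below are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the LoginLdapConfiguration entry from
# the notes; host and credentials are placeholders, not real values.
SAMPLE_JAAS_CONFIG = """
LoginLdapConfiguration {
    org.apache.activemq.jaas.LDAPLoginModule required
        debug=true
        initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
        connectionURL="ldap://ldap.example.invalid:389/o=Example"
        connectionUsername="uid=broker,ou=Services,o=Example"
        connectionPassword=PLACEHOLDER_PASSWORD
        connectionProtocol=s
        authentication=simple
        userBase="ou=Users"
        userRoleName=dummyUserRoleName
        userSearchMatching="(uid={0})"
        userSearchSubtree=false
        roleBase="ou=Users"
        roleName=dummyRoleName
        roleSearchMatching="(uid={1})"
        roleSearchSubtree=false
        ;
};
"""

# Constructed broker XML that refers to the entry above by name.
SAMPLE_BROKER_XML = """
<broker xmlns="http://activemq.apache.org/schema/core">
  <plugins>
    <jaasAuthenticationPlugin configuration="LoginLdapConfiguration" />
  </plugins>
</broker>
"""

# Grammar subset handled:  Name { ModuleClass Flag [key=value ...] ; ... };
_ENTRY_RE = re.compile(r"(\w+)\s*\{(.*?)\};", re.S)
_MODULE_RE = re.compile(
    r"([\w.$]+)\s+(required|requisite|sufficient|optional)\b(.*?);", re.S | re.I)
_OPTION_RE = re.compile(r'([\w.]+)\s*=\s*("([^"]*)"|\S+)')

REQUIRED_LDAP_OPTIONS = ("initialContextFactory", "connectionURL",
                         "userBase", "userSearchMatching")
BOOLEAN_OPTIONS = ("debug", "userSearchSubtree", "roleSearchSubtree")


def parse_jaas_config(text):
    """Return {entry_name: [{"module", "flag", "options"}, ...]}."""
    entries = {}
    for name, body in _ENTRY_RE.findall(text):
        modules = []
        for cls, flag, opts in _MODULE_RE.findall(body):
            options = {}
            for key, raw, quoted in _OPTION_RE.findall(opts):
                # Quoted values keep their content; bare values are taken as-is.
                options[key] = quoted if raw.startswith('"') else raw
            modules.append({"module": cls, "flag": flag.lower(), "options": options})
        entries[name] = modules
    return entries


def check_broker_against_jaas(broker_xml, jaas_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    entries = parse_jaas_config(jaas_text)
    root = ET.fromstring(broker_xml.strip())
    # Match the element with or without the ActiveMQ default namespace.
    plugins = [e for e in root.iter()
               if e.tag.split("}")[-1] == "jaasAuthenticationPlugin"]
    if not plugins:
        return ["broker XML has no <jaasAuthenticationPlugin/> under <plugins>"]
    for plugin in plugins:
        name = plugin.get("configuration")
        if name is None:
            problems.append("jaasAuthenticationPlugin lacks the 'configuration' attribute")
            continue
        if name not in entries:
            problems.append("configuration '%s' not defined in JAAS config (have: %s)"
                            % (name, ", ".join(sorted(entries)) or "none"))
            continue
        for mod in entries[name]:
            if not mod["module"].endswith("LDAPLoginModule"):
                continue
            opts = mod["options"]
            for key in REQUIRED_LDAP_OPTIONS:
                if key not in opts:
                    problems.append("%s: missing %s" % (name, key))
            for key in BOOLEAN_OPTIONS:
                if key in opts and opts[key].lower() not in ("true", "false"):
                    problems.append("%s: %s must be true/false, got %r"
                                    % (name, key, opts[key]))
            usm = opts.get("userSearchMatching", "")
            if usm and "{0}" not in usm and "{1}" not in usm:
                problems.append("%s: userSearchMatching has no {0}/{1} placeholder" % name)
    return problems


if __name__ == "__main__":
    print(check_broker_against_jaas(SAMPLE_BROKER_XML, SAMPLE_JAAS_CONFIG) or "consistent")
```

Running the file reports "consistent" for the two samples. A name that is spelled differently in the XML attribute and in the configuration entry, or a missing `userSearchMatching`, is reported before the broker is started rather than surfacing as a login failure at runtime.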