Repository: activemq-artemis Updated Branches: refs/heads/master d7612531f -> bb8c11b1e
ARTEMIS-1435 - provide default jolokia-access.xml security policy in etc to lock down cors to http.host
Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo
Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/574e5c8c
Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/574e5c8c
Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/574e5c8c
Branch: refs/heads/master
Commit: 574e5c8c7bb2cb4b9a99b98b5c3c512d092365fe
Parents: d761253
Author: gtully <[email protected]>
Authored: Fri Sep 22 21:31:22 2017 +0100
Committer: gtully <[email protected]>
Committed: Mon Sep 25 10:37:09 2017 +0100
----------------------------------------------------------------------
 .../activemq/artemis/cli/commands/Create.java | 2 ++
 .../cli/commands/bin/artemis-service.xml | 1 +
 .../artemis/cli/commands/etc/artemis.profile | 2 +-
 .../cli/commands/etc/artemis.profile.cmd | 2 +-
 .../artemis/cli/commands/etc/jolokia-access.xml | 33 ++++++++++++++++++++
 .../activemq/cli/test/StreamClassPathTest.java | 1 +
 docs/user-manual/en/management-console.md | 6 ++++
 7 files changed, 45 insertions(+), 2 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
index aabb3fe..bd0b4cd 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/commands/Create.java
@@ -104,6 +104,7 @@ public class Create extends InputAbstract {
 public static final String ETC_GLOBAL_MAX_SPECIFIED_TXT = "etc/global-max-specified.txt";
 public static final String ETC_GLOBAL_MAX_DEFAULT_TXT = "etc/global-max-default.txt";
+ public static final String ETC_JOLOKIA_ACCESS_XML = "etc/jolokia-access.xml";
 @Arguments(description = "The instance directory to hold the broker's configuration and data. Path must be writable.", required = true)
 private File directory;
@@ -687,6 +688,7 @@ public class Create extends InputAbstract {
 // we want this variable to remain unchanged so that it will use the value set in the profile
 filters.remove("${artemis.instance}");
 write(ETC_BOOTSTRAP_XML, filters, false);
+ write(ETC_JOLOKIA_ACCESS_XML, filters, false);
 context.out.println("");
 context.out.println("You can now start the broker by executing: ");
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
index aab7f6c..cb98364 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/bin/artemis-service.xml
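Review bot: The new `write(ETC_JOLOKIA_ACCESS_XML, filters, false)` call renders the CORS policy once, at instance-creation time, from whatever `${http.host}` the filters map carries, and nothing ties it to the web binding afterwards; an operator who later rebinds the console in bootstrap.xml (or runs behind a different hostname) is left with an allow-origin list for the original host, and the usual reaction is to widen the pattern by hand. This is inferred from the neighbouring `write(ETC_BOOTSTRAP_XML, filters, false)` sharing the same filters; the enclosing method starts and ends outside the hunk. Worth a one-line comment at the call, `// jolokia-access.xml is filtered with ${http.host} at create time only; it must be edited by hand if the web binding changes later`, so the next maintainer does not assume it tracks bootstrap.xml.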
@@ -62,6 +62,7 @@
 <argument>-Dhawtio.offline="true"</argument>
 <argument>-Dhawtio.role=${role}</argument>
 <argument>-Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal</argument>
+ <argument>-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml</argument>
 <!-- Debug args: Uncomment to enable debug
 <argument>-agentlib:jdwp=transport=dt_socket,server=y,suspend=y,address=5005</argument>
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
index c982232..4173e32 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile
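Review bot: The added `-Djolokia.policyLocation` argument is only as good as the path resolving at runtime, and as far as I recall the Jolokia agent does not fail when the policy cannot be opened — it logs that no access restrictor was found and falls back to an allow-all restrictor, which silently reverts the console to the pre-commit behaviour. The three launchers in this commit spell the location three different ways (`%ARTEMIS_INSTANCE_URI%/etc/...` here, backslashes in the cmd profile, and a working-directory-relative `file:etc/...` in the sh profile), which makes that silent fallback more likely on at least one of them. Worth aligning all three on the `ARTEMIS_INSTANCE_URI` form used here and adding an XML comment next to the argument, `<!-- if this file cannot be loaded Jolokia logs a warning and runs unrestricted; check the startup log -->`. The enclosing `<service>` element starts and ends outside the hunk.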
@@ -28,7 +28,7 @@ ARTEMIS_INSTANCE_URI='${artemis.instance.uri}'
 # Java Opts
-JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
+JAVA_ARGS="${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx2G -Dhawtio.realm=activemq -Dhawtio.offline="true" -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=file:etc/jolokia-access.xml"
 #
 # There might be options that you only want to enable on specifc commands, like setting a JMX port
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
index 0d4cd46..0ed593e 100644
--- a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/artemis.profile.cmd
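Review bot: `-Djolokia.policyLocation=file:etc/jolokia-access.xml` is a working-directory-relative location, unlike the service wrapper in this same commit which anchors the policy to `ARTEMIS_INSTANCE_URI`; if the broker is started from any directory other than the instance root the file will not be found, and as far as I recall Jolokia then logs a warning and runs with no restrictor rather than refusing to start, so the lock-down this commit introduces quietly disappears. `ARTEMIS_INSTANCE_URI` is already defined a few lines above (it appears in the hunk header), so the argument can be anchored the same way as the other launchers, `-Djolokia.policyLocation=${ARTEMIS_INSTANCE_URI}/etc/jolokia-access.xml`, assuming the create-time filtering leaves that token alone. Either way a short comment above JAVA_ARGS, `# jolokia.policyLocation must resolve at startup; a missing policy file leaves the JMX-HTTP bridge unrestricted`, would save the next person from discovering this in production.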
@@ -28,7 +28,7 @@ rem Cluster Properties: Used to pass arguments to ActiveMQ Artemis which can be
 rem set ARTEMIS_CLUSTER_PROPS=-Dactivemq.remoting.default.port=61617 -Dactivemq.remoting.amqp.port=5673 -Dactivemq.remoting.stomp.port=61614 -Dactivemq.remoting.hornetq.port=5446
 rem Java Opts
-set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Dartemis.instance=%ARTEMIS_INSTANCE%
+set JAVA_ARGS=${java-opts} -XX:+PrintClassHistogram -XX:+UseG1GC -XX:+AggressiveOpts -XX:+UseFastAccessorMethods -Xms512M -Xmx1024M -Xbootclasspath/a:%ARTEMIS_HOME%\lib\${logmanager} -Djava.security.auth.login.config=%ARTEMIS_INSTANCE%\etc\login.config -Dhawtio.offline="true" -Dhawtio.realm=activemq -Dhawtio.role=${role} -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%\etc\jolokia-access.xml -Dartemis.instance=%ARTEMIS_INSTANCE%
 rem There might be options that you only want to enable on specifc commands, like setting a JMX port
 rem See https://issues.apache.org/jira/browse/ARTEMIS-318
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
new file mode 100644
index 0000000..aff5656
--- /dev/null
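Review bot: `-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%\etc\jolokia-access.xml` appends backslash path segments to a value that, by its name, is a URI, while artemis-service.xml in the same commit appends `/etc/jolokia-access.xml` to the same variable. Whether Java's file URL handler tolerates the mixed separators on Windows is not something this hunk shows, and since Jolokia (as far as I recall) falls back to an unrestricted policy when the location does not resolve, an unresolvable path here would be invisible except in the startup log. Using the same form as the service wrapper, `-Djolokia.policyLocation=%ARTEMIS_INSTANCE_URI%/etc/jolokia-access.xml`, removes the question; this also assumes `ARTEMIS_INSTANCE_URI` is set earlier in this file as it is in the sh profile, which is outside the hunk.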
+++ b/artemis-cli/src/main/resources/org/apache/activemq/artemis/cli/commands/etc/jolokia-access.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements. See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership. The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied. See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<!-- This policy file controls the Jolokia JMX-HTTP bridge security options for the web console.
+ see: https://jolokia.org/reference/html/security.html -->
+<restrict>
+
+ <cors>
+ <!-- Allow cross origin access from ${http.host} ... -->
+ <allow-origin>*://${http.host}*</allow-origin>
+
+ <!-- Check for the proper origin on the server side, too -->
+ <strict-checking/>
+ </cors>
+
+</restrict>
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java b/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
index c7fe76b..c802fb2 100644
--- a/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
+++ b/artemis-cli/src/test/java/org/apache/activemq/cli/test/StreamClassPathTest.java
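Review bot: The pattern `*://${http.host}*` in `<allow-origin>` is wider than the "lock down to http.host" the commit message describes: the trailing wildcard, presumably there to admit any port, also admits any origin whose host merely starts with the configured name, so with the default `localhost` an origin such as `http://localhost.example.com` passes the check, and `<strict-checking/>` does not help because that origin is genuinely what the browser sends. If I recall Jolokia's CORS matching correctly (`*` becomes `.*` in an anchored, case-insensitive regex), the port case can be covered without the suffix by replacing the single entry with two, `<allow-origin>*://${http.host}</allow-origin>` and `<allow-origin>*://${http.host}:*</allow-origin>`; please confirm against the Jolokia version Artemis ships. It is also worth a comment in the file that `<cors>` only governs cross-origin browser requests and that with no `<commands>` or `<mbean>` sections every MBean reachable through the bridge remains exposed to any authenticated console user, so operators know which control lives where. The missing trailing newline is cosmetic but will show up as noise in every future diff of this file.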
@@ -58,6 +58,7 @@ public class StreamClassPathTest {
 openStream(Create.ETC_COMMENTED_PING_TXT);
 openStream(Create.ETC_GLOBAL_MAX_SPECIFIED_TXT);
 openStream(Create.ETC_GLOBAL_MAX_DEFAULT_TXT);
+ openStream(Create.ETC_JOLOKIA_ACCESS_XML);
 }
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/574e5c8c/docs/user-manual/en/management-console.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/management-console.md b/docs/user-manual/en/management-console.md
index d7956c8..80d22bb 100644
--- a/docs/user-manual/en/management-console.md
+++ b/docs/user-manual/en/management-console.md
@@ -13,6 +13,12 @@ A login screen will be presented, if your broker is secure, you will need to use
+## Security
+
+That Jolokia JMX-HTTP bridge is secured via a policy file in the broker configuration directory: 'etc/jolokia-access.xml'.
+The contents of that file should be modified as described in the [Jolokia Security Guide](https://jolokia.org/reference/html/security.html).
+By default the console is locked down
+to 'localhost', pay particular attention to the 'CORS' restrictions when exposing the console web endpoint over the network.
 ## Console
