Allow JAAS GuestLoginModule to fail if users specify a password
---------------------------------------------------------------
Key: AMQ-3198
URL: https://issues.apache.org/jira/browse/AMQ-3198
Project: ActiveMQ
Issue Type: Improvement
Components: Broker
Affects Versions: 5.4.2
Reporter: Gary Tully
Assignee: Gary Tully
Fix For: 5.5.0
The GuestLoginModule currently always allows login so it is a handy default. In
the case where two login modules are configured, it is nice to have the guest
login module only succeed if there are no password credentials such that the
second module gets a chance to authenticate. This ensures that only anonymous
users (or users that do not supply a password, map to guest, where as any user
that supplies a password will have to pass authorization or fail.
Without this option, and using GuestLoginModule sufficient, a failed
authentication attempt will map you to the guest user.
This enhancement will implement the credentialsInvalidate attribute.
With the following config, if you don't specify a password you are guest. If
you do specify a valid username/password pair you will authenticate, else you
are rejected.
{code}
activemq-guest-when-no-creds-only-domain {
org.apache.activemq.jaas.GuestLoginModule sufficient
debug=true
credentialsInvalidate=true
org.apache.activemq.jaas.guest.user="guest"
org.apache.activemq.jaas.guest.group="guests";
org.apache.activemq.jaas.PropertiesLoginModule requisite
debug=true
org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
};
{code}
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
