[ https://issues.apache.org/jira/browse/AMQ-5236?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14038565#comment-14038565 ]
Claus Ibsen commented on AMQ-5236:
----------------------------------
It has never been the intention for ActiveMQ Broker security plugins to
authenticate web apps.
> Shiro Authentication and Authorization for ActiveMQ's Jetty Instance
> --------------------------------------------------------------------
>
> Key: AMQ-5236
> URL: https://issues.apache.org/jira/browse/AMQ-5236
> Project: ActiveMQ
> Issue Type: New Feature
> Components: webconsole
> Affects Versions: 5.10.0
> Environment: Any
> Reporter: Justin Reock
> Priority: Minor
> Labels: security
> Fix For: Unscheduled
>
>
> Shiro support for Authentication and Authorization was added to the ActiveMQ
> 5.10.0 release. Though the documentation states "The ActiveMQ Shiro plugin
> can secure all aspects of ActiveMQ," significant work must be done to enable
> support for authenticating into the web console, Jolokia, and anything else
> hosted by Jetty in the broker.
> The jetty-realm.properties file is still authoritative, and the jetty.xml
> configuration creates a security handler and loginService which will have to
> be undone to allow Shiro to be authoritative.
> My initial thought is to remove this authentication, and alter the web.xml
> files of the existing webapps to use Shiro Filters, though this course of
> action may change as more research is performed.