ActiveMQ Artemis uses JAAS [1] which uses pluggable "login modules" [2] configured via the login.config file in the etc directory of the broker instance. We ship a handful of our own login modules which you can peruse [3] for pointers on how to implement your own. Documentation is here [4].
Justin

[1] https://docs.oracle.com/en/java/javase/11/security/java-authentication-and-authorization-service-jaas-reference-guide.html
[2] https://docs.oracle.com/en/java/javase/11/docs/api/java.base/javax/security/auth/spi/LoginModule.html
[3] https://github.com/apache/activemq-artemis/tree/main/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/jaas
[4] https://activemq.apache.org/components/artemis/documentation/latest/security.html#authentication-authorization

On Sat, Mar 23, 2024 at 7:49 AM Mark Raynsford <org.apache.activ...@io7m.com> wrote:

> Hello!
>
> I'm working with a custom authentication mechanism for a few projects.
> I'd like to be able to implement that mechanism within ActiveMQ Artemis.
>
> Is there any documentation on adding new authentication mechanisms? It
> seems like I should be able to register a new SASL mechanism somewhere
> and then have ActiveMQ call my own code to do the authentication. If
> not, is there another method that's better suited than SASL?
>
> While the new authentication mechanism is documented in a specification,
> it's essentially "proprietary" and probably not of general use to others.
>
> For the morbidly curious: The connecting client forwards the public part
> of an Ed448 keypair. The server checks to see if the public key is
> registered in its own database. If not, authentication fails. If the
> public key _is_ known to the server, the server sends a long random
> string. The client signs the long random string, and sends it back. The
> server verifies the signature on the long random string (thus seeing if
> the client can prove that it owns the private key associated with the
> keypair). This is basically analogous to SSH public key authentication.
>
> --
> Mark Raynsford | https://www.io7m.com
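
The challenge-response exchange described in the quoted message, as an added example that is not part of the original thread and is not Artemis code. The class name, the in-memory key set standing in for the server's database, the 64-byte challenge length and the one-outstanding-challenge-per-key policy are assumptions; it needs JDK 15 or later for Ed448, and wiring it into a JAAS login module or SASL mechanism is not shown.

```java
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.*;
import java.util.concurrent.ConcurrentHashMap;

// Added example: server side of an Ed448 challenge-response login.
public class Ed448ChallengeAuth {
    private final Set<String> registered = ConcurrentHashMap.newKeySet();   // stand-in for the key database
    private final Map<String, byte[]> pending = new ConcurrentHashMap<>();  // outstanding challenges per key
    private final SecureRandom rng = new SecureRandom();

    private static String id(byte[] encodedKey) { return Base64.getEncoder().encodeToString(encodedKey); }

    public void register(byte[] encodedKey) { registered.add(id(encodedKey)); }

    // Step 1: the client presents its public key; unknown keys get no challenge.
    public Optional<byte[]> challenge(byte[] encodedKey) {
        if (!registered.contains(id(encodedKey))) return Optional.empty();
        byte[] nonce = new byte[64];
        rng.nextBytes(nonce);                        // fresh, unpredictable challenge per attempt
        pending.put(id(encodedKey), nonce);
        return Optional.of(nonce.clone());
    }

    // Step 2: verify the signature over the challenge this server issued.
    public boolean verify(byte[] encodedKey, byte[] signature) {
        byte[] nonce = pending.remove(id(encodedKey));  // single use: a replayed response finds no challenge
        if (nonce == null) return false;
        try {
            PublicKey key = KeyFactory.getInstance("Ed448").generatePublic(new X509EncodedKeySpec(encodedKey));
            Signature s = Signature.getInstance("Ed448");
            s.initVerify(key);
            s.update(nonce);
            return s.verify(signature);
        } catch (GeneralSecurityException e) {
            return false;                            // malformed key or signature counts as failure
        }
    }

    public static void main(String[] args) throws Exception {
        KeyPair client = KeyPairGenerator.getInstance("Ed448").generateKeyPair();  // constructed test client
        byte[] pub = client.getPublic().getEncoded();
        Ed448ChallengeAuth server = new Ed448ChallengeAuth();
        System.out.println("unregistered key gets challenge: " + server.challenge(pub).isPresent());
        server.register(pub);
        Signature s = Signature.getInstance("Ed448");
        s.initSign(client.getPrivate());
        s.update(server.challenge(pub).orElseThrow());
        byte[] sig = s.sign();
        System.out.println("first response accepted: " + server.verify(pub, sig));
        System.out.println("replayed response accepted: " + server.verify(pub, sig));
    }
}
```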