Hi community, I have a question regarding securing ActiveMQ web console authentication.
Here is my understanding of the current way to configure:

1. In login.config, it defines the loginModule "activemq" which is referenced by jetty.xml (imported in activemq.xml)
2. In the activemq loginModule, it uses a PropertiesLoginModule defined in the activemq.jaas.PropertiesLoginModule class, our own implementation
3. By default, there is no encryption/hashing; username and password are stored in plain text ("admin=admin" in users.properties)

I want to enable hashing with a strong algorithm such as SHA-256.

I tried a few options:

1. I tried to specify the algorithm field in https://github.com/apache/activemq/blob/main/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java#L63 but it seems like activemq.jaas.PropertiesLoginModule doesn't honor that. Am I reading the code wrong? I.e., this doesn't work:

```
activemq {
    org.apache.activemq.jaas.PropertiesLoginModule required
        algorithm="<the hashing algorithm>"
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
```

2. I then tried to use jetty.xml and, instead of using the org.eclipse.jetty.jaas.JAASLoginService, I use HashLoginService. However, Jetty 9 and Jetty 11's HashLoginService <https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/security/HashLoginService.html> relies on https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/util/security/Password.html which can only use MD5 and DES. Those are no longer secure and broken for collision resistance.

Any ideas of how I should proceed with that? I would also like to fix option 1 upstream if that's the case.

Thanks,
Ken
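Added example, not part of the original post and not ActiveMQ or Jetty code: a sketch of what hashed entries in a users.properties-style file and their verification can look like using only JDK classes. It goes beyond a single SHA-256 digest by using salted, iterated PBKDF2-HMAC-SHA256; the class name `HashedUsersFile`, the `pbkdf2-sha256:<iterations>:<salt>:<hash>` value format and the iteration count are assumptions made for illustration.

```java
import java.io.StringReader;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration. The "pbkdf2-sha256:<iterations>:<salt>:<hash>" value format
// is hypothetical; it is not a format ActiveMQ or Jetty is known to parse.
public class HashedUsersFile {
    static final String SCHEME = "pbkdf2-sha256";
    static final int ITERATIONS = 210_000; // assumed work factor
    static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    // Builds the value stored to the right of "user=" in the properties file.
    static String encode(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder b64 = Base64.getEncoder();
        return SCHEME + ":" + ITERATIONS + ":" + b64.encodeToString(salt)
                + ":" + b64.encodeToString(derive(password, salt, ITERATIONS));
    }

    // Rejects unknown users, plain-text entries and malformed entries.
    static boolean verify(Properties users, String user, char[] attempt) throws Exception {
        String[] p = users.getProperty(user, "").split(":");
        if (p.length != 4 || !SCHEME.equals(p[0])) return false;
        try {
            byte[] salt = Base64.getDecoder().decode(p[2]);
            byte[] expected = Base64.getDecoder().decode(p[3]);
            byte[] actual = derive(attempt, salt, Integer.parseInt(p[1]));
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (IllegalArgumentException e) {
            return false; // bad Base64, empty salt or invalid iteration count
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample file: one hashed entry and one legacy plain-text entry.
        Properties users = new Properties();
        users.load(new StringReader("admin=" + encode("sample-pass".toCharArray()) + "\nguest=guest\n"));
        System.out.println(verify(users, "admin", "sample-pass".toCharArray()));
        System.out.println(verify(users, "admin", "wrong".toCharArray()));
        System.out.println(verify(users, "guest", "guest".toCharArray()));
    }
}
```

The per-entry salt and iteration count are stored with the hash, so the work factor can be raised later without invalidating existing entries.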