Hi Ken

The WebConsole uses the security constraints defined in conf/jetty.xml.
It uses the Jetty JAASLoginService to "wrap" the ActiveMQRealm and roles.
The ActiveMQRealm is defined in login.config, where you define the
JAAS login modules you want to use (with optional and required ones;
it's for instance the way to define an LDAP login module).

The broker itself uses authentication/authorization plugins.

The PropertiesLoginModule (in the activemq-jaas module) doesn't support
encrypted users/passwords, just plain passwords:

String password = users.getProperty(user);

I would suggest improving the PropertiesLoginModule, similar to what
we have in Apache Karaf.

Regards
JB



On Thu, Dec 12, 2024 at 9:40 AM Ken Liao <kenlia...@gmail.com> wrote:
>
> Hi community,
>
> I have a question regarding securing ActiveMQ web console authentication.
>
> Here is my understanding of the current way to configure:
> 1. In login.config, it defines the loginModule "activemq" which is
> referenced by jetty.xml (imported in activemq.xml)
> 2. In activemq loginModule, it uses a PropertiesLoginModule defined in
> activemq.jaas.PropertiesLoginModule class, our own implementation
> 3. By default, there is no encryption/hashing, username and password is
> stored by plain-text ("admin=admin" in users.properties)
>
> I want to enable hashing with a strong algorithm such as SHA-256.
>
> I tried a few options:
>
> 1. I tried to specify the algorithm field in
> https://github.com/apache/activemq/blob/main/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java#L63
> but it seems like activemq.jaas.PropertiesLoginModule doesn't honor that.
> Am I reading the code wrong? I.e. this doesn't work:
> ```
> activemq {
>     org.apache.activemq.jaas.PropertiesLoginModule required
>         algorithm="<the hashing algorithm>"
>         org.apache.activemq.jaas.properties.user="users.properties"
>         org.apache.activemq.jaas.properties.group="groups.properties";
> };
> ```
>
> 2. I tried to then use jetty.xml and instead of using the
> org.eclipse.jetty.jaas.JAASLoginService, I use HashLoginService. However,
> Jetty 9 and Jetty 11's HashLoginService
> <https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/security/HashLoginService.html>
> relies on
> https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/util/security/Password.html
> which can only use MD5 and DES. Those are no longer secure and broken for
> collision resistance.
>
>
> Any ideas of how I should proceed with that? I would also like to fix
> option 1 upstream if that's the case.
>
> Thanks,
> Ken
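The thread points at the one-line plain-text lookup in PropertiesLoginModule and at Karaf's approach of storing a hash in the properties file instead. The class below is an added illustration, not code from ActiveMQ, Karaf or either poster: it shows what the credential check of a properties-backed login module looks like once the stored value may be a hash. The `{PBKDF2}iterations:base64(salt):base64(hash)` entry format, the class name `HashedPropertiesCredential` and the `PBKDF2WithHmacSHA256` choice are assumptions made here for the example (Karaf's default is an unsalted single-pass digest, which is why a salted, iterated KDF is used instead). In a real login module, `verify()` would replace the `users.getProperty(user)` equality check in `login()`; legacy plain entries are still accepted so an existing users.properties keeps working while entries are migrated.

```java
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Added example: hashed-password verification for a properties-backed JAAS
 * login module. Stored value format (assumed for this example, not ActiveMQ's
 * or Karaf's): user={PBKDF2}iterations:base64(salt):base64(hash)
 * A value without the {PBKDF2} prefix is treated as a legacy plain-text
 * password, which is all activemq-jaas PropertiesLoginModule handles today.
 */
public class HashedPropertiesCredential {

    private static final String PREFIX = "{PBKDF2}";
    private static final String ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    /** Produce a users.properties value from a clear-text password. */
    public static String hash(char[] password, int iterations) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] derived = derive(password, salt, iterations);
        Base64.Encoder b64 = Base64.getEncoder();
        return PREFIX + iterations + ":" + b64.encodeToString(salt) + ":" + b64.encodeToString(derived);
    }

    /** Verify a presented password against a stored entry (hashed or legacy plain text). */
    public static boolean verify(char[] presented, String stored) throws Exception {
        if (stored == null) {
            return false; // unknown user
        }
        if (!stored.startsWith(PREFIX)) {
            // Legacy plain-text entry: constant-time compare instead of String.equals.
            byte[] a = new String(presented).getBytes(StandardCharsets.UTF_8);
            byte[] b = stored.getBytes(StandardCharsets.UTF_8);
            return MessageDigest.isEqual(a, b);
        }
        String[] parts = stored.substring(PREFIX.length()).split(":", 3);
        if (parts.length != 3) {
            return false; // malformed entry: fail closed
        }
        try {
            int iterations = Integer.parseInt(parts[0]);
            byte[] salt = Base64.getDecoder().decode(parts[1]);
            byte[] expected = Base64.getDecoder().decode(parts[2]);
            byte[] actual = derive(presented, salt, iterations);
            return MessageDigest.isEqual(expected, actual); // constant-time
        } catch (IllegalArgumentException malformed) {
            return false; // bad iteration count or base64: fail closed
        }
    }

    private static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // Constructed users.properties content: one hashed entry and one legacy plain entry.
        // Properties.load splits on the first '=' only, so ':' inside the value is kept.
        String hashedAdmin = hash("admin".toCharArray(), 100_000);
        Properties users = new Properties();
        users.load(new StringReader("admin=" + hashedAdmin + "\nlegacy=secret\n"));

        System.out.println("stored admin entry:   " + users.getProperty("admin"));
        System.out.println("hashed admin, right:  " + verify("admin".toCharArray(), users.getProperty("admin")));
        System.out.println("hashed admin, wrong:  " + verify("Admin".toCharArray(), users.getProperty("admin")));
        System.out.println("legacy plain, right:  " + verify("secret".toCharArray(), users.getProperty("legacy")));
        System.out.println("unknown user:         " + verify("x".toCharArray(), users.getProperty("nobody")));
    }
}
```

Two details carry the security weight here: the salt and iteration count live in the stored value so each entry can be upgraded independently, and both branches compare with `MessageDigest.isEqual` so a lookup against a plain entry does not leak the prefix length through timing. A login module built on this would also need to decide how a hashed users.properties interacts with reload-on-change and with the broker-side authentication plugins, which this example does not cover.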
