For what it's worth, the
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule in
the Artemis code-base supports hashed passwords. It's based on the
PropertiesLoginModule from Classic.


Justin

On Thu, Dec 12, 2024 at 2:49 AM Ken Liao <kenlia...@gmail.com> wrote:

> Hi community,
>
> I have a question regarding securing ActiveMQ web console authentication.
>
> Here is my understanding of the current way to configure:
> 1. In login.config, it defines the loginModule "activemq" which is
> referenced by jetty.xml (imported in activemq.xml)
> 2. In activemq loginModule, it uses a PropertiesLoginModule defined in
> activemq.jaas.PropertiesLoginModule class, our own implementation
> 3. By default, there is no encryption/hashing; username and password are
> stored in plain text ("admin=admin" in users.properties)
>
> I want to enable hashing with a strong algorithm such as SHA-256
>
> I tried a few options:
>
> 1. I tried to specify the algorithm field in
>
> https://github.com/apache/activemq/blob/main/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java#L63
> but it seems like activemq.jaas.PropertiesLoginModule doesn't honor that.
> Am I reading the code wrong? I.e. this doesn't work
> ```
> activemq {
>     org.apache.activemq.jaas.PropertiesLoginModule required
>         algorithm="<the hashing algorithm>"
>         org.apache.activemq.jaas.properties.user="users.properties"
>         org.apache.activemq.jaas.properties.group="groups.properties";
> };
> ```
>
> 2. I tried to then use jetty.xml and instead of using the
> org.eclipse.jetty.jaas.JAASLoginService, I use HashLoginService. However,
> Jetty 9 and Jetty 11's HashLoginService
> <https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/security/HashLoginService.html>
> relies on
> https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/util/security/Password.html
> which can only use MD5 and DES. Those are no longer secure and broken for
> collision resistance.
>
>
> Any ideas of how I should proceed with that? I would also like to fix
> option 1 upstream if that's the case.
>
> Thanks,
> Ken
>
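As an added illustration of the hashed-credential check Ken is asking about (example code written for this thread, not ActiveMQ's or Artemis's own PropertiesLoginModule): a small Java helper that parses users.properties-style lines whose value is a salted, iterated PBKDF2-HMAC-SHA-256 entry instead of a plaintext password, and verifies a presented password with a constant-time comparison. The `PBKDF2:<iterations>:<salt>:<hash>` entry format, the class name and the method names are assumptions made for this example, and the sample properties text is constructed inline. It uses a salted, iterated derivation rather than a single SHA-256 digest because a fast unsalted hash gives little protection against offline guessing if the properties file leaks.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Illustrative helper (not ActiveMQ's or Artemis's code): verifies users.properties
 * entries stored as salted PBKDF2-HMAC-SHA256 hashes instead of plaintext.
 * Entry format (an assumption for this example):
 *   user=PBKDF2:<iterations>:<base64 salt>:<base64 derived key>
 */
public class HashedPropertiesVerifier {
    private static final String PREFIX = "PBKDF2";
    private static final int KEY_BITS = 256;
    private static final int SALT_BYTES = 16;

    // Produce the value to store in users.properties for a new password.
    public static String hash(char[] password, int iterations) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        byte[] dk = derive(password, salt, iterations);
        Base64.Encoder enc = Base64.getEncoder();
        return PREFIX + ":" + iterations + ":" + enc.encodeToString(salt) + ":" + enc.encodeToString(dk);
    }

    // PBKDF2-HMAC-SHA256 via the standard JCE provider.
    private static byte[] derive(char[] password, byte[] salt, int iterations) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, iterations, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    // Check a presented password against one stored entry using a constant-time compare.
    // Entries that are not in the hashed format (e.g. a leftover plaintext line) are
    // rejected outright rather than compared as plaintext, so the check fails closed.
    public static boolean verify(char[] password, String stored) throws Exception {
        if (stored == null) {
            return false;
        }
        String[] parts = stored.split(":");
        if (parts.length != 4 || !PREFIX.equals(parts[0])) {
            return false;
        }
        int iterations = Integer.parseInt(parts[1]);
        byte[] salt = Base64.getDecoder().decode(parts[2]);
        byte[] expected = Base64.getDecoder().decode(parts[3]);
        byte[] actual = derive(password, salt, iterations);
        return MessageDigest.isEqual(expected, actual);
    }

    // Parse "user=value" lines; comments and blank lines are skipped.
    public static Map<String, String> parseUsers(String text) {
        Map<String, String> users = new HashMap<>();
        for (String raw : text.split("\\R")) {
            String line = raw.trim();
            if (line.isEmpty() || line.startsWith("#")) {
                continue;
            }
            int eq = line.indexOf('=');
            if (eq > 0) {
                users.put(line.substring(0, eq).trim(), line.substring(eq + 1).trim());
            }
        }
        return users;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: generate a hashed entry for "admin" and build a mock properties file
        // that also contains one unhashed legacy line.
        String adminEntry = hash("admin".toCharArray(), 200_000);
        String usersProperties = "# constructed sample users.properties\n"
                + "admin=" + adminEntry + "\n"
                + "legacy=plaintext-secret\n";
        Map<String, String> users = parseUsers(usersProperties);

        System.out.println("admin with correct password: "
                + verify("admin".toCharArray(), users.get("admin")));
        System.out.println("admin with wrong password:   "
                + verify("wrong".toCharArray(), users.get("admin")));
        System.out.println("legacy plaintext entry:      "
                + verify("plaintext-secret".toCharArray(), users.get("legacy")));
    }
}
```

Compile and run with `javac HashedPropertiesVerifier.java && java HashedPropertiesVerifier`. The iteration count is stored alongside each entry so it can be raised for new users without invalidating existing ones, and `MessageDigest.isEqual` is used instead of `Arrays.equals` so the comparison time does not depend on where the first differing byte sits.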
