Re: ActiveMQ Classic web console and Jolokia authentication mechanism

Thu, 12 Dec 2024 07:13:00 -0800 

As others have alluded to you will just need to update the login module to
support it, JAAS is quite flexible and you can implement a custom login
module anyway you want.

On Thu, Dec 12, 2024 at 9:00 AM Justin Bertram <jbert...@apache.org> wrote:

> For what it's worth, the
> org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule in
> the Artemis code-base supports hashed passwords. It's based on the
> PropertiesLoginModule from Classic.
>
>
> Justin
>
> On Thu, Dec 12, 2024 at 2:49 AM Ken Liao <kenlia...@gmail.com> wrote:
>
> > Hi community,
> >
> > I have a question regarding securing ActiveMQ web console authentication.
> >
> > Here is my understanding of the current way to configure:
> > 1. In login.config, it defines the loginModule "activemq" which is
> > referenced by jetty.xml (imported in activemq.xml)
> > 2. In activemq loginModule, it uses a PropertiesLoginModule defined in
> > activemq.jaas.PropertiesLoginModule class, our own implementation
> > 3. By default, there is no encryption/hashing, username and password is
> > stored by plain-text ("admin=admin" in users.properties)
> >
> > I want to enable hashing with a strong algorithm such SHA-256
> >
> > I tried a few options:
> >
> > 1. I tried to specify the algorithm field in
> >
> >
> https://github.com/apache/activemq/blob/main/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java#L63
> > but it seems like activemq.jaas.PropertiesLoginModule doesn't honor that.
> > Am I reading the code wrong? I.E this doesn't work
> > ```
> > activemq {
> >     org.apache.activemq.jaas.PropertiesLoginModule required
> >         algorithm="<the hashing algorithm>"
> >         org.apache.activemq.jaas.properties.user="users.properties"
> >         org.apache.activemq.jaas.properties.group="groups.properties";
> > };
> > ```
> >
> > 2. I tried to then use jetty.xml and instead of using the
> > org.eclipse.jetty.jaas.JAASLoginService, I use HashLoginService. However,
> > Jetty 9 and Jetty 11's HashLoginService
> > <
> >
> https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/security/HashLoginService.html
> > >relies
> > on
> >
> >
> https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/util/security/Password.html
> > which can only use MD5 and DES. Those are no longer secure and broken for
> > collision resistance.
> >
> >
> > Any ideas of how I should proceed with that? I would also like to fix
> > option 1 upstream if that's the case.
> >
> > Thanks,
> > Ken
> >
>

Reply via email to