[ https://issues.apache.org/jira/browse/ARTEMIS-1386?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16153579#comment-16153579 ]
Gary Tully commented on ARTEMIS-1386:
-------------------------------------

I think there must be some other amqp acceptor in the mix that supports sasl-plain. The one on port 5672 will only advertise Gssapi.

> With enabled kerberos auth, acceptor allows PLAIN auth sasl users in, even when GSSAPI is the only defined sasl mechanism on transport
> --------------------------------------------------------------------------------------------------------------------------------------
>
> Key: ARTEMIS-1386
> URL: https://issues.apache.org/jira/browse/ARTEMIS-1386
> Project: ActiveMQ Artemis
> Issue Type: Bug
> Components: AMQP, Broker
> Affects Versions: 2.4.0
> Environment: Artemis built from sources
> last git commit 098d69b63c81d9b2aa2c58c30d921d30472e57f8 (Sept 1)
> Reporter: Michal Toth
>
> Enable all AMQP authentication & authorization to be performed by GSSAPI (kerberos), so user can send and receive messages w/o problems using kerberos credentials.
> Define broker amqp acceptor to accept only GSSAPI auth mechanism.
> {noformat}
> <acceptor name="amqp">tcp://0.0.0.0:5672?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
> {noformat}
> Users authentication over PLAIN sasl mechanism should not be allowed. Only Kerberized ones. This is not working actually.
> I am able to send/receive a message using plain over AMQP, with such defined saslMechanisms as above.
> login.config
> {noformat}
> activemq {
>     org.apache.activemq.artemis.spi.core.security.jaas.Krb5LoginModule optional
>         debug=true;
>     org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
>         debug=true
>         reload=true
>         org.apache.activemq.jaas.properties.user="artemis-users.properties"
>         org.apache.activemq.jaas.properties.role="artemis-roles.properties";
> };
> mykerberos {
>     com.sun.security.auth.module.Krb5LoginModule required
>         isInitiator=false
>         storeKey=true
>         useKeyTab=true
>         keyTab="/opt/amqp-service.keytab"
>         principal="amqp/hostn...@my.realm.com"
>         debug=true;
> };
> {noformat}
> {noformat}
> users properties
> admin = ENC(1024:31461C31F100DA2D4363030BD70AB79BD1693552737AB4951B9B733770B60F40:B97C0DE92D4C0A17C2FE572E206A8F8806EFDFEBA456ED96AC1570E12E3F1BEC8314FA9744AC7EFD95DA939FACA2EA829CF3F46C96268F6B9140C74A2E1EE4D3)
> lala = lala
> ---
> roles.properties
> amq = admin,al...@mqe.redhat.com,lala
> readers = b...@mqe.redhat.com
> {noformat}

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
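
Added example (not part of the JIRA thread and not Artemis code): one way to check the comment's hypothesis is to list every acceptor in a broker.xml that can serve AMQP but is not restricted to GSSAPI. The sample XML is constructed and its second acceptor is hypothetical; the code assumes that an acceptor without `protocols=` serves AMQP and that one without `saslMechanisms=` falls back to defaults that include PLAIN.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample. "amqp" is the acceptor quoted in the report (buffer and
# credit options omitted); "artemis" is a hypothetical second acceptor.
BROKER_XML = """<core xmlns="urn:activemq:core"><acceptors>
<acceptor name="amqp">tcp://0.0.0.0:5672?protocols=AMQP;useEpoll=true;saslMechanisms=GSSAPI;saslLoginConfigScope=mykerberos</acceptor>
<acceptor name="artemis">tcp://0.0.0.0:61616?protocols=CORE,AMQP,STOMP</acceptor>
</acceptors></core>"""

ALLOWED = {"GSSAPI"}  # policy stated in the report: Kerberos only

def csv_set(value):
    """Comma-separated option value -> set of upper-cased tokens."""
    return {tok.strip().upper() for tok in value.split(",") if tok.strip()}

def acceptor_params(uri):
    """Query part of an acceptor URI -> dict of option name to value."""
    params = {}
    for pair in re.split(r"[;&]", uri.partition("?")[2]):
        key, sep, value = pair.partition("=")
        if sep:
            params[key.strip()] = value.strip()
    return params

def audit(xml_text, allowed=ALLOWED):
    """List (name, port, reason) per AMQP-capable acceptor not limited to `allowed`."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "acceptor":  # ignore XML namespace
            continue
        uri = (el.text or "").strip()
        params = acceptor_params(uri)
        protocols = csv_set(params.get("protocols", ""))
        # Assumption: no protocols= option means all protocols, AMQP included.
        if protocols and "AMQP" not in protocols:
            continue
        port = uri.partition("?")[0].rsplit(":", 1)[-1]
        extra = csv_set(params.get("saslMechanisms", "")) - allowed
        if "saslMechanisms" not in params:
            # Assumption: broker defaults apply here, and they include PLAIN.
            findings.append((el.get("name"), port, "saslMechanisms not set"))
        elif extra:
            findings.append((el.get("name"), port, "offers " + ",".join(sorted(extra))))
    return findings

if __name__ == "__main__":
    for name, port, reason in audit(BROKER_XML):
        print(f"acceptor {name!r} on port {port}: {reason}")
```

On the constructed sample only the second acceptor is reported, which is the situation the comment suspects: a client reaching that port is never subject to the `saslMechanisms=GSSAPI` restriction set on port 5672.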