Not to be that person, but there is a valid point that it should be possible to separate the authN for service access and service management (even though authZ can make sure some users can only access the service and some users can only access the management).

BR,
- Simon

________________________________
From: Matt Pavlovich <mattr...@gmail.com>
Sent: 16 April 2024 05:06:09
To: users@activemq.apache.org
Subject: Re: ActiveMQ Classic v6.x - Encrypted passwords for web-based services

Note — This also falls under one of the goals for ActiveMQ 7.x’s non-Spring bootstrapping to support a single JAAS provider for all services, that uses broker-wide crypto and config services to handle encrypted macro expansion across authn/authz and config params.

> On Apr 13, 2024, at 11:49 PM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>
> Hi Martin
>
> That's normal: broker authentication and webconsole/api authentication
> are two different layers (it's intentional).
> If, in theory, it would be possible to configure conf/jetty.xml to use
> the same authentication files as for broker, Jetty doesn't use exactly
> the same authentication schema.
>
> A possible option would be to add a Jetty authentication plugin
> supporting the authentication broker, or use the same JAAS realm.
>
> If you create a Jira, I can work on this :)
>
> Regards
> JB
>
> On Fri, Apr 12, 2024 at 1:44 PM Zeissig, Martin
> <mzeis...@gk-software.com> wrote:
>>
>> Dear Community
>>
>> I tried to set up my ActiveMQ broker with authentication which is working
>> fine. But for productive usage I would like to encrypt plain passwords in
>> the property files. I used the following guides:
>>
>> https://activemq.apache.org/components/classic/documentation/security
>> https://activemq.apache.org/components/classic/documentation/encrypted-passwords
>>
>> The user setup with encrypted passwords is working now for the broker but
>> not for the web-based services like /admin or /api. After long reading I've
>> only found the possibility to use the old approach from ActiveMQ v5x using
>> jetty-realm.properties which supports encrypted passwords via Jetty's
>> Password Utility.
>>
>> At the moment it seems when using encrypted passwords that I have to
>> maintain 2 files in parallel with users and also different encryption
>> algorithms. One for the broker and one for the web-based services.
>>
>> Is it somehow possible to use the same User/Groups from the broker also for
>> the web-based services when using password encryption in file
>> credentials-enc.properties? I don't want to configure 2 files. Additionally
>> I am not happy with insecure hashes from Jetty Utility (OBF / MD5 / CRYPT).
>>
>> I look forward to your feedback.
>>
>> Best regards
>> Martin
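
Added example (not part of the mailing-list thread, and not ActiveMQ or Jetty code): a small audit of the two credential files discussed above, reporting which scheme each web-console credential in jetty-realm.properties uses and which broker password properties are not wrapped in ENC(...). It assumes the `user: credential, role` line layout for jetty-realm.properties and that broker password keys contain the word "password"; all sample values are constructed.

```python
import re

# Credential prefixes written by Jetty's Password utility, as named in the thread.
JETTY_PREFIXES = ("OBF:", "MD5:", "CRYPT:")
ENC_VALUE = re.compile(r"^ENC\(.+\)$")  # wrapper used in credentials-enc.properties
# Constructed sample inputs; none of these values come from a real system.
SAMPLE_JETTY_REALM = """\
# user: credential, role[, role ...]
admin: OBF:1abc2def3ghi, admin
ops: MD5:0123456789abcdef0123456789abcdef, admin
user: user, user
"""
SAMPLE_BROKER_CREDENTIALS = """\
activemq.username=system
activemq.password=ENC(Q09OU1RSVUNURUQ=)
guest.password=guest
"""


def _entries(text, sep):
    """Yield (lineno, key, value) for each non-comment 'key<sep>value' line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!" or sep not in line:
            continue
        key, value = line.split(sep, 1)
        yield lineno, key.strip(), value.strip()


def audit_jetty_realm(text):
    """Report the storage scheme of every web-console credential."""
    findings = []
    for lineno, user, value in _entries(text, ":"):
        credential = value.split(",", 1)[0].strip()  # roles follow the first comma
        scheme = next((p[:-1] for p in JETTY_PREFIXES if credential.startswith(p)), "PLAINTEXT")
        findings.append((lineno, user, scheme))
    return findings


def audit_broker_credentials(text):
    """Flag '*password*' keys (naming is an assumption) whose value is not ENC(...)."""
    return [(lineno, key, "PLAINTEXT")
            for lineno, key, value in _entries(text, "=")
            if "password" in key.lower() and not ENC_VALUE.match(value)]


if __name__ == "__main__":
    print(audit_jetty_realm(SAMPLE_JETTY_REALM))
    print(audit_broker_credentials(SAMPLE_BROKER_CREDENTIALS))
```

Every row returned by `audit_jetty_realm` is a finding in the sense of the thread, since the file only offers plaintext or the OBF / MD5 / CRYPT schemes.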