This is an automated email from the ASF dual-hosted git repository. jbonofre pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/activemq.git
The following commit(s) were added to refs/heads/main by this push: new de7b2726b [AMQ-8391] Convert web to use shared JAAS realm with messaging layer new 18c74769d Merge pull request #1100 from hyteio/AMQ-8391-jaas-web de7b2726b is described below commit de7b2726b19c5be619685177f6dedcf0fd15b129 Author: Matt Pavlovich <m...@hyte.io> AuthorDate: Sun Oct 29 10:50:24 2023 -0500 [AMQ-8391] Convert web to use shared JAAS realm with messaging layer
---
 assembly/pom.xml | 4 +
 assembly/src/main/descriptors/common-bin.xml | 1 +
 assembly/src/release/conf/jetty.xml | 136 +++++++++++---------
 assembly/src/release/examples/conf/jetty-demo.xml | 2 +-
 .../conf/jetty-realm-5.x.properties} | 14 ++-
 .../conf/jetty-realm-5.x.xml} | 8 ++
 6 files changed, 99 insertions(+), 66 deletions(-)
diff --git a/assembly/pom.xml b/assembly/pom.xml
index 5e3bb4a2e..b75a81237 100644
--- a/assembly/pom.xml
+++ b/assembly/pom.xml
@@ -301,6 +301,10 @@
 <groupId>org.eclipse.jetty</groupId>
 <artifactId>jetty-annotations</artifactId>
 </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-jaas</artifactId>
+ </dependency>
 <dependency>
 <groupId>org.eclipse.jetty</groupId>
 <artifactId>jetty-jndi</artifactId>
diff --git a/assembly/src/main/descriptors/common-bin.xml b/assembly/src/main/descriptors/common-bin.xml
index 7561c6ff1..e5dff72c2 100644
--- a/assembly/src/main/descriptors/common-bin.xml
+++ b/assembly/src/main/descriptors/common-bin.xml
@@ -255,6 +255,7 @@
 <include>org.eclipse.jetty:jetty-util</include>
 <include>org.eclipse.jetty:jetty-http</include>
 <include>org.eclipse.jetty:jetty-io</include>
+ <include>org.eclipse.jetty:jetty-jaas</include>
 <include>org.eclipse.jetty:jetty-jndi</include>
 <include>org.eclipse.jetty:jetty-plus</include>
 <include>org.eclipse.jetty:jetty-servlet</include>
diff --git a/assembly/src/release/conf/jetty.xml b/assembly/src/release/conf/jetty.xml
index 6ce53142f..dd5dcb82f 100644
--- a/assembly/src/release/conf/jetty.xml
+++ b/assembly/src/release/conf/jetty.xml @@ -1,5 +1,4 @@ - - <!-- +<!-- Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to You under @@ -24,20 +23,27 @@ <property name="sendServerVersion" value="false"/> </bean> - <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService"> - <property name="name" value="ActiveMQRealm" /> - <property name="config" value="${activemq.conf}/jetty-realm.properties" /> + <bean id="jaasLoginService" class="org.eclipse.jetty.jaas.JAASLoginService"> + <property name="name" value="ActiveMQRealm"/> + <property name="loginModuleName" value="activemq"/> + <property name="roleClassNames"> + <list> + <value>org.apache.activemq.jaas.GroupPrincipal</value> + </list> + </property> </bean> + <bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/> + <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint"> <property name="name" value="BASIC" /> - <property name="roles" value="user,admin" /> + <property name="roles" value="user,admins" /> <!-- set authenticate=false to disable login --> <property name="authenticate" value="true" /> </bean> <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint"> <property name="name" value="BASIC" /> - <property name="roles" value="admin" /> + <property name="roles" value="admins" /> <!-- set authenticate=false to disable login --> <property name="authenticate" value="true" /> </bean> 
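Review bot: The role list on `securityConstraint` is now `user,admins`: the admin role was renamed to the plural group name while `user` kept its old spelling. If the JAAS realm behind `loginModuleName="activemq"` has no group literally called `user`, non-admin accounts will be rejected by the console and API, so the name should be checked against the broker's group definitions (not visible in this diff). Since `roleClassNames` turns every `org.apache.activemq.jaas.GroupPrincipal` into a web role, membership of `admins` on the messaging side now also grants the console; I would record that above the bean with `<!-- Web console and REST API authenticate against the broker's JAAS realm: loginModuleName must name an entry in the JAAS login configuration, and broker groups become web roles -->`. The enclosing `<beans>` element starts and ends outside this hunk.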
@@ -75,37 +81,38 @@ </property> </bean> - <bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection"> - <property name="handlers"> - <list> - <ref bean="rewriteHandler"/> - <bean class="org.eclipse.jetty.webapp.WebAppContext"> - <property name="contextPath" value="/admin" /> - <property name="resourceBase" value="${activemq.home}/webapps/admin" /> - <property name="logUrlOnStart" value="true" /> - </bean> - <bean class="org.eclipse.jetty.webapp.WebAppContext"> - <property name="contextPath" value="/api" /> - <property name="resourceBase" value="${activemq.home}/webapps/api" /> - <property name="logUrlOnStart" value="true" /> - </bean> - <bean class="org.eclipse.jetty.server.handler.ResourceHandler"> - <property name="directoriesListed" value="false" /> - <property name="welcomeFiles"> - <list> - <value>index.html</value> - </list> - </property> - <property name="resourceBase" value="${activemq.home}/webapps/" /> - </bean> - <bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"> - <property name="serveIcon" value="false" /> - </bean> - </list> - </property> - </bean> + <bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection"> + <property name="handlers"> + <list> + <ref bean="rewriteHandler"/> + <bean class="org.eclipse.jetty.webapp.WebAppContext"> + <property name="contextPath" value="/admin" /> + <property name="resourceBase" value="${activemq.home}/webapps/admin" /> + <property name="logUrlOnStart" value="true" /> + </bean> + <bean class="org.eclipse.jetty.webapp.WebAppContext"> + <property name="contextPath" value="/api" /> + <property name="resourceBase" value="${activemq.home}/webapps/api" /> + <property name="logUrlOnStart" value="true" /> + </bean> + <bean class="org.eclipse.jetty.server.handler.ResourceHandler"> + <property name="directoriesListed" value="false" /> + <property name="welcomeFiles"> + <list> + <value>index.html</value> + </list> + </property> + 
<property name="resourceBase" value="${activemq.home}/webapps/" /> + </bean> + <bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"> + <property name="serveIcon" value="false" /> + </bean> + </list> + </property> + </bean> <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler"> - <property name="loginService" ref="securityLoginService" /> + <property name="identityService" ref="identityService" /> + <property name="loginService" ref="jaasLoginService" /> <property name="authenticator"> <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" /> </property> @@ -144,10 +151,10 @@ </bean> <bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> - <property name="targetObject" ref="Server" /> - <property name="targetMethod" value="setConnectors" /> - <property name="arguments"> - <list> + <property name="targetObject" ref="Server" /> + <property name="targetMethod" value="setConnectors" /> + <property name="arguments"> + <list> <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector"> <constructor-arg ref="Server"/> <constructor-arg> 
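Review bot: With `loginService` now referring to `jaasLoginService`, the unchanged `BasicAuthenticator` in `securityHandler` carries broker account passwords, base64-encoded only, on every console and API request, while the only TLS connector in this file (`SecureConnector`, in the last hunk) stays commented out. Before this change a captured console password was valid for the web realm alone; now it is presumably a valid messaging credential as well. I would add a comment beside the authenticator such as `<!-- BASIC auth carries the shared broker credentials: enable the HTTPS connector, or restrict the HTTP connector to a trusted interface, before exposing the console -->`. The remaining changes in this hunk, and the `@@ -144,10 +151,10 @@` hunk on the same line, are re-indentation only.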
@@ -165,35 +172,36 @@ Enable this connector if you wish to use https with web console --> <!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector"> - <constructor-arg ref="Server" /> - <constructor-arg> - <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory"> - - <property name="keyStorePath" value="${activemq.conf}/broker.ks" /> - <property name="keyStorePassword" value="password" /> - </bean> - </constructor-arg> - <property name="port" value="8162" /> - </bean --> + <constructor-arg ref="Server" /> + <constructor-arg> + <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory"> + + <property name="keyStorePath" value="${activemq.conf}/broker.ks" /> + <property name="keyStorePassword" value="password" /> + </bean> + </constructor-arg> + <property name="port" value="8162" /> + </bean --> </list> - </property> + </property> </bean> - <bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> - <property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" /> - <property name="arguments"> - <list> - <ref bean="Server" /> - <ref bean="secHandlerCollection" /> - </list> - </property> - </bean> + <bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> + <property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" /> + <property name="arguments"> + <list> + <ref bean="Server" /> + <ref bean="secHandlerCollection" /> + </list> + </property> + </bean> <bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean" - depends-on="configureJetty, invokeConnectors"> - <property name="targetObject" ref="Server" /> - <property name="targetMethod" value="start" /> + depends-on="configureJetty, invokeConnectors"> + <property name="targetObject" ref="Server" /> + <property name="targetMethod" value="start" /> </bean> </beans> + 
diff --git a/assembly/src/release/examples/conf/jetty-demo.xml b/assembly/src/release/examples/conf/jetty-demo.xml
index d432dee5b..ea1cbc513 100644
--- a/assembly/src/release/examples/conf/jetty-demo.xml
+++ b/assembly/src/release/examples/conf/jetty-demo.xml
@@ -22,7 +22,7 @@
 <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
 <property name="name" value="ActiveMQRealm" />
- <property name="config" value="${activemq.conf}/jetty-realm.properties" />
+ <property name="config" value="${activemq.conf}/jetty-realm-5.x.properties" />
 </bean>
 <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
diff --git a/assembly/src/release/conf/jetty-realm.properties b/assembly/src/release/examples/conf/jetty-realm-5.x.properties
similarity index 59%
rename from assembly/src/release/conf/jetty-realm.properties
rename to assembly/src/release/examples/conf/jetty-realm-5.x.properties
index 1bce6aa81..464312602 100644
--- a/assembly/src/release/conf/jetty-realm.properties
+++ b/assembly/src/release/examples/conf/jetty-realm-5.x.properties
@@ -15,7 +15,19 @@
 ## limitations under the License.
 ## ---------------------------------------------------------------------------
+## ---------------------------------------------------------------------------
+## [AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups.
+## This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm
+## for authentication and authorization of web-based services such as the web console
+## and rest apis. This is the config approach that was used in ActiveMQ 5.x.
+##
+## Rename this file to conf/jetty-realm.properties to setup user and group
+## authorization following the ActiveMQ 5.x approach
+##
+## Note: conf/jetty-realm.properties is used to store user, password and group data
+## ---------------------------------------------------------------------------
+
 # Defines users that can access the web (console, demo, etc.)
 # username: password [,rolename ...]
 admin: admin, admin
-user: user, user
\ No newline at end of file
+user: user, user
diff --git a/assembly/src/release/conf/jetty.xml b/assembly/src/release/examples/conf/jetty-realm-5.x.xml
similarity index 95%
copy from assembly/src/release/conf/jetty.xml
copy to assembly/src/release/examples/conf/jetty-realm-5.x.xml
index 6ce53142f..cb901f2a6 100644
--- a/assembly/src/release/conf/jetty.xml
+++ b/assembly/src/release/examples/conf/jetty-realm-5.x.xml
@@ -17,6 +17,14 @@ some demos Include this file in your configuration to enable ActiveMQ web components e.g. <import resource="jetty.xml"/> --> + <!-- + [AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups. + This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm + for authentication and authorization of web-based services such as the web console + and rest apis. This is the config approach that was used in ActiveMQ 5.x. + + Note: conf/jetty-realm.properties is used to store user, password and group data + --> <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
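Review bot: The added header calls the 5.x setup "a dedicated JAAS realm" and "this version of conf/jetty.xml", but this file appears to be a copy of the pre-change jetty.xml, whose login bean (the lines removed in the jetty.xml section above) is `org.eclipse.jetty.security.HashLoginService` reading a properties file rather than a JAAS realm; the same paragraph was also added to `jetty-realm-5.x.properties`. I would reword it along the lines of `This file (examples/conf/jetty-realm-5.x.xml) keeps the ActiveMQ 5.x approach: a web-only Jetty HashLoginService realm, separate from the broker's JAAS users and groups.` The note that `conf/jetty-realm.properties` is used only holds once the operator has copied `jetty-realm-5.x.properties` to that name, whereas `jetty-demo.xml` in this commit points at `jetty-realm-5.x.properties` directly, so the three files disagree about the file name. Because that properties file ships `admin: admin, admin` in clear text, the header is also the place to say that the sample accounts must be replaced before this realm is enabled.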