Thanks everyone! Will make an upstream change soon :)

Thanks,
Ken

On Thu, Dec 12, 2024 at 7:12 AM Christopher Shannon <christopher.l.shan...@gmail.com> wrote:

> As others have alluded to you will just need to update the login module to
> support it, JAAS is quite flexible and you can implement a custom login
> module any way you want.
>
> On Thu, Dec 12, 2024 at 9:00 AM Justin Bertram <jbert...@apache.org> wrote:
>
> > For what it's worth, the
> > org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule in
> > the Artemis code-base supports hashed passwords. It's based on the
> > PropertiesLoginModule from Classic.
> >
> >
> > Justin
> >
> > On Thu, Dec 12, 2024 at 2:49 AM Ken Liao <kenlia...@gmail.com> wrote:
> >
> > > Hi community,
> > >
> > > I have a question regarding securing ActiveMQ web console authentication.
> > >
> > > Here is my understanding of the current way to configure:
> > > 1. In login.config, it defines the loginModule "activemq" which is
> > > referenced by jetty.xml (imported in activemq.xml)
> > > 2. In activemq loginModule, it uses a PropertiesLoginModule defined in
> > > activemq.jaas.PropertiesLoginModule class, our own implementation
> > > 3. By default, there is no encryption/hashing, username and password are
> > > stored in plain text ("admin=admin" in users.properties)
> > >
> > > I want to enable hashing with a strong algorithm such as SHA-256
> > >
> > > I tried a few options:
> > >
> > > 1. I tried to specify the algorithm field in
> > > https://github.com/apache/activemq/blob/main/activemq-jaas/src/main/java/org/apache/activemq/jaas/PropertiesLoader.java#L63
> > > but it seems like activemq.jaas.PropertiesLoginModule doesn't honor that.
> > > Am I reading the code wrong?
> > > I.e. this doesn't work
> > > ```
> > > activemq {
> > >     org.apache.activemq.jaas.PropertiesLoginModule required
> > >         algorithm="<the hashing algorithm>"
> > >         org.apache.activemq.jaas.properties.user="users.properties"
> > >         org.apache.activemq.jaas.properties.group="groups.properties";
> > > };
> > > ```
> > >
> > > 2. I tried to then use jetty.xml and instead of using the
> > > org.eclipse.jetty.jaas.JAASLoginService, I use HashLoginService. However,
> > > Jetty 9 and Jetty 11's HashLoginService
> > > <https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/security/HashLoginService.html>
> > > relies on
> > > https://javadoc.jetty.org/jetty-12/org/eclipse/jetty/util/security/Password.html
> > > which can only use MD5 and DES. Those are no longer secure and broken for
> > > collision resistance.
> > >
> > >
> > > Any ideas of how I should proceed with that? I would also like to fix
> > > option 1 upstream if that's the case.
> > >
> > > Thanks,
> > > Ken
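
Added example, not part of the thread and not ActiveMQ, Artemis or Jetty code: the password check that a custom JAAS login module of the kind suggested above could call, using salted PBKDF2 with HMAC-SHA-256 in place of a single SHA-256 digest. The class name and the `pbkdf2:<iterations>:<salt>:<hash>` value layout for users.properties are assumptions made for this example.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical helper. The "pbkdf2:<iterations>:<salt>:<hash>" layout is an
// assumption of this example, not a format defined by ActiveMQ or Jetty.
public class HashedUserEntry {
    private static final String KDF = "PBKDF2WithHmacSHA256";
    private static final int ITERATIONS = 210_000, SALT_BYTES = 16, KEY_BITS = 256;

    private static byte[] derive(char[] password, byte[] salt, int iterations, int bits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, bits);
        try {
            return SecretKeyFactory.getInstance(KDF).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not keep the password copy held by the spec
        }
    }

    /** Builds the value to store after "username=" in users.properties. */
    public static String encode(char[] password) throws Exception {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt); // fresh random salt per user
        Base64.Encoder b64 = Base64.getEncoder();
        return "pbkdf2:" + ITERATIONS + ":" + b64.encodeToString(salt) + ":"
                + b64.encodeToString(derive(password, salt, ITERATIONS, KEY_BITS));
    }

    /** Called from a module's login() with the password obtained via PasswordCallback. */
    public static boolean verify(char[] supplied, String stored) {
        try {
            String[] p = stored.split(":");
            if (p.length != 4 || !p[0].equals("pbkdf2")) return false; // plain-text or unknown entry
            byte[] salt = Base64.getDecoder().decode(p[2]);
            byte[] expected = Base64.getDecoder().decode(p[3]);
            byte[] actual = derive(supplied, salt, Integer.parseInt(p[1]), expected.length * 8);
            return MessageDigest.isEqual(expected, actual); // constant-time comparison
        } catch (Exception e) {
            return false; // malformed entries fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        String stored = encode("s3cret-constructed".toCharArray()); // constructed sample password
        System.out.println("admin=" + stored);
        System.out.println("correct password accepted: " + verify("s3cret-constructed".toCharArray(), stored));
        System.out.println("wrong password accepted:   " + verify("admin".toCharArray(), stored));
        System.out.println("plain-text entry accepted: " + verify("admin".toCharArray(), "admin"));
    }
}
```

Storing the iteration count and salt inside each entry lets the work factor be raised later without invalidating existing users.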