Hello,
I have been working on a custom login module using JAAS for ActiveMQ.
I got authentication to work, but when I add the authorizationPlugin, I get
the following error:
java.lang.SecurityException: User user is not authorized to create:
> topic://ActiveMQ.Advisory.Connection
> at
> org.apache.activemq.security.AuthorizationBroker.addDestination(AuthorizationBroker.java:115)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.BrokerFilter.addDestination(BrokerFilter.java:174)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.region.RegionBroker.send(RegionBroker.java:454)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.jmx.ManagedRegionBroker.send(ManagedRegionBroker.java:293)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:909)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:836)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.advisory.AdvisoryBroker.fireAdvisory(AdvisoryBroker.java:831)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.advisory.AdvisoryBroker.addConnection(AdvisoryBroker.java:125)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.security.JaasAuthenticationBroker.addConnection(JaasAuthenticationBroker.java:71)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:849)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)[activemq-client-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:336)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:200)[activemq-broker-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)[activemq-client-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)[activemq-client-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)[activemq-client-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)[activemq-client-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)[activemq-client-5.15.9.jar:5.15.9]
> at
> org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)[activemq-client-5.15.9.jar:5.15.9]
> at java.lang.Thread.run(Thread.java:748)[:1.8.0_211]
>
I can't seem to figure out what's the problem. When I change my
jaasAuthenticationPlugin to "<jaasAuthenticationPlugin
configuration="activemq-domain"/>" (which uses
"org.apache.activemq.jaas.PropertiesLoginModule") everything works as
expected. However, when I use my own custom LoginModule:
activemq.xml
> <jaasAuthenticationPlugin configuration="my-custom-login"/>
>
login.config
> my-custom-login {
> x.x.x.x.x.x.PropertiesLoginModule required
> debug=true
> org.apache.activemq.jaas.properties.user="users.properties"
> org.apache.activemq.jaas.properties.group="groups.properties"
> reload=true;
> };
>
I get the error shown above. PropertiesLoginModule in "my-custom-login" is
basically a copy of (
https://github.com/apache/activemq/tree/master/activemq-jaas/src/main/java/org/apache/activemq/jaas
).
For reference, this is my authenticationPlugin:
> <authorizationPlugin>
> <map>
> <authorizationMap>
> <authorizationEntries>
> <authorizationEntry queue=">" read="admins"
> write="admins,users" admin="admins"/>
> <authorizationEntry queue="USERS.>" read="users"
> write="users" admin="users"/>
> <authorizationEntry queue="GUEST.>" read="guests"
> write="guests,users" admin="guests,users"/>
> <authorizationEntry topic=">" read="admins"
> write="admins,users" admin="admins"/>
> <authorizationEntry topic="USERS.>" read="users"
> write="users" admin="users"/>
> <authorizationEntry topic="GUEST.>" read="guests"
> write="guests,users" admin="guests,users"/>
> <authorizationEntry topic="ActiveMQ.Advisory.>"
> read="guests,users" write="guests,users" admin="guests,users"/>
> </authorizationEntries>
> <!--
> let's assign roles to temporary destinations. comment
> this entry if we don't want any roles assigned to temp destinations
> -->
> <tempDestinationAuthorizationEntry>
> <tempDestinationAuthorizationEntry
> read="tempDestinationAdmins" write="tempDestinationAdmins"
> admin="tempDestinationAdmins"/>
> </tempDestinationAuthorizationEntry>
> </authorizationMap>
> </map>
> </authorizationPlugin>
users.properties:
> admin=admin
> user=password
> publisher=password
> consumer=password
> guest=password
>
groups.properties:
> admins=admin,user
> users=user,admin
> publishers=admin,publisher
> consumers=admin,publisher,consumer
> guests=guest
Any pointers? I want to change the authentication in login from
PropertiesLoginModule.
Thanks.
