In general it's important to remember that although the broker and the
hawtio console can both use the same JAAS configuration (specified in
login.config) they don't necessarily support the same specific login
modules.


Justin

On Thu, Apr 26, 2018 at 11:33 AM, Justin Bertram <jbert...@apache.org>
wrote:

> In the Artemis broker the JAAS integration has code to get the certificate
> from the remote connection and pass it through in the proper places. I
> doubt the hawtio code has the same kind of logic to get the certificate
> from the connection to the web server (assuming it's even possible). Taking
> a quick look at the code [1] it appears it only supports username and
> password.
>
>
> Justin
>
> [1] https://github.com/hawtio/hawtio/blob/master/hawtio-system/src/main/java/io/hawt/system/Authenticator.java#L111
>
> On Thu, Apr 26, 2018 at 2:44 AM, Stefaniuk, Marcin <
> marcin.stefan...@credit-suisse.com> wrote:
>
>> I'm struggling to configure the Artemis 2.4.0 management console to use the
>> same client-certificate-based JAAS realm.
>>
>> CertLogin {
>>     org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
>>         debug=true
>>         org.apache.activemq.jaas.textfiledn.user="certificate-users.properties"
>>         org.apache.activemq.jaas.textfiledn.role="certificate-roles.properties"
>>         reload=true;
>> };
>>
>> I've reached a point where users that are not listed in
>> certificate-users.properties are rejected, but those that are listed there
>> are prompted for user/password on the default console form:
>>
>> 08:42:58,720 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:42:59,010 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for plugin
>> 08:42:59,924 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is set to value false
>> 08:42:59,925 INFO  [io.hawt.web.keycloak.KeycloakServlet] Keycloak integration is disabled
>> 08:42:59,925 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for keycloak
>> 08:43:00,012 DEBUG [io.hawt.system.ConfigManager] Property authenticationEnabled is set to value true
>> 08:43:00,013 DEBUG [io.hawt.system.ConfigManager] Property keycloakEnabled is set to value false
>> 08:43:00,013 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for user
>> 08:43:00,157 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:00,204 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:01,730 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for refresh
>> 08:43:02,784 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for img
>> 08:43:02,853 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:03,068 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:11,646 DEBUG [io.hawt.web.RedirectFilter] Accessing /console/login, which isn't valid, returning index.html
>> 08:43:12,448 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:12,669 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for plugin
>> 08:43:13,717 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for keycloak
>> 08:43:13,861 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for user
>> 08:43:13,863 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:13,931 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:15,215 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, but allowing request for img
>> 08:43:15,418 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>> 08:43:15,420 DEBUG [io.hawt.web.SessionExpiryFilter] Authentication enabled, denying request for jolokia
>>
>> The console configuration seems OK, with clientAuth enabled:
>>
>> <web keyStorePath="/tmp/host.net.jks" keyStorePassword="host.net"
>>      clientAuth="true" bind="https://host.net:8443" path="web"
>>      trustStorePath="/opt/truststore.jks" trustStorePassword="truststore">
>>   <app url="activemq-branding" war="activemq-branding.war"/>
>>   <app url="artemis-plugin" war="artemis-plugin.war"/>
>>   <app url="console" war="console.war"/>
>> </web>
>>
>> Hawt.io logs the actual configuration, and the proper realm is mentioned
>> there:
>>
>> 08:27:06,502 DEBUG [io.hawt.web.tomcat.TomcatAuthenticationContainerDiscovery] Realm explicit configured CertLogin. Apache Tomcat userdata authentication integration not in use.
>> 08:27:06,502 INFO  [io.hawt.web.AuthenticationFilter] Starting hawtio authentication filter, JAAS realm: "CertLogin" authorized role(s): "amq" role principal classes: "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal"
>>
>> The user I'm testing with has the amq role attached. The user certificate is
>> provided by default with each request.
>>
>> To verify that the JAAS configuration is OK, I've connected to the broker using
>> a technical certificate also listed in the same configuration file, and it was
>> successful.
>> 09:31:06,061 DEBUG [io.netty.handler.ssl.SslHandler] [id: 0x484ffd99, L:/10.205.36.164:61617 - R:/10.195.113.9:52093] HANDSHAKEN: TLS_RSA_WITH_AES_128_CBC_SHA256
>> 09:31:06,153 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader] Initialized debug
>> 09:31:06,154 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] Certificate for user: S113635
>> 09:31:06,154 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] commit
>> 09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoader] Initialized debug
>> 09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] Certificate for user: S113635
>> 09:31:06,188 DEBUG [org.apache.activemq.artemis.spi.core.security.jaas.CertificateLoginModule] commit
>> 09:31:06,441 DEBUG [org.apache.activemq.artemis.core.remoting.server.impl.RemotingServiceImpl] RemotingServiceImpl::removing connection ID 484ffd99
>>
>> Is there a way to use certificate-based user login for the management console?
>> If yes, what should I look into to fix it?
>>
>> Kind regards
>> Marcin Stefaniuk
>>
>>
>>
>
>
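The broker-side check Marcin describes (connect with a certificate that is listed in certificate-users.properties and confirm the login module maps it to a user with the expected role) can be rehearsed offline. The script below is an added example written for this thread; it is not code from Artemis or hawtio. It mimics how TextFileCertificateLoginModule is understood to work: the client certificate's subject DN is looked up in certificate-users.properties (an exact string match, or a value written as /regex/ matched against the whole DN), and the resulting user name is looked up in certificate-roles.properties (role=user1,user2). Those two behaviours, the sample file contents, the DNs and the exact-match-before-regex precedence are all assumptions of this example, not verified against the module's source. It only models the broker-side mapping that the thread confirms works; it says nothing about the console, which Justin notes takes username and password only.

```python
"""Offline rehearsal of an Artemis text-file certificate login mapping.

Added example, not Artemis or hawtio code. Assumes the login module matches
the certificate subject DN against certificate-users.properties (exact string
or /regex/) and then resolves roles from certificate-roles.properties.
"""
import re
from typing import Dict, List, Optional

# Constructed sample of certificate-users.properties: user = subject DN.
# The DN must be spelled exactly as the Java runtime renders the subject
# (separators and spacing included); a mismatch there is a common reason a
# "listed" certificate is still rejected by the broker.
CERT_USERS = """\
# technical client used to test the broker side
technical=CN=artemis-client,OU=Messaging,O=Example Corp,C=CH
S113635=CN=S113635,OU=Messaging,O=Example Corp,C=CH
# a /regex/ value (assumed syntax) matches a family of certificates
ops-team=/CN=ops-[a-z]+,OU=Operations,O=Example Corp,C=CH/
"""

# Constructed sample of certificate-roles.properties: role = user,user,...
CERT_ROLES = """\
amq=technical,S113635
ops=ops-team
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: '#'/'!' comments, key split at the
    first '='. Values keep their own '=' signs, which DNs are full of."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # a key with no value cannot map anything
        props[key.strip()] = value.strip()
    return props


def _is_regex_entry(dn: str) -> bool:
    return dn.startswith("/") and dn.endswith("/")


def match_user(subject_dn: str, users: Dict[str, str]) -> Optional[str]:
    """Return the user whose DN entry matches the certificate's subject DN,
    or None. Exact entries are tried before /regex/ entries so a broad
    pattern cannot shadow a specific user (this script's choice, not a
    documented property of the Artemis module)."""
    for user, dn in users.items():
        if not _is_regex_entry(dn) and dn == subject_dn:
            return user
    for user, dn in users.items():
        if _is_regex_entry(dn) and re.fullmatch(dn[1:-1], subject_dn):
            return user
    return None


def roles_for(user: str, roles: Dict[str, str]) -> List[str]:
    """All roles whose comma-separated member list names the user."""
    return sorted(
        role for role, members in roles.items()
        if user in {m.strip() for m in members.split(",")}
    )


def authorize(subject_dn: str, users_text: str, roles_text: str,
              required_role: str) -> dict:
    """Simulate the two-step lookup for one certificate and report whether
    it would carry required_role (the console filter in the thread
    requires "amq")."""
    user = match_user(subject_dn, parse_properties(users_text))
    roles = roles_for(user, parse_properties(roles_text)) if user else []
    return {"user": user, "roles": roles, "authorized": required_role in roles}


if __name__ == "__main__":
    for dn in (
        "CN=S113635,OU=Messaging,O=Example Corp,C=CH",
        "CN=ops-alice,OU=Operations,O=Example Corp,C=CH",
        "CN=S113635, OU=Messaging, O=Example Corp, C=CH",  # spacing differs
    ):
        print(dn, "->", authorize(dn, CERT_USERS, CERT_ROLES, "amq"))
```

Run it with the real property files' contents pasted into the two constants and the subject DN as the broker logs it; the third sample DN shows the failure mode where a certificate is listed but the string rendering differs, so it maps to no user and therefore to no role.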
