Hi Matt!

Yes, I know and don’t want to lose that feature. But it looks like I 
misunderstood?
>single JAAS-provider
sounded like you wanted to remove that and change so activemq and console must 
use the same (and a singular) JAAS-provider but I understand from your comment 
that this is not the case :)

Sorry for the noise! :)

BR,
- Simon

________________________________
From: Matt Pavlovich <mattr...@gmail.com>
Sent: 16 April 2024 15:45:25
To: users@activemq.apache.org
Subject: Re: ActiveMQ Classic v6.x - Encrypted passwords for web-based services

Hi Simon-

JAAS provides this and ActiveMQ services support separating authorizing via 
roles today.

-Matt

> On Apr 16, 2024, at 1:58 AM, Simon Lundström <si...@su.se.INVALID> wrote:
>
> Not to be that person, but there is a valid point that it should be possible to 
> separate the authN for service access and service management (even though 
> authZ can make sure some users only can access the service and some users can 
> only access the management).
>
>
> BR,
>
> - Simon
>
> ________________________________
> From: Matt Pavlovich <mattr...@gmail.com>
> Sent: 16 April 2024 05:06:09
> To: users@activemq.apache.org
> Subject: Re: ActiveMQ Classic v6.x - Encrypted passwords for web-based 
> services
>
> Note — This also falls under one of the goals for ActiveMQ 7.x’s non-Spring 
> bootstrapping to support single JAAS-provider for all services, that uses 
> broker-wide crypto and config services to handle encrypted macro expansion 
> across authn/authz and config params.
>
>> On Apr 13, 2024, at 11:49 PM, Jean-Baptiste Onofré <j...@nanthrax.net> wrote:
>>
>> Hi Martin
>>
>> That's normal: broker authentication and webconsole/api authentication
>> are two different layers (it's intentional).
>> If, in theory, it would be possible to configure conf/jetty.xml to use
>> the same authentication files as for broker, Jetty doesn't use exactly
>> the same authentication schema.
>>
>> A possible option would be to add a Jetty authentication plugin
>> supporting the authentication broker, or use the same JAAS realm.
>>
>> If you create a Jira, I can work on this :)
>>
>> Regards
>> JB
>>
>> On Fri, Apr 12, 2024 at 1:44 PM Zeissig, Martin
>> <mzeis...@gk-software.com> wrote:
>>>
>>> Dear Community
>>>
>>> I tried to set up my ActiveMQ broker with authentication which is working 
>>> fine. But for productive usage I would like to encrypt plain passwords in 
>>> the property files. I used the following guides:
>>>
>>> https://activemq.apache.org/components/classic/documentation/security
>>> https://activemq.apache.org/components/classic/documentation/encrypted-passwords
>>>
>>> The user setup with encrypted passwords is working now for the broker but 
>>> not for the web-based services like /admin or /api. After long reading I've 
>>> only found the possibility to use the old approach from ActiveMQ v5x using 
>>> jetty-realm.properties which supports encrypted passwords via Jetty's 
>>> Password Utility.
>>>
>>> At the moment it seems when using encrypted passwords that I have to 
>>> maintain 2 files in parallel with users and also different encryption 
>>> algorithms. One for the broker and one for the web-based services.
>>>
>>> Is it somehow possible to use the same User/Groups from the broker also for 
>>> the web-based services when using password encryption in file 
>>> credentials-enc.properties? I don't want to configure 2 files. Additionally 
>>> I am not happy with insecure hashes from Jetty Utility (OBF / MD5 / CRYPT).
>>>
>>> I look forward to your feedback.
>>>
>>> Best regards
>>> Martin
>
