ActiveMQ - Authorization - Revoked Roles Not Updating Runtime - User Able To Access Queue for Revoked Role - authorization

Team,
I am implementing runtime reloading of the authorization map settings in activemq.xml using the following configuration (http://activemq.apache.org/runtime-configuration.html):
<broker xmlns="http://activemq.apache.org/schema/core" start="false" ... >
<plugins>
<runtimeConfigurationPlugin checkPeriod="1000" />
</plugins>
...
</broker>
I performed several test cases, out of which one specific (critical) case is not working as expected.
The failing test case is that User-A has read and write access over Queue-A. User-A successfully reads and writes. But if the role is deleted for User-A, without restarting ActiveMQ, User-A is still able to read and write to Queue-A. The expected result was that ActiveMQ would forbid the user from reading and writing to Queue-A.
Detailed steps are as follows.
Action 1: After starting the broker with a user A without any map entry for the test queue
<plugins>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
<authorizationEntry queue="test.queue.A>" read="admins" write="admins" admin="admins"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Result 1: User A login successful but not authorized to access the test queue
Action 2: Then I modified the authorization map and allowed user A to read and write on the test queue, i.e. made User-A a member of "grp_subscribers"
<plugins>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic="ActiveMQ.Advisory.>" read="grp_subscribers, admins" write="grp_subscribers, admins" admin="grp_subscribers, admins"/>
<authorizationEntry queue="test.queue.A>" read="grp_subscribers" write="grp_subscribers" admin="grp_subscribers, admins"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Result 2: User A login successful and authorized on the test queue
Action 3: Then I again modified the authorization map by removing the access of user A on the test queue
<plugins>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
<authorizationEntry queue="test.queue.A>" read="admins" write="admins" admin="admins"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Result 3: User A login successful and still authorized on the test queue, which is where the problem is. User A should not be authorized on the test queue.
I tried different approaches and did a lot of troubleshooting in case I am missing something. I believe there is something I am missing.

The ActiveMQ AuthorizationMap gets updated according to the checkPeriod attribute. After making a change in authorization roles, consumer/subscriber/producer connections need to be refreshed, which can be done by stopping and starting a transport connector via JMX.

Related

Disable dynamic queue creation

When sending a message to a queue in ActiveMQ (e.g. using JmsTemplate.convertAndSend()) that is not configured, the queue is dynamically created (on the fly).
Is it possible to have an exception thrown instead (e.g. if the queue wasn't created explicitly on the broker)?
Yes, it is possible to have an exception thrown if the queue wasn't created explicitly on the broker. JMS destinations are automatically created for users who have the admin permission. Therefore, any user for which you don't want the broker to automatically create JMS destinations should not be in a role with the admin permission. Here's a sample configuration:
<broker>
..
<plugins>
..
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue="myQueue" read="consumers" write="producers" admin="admins" />
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
..
</plugins>
..
</broker>
In this configuration any users in the admins role will have the admin permission and the broker will automatically create JMS destinations for these users.

adding the admin user to access the activemq queues

I have set up an ActiveMQ instance and configured the queue with users. I have created one queue and two users, namely producer and consumer, with read and write permissions respectively. I am able to post a message using producer and consume the message using consumer.
When I log in to the admin page of ActiveMQ using admin/admin I am not able to view the messages inside the queue. How do I add an admin user to access the queue?
I have added the below configuration entry in activemq.xml:
<plugins>
<simpleAuthenticationPlugin>
<users>
<authenticationUser username="producer" password="producer" groups="producers" />
<authenticationUser username="consumer" password="consumer" groups="consumers" />
<authenticationUser username="defaultUser" password="defaultPassword" groups="admins" />
</users>
</simpleAuthenticationPlugin>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue="test.Queue" write="producers" read="consumers" admin="admins" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="producers,consumers" write="producers,producers" admin="admins,producers,consumers"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Please let me know where I am going wrong.
Is your admin user for the web console in the admins group?
I think you need to add <authenticationUser username="admin" password="admin" groups="admins" />
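The three ActiveMQ questions above all come down to the same evaluation: which groups a user belongs to (simpleAuthenticationPlugin), which authorizationEntry patterns match a destination, and whether the user's groups appear in the resulting read/write/admin sets. The script below is an added example, not ActiveMQ project code. It parses both plugin fragments, implements the destination wildcards as the ActiveMQ documentation describes them ('.' separates path elements, '*' matches one element, '>' matches the rest), and assumes, as the 5.x broker does, that every matching entry contributes its groups and a user passes when any of their groups is in that union. It then diffs an old and a new map to list the grants a reload has revoked, which is exactly the set of connections an operator has to refresh after a runtime reload, and shows that a user without admin permission is not the one for whom the broker would auto-create the destination. The user list, the "test.queue.>" pattern and both maps are constructed for the demo.

```python
"""Offline evaluation of ActiveMQ-style <authorizationEntry> rules (added example, not
project code). Assumption: as in the 5.x broker, every entry whose pattern matches a
destination contributes its groups, and a user is allowed if any of the user's groups is
in that union. The users and authorization maps below are constructed for the demo."""
import xml.etree.ElementTree as ET

PERMS = ("read", "write", "admin")


def _local(tag):
    """Strip a namespace ({uri}name -> name) so fragments with or without xmlns parse alike."""
    return tag.rsplit("}", 1)[-1]


def _groups(value):
    return {g.strip() for g in (value or "").split(",") if g.strip()}


def parse_users(xml_text):
    """username -> set of groups, from the <authenticationUser> elements of simpleAuthenticationPlugin."""
    return {el.get("username"): _groups(el.get("groups"))
            for el in ET.fromstring(xml_text).iter() if _local(el.tag) == "authenticationUser"}


def parse_entries(xml_text):
    """[(kind, pattern, {perm: groups})] for every <authorizationEntry> in the fragment."""
    entries = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "authorizationEntry":
            continue
        for kind in ("queue", "topic"):
            if el.get(kind) is not None:
                entries.append((kind, el.get(kind), {p: _groups(el.get(p)) for p in PERMS}))
    return entries


def matches(pattern, name):
    """ActiveMQ destination wildcards: '.' separates path elements, '*' matches exactly one
    element, '>' matches the remainder (zero or more elements, so 'FOO.>' also matches 'FOO')."""
    p, n = pattern.split("."), name.split(".")
    for i, elem in enumerate(p):
        if elem == ">":
            return True
        if i >= len(n) or (elem != "*" and elem != n[i]):
            return False
    return len(p) == len(n)


def allowed_groups(entries, kind, name, perm):
    """Union of the groups granted `perm` on `name` by every matching entry."""
    allowed = set()
    for k, pattern, perms in entries:
        if k == kind and matches(pattern, name):
            allowed |= perms[perm]
    return allowed


def is_allowed(entries, user_groups, kind, name, perm):
    return bool(allowed_groups(entries, kind, name, perm) & set(user_groups))


def revoked_grants(old_entries, new_entries, destinations):
    """(kind, name, perm, group) tuples granted by the old map but not by the new one.
    Connections opened under the old map keep using these until they are refreshed."""
    lost = []
    for kind, name in destinations:
        for perm in PERMS:
            gone = allowed_groups(old_entries, kind, name, perm) - allowed_groups(new_entries, kind, name, perm)
            lost.extend((kind, name, perm, g) for g in sorted(gone))
    return lost


# Constructed sample: two users, and a map before and after grp_subscribers loses its grants.
USERS_XML = """<simpleAuthenticationPlugin><users>
  <authenticationUser username="admin" password="PLACEHOLDER" groups="admins"/>
  <authenticationUser username="user-a" password="PLACEHOLDER" groups="grp_subscribers"/>
</users></simpleAuthenticationPlugin>"""

BEFORE_XML = """<authorizationPlugin><map><authorizationMap><authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.>" read="grp_subscribers,admins" write="grp_subscribers,admins" admin="grp_subscribers,admins"/>
  <authorizationEntry queue="test.queue.>" read="grp_subscribers" write="grp_subscribers" admin="admins"/>
  <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
</authorizationEntries></authorizationMap></map></authorizationPlugin>"""

AFTER_XML = """<authorizationPlugin><map><authorizationMap><authorizationEntries>
  <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
  <authorizationEntry queue="test.queue.>" read="admins" write="admins" admin="admins"/>
  <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
</authorizationEntries></authorizationMap></map></authorizationPlugin>"""


def demo():
    users = parse_users(USERS_XML)
    before, after = parse_entries(BEFORE_XML), parse_entries(AFTER_XML)
    queue = ("queue", "test.queue.A")
    advisory = ("topic", "ActiveMQ.Advisory.Consumer.Queue.test.queue.A")
    return {
        "user_a_read_before": is_allowed(before, users["user-a"], *queue, "read"),
        "user_a_read_after": is_allowed(after, users["user-a"], *queue, "read"),
        # no admin permission: the broker will not auto-create the destination for this user
        "user_a_admin_before": is_allowed(before, users["user-a"], *queue, "admin"),
        # grants that existing connections still hold until they are refreshed
        "revoked": revoked_grants(before, after, [queue, advisory]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it lists user-a as readable before and not after the change, never admin, and five revoked (destination, permission, group) tuples: read and write on the queue plus all three permissions on its consumer advisory topic. Feeding it the live activemq.xml and its previous revision gives the list to reconcile against the connections still open on the transport connector.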

SSO Authentication

I need some guidance on my SSO implementation.
I have done a couple of SAML2 implementations with success, but there is something missing on this one :-O I believe it is minor, but I am not sure what I am missing and I am not seeing much information in the logs on the agent side :-/
So:
IdP initiated
I am the SP, using OpenAM 10
Using the J2EE agent
The same configuration works in prod as well for other clients
SAML 2 implementation
Cross domain is enabled
The certificate is loaded in the client IdP metadata on my side
The issue is that when I get the Response from the vendor, they get redirected by the CDCSERVLET to the login page of OpenAM. I am not getting why they are not authenticated.
Here is the response:
<Response ID="_FAD290A87DB14BC4A8A8F435DEBDEBB3" Version="2.0" IssueInstant="2015-12-31T20:59:34.1012911Z" Destination="https://sso.com:443/sp/Consumer/metaAlias/xxx-test/sp" xmlns="urn:oasis:names:tc:SAML:2.0:protocol">
<Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">xxx</Issuer>
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<Reference URI="#_FAD290A87DB14BC4A8A8F435DEBDEBB3">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<DigestValue>HPTUTyPjegeyjDW5lmMb8ggbwas=</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>4Ek0xpDPj5Q==</SignatureValue>
</Signature>
<Status>
<StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
</Status>
<Assertion Version="2.0" ID="_BCA1E13E205E4CDCB7AB903E90606DBD" IssueInstant="2015-12-31T20:59:34.1012911Z" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<Issuer>xxx</Issuer>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">100</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2015-12-31T21:04:34.1948917Z" Recipient="https://sso.com:443/sp/Consumer/metaAlias/xxx-test/sp"/>
</SubjectConfirmation>
</Subject>
<Conditions NotBefore="2015-12-31T20:54:34.1012911Z" NotOnOrAfter="2015-12-31T21:04:34.1012911Z">
<AudienceRestriction>
<Audience>xxx-test:saml2</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2015-12-31T20:59:34.1012911Z">
<SubjectLocality Address="000.0.0.000"/>
<AuthnContext>
<AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
<AttributeStatement>
<Attribute Name="AIN">
<AttributeValue xsi:type="xsd:string">100</AttributeValue>
</Attribute>
</AttributeStatement>
</Assertion>
</Response>
What I noted in that assertion is:
There is no certificate in the Signature (all my other clients have the certificate in the signature).
On my side for the SP, I made sure that:
The authentication context is set to Password to match the assertion
I disabled federation if the NameID is unspecified, and I use the NameID as the user ID
All of that should be good on my side, and I do not understand why the client gets redirected to the login page of OpenAM.
Any help would be awesome !!
Thanks !
EDIT :
So I had the vendor modify the assertion to send <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">xxxx</NameID>
I added a user to the realm and used it as the transient user in my SP configuration, but it resulted in the same issue!!
When the nameid-format was set to unspecified, I had created that "100" user in the realm as a subject, but it still did not work :-/
EDIT 3: Here is some information on the session:
<SessionNotification vers="1.0" notid="117627">
<Session sid="AQIC5wM2LY4SfcxfxdL6szA_aGlQEkFtHROifZHX_VpqHag.*AAJTSQACMDIAAlNLABM3OTI1OTk2NjE0MDA1MjA2MTcw*" stype="user" cid="id=user-test,ou=user,dc=openam,dc=forgerock,dc=org" cdomain="dc=openam,dc=forgerock,dc=org" maxtime="60" maxidle="30" maxcaching="5" timeidle="1800" timeleft="1529" state="destroyed">
<Property name="CharSet" value="UTF-8"></Property>
<Property name="UserId" value="user-test"></Property>
<Property name="FullLoginURL" value="/sp/UI/Login?ForceAuthn=false&MinorVersion=0&RequestID=see601a9040131cc9c9d09947cf1addab3e4df292&refererservlet=https%3A%2F%2Fs-----6ForceAuthn%3Dfalse%26ProviderID%3Dhttps%253A%252F%252Fstagingcng.inspirus365.com%253A443%252F%253FRealm%253D%25252F%26MinorVersion%3D0%26Federate%3Dfalse%26IssueInstant%3D2016-01-12T21%253A30%253A22Z%26MajorVersion%3D1&IssueInstant=2016-01-12T21%3A30%3A22Z&MajorVersion=1"></Property>
<Property name="successURL" value="/sp/console"></Property>
<Property name="cookieSupport" value="true"></Property>
<Property name="AuthLevel" value="0"></Property>
<Property name="SessionHandle" value="shandle:AQIC5wM2LY4SfcwZfnMFJVMF0olMGhmq-Nmqw_BMxoVv4AA.*AAJTSQACMDIAAlNLABM3OTI1OTk2NjE0MDA1MjA2MTcw*"></Property>
<Property name="UserToken" value="user-test"></Property>
<Property name="loginURL" value="/sp/UI/Login"></Property>
<Property name="Principals" value="user-test"></Property>
<Property name="Service" value="ldapService"></Property>
<Property name="sun.am.UniversalIdentifier" value="id=user-test,ou=user,dc=openam,dc=forgerock,dc=org"></Property>
<Property name="amlbcookie" value="01"></Property>
<Property name="Organization" value="dc=openam,dc=forgerock,dc=org"></Property>
<Property name="Locale" value="en_US"></Property>
<Property name="HostName" value="205."></Property>
<Property name="AuthType" value="DataStore"></Property>
<Property name="Host" value="205."></Property>
<Property name="UserProfile" value="Ignore"></Property>
<Property name="clientType" value="genericHTML"></Property>
<Property name="AMCtxId" value="a0749ff708bff14202"></Property>
<Property name="SessionTimedOut" value="1452636294"></Property>
<Property name="authInstant" value="2016-01-12T21:30:33Z"></Property>
<Property name="Principal" value="id=user-test,ou=user,dc=openam,dc=forgerock,dc=org"></Property>
</Session>
</SessionNotification>
The thing that struck me is the <Property name="AuthType" value="DataStore"></Property> (I have Federation from other vendors :0)
I am sure that the issue is because the user cannot get authenticated against OpenAM.
I am assuming that autofederation is turned off on the Service Provider side (OpenAM) and that you are using the NameID as the User ID.
After receiving the assertion the SP Account Mapper will try to find a user with that User ID in the Data Store for the Realm where the SP is defined. You can find which LDAP attribute is mapped to the User ID by going to Access Control > YOUR REALM > Data Stores > YOUR DATASTORE. Look for a property called "LDAP Users Search Attribute".
In this particular case the NameID value is "100", thus, the Account Mapper will try to find a user in your datastore with that User Id. For example, if your "LDAP Users Search Attribute" is set to "uid", the Account Mapper will try to find a user in your Directory whose "uid" is equal to "100".
So my assumption is that the Account Mapper is not able to map the incoming assertion to a valid user, and it's taking you to OpenAM's login page.
Hope this helps.
I figured it out ... Turned out everything was set up right but our partner was posting the Assertion to the Relay/Target URL and not the Consumer URL .....
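The answer above describes how the SP account mapper turns a NameID into a local user, and the final comment shows the actual cause: the assertion was posted to the relay/target URL rather than the consumer URL. The script below is an added example, not OpenAM code, that replays those checks offline over a response: the endpoint the POST arrived at against Destination and Recipient, the audience, the validity window, and the NameID lookup against the data store attribute that "LDAP Users Search Attribute" names. It does not verify the XML signature, which a real SP does before any of this. The response, the URLs, the entity ID "test:saml2" and the data store are constructed for the demo, modelled on the posted assertion.

```python
"""Offline replay of the account-mapping checks an SP applies to a SAML Response
(added example, not OpenAM code). Signature verification is out of scope here.
The response, endpoint URLs and data store below are constructed for the demo."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"


def parse_saml_time(value):
    """SAML timestamps are UTC; IdPs may emit more than the 6 fractional digits Python accepts."""
    head, _, frac = value.rstrip("Z").partition(".")
    frac = frac[:6].ljust(6, "0")
    return datetime.fromisoformat(f"{head}.{frac}").replace(tzinfo=timezone.utc)


def check_response(response_xml, posted_to, sp_entity_id, now, datastore, search_attr="uid"):
    """Return the reasons an SP would refuse to map the assertion to a local session:
    endpoint the POST arrived at vs Destination/Recipient, audience, validity window,
    and whether the NameID resolves to a user via the data store's search attribute."""
    root = ET.fromstring(response_xml)
    problems = []
    if root.get("Destination") != posted_to:
        problems.append(f"Destination {root.get('Destination')} != endpoint posted to {posted_to}")
    assertion = root.find(SAML + "Assertion")
    if assertion is None:
        return problems + ["Response carries no Assertion"]
    scd = assertion.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if scd is None or scd.get("Recipient") != posted_to:
        problems.append("SubjectConfirmationData Recipient != endpoint posted to")
    cond = assertion.find(SAML + "Conditions")
    if cond is not None:
        if now < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        if sp_entity_id not in [a.text for a in cond.iter(SAML + "Audience")]:
            problems.append(f"audience does not include {sp_entity_id}")
    name_id = assertion.find(f"{SAML}Subject/{SAML}NameID")
    if name_id is None:
        return problems + ["no NameID"]
    if name_id.get("Format") == TRANSIENT:
        return problems  # transient: mapped to the SP's configured transient user, not looked up
    # "use NameID as User ID": find a user whose search attribute equals the NameID value
    if not any(attrs.get(search_attr) == name_id.text for attrs in datastore.values()):
        problems.append(f"no user with {search_attr}={name_id.text!r}: OpenAM would fall back to its login page")
    return problems


ACS_URL = "https://sso.example/sp/Consumer/metaAlias/test/sp"  # constructed consumer URL
TARGET_URL = "https://sso.example/sp/console"                  # constructed relay/target page

RESPONSE_XML = f"""<Response xmlns="urn:oasis:names:tc:SAML:2.0:protocol" ID="_constructed-resp"
  Version="2.0" IssueInstant="2015-12-31T20:59:34.1012911Z" Destination="{ACS_URL}">
  <Status><StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></Status>
  <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-assert"
    Version="2.0" IssueInstant="2015-12-31T20:59:34.1012911Z">
    <Issuer>idp.example</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">100</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2015-12-31T21:04:34.1948917Z" Recipient="{ACS_URL}"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2015-12-31T20:54:34.1012911Z" NotOnOrAfter="2015-12-31T21:04:34.1012911Z">
      <AudienceRestriction><Audience>test:saml2</Audience></AudienceRestriction>
    </Conditions>
  </Assertion>
</Response>"""

NOW = datetime(2015, 12, 31, 21, 0, 0, tzinfo=timezone.utc)  # inside the assertion's window


def demo():
    # constructed data store whose "LDAP Users Search Attribute" is uid; only user-test exists
    store = {"uid=user-test,ou=user,dc=example": {"uid": "user-test"}}
    posted_to_target = check_response(RESPONSE_XML, TARGET_URL, "test:saml2", NOW, store)
    # same assertion at the consumer URL, after a user with uid=100 has been provisioned
    store["uid=100,ou=user,dc=example"] = {"uid": "100"}
    posted_to_acs = check_response(RESPONSE_XML, ACS_URL, "test:saml2", NOW, store)
    # and the same again a year later, to show the window check on its own
    expired = check_response(RESPONSE_XML, ACS_URL, "test:saml2", NOW.replace(year=2016), store)
    return posted_to_target, posted_to_acs, expired


if __name__ == "__main__":
    for label, result in zip(("posted to target URL", "posted to ACS", "expired"), demo()):
        print(label, "->", result or "OK")
```

The first run reports three problems (Destination and Recipient both differ from the page the POST landed on, and no user with uid=100), the second none, the third only the expiry. Running the posted response through the same checks with the real consumer URL and search attribute narrows the failure to one of these conditions instead of a silent redirect to the login page.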

ActiveMQ: adding users and console access

With reference to the ActiveMQ security documentation at http://activemq.apache.org/security.html, I'm trying to add a new user to my ActiveMQ configuration. This user should only be able to see a subset of the available queues.
I have done the following:
1) Added an entry in users.properties:
myuser=mypassword
2) Added an entry in groups.properties:
publishers=admin,myuser
consumers=admin,myuser
3) Added an entry to activemq.xml, in the plugins element of the broker element:
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
<authorizationEntry queue="MYQUEUEPREFIX.>" read="consumers" write="publishers" admin="admins" />
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
When I restart ActiveMQ and access the admin console at myServerURL:8161/admin, I enter the newly created username and password (myuser/mypassword) in the supplied "Authentication required" box but it doesn't give me access to the console. The only way I can get in is by using the already-defined "admin" user.
There is a difference between getting access to ActiveMQ queues via the broker and accessing the ActiveMQ web console. One has to modify the conf/jetty-realm.properties file in order to grant access to the latter.

How can I subscribe to an activemq topic with just read rights?

I have been trying to configure my activemq server so that anonymous clients can just subscribe to topics (they would not be able to create nor publish to topics).
I've set the rights accordingly on my broker configuration:
<plugins>
<simpleAuthenticationPlugin anonymousAccessAllowed="true">
<users>
<authenticationUser username="system" password="manager"
groups="anonymous,admins"/>
</users>
</simpleAuthenticationPlugin>
<!-- Lets configure a destination based authorization mechanism -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins,anonymous" write="admins" admin="admins" />
<authorizationEntry topic=">" read="admins,anonymous" write="admins" admin="admins" />
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
and I have been using the code below for subscribing, based on a couple of tutorials I found on the web. However this topic consumer code, and all the ones I've found, create an ActiveMQ topic to bind to (even if the topic already exists) and as a consequence it will only be authorized if I give admin rights to the user as well... Is there a way to subscribe to the topic without creating it?
import javax.jms.*;
import org.apache.activemq.ActiveMQSslConnectionFactory;

// Inside a class that implements javax.jms.MessageListener; connectionString and topicName are supplied by the caller
ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(connectionString);
Connection connection = connectionFactory.createConnection();
Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
Destination destination = session.createTopic(topicName);
MessageConsumer consumer = session.createConsumer(destination);
consumer.setMessageListener(this); // onMessage() of this class receives the messages
connection.start();
The topic has to be created by someone in order to be read from. The alternative to creation on demand is to create the topic through a <destinations> block within the <broker> block:
<destinations>
<topic physicalName="someTopic"/>
</destinations>
When you say "creates an ActiveMQ topic to bind to (even if the topic already exists)" you might be seeing advisory topics being created on demand (which is normal). You should add the following to your authorization config:
<authorizationEntry topic="ActiveMQ.Advisory.>"
read="admins"
write="admins,anonymous"
admin="admins,anonymous" />