With reference to the ActiveMQ security documentation at http://activemq.apache.org/security.html, I'm trying to add a new user to my ActiveMQ configuration. This user should only be able to see a subset of the available queues.
I have done the following:
1) Added an entry in users.properties:
myuser=mypassword
2) Added an entry in groups.properties:
publishers=admin,myuser
consumers=admin,myuser
3) Added an entry to activemq.xml, in the plugins element of the broker element:
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
<authorizationEntry queue="MYQUEUEPREFIX.>" read="consumers" write="publishers" admin="admins" />
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
When I restart ActiveMQ and access the admin console at myServerURL:8161/admin, I enter the newly created username and password (myuser/mypassword) in the supplied "Authentication required" box but it doesn't give me access to the console. The only way I can get in is by using the already-defined "admin" user.
There is a difference between getting access to ActiveMQ queues via the broker and accessing the ActiveMQ web console. One has to modify the conf/jetty-realm.properties file in order to grant access to the latter.
Related
When sending a message to a queue in ActiveMQ (e.g. using JmsTemplate.convertAndSend()) that is not configured the queue is dynamically created (on the fly).
Is it possible to have an exception thrown instead (e.g. if the queue wasn't create explicitly on the broker)?
Yes it is possible to have an exception thrown if the queue wasn't create explicitly on the broker. JMS destinations are automatically created for users who have the admin permission. Therefore, any user for which you don't want the broker to automatically create JMS destinations should not be in a role with the admin permission. Here's a sample configuration:
<broker>
..
<plugins>
..
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue="myQueue" read="consumers" write="producers" admin="admins" />
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
..
</plugins>
..
</broker>
In this configuration any users in the admins role will have the admin permission and the broker will automatically create JMS destinations for these users.
Team,
I am implementing runtime reloading of authorization map settings in activemq.xml using following configuration, (http://activemq.apache.org/runtime-configuration.html)
<broker xmlns="http://activemq.apache.org/schema/core" start="false" ... >
<plugins>
<runtimeConfigurationPlugin checkPeriod="1000" />
</plugins>
...
</broker>
I performed test cases out of which one specific case (critical) is not working as expected.
Failed test case is that a User-A has read and write access over Queue-A. User-A successfully reads and writes. But, If the role is deleted for User-A, without restarting ActiveMQ, User-A is still able to read and write to Queue-A. Expected result was that ActiveMQ shall forbid user from reading and writing to Queue-A.
Detailed Steps are as follows.
Action 1 : After starting the broker with a User A without any map entry for test queue
<plugins>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
<authorizationEntry queue="test.queue.A>" read="admins" write="admins" admin="admins"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Result 1: User A login Successful but not authorized to access test queue
Action 2: then I modified the authorization map and allowed user A to read and write on test queue. i.e. made User-A member of "grp_subscribers"
<plugins>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic="ActiveMQ.Advisory.>" read="grp_subscribers, admins" write="grp_subscribers, admins" admin="grp_subscribers, admins"/>
<authorizationEntry queue="test.queue.A>" read="grp_subscribers" write="grp_subscribers" admin="grp_subscribers, admins"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Result 2: User A login Successful and authorized on test queue
Action 3: then I again modified the authorization map by removing the access of user A on test queue
<plugins>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic="ActiveMQ.Advisory.>" read="admins" write="admins" admin="admins"/>
<authorizationEntry queue="test.queue.A>" read="admins" write="admins" admin="admins"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Result 3: User A login successful and still authorized on the test queue, which is here the problem is. User A should not be authorized on test queue.
I tried different ways and did a lot of troubleshooting for something if I am missing. I believe there is something I am missing
Activemq AuthorizationMap gets updated using checkPeriod attribute. After making a change in authorization roles, consumer/subscriber/producer connections need to be refreshed, which can be refreshed by stopping or starting a transport connector via jmx.
I have setup an activemq and configured the queue with users. I have created one queue and two users namely producer and consumer with read write permissions appropriately. I am able to post message using producer and consume the message using consumer.
When I login to the admin page of activemq using admin/admin I am not able to view the messages inside the queue. How to add admin user to access the queue.
I have added the below configuration entry in the activemq.xml
<plugins>
<simpleAuthenticationPlugin>
<users>
<authenticationUser username="producer" password="producer" groups="producers" />
<authenticationUser username="consumer" password="consumer" groups="consumers" />
<authenticationUser username="defaultUser" password="defaultPassword" groups="admins" />
</users>
</simpleAuthenticationPlugin>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue="test.Queue" write="producers" read="consumers" admin="admins" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="producers,consumers" write="producers,producers" admin="admins,producers,consumers"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Please let me know where I am going wrong.
Your admin user for the web console is in admins group ?
I think you need to add authenticationUser username="admin" password="admin" groups="admins" />
I have implemented my website using spring security.
I have added default-target-url in form-login tag:
<security:form-login login-page="/pages/dashboard.action" default-target-url="/welcome.action" authentication-failure-url="/pages/dashboard.action?error=true" />
So when ever user successfully logs in it will be redirected to the page which is defined by mapping given in default-target-url.
But I dont want this, I have log-in button at many places and i want user to directed to the same page from where he is logging in.
Can any one help me with this?
my dispather-servlet.xml:
<security:http use-expressions="true">
<security:intercept-url pattern="/IGG/citizen/*" access="hasRole('IGG_CITIZEN')" />
<security:form-login login-page="/pages/dashboard.action" default-target-url="/welcome.action" authentication-failure-url="/pages/dashboard.action?error=true" />
<security:logout logout-success-url="/pages/dashboard.action" delete-cookies="JSESSIONID" />
<security:anonymous username="guest" granted-authority="ROLE_GUEST"/>
<security:session-management invalid-session-url="/pages/dashboard.action"/>
<security:remember-me/>
<security:access-denied-handler delete-cookies="JSESSIONID"/>
</security:http>
Use bean SavedRequestAwareAuthenticationSuccessHandler as your success handler:
<bean id="successHandler"
class="org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler"
<property name="defaultTargetUrl" value="/welcome.action"/>
</bean>
And refer to it from the form-login using authentication-success-handler-ref parameter:
<security:form-login authentication-success-handler-ref="successHandler"/>
The SavedRequestAwareAuthenticationSuccessHandler uses page which user tried to access before initialization of the authentication process as the default landing page. When it's not available the defaultTargetUrl is used instead. The "stored page" value is set inside ExceptionTranslationFilter.
I have been trying to configure my activemq server so that anonymous clients can just subscribe to topics (they would not be able to create nor publish to topics).
I've set the rights accordingly on my broker configuration:
<plugins>
<simpleAuthenticationPlugin anonymousAccessAllowed="true">
<users>
<authenticationUser username="system" password="manager"
groups="anonymous,admins"/>
</users>
</simpleAuthenticationPlugin>
<!-- Lets configure a destination based authorization mechanism -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins,anonymous" write="admins" admin="admins" />
<authorizationEntry topic=">" read="admins,anonymous" write="admins" admin="admins" />
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
and I have been using code below for subscribing based on a couple of tutorials I found on the web. However this topic consumer code, and all the ones I've found, creates an activemq topic to bind to (event if the topic already exists) and as a consequence it will only be authorized if I give admin rights to the user as well... Is there a way to subscribe to the topic without creating it?
ActiveMQSslConnectionFactory connectionFactory = new ActiveMQSslConnectionFactory(connectionString);
connection = connectionFactory.createConnection();
session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
destination = session.createTopic(topicName);
MessageConsumer consumer = null;
consumer = session.createConsumer(destination);
consumer.setMessageListener(this);
connection.start();
The topic has to be created by someone in order to be read from. The alternative to creation of demand is to create the topic through a <destinations> block within the <broker> block:
<destinations>
<topic physicalName="someTopic"/>
</destinations>
When you say "creates an activemq topic to bind to (event if the topic already exists)" you might be seeing advisory topics being created on demand (which is normal). You should add the following to your authorization config:
<authorizationEntry topic="ActiveMQ.Advisory.>"
read="admins"
write="admins,anonymous"
admin="admins,anonymous" />