ActiveMQ on Jetty with LDAP Issue


ActiveMQ on Jetty with LDAP Issue

Pankaj Ambekar
Hello,

I'm using apache-activemq-5.15.8 with Jetty and trying to get the configuration working by connecting the admin-console authentication to LDAP/AD. I've followed all the necessary configs in login.config, activemq.xml and jetty.xml, and I can see in the logs that the user is authenticated. However, in the browser, I see the following error:

HTTP ERROR: 403

Problem accessing /admin/. Reason: 
    !role

Could you please advise whether you changed anything specific in web.xml (or any other config file) to get past this error?

--
Thanks

Regards,
Pankaj Ambekar


_______________________________________________
jetty-users mailing list
[hidden email]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Re: ActiveMQ on Jetty with LDAP Issue

Olivier Lamy
Hi
In order to help you, we need more details such as:
- Jetty version
- Java version
- exact steps to reproduce your problem

cheers
Olivier


On Sat, May 11, 2019 at 10:16 AM Pankaj Ambekar <[hidden email]> wrote:


--
Olivier


Re: ActiveMQ on Jetty with LDAP Issue

Pankaj Ambekar
Hello,

Here are more details on this:

* Jetty version - jetty-9.2.25.v20180606 (packaged with ActiveMQ-5.15.8)
* Java version - 1.8.0_131
* Steps to reproduce - Followed the steps mentioned on the page https://activemq.apache.org/security (LDAP Authentication Using the JAAS Plugin). The changes made to the following files:

login.config (actual values replaced by dummy)

LDAPLogin {
    org.apache.activemq.jaas.LDAPLoginModule required
    debug=true
    initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
    // closing quote was missing in the original paste
    connectionURL="ldap://nyc-dc01.corp.nypiua.com:389"
    connectionUsername="CN=<name>,OU=Dummy Accounts,OU=Dummy Accounts and Groups,DC=corp,DC=company,DC=com"
    connectionPassword="password"
    connectionProtocol=s
    authentication=simple
    userBase="OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com"
    userRoleName=dummyUserRoleName
    userSearchMatching="(sAMAccountName={0})"
    userSearchSubtree=true
    roleBase="OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com"
    // the value of this attribute on each matched group becomes the role name handed to Jetty
    roleName=cn
    roleSearchMatching="(member={0})"
    roleSearchSubtree=true
    ;
};

activemq.xml (added the following to the xml)
....
<plugins>
    <jaasAuthenticationPlugin configuration="LDAPLogin" />
</plugins>
.....

jetty.xml (added the following to the xml)

<bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
    <property name="name" value="LdapRealm" />
    <property name="loginModuleName" value="LDAPLogin" />
    <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
    <property name="identityService" ref="identityService" />
</bean>
.......
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="loginService" ref="ldapLoginService" />
    <property name="identityService" ref="identityService" />
    <property name="realmName" value="LdapRealm" />
    <property name="authenticator">
        <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
    </property>
    <property name="constraintMappings">
        <list>
            <ref bean="adminSecurityConstraintMapping" />
            <ref bean="securityConstraintMapping" />
        </list>
    </property>
    <property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>

No error in the logs:

2019-05-10 20:35:01,662 | DEBUG | Create the LDAP initial context. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,711 | DEBUG | Get the user DN. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG | Looking for the user in LDAP with  | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG |   base DN: OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,713 | DEBUG |   filter: (sAMAccountName=user1) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,734 | DEBUG | LDAP returned a relative name: CN=test user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,735 | DEBUG | Using DN [CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com ] for binding. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,736 | DEBUG | Binding the user. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,782 | DEBUG | Get user roles. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,783 | DEBUG | Looking for the user roles in LDAP with  | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,785 | DEBUG |   base DN: OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,786 | DEBUG |   filter: (member=CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:03,821 | DEBUG | Checkpoint started. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker
2019-05-10 20:35:03,832 | DEBUG | Checkpoint done. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker

Error in the browser:
HTTP ERROR: 403

Problem accessing /admin/. Reason: 
    !role

On Fri, May 10, 2019 at 9:06 PM Olivier Lamy <[hidden email]> wrote:


--
Thanks

Regards,
Pankaj Ambekar
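
Jetty's ConstraintSecurityHandler answers `!role` when the user authenticated fine but holds none of the roles a ConstraintMapping requires, so the useful check is whether the role names LDAPLoginModule logs match the `roles` property of the Constraint beans in jetty.xml. The script below is an added diagnostic, not code from the thread or from either project; its log excerpt is taken from the post above, and its jetty.xml fragment is a constructed stand-in for ActiveMQ's stock file (assumption: `adminSecurityConstraint` requires the `admin` role; verify against your copy). The function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt of the LDAPLoginModule debug line shown in the thread.
LOG = """\
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
"""

# Constructed stand-in for the Constraint bean in ActiveMQ's jetty.xml.
# Assumption: the stock adminSecurityConstraint requires the "admin" role.
JETTY_XML = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admin" />
    <property name="authenticate" value="true" />
  </bean>
</beans>
"""

ROLES_RE = re.compile(r"\| Roles \[([^\]]*)\] for user (\S+) \|")

def _split(csv):
    return {r.strip() for r in csv.split(",") if r.strip()}

def _local(tag):
    # Drop the Spring namespace so matching also works on a namespaced jetty.xml.
    return tag.rsplit("}", 1)[-1]

def roles_from_log(log):
    """user -> roles LDAPLoginModule resolved (the JAASRole names Jetty will see)."""
    return {m.group(2): _split(m.group(1)) for m in ROLES_RE.finditer(log)}

def required_roles(jetty_xml):
    """Constraint bean id -> roles its 'roles' property demands."""
    needed = {}
    for bean in ET.fromstring(jetty_xml).iter():
        if _local(bean.tag) != "bean" or bean.get("class") != "org.eclipse.jetty.util.security.Constraint":
            continue
        for prop in bean:
            if _local(prop.tag) == "property" and prop.get("name") == "roles":
                needed[bean.get("id")] = _split(prop.get("value", ""))
    return needed

def explain_403(log, jetty_xml):
    """user -> constraints sharing no role with the user's LDAP roles; non-empty means '!role'."""
    needed = required_roles(jetty_xml)
    return {user: sorted(c for c, req in needed.items() if not req & have)
            for user, have in roles_from_log(log).items()}
```

Run it against your real activemq.log and jetty.xml; any constraint it lists for a user is one that user cannot pass, whichever way you decide to align the names (rename the AD group, change `roleName`, or edit the constraint's `roles`).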



Re: ActiveMQ on Jetty with LDAP Issue

Olivier Lamy
Hi
You should ask the ActiveMQ mailing list, because it seems to be related to ActiveMQ.


On Sat, May 11, 2019 at 11:30 AM Pankaj Ambekar <[hidden email]> wrote:


--
Olivier
