Commit Graph

83 Commits

Author SHA1 Message Date
Justin Bertram 1662bc740e NO-JIRA small update for security manager 2022-08-02 08:59:26 -05:00
Vilius Šumskas d8af49d64c NO-JIRA Improve ActiveMQBasicSecurityManager documentation 2022-05-23 12:26:33 -05:00
Tiago Bueno 84c1feae8c NO-JIRA fix duplicate text in security.md doc
Remove the duplicate text in CertificateLoginModule section of the
security.md doc
2022-03-30 11:48:30 -04:00
Domenico Francesco Bruscino bac579ac25 ARTEMIS-3573 Support PropertiesLoginModule custom password codecs 2022-02-07 20:31:30 -06:00
Paul Wright ba62bc66a7 NO-JIRA: fix broken links in docs
This closes #3798
2022-02-02 16:21:10 +00:00
Justin Bertram 9ae18066b3 NO-JIRA clarify doc on security-setting with FQQN 2022-01-14 17:06:36 -06:00
Clebert Suconic 4e52758a62 NO-JIRA Updating activemq.org links 2021-12-20 14:46:01 -05:00
Marlon Müller d56d299456 ARTEMIS-3574 multiple bindings for embedded webserver
* Add BindingDTO to allow configuring multiple addresses to listen on
* Start a new ServerConnector for each binding and deploy the corresponding web-applications
* Update documentation and tests
* Add tests to verify old and new configuration style produce equal results
2021-12-14 19:16:34 -05:00
Clebert Suconic 1857017abe Revert "ARTEMIS-3574 multiple bindings for embedded webserver"
This reverts commit 182334359c.
2021-12-14 15:18:16 -05:00
Marlon Müller 182334359c ARTEMIS-3574 multiple bindings for embedded webserver
* Add BindingDTO to allow configuring multiple addresses to listen on
* Start a new ServerConnector for each binding and deploy the corresponding web-applications
* Update documentation and tests
* Add tests to verify old and new configuration style produce equal results
2021-12-14 09:38:59 -05:00
pahamala a0c4cba7e1 ARTEMIS-3140 Extra options in LDAP login module
Adds support for extra configuration options to LDAP login module to
prepare for supporting any future/custom string configuration in LDAP
directory context creation.

Details:

 - Changed LDAPLoginModule to pass any string configuration not
recognized by the module itself to the InitialDirContext construction
environment.
 - Changed the static LDAPLoginModule configuration key fields to an
enum to be able to loop through the specified keys (e.g. to filter out
the internal LDAPLoginModule configuration keys from the keys passed to
InitialDirContext).
 - Few fixes for issues reported by static analysis tools.
 - Tested that LDAP authentication with TLS+GSSAPI works against a
recent Windows AD server with Java
OpenJDK11U-jdk_x64_windows_hotspot_11.0.13_8 by setting the property
com.sun.jndi.ldap.tls.cbtype (see ARTEMIS-3140) in JAAS login.conf.
 - Moved LDAPLoginModuleTest to the correct package to be able to
access LDAPLoginModule package privates from the test code.
 - Added a test to LDAPLoginModuleTest for the task changes.
 - Updated documentation to reflect the changes.
2021-10-29 12:19:30 -05:00
Robbie Gemmell a5b5a504e0 ARTEMIS-3038: unwind effect of defunct changes from ARTEMIS-1264
Follows earlier test removal in a3de3d4c75
2021-10-07 10:45:02 +01:00
Domenico Francesco Bruscino 371a7099a6 NO-JIRA clarify console access using certs
Co-authored-by: Paul Wright <5154224+pwright@users.noreply.github.com>
2021-09-27 07:04:50 +02:00
Robbie Gemmell 8c90068527 ARTEMIS-3106: list the actual mechanism names not just the generalisation 2021-09-24 15:23:39 +01:00
gtully 28a10450b7 ARTEMIS-3106 - add some doc for SASL SCRAM-SHA
Update docs/user-manual/en/security.md
Co-authored-by: Robbie Gemmell <robbie@apache.org>
2021-09-24 15:03:00 +01:00
Justin Bertram a3fb3ffdce NO-JIRA fix security doc typo 2021-05-25 11:21:03 -05:00
Justin Bertram e9c94e57d9 ARTEMIS-3288 support bulk user loading with basic security manager 2021-05-25 11:13:35 -05:00
gtully 06461f146c ARTEMIS-3168 - add PrincipalConversionLoginModule feature 2021-03-23 09:51:50 +00:00
Urs Roesch 57e6d2757a NO-JIRA: Correct misspellings in documentation 2020-12-07 14:54:16 -05:00
Justin Bertram c64d4d62e3 ARTEMIS-3010 doc updates 2020-11-27 11:04:08 +00:00
Urs Roesch f491651fdb NO-JIRA: remove duplicate consecutive words
Removes duplicate consecutive words from markdown
documentation files.
2020-11-16 15:19:29 -06:00
Howard Gao 3ab5dcfc28 NO JIRA - fixing doc typo 2020-11-05 10:28:41 -05:00
Justin Bertram 75e12b5e1d ARTEMIS-2947 Implement SecurityManager that supports replication 2020-10-19 10:07:57 -04:00
Justin Bertram 9a90248f49 ARTEMIS-2889 better support for JMS topics with legacy LDAP plugin 2020-09-16 10:14:57 -04:00
gtully ec1c5a96c7 ARTEMIS-2895 - ensure propagated credentials are visible for bind and removed for subsequent mapping operations 2020-09-07 16:32:57 +01:00
Justin Bertram 90853409a0 ARTEMIS-2886 optimize security auth
Both authentication and authorization will hit the underlying security
repository (e.g. files, LDAP, etc.). For example, creating a JMS
connection and a consumer will result in 2 hits with the *same*
authentication request. This can cause unwanted (and unnecessary)
resource utilization, especially in the case of networked configuration
like LDAP.

There is already a rudimentary cache for authorization, but it is
cleared *totally* every 10 seconds by default (controlled via the
security-invalidation-interval setting), and it must be populated
initially which still results in duplicate auth requests.

This commit optimizes authentication and authorization via the following
changes:

 - Replace our home-grown cache with Google Guava's cache. This provides
simple caching with both time-based and size-based LRU eviction. See more
at https://github.com/google/guava/wiki/CachesExplained. I also thought
about using Caffeine, but we already have a dependency on Guava and the
cache implementations look to be negligibly different for this use-case.
 - Add caching for authentication. Both successful and unsuccessful
authentication attempts will be cached to spare the underlying security
repository as much as possible. Authenticated Subjects will be cached
and re-used whenever possible.
 - Authorization will use Subjects cached during authentication. If the
required Subject is not in the cache it will be fetched from the
underlying security repo.
 - Caching can be disabled by setting the security-invalidation-interval
to 0.
 - Cache sizes are configurable.
 - Management operations exist to inspect cache sizes at runtime.
2020-08-26 13:36:24 -05:00
Justin Bertram d86067a65b ARTEMIS-2872 support FQQN syntax for security-settings 2020-08-22 18:24:40 -05:00
Justin Bertram 6709883d0e ARTEMIS-2738 implement per-acceptor security domains 2020-04-28 21:45:38 -04:00
Justin Bertram fb60795b59 NO-JIRA fix user command parameter docs 2020-02-05 08:36:34 -06:00
Justin Bertram 1ad8b3c059 ARTEMIS-2590 support com.sun.jndi.ldap.read.timeout in LDAPLoginModule 2020-01-08 12:38:27 -05:00
Justin Bertram c06404406c ARTEMIS-2574 allow security manager config via XML
The test-suite has long used the broker's ability to configure the
security manager. This commit implements this functionality via XML
configuration.
2019-12-12 15:48:43 -05:00
Joshua Smith d7d11a0c6f ARTEMIS-2535 Add ignorePartialResultException option to LDAPLoginModule
Active Directory servers are unable to handle referrals automatically.
This causes a PartialResultException to be thrown if a referral is
encountered beneath the base search DN, even if the LDAPLoginModule is
set to ignore referrals.

This option may be set to 'true' to ignore these exceptions, allowing
login to proceed with the query results received before the exception
was encountered.

Note: there are no tests for this change as I could not reproduce the
issue with the ApacheDS test server. The issue is specific to directory
servers that don't support the ManageDsaIT control such as Active
Directory.
2019-10-30 13:47:50 -07:00
Sascha Dirbach 8043828e84 ARTEMIS-2521 add documentation for role-mapping 2019-10-16 18:18:04 +02:00
gtully b20c2593e9 ARTEMIS-2433 add ExternalCertificateLoginModule to surface a SASL EXTERNAL identity (subjectDN) to JAAS. 2019-08-25 23:57:20 -04:00
Justin Bertram d379cda374 ARTEMIS-2447 allow mapping admin to manage in LDAP plugin 2019-08-06 15:27:18 -05:00
Justin Bertram d125a78841 ARTEMIS-2396 improve password masking doc 2019-06-26 18:05:00 -04:00
Justin Bertram 4a1fc61fcc ARTEMIS-2243 user/role ops for PropertiesLoginModule via mgmnt 2019-02-07 10:16:01 -05:00
Ville Skyttä 3400c0d76e NO-JIRA Grammar and spelling fixes 2018-10-08 20:45:59 -04:00
Justin Bertram 7b4be5008d ARTEMIS-1974 document LDAP role expansion 2018-07-12 12:42:01 -04:00
gtully d54e5a7868 ARTEMIS-1971 Support connection pooling in LDAPLoginModule 2018-07-06 13:53:29 -05:00
Justin Bertram 2b5d8f3b80 ARTEMIS-1912 big doc refactor
- Split protocols into individual chapters
- Reorganize summary to flow more logically
- Fill in missing parameters in configuration index
- Normalize spaces for ordered and unordered lists
- Re-wrap lots of text for readability
- Fix incorrect XML snippets
- Normalize table formatting
- Improve internal links with anchors
- Update content to reflect new address model
- Resized architecture images to avoid excessive white-space
- Update some JavaDoc
- Update some schema elements
- Disambiguate AIO & ASYNCIO where necessary
- Use URIs instead of Objects in code examples
2018-06-07 11:26:36 -04:00
Lionel Cons 1e81361a88 ARTEMIS-1740: Add support for regex based certificate authentication 2018-04-12 12:55:20 -04:00
gtully 72ec6c8e0b [ARTEMIS-1758] support SASL EXTERNAL with TextCertLoginModule
- rework proton handler to use saslListener
2018-03-22 10:09:58 -04:00
Justin Bertram 86c9e7267b NO-JIRA review docs for content, style, & format 2018-03-08 22:47:10 -05:00
Justin Bertram 2123f85ea9 ARTEMIS-1717 create/delete address permissions ignored in broker.xml 2018-03-01 14:02:57 -06:00
Jiri Danek 472e429540 NO-JIRA fix warnings from w3c/link-checker in docs
also update URLs and `s/http/https` in docs wherever possible
2018-01-10 13:07:40 +01:00
Justin Bertram 84bedaf2e4 ARTEMIS-1547 support referrals in LDAP login module 2017-12-10 21:50:47 +00:00
Andy Taylor 804e12c7ce ARTEMIS-1491 - removed duplicate Jolokia instance
https://issues.apache.org/jira/browse/ARTEMIS-1491
2017-10-31 09:33:10 -05:00
gtully d402756e09 ARTEMIS-1373 - ensure roleName is in the doc config example 2017-09-07 16:14:55 +01:00
gtully 99b2e4c0fb ARTEMIS-1373 - support memberOf type query for role mapping and respect roleName attribute AMQ-3064 2017-09-07 14:11:48 +01:00