Merge pull request #1100 from hyteio/AMQ-8391-jaas-web

[AMQ-8391] Convert web to use shared JAAS realm with messaging layer

assembly/pom.xml

@@ -373,6 +373,10 @@
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-annotations</artifactId>
     </dependency>
+    <dependency>
+      <groupId>org.eclipse.jetty</groupId>
+      <artifactId>jetty-jaas</artifactId>
+    </dependency>
     <dependency>
       <groupId>org.eclipse.jetty</groupId>
       <artifactId>jetty-jndi</artifactId>

assembly/src/main/descriptors/common-bin.xml

@@ -271,6 +271,7 @@
         <include>org.eclipse.jetty:jetty-util</include>
         <include>org.eclipse.jetty:jetty-http</include>
         <include>org.eclipse.jetty:jetty-io</include>
+        <include>org.eclipse.jetty:jetty-jaas</include>
         <include>org.eclipse.jetty:jetty-jndi</include>
         <include>org.eclipse.jetty:jetty-plus</include>
         <include>org.eclipse.jetty:jetty-servlet</include>

assembly/src/release/conf/jetty.xml

@@ -1,5 +1,4 @@
-
-    <!--
+<!--
         Licensed to the Apache Software Foundation (ASF) under one or more contributor
         license agreements. See the NOTICE file distributed with this work for additional
         information regarding copyright ownership. The ASF licenses this file to You under
@@ -24,20 +23,27 @@
         <property name="sendServerVersion" value="false"/>
     </bean>
 
-    <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
-        <property name="name" value="ActiveMQRealm" />
-        <property name="config" value="${activemq.conf}/jetty-realm.properties" />
+    <bean id="jaasLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
+        <property name="name" value="ActiveMQRealm"/>
+        <property name="loginModuleName" value="activemq"/>
+        <property name="roleClassNames">
+            <list>
+                <value>org.apache.activemq.jaas.GroupPrincipal</value>
+            </list>
+        </property>
     </bean>
 
+    <bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
+
     <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
         <property name="name" value="BASIC" />
-        <property name="roles" value="user,admin" />
+        <property name="roles" value="user,admins" />
         <!-- set authenticate=false to disable login -->
         <property name="authenticate" value="true" />
     </bean>
     <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
         <property name="name" value="BASIC" />
-        <property name="roles" value="admin" />
+        <property name="roles" value="admins" />
          <!-- set authenticate=false to disable login -->
         <property name="authenticate" value="true" />
     </bean>
@@ -75,37 +81,38 @@
         </property>
     </bean>
     
-	<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
-		<property name="handlers">
-			<list>
-   	            <ref bean="rewriteHandler"/>
-				<bean class="org.eclipse.jetty.webapp.WebAppContext">
-					<property name="contextPath" value="/admin" />
-					<property name="resourceBase" value="${activemq.home}/webapps/admin" />
-					<property name="logUrlOnStart" value="true" />
-				</bean>
-				<bean class="org.eclipse.jetty.webapp.WebAppContext">
-					<property name="contextPath" value="/api" />
-					<property name="resourceBase" value="${activemq.home}/webapps/api" />
-					<property name="logUrlOnStart" value="true" />
-				</bean>
-				<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
-					<property name="directoriesListed" value="false" />
-					<property name="welcomeFiles">
-						<list>
-							<value>index.html</value>
-						</list>
-					</property>
-					<property name="resourceBase" value="${activemq.home}/webapps/" />
-				</bean>
-				<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
-					<property name="serveIcon" value="false" />
-				</bean>
-			</list>
-		</property>
-	</bean>    
+    <bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
+        <property name="handlers">
+            <list>
+                <ref bean="rewriteHandler"/>
+                <bean class="org.eclipse.jetty.webapp.WebAppContext">
+                    <property name="contextPath" value="/admin" />
+                    <property name="resourceBase" value="${activemq.home}/webapps/admin" />
+                    <property name="logUrlOnStart" value="true" />
+                </bean>
+                <bean class="org.eclipse.jetty.webapp.WebAppContext">
+                    <property name="contextPath" value="/api" />
+                    <property name="resourceBase" value="${activemq.home}/webapps/api" />
+                    <property name="logUrlOnStart" value="true" />
+                </bean>
+                <bean class="org.eclipse.jetty.server.handler.ResourceHandler">
+                    <property name="directoriesListed" value="false" />
+                    <property name="welcomeFiles">
+                        <list>
+                            <value>index.html</value>
+                        </list>
+                    </property>
+                    <property name="resourceBase" value="${activemq.home}/webapps/" />
+                </bean>
+                <bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
+                    <property name="serveIcon" value="false" />
+                </bean>
+            </list>
+        </property>
+    </bean>    
     <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
-        <property name="loginService" ref="securityLoginService" />
+        <property name="identityService" ref="identityService" />
+        <property name="loginService" ref="jaasLoginService" />
         <property name="authenticator">
             <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
         </property>
@@ -144,10 +151,10 @@
     </bean>
 
     <bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
-    	<property name="targetObject" ref="Server" />
-    	<property name="targetMethod" value="setConnectors" />
-    	<property name="arguments">
-    	<list>
+        <property name="targetObject" ref="Server" />
+        <property name="targetMethod" value="setConnectors" />
+        <property name="arguments">
+        <list>
                <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
                    <constructor-arg ref="Server"/>
                    <constructor-arg>
@@ -165,35 +172,36 @@
                     Enable this connector if you wish to use https with web console
                 -->
                 <!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
-					<constructor-arg ref="Server" />
-					<constructor-arg>
-						<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
-						
-							<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
-							<property name="keyStorePassword" value="password" />
-						</bean>
-					</constructor-arg>
-					<property name="port" value="8162" />
-				</bean -->
+                    <constructor-arg ref="Server" />
+                    <constructor-arg>
+                        <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+                        
+                            <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
+                            <property name="keyStorePassword" value="password" />
+                        </bean>
+                    </constructor-arg>
+                    <property name="port" value="8162" />
+                </bean -->
             </list>
-    	</property>
+        </property>
     </bean>
 
-	<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
-		<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
-		<property name="arguments">
-			<list>
-				<ref bean="Server" />
-				<ref bean="secHandlerCollection" />
-			</list>
-		</property>
-	</bean>
+    <bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
+        <property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
+        <property name="arguments">
+            <list>
+                <ref bean="Server" />
+                <ref bean="secHandlerCollection" />
+            </list>
+        </property>
+    </bean>
     
     <bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean" 
-    	depends-on="configureJetty, invokeConnectors">
-    	<property name="targetObject" ref="Server" />
-    	<property name="targetMethod" value="start" />  	
+        depends-on="configureJetty, invokeConnectors">
+        <property name="targetObject" ref="Server" />
+        <property name="targetMethod" value="start" />      
     </bean>
     
     
 </beans>
+

assembly/src/release/examples/conf/jetty-demo.xml

@@ -22,7 +22,7 @@
 
     <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
         <property name="name" value="ActiveMQRealm" />
-        <property name="config" value="${activemq.conf}/jetty-realm.properties" />
+        <property name="config" value="${activemq.conf}/jetty-realm-5.x.properties" />
     </bean>
 
     <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">

assembly/src/release/examples/conf/jetty-realm-5.x.properties

@@ -15,7 +15,19 @@
 ## limitations under the License.
 ## ---------------------------------------------------------------------------
 
+## ---------------------------------------------------------------------------
+## [AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups. 
+## This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm
+## for authentication and authorization of web-based services such as the web console
+## and rest apis. This is the config approach that was used in ActiveMQ 5.x.
+##
+## Rename this file to conf/jetty-realm.properties to setup user and group
+## authorization following the ActiveMQ 5.x approach
+##
+## Note: conf/jetty-realm.properties is used to store user, password and group data
+## ---------------------------------------------------------------------------
+
 # Defines users that can access the web (console, demo, etc.)
 # username: password [,rolename ...]
 admin: admin, admin
-user: user, user
+user: user, user

assembly/src/release/examples/conf/jetty-realm-5.x.xml

@@ -0,0 +1,207 @@
+
+    <!--
+        Licensed to the Apache Software Foundation (ASF) under one or more contributor
+        license agreements. See the NOTICE file distributed with this work for additional
+        information regarding copyright ownership. The ASF licenses this file to You under
+        the Apache License, Version 2.0 (the "License"); you may not use this file except in
+        compliance with the License. You may obtain a copy of the License at
+
+        http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or
+        agreed to in writing, software distributed under the License is distributed on an
+        "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+        implied. See the License for the specific language governing permissions and
+        limitations under the License.
+    -->
+    <!--
+        An embedded servlet engine for serving up the Admin consoles, REST and Ajax APIs and
+        some demos Include this file in your configuration to enable ActiveMQ web components
+        e.g. <import resource="jetty.xml"/>
+    -->
+    <!--
+        [AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups. 
+        This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm
+        for authentication and authorization of web-based services such as the web console
+        and rest apis. This is the config approach that was used in ActiveMQ 5.x.
+
+        Note: conf/jetty-realm.properties is used to store user, password and group data
+    -->
+<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
+
+    <bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
+        <property name="sendServerVersion" value="false"/>
+    </bean>
+
+    <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
+        <property name="name" value="ActiveMQRealm" />
+        <property name="config" value="${activemq.conf}/jetty-realm.properties" />
+    </bean>
+
+    <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
+        <property name="name" value="BASIC" />
+        <property name="roles" value="user,admin" />
+        <!-- set authenticate=false to disable login -->
+        <property name="authenticate" value="true" />
+    </bean>
+    <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
+        <property name="name" value="BASIC" />
+        <property name="roles" value="admin" />
+         <!-- set authenticate=false to disable login -->
+        <property name="authenticate" value="true" />
+    </bean>
+    <bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
+        <property name="constraint" ref="securityConstraint" />
+        <!-- AMQ-9239 TODO: review jetty.xml pathSpec change
+        <property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
+        -->
+        <property name="pathSpec" value="/,/api/*" />
+    </bean>
+    <bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
+        <property name="constraint" ref="adminSecurityConstraint" />
+        <property name="pathSpec" value="*.action" />
+    </bean>
+    
+    <bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
+        <property name="rules">
+            <list>
+                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+                  <property name="pattern" value="*"/>
+                  <property name="name" value="X-FRAME-OPTIONS"/>
+                  <property name="value" value="SAMEORIGIN"/>
+                </bean>
+                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+                  <property name="pattern" value="*"/>
+                  <property name="name" value="X-XSS-Protection"/>
+                  <property name="value" value="1; mode=block"/>
+                </bean>
+                <bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
+                  <property name="pattern" value="*"/>
+                  <property name="name" value="X-Content-Type-Options"/>
+                  <property name="value" value="nosniff"/>
+                </bean>
+            </list>
+        </property>
+    </bean>
+    
+	<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
+		<property name="handlers">
+			<list>
+   	            <ref bean="rewriteHandler"/>
+				<bean class="org.eclipse.jetty.webapp.WebAppContext">
+					<property name="contextPath" value="/admin" />
+					<property name="resourceBase" value="${activemq.home}/webapps/admin" />
+					<property name="logUrlOnStart" value="true" />
+				</bean>
+				<bean class="org.eclipse.jetty.webapp.WebAppContext">
+					<property name="contextPath" value="/api" />
+					<property name="resourceBase" value="${activemq.home}/webapps/api" />
+					<property name="logUrlOnStart" value="true" />
+				</bean>
+				<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
+					<property name="directoriesListed" value="false" />
+					<property name="welcomeFiles">
+						<list>
+							<value>index.html</value>
+						</list>
+					</property>
+					<property name="resourceBase" value="${activemq.home}/webapps/" />
+				</bean>
+				<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
+					<property name="serveIcon" value="false" />
+				</bean>
+			</list>
+		</property>
+	</bean>    
+    <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
+        <property name="loginService" ref="securityLoginService" />
+        <property name="authenticator">
+            <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
+        </property>
+        <property name="constraintMappings">
+            <list>
+                <ref bean="adminSecurityConstraintMapping" />
+                <ref bean="securityConstraintMapping" />
+            </list>
+        </property>
+        <property name="handler" ref="secHandlerCollection" />
+    </bean>
+
+    <bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
+    </bean>
+
+    <bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
+             <!-- the default port number for the web console -->
+        <property name="host" value="127.0.0.1"/>
+        <property name="port" value="8161"/>
+    </bean>
+
+    <bean id="Server" depends-on="jettyPort" class="org.eclipse.jetty.server.Server"
+        destroy-method="stop">
+
+        <property name="handler">
+            <bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
+                <property name="handlers">
+                    <list>
+                        <ref bean="contexts" />
+                        <ref bean="securityHandler" />
+                    </list>
+                </property>
+            </bean>
+        </property>
+
+    </bean>
+
+    <bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
+    	<property name="targetObject" ref="Server" />
+    	<property name="targetMethod" value="setConnectors" />
+    	<property name="arguments">
+    	<list>
+               <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
+                   <constructor-arg ref="Server"/>
+                   <constructor-arg>
+                       <list>
+                           <bean id="httpConnectionFactory" class="org.eclipse.jetty.server.HttpConnectionFactory">
+                               <constructor-arg ref="httpConfig"/>
+                           </bean>
+                       </list>
+                   </constructor-arg>
+                   <!-- see the jettyPort bean -->
+                   <property name="host" value="#{systemProperties['jetty.host']}" />
+                   <property name="port" value="#{systemProperties['jetty.port']}" />
+               </bean>
+                <!--
+                    Enable this connector if you wish to use https with web console
+                -->
+                <!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
+					<constructor-arg ref="Server" />
+					<constructor-arg>
+						<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
+						
+							<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
+							<property name="keyStorePassword" value="password" />
+						</bean>
+					</constructor-arg>
+					<property name="port" value="8162" />
+				</bean -->
+            </list>
+    	</property>
+    </bean>
+
+	<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
+		<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
+		<property name="arguments">
+			<list>
+				<ref bean="Server" />
+				<ref bean="secHandlerCollection" />
+			</list>
+		</property>
+	</bean>
+    
+    <bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean" 
+    	depends-on="configureJetty, invokeConnectors">
+    	<property name="targetObject" ref="Server" />
+    	<property name="targetMethod" value="start" />  	
+    </bean>
+    
+    
+</beans>