mirror of https://github.com/apache/activemq.git
Merge pull request #1100 from hyteio/AMQ-8391-jaas-web
[AMQ-8391] Convert web to use shared JAAS realm with messaging layer
This commit is contained in:
commit
18c74769dc
|
@ -373,6 +373,10 @@
|
|||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-annotations</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-jaas</artifactId>
|
||||
</dependency>
|
||||
<dependency>
|
||||
<groupId>org.eclipse.jetty</groupId>
|
||||
<artifactId>jetty-jndi</artifactId>
|
||||
|
|
|
@ -271,6 +271,7 @@
|
|||
<include>org.eclipse.jetty:jetty-util</include>
|
||||
<include>org.eclipse.jetty:jetty-http</include>
|
||||
<include>org.eclipse.jetty:jetty-io</include>
|
||||
<include>org.eclipse.jetty:jetty-jaas</include>
|
||||
<include>org.eclipse.jetty:jetty-jndi</include>
|
||||
<include>org.eclipse.jetty:jetty-plus</include>
|
||||
<include>org.eclipse.jetty:jetty-servlet</include>
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
|
||||
<!--
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more contributor
|
||||
license agreements. See the NOTICE file distributed with this work for additional
|
||||
information regarding copyright ownership. The ASF licenses this file to You under
|
||||
|
@ -24,20 +23,27 @@
|
|||
<property name="sendServerVersion" value="false"/>
|
||||
</bean>
|
||||
|
||||
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
|
||||
<property name="name" value="ActiveMQRealm" />
|
||||
<property name="config" value="${activemq.conf}/jetty-realm.properties" />
|
||||
<bean id="jaasLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
|
||||
<property name="name" value="ActiveMQRealm"/>
|
||||
<property name="loginModuleName" value="activemq"/>
|
||||
<property name="roleClassNames">
|
||||
<list>
|
||||
<value>org.apache.activemq.jaas.GroupPrincipal</value>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
|
||||
|
||||
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
|
||||
<property name="name" value="BASIC" />
|
||||
<property name="roles" value="user,admin" />
|
||||
<property name="roles" value="user,admins" />
|
||||
<!-- set authenticate=false to disable login -->
|
||||
<property name="authenticate" value="true" />
|
||||
</bean>
|
||||
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
|
||||
<property name="name" value="BASIC" />
|
||||
<property name="roles" value="admin" />
|
||||
<property name="roles" value="admins" />
|
||||
<!-- set authenticate=false to disable login -->
|
||||
<property name="authenticate" value="true" />
|
||||
</bean>
|
||||
|
@ -75,37 +81,38 @@
|
|||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
|
||||
<property name="handlers">
|
||||
<list>
|
||||
<ref bean="rewriteHandler"/>
|
||||
<bean class="org.eclipse.jetty.webapp.WebAppContext">
|
||||
<property name="contextPath" value="/admin" />
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/admin" />
|
||||
<property name="logUrlOnStart" value="true" />
|
||||
</bean>
|
||||
<bean class="org.eclipse.jetty.webapp.WebAppContext">
|
||||
<property name="contextPath" value="/api" />
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/api" />
|
||||
<property name="logUrlOnStart" value="true" />
|
||||
</bean>
|
||||
<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
|
||||
<property name="directoriesListed" value="false" />
|
||||
<property name="welcomeFiles">
|
||||
<list>
|
||||
<value>index.html</value>
|
||||
</list>
|
||||
</property>
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/" />
|
||||
</bean>
|
||||
<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
|
||||
<property name="serveIcon" value="false" />
|
||||
</bean>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
|
||||
<property name="handlers">
|
||||
<list>
|
||||
<ref bean="rewriteHandler"/>
|
||||
<bean class="org.eclipse.jetty.webapp.WebAppContext">
|
||||
<property name="contextPath" value="/admin" />
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/admin" />
|
||||
<property name="logUrlOnStart" value="true" />
|
||||
</bean>
|
||||
<bean class="org.eclipse.jetty.webapp.WebAppContext">
|
||||
<property name="contextPath" value="/api" />
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/api" />
|
||||
<property name="logUrlOnStart" value="true" />
|
||||
</bean>
|
||||
<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
|
||||
<property name="directoriesListed" value="false" />
|
||||
<property name="welcomeFiles">
|
||||
<list>
|
||||
<value>index.html</value>
|
||||
</list>
|
||||
</property>
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/" />
|
||||
</bean>
|
||||
<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
|
||||
<property name="serveIcon" value="false" />
|
||||
</bean>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
|
||||
<property name="loginService" ref="securityLoginService" />
|
||||
<property name="identityService" ref="identityService" />
|
||||
<property name="loginService" ref="jaasLoginService" />
|
||||
<property name="authenticator">
|
||||
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
|
||||
</property>
|
||||
|
@ -144,10 +151,10 @@
|
|||
</bean>
|
||||
|
||||
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
|
||||
<property name="targetObject" ref="Server" />
|
||||
<property name="targetMethod" value="setConnectors" />
|
||||
<property name="arguments">
|
||||
<list>
|
||||
<property name="targetObject" ref="Server" />
|
||||
<property name="targetMethod" value="setConnectors" />
|
||||
<property name="arguments">
|
||||
<list>
|
||||
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
|
||||
<constructor-arg ref="Server"/>
|
||||
<constructor-arg>
|
||||
|
@ -165,35 +172,36 @@
|
|||
Enable this connector if you wish to use https with web console
|
||||
-->
|
||||
<!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
|
||||
<constructor-arg ref="Server" />
|
||||
<constructor-arg>
|
||||
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
|
||||
<constructor-arg ref="Server" />
|
||||
<constructor-arg>
|
||||
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
|
||||
|
||||
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
|
||||
<property name="keyStorePassword" value="password" />
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<property name="port" value="8162" />
|
||||
</bean -->
|
||||
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
|
||||
<property name="keyStorePassword" value="password" />
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<property name="port" value="8162" />
|
||||
</bean -->
|
||||
</list>
|
||||
</property>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
|
||||
<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
|
||||
<property name="arguments">
|
||||
<list>
|
||||
<ref bean="Server" />
|
||||
<ref bean="secHandlerCollection" />
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
|
||||
<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
|
||||
<property name="arguments">
|
||||
<list>
|
||||
<ref bean="Server" />
|
||||
<ref bean="secHandlerCollection" />
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
|
||||
depends-on="configureJetty, invokeConnectors">
|
||||
<property name="targetObject" ref="Server" />
|
||||
<property name="targetMethod" value="start" />
|
||||
depends-on="configureJetty, invokeConnectors">
|
||||
<property name="targetObject" ref="Server" />
|
||||
<property name="targetMethod" value="start" />
|
||||
</bean>
|
||||
|
||||
|
||||
</beans>
|
||||
|
||||
|
|
|
@ -22,7 +22,7 @@
|
|||
|
||||
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
|
||||
<property name="name" value="ActiveMQRealm" />
|
||||
<property name="config" value="${activemq.conf}/jetty-realm.properties" />
|
||||
<property name="config" value="${activemq.conf}/jetty-realm-5.x.properties" />
|
||||
</bean>
|
||||
|
||||
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
|
||||
|
|
|
@ -15,6 +15,18 @@
|
|||
## limitations under the License.
|
||||
## ---------------------------------------------------------------------------
|
||||
|
||||
## ---------------------------------------------------------------------------
|
||||
## [AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups.
|
||||
## This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm
|
||||
## for authentication and authorization of web-based services such as the web console
|
||||
## and rest apis. This is the config approach that was used in ActiveMQ 5.x.
|
||||
##
|
||||
## Rename this file to conf/jetty-realm.properties to setup user and group
|
||||
## authorization following the ActiveMQ 5.x approach
|
||||
##
|
||||
## Note: conf/jetty-realm.properties is used to store user, password and group data
|
||||
## ---------------------------------------------------------------------------
|
||||
|
||||
# Defines users that can access the web (console, demo, etc.)
|
||||
# username: password [,rolename ...]
|
||||
admin: admin, admin
|
|
@ -0,0 +1,207 @@
|
|||
|
||||
<!--
|
||||
Licensed to the Apache Software Foundation (ASF) under one or more contributor
|
||||
license agreements. See the NOTICE file distributed with this work for additional
|
||||
information regarding copyright ownership. The ASF licenses this file to You under
|
||||
the Apache License, Version 2.0 (the "License"); you may not use this file except in
|
||||
compliance with the License. You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or
|
||||
agreed to in writing, software distributed under the License is distributed on an
|
||||
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied. See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
-->
|
||||
<!--
|
||||
An embedded servlet engine for serving up the Admin consoles, REST and Ajax APIs and
|
||||
some demos Include this file in your configuration to enable ActiveMQ web components
|
||||
e.g. <import resource="jetty.xml"/>
|
||||
-->
|
||||
<!--
|
||||
[AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups.
|
||||
This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm
|
||||
for authentication and authorization of web-based services such as the web console
|
||||
and rest apis. This is the config approach that was used in ActiveMQ 5.x.
|
||||
|
||||
Note: conf/jetty-realm.properties is used to store user, password and group data
|
||||
-->
|
||||
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
|
||||
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
|
||||
|
||||
<bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
|
||||
<property name="sendServerVersion" value="false"/>
|
||||
</bean>
|
||||
|
||||
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
|
||||
<property name="name" value="ActiveMQRealm" />
|
||||
<property name="config" value="${activemq.conf}/jetty-realm.properties" />
|
||||
</bean>
|
||||
|
||||
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
|
||||
<property name="name" value="BASIC" />
|
||||
<property name="roles" value="user,admin" />
|
||||
<!-- set authenticate=false to disable login -->
|
||||
<property name="authenticate" value="true" />
|
||||
</bean>
|
||||
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
|
||||
<property name="name" value="BASIC" />
|
||||
<property name="roles" value="admin" />
|
||||
<!-- set authenticate=false to disable login -->
|
||||
<property name="authenticate" value="true" />
|
||||
</bean>
|
||||
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
|
||||
<property name="constraint" ref="securityConstraint" />
|
||||
<!-- AMQ-9239 TODO: review jetty.xml pathSpec change
|
||||
<property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
|
||||
-->
|
||||
<property name="pathSpec" value="/,/api/*" />
|
||||
</bean>
|
||||
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
|
||||
<property name="constraint" ref="adminSecurityConstraint" />
|
||||
<property name="pathSpec" value="*.action" />
|
||||
</bean>
|
||||
|
||||
<bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
|
||||
<property name="rules">
|
||||
<list>
|
||||
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
|
||||
<property name="pattern" value="*"/>
|
||||
<property name="name" value="X-FRAME-OPTIONS"/>
|
||||
<property name="value" value="SAMEORIGIN"/>
|
||||
</bean>
|
||||
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
|
||||
<property name="pattern" value="*"/>
|
||||
<property name="name" value="X-XSS-Protection"/>
|
||||
<property name="value" value="1; mode=block"/>
|
||||
</bean>
|
||||
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
|
||||
<property name="pattern" value="*"/>
|
||||
<property name="name" value="X-Content-Type-Options"/>
|
||||
<property name="value" value="nosniff"/>
|
||||
</bean>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
|
||||
<property name="handlers">
|
||||
<list>
|
||||
<ref bean="rewriteHandler"/>
|
||||
<bean class="org.eclipse.jetty.webapp.WebAppContext">
|
||||
<property name="contextPath" value="/admin" />
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/admin" />
|
||||
<property name="logUrlOnStart" value="true" />
|
||||
</bean>
|
||||
<bean class="org.eclipse.jetty.webapp.WebAppContext">
|
||||
<property name="contextPath" value="/api" />
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/api" />
|
||||
<property name="logUrlOnStart" value="true" />
|
||||
</bean>
|
||||
<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
|
||||
<property name="directoriesListed" value="false" />
|
||||
<property name="welcomeFiles">
|
||||
<list>
|
||||
<value>index.html</value>
|
||||
</list>
|
||||
</property>
|
||||
<property name="resourceBase" value="${activemq.home}/webapps/" />
|
||||
</bean>
|
||||
<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
|
||||
<property name="serveIcon" value="false" />
|
||||
</bean>
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
|
||||
<property name="loginService" ref="securityLoginService" />
|
||||
<property name="authenticator">
|
||||
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
|
||||
</property>
|
||||
<property name="constraintMappings">
|
||||
<list>
|
||||
<ref bean="adminSecurityConstraintMapping" />
|
||||
<ref bean="securityConstraintMapping" />
|
||||
</list>
|
||||
</property>
|
||||
<property name="handler" ref="secHandlerCollection" />
|
||||
</bean>
|
||||
|
||||
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
|
||||
</bean>
|
||||
|
||||
<bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
|
||||
<!-- the default port number for the web console -->
|
||||
<property name="host" value="127.0.0.1"/>
|
||||
<property name="port" value="8161"/>
|
||||
</bean>
|
||||
|
||||
<bean id="Server" depends-on="jettyPort" class="org.eclipse.jetty.server.Server"
|
||||
destroy-method="stop">
|
||||
|
||||
<property name="handler">
|
||||
<bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
|
||||
<property name="handlers">
|
||||
<list>
|
||||
<ref bean="contexts" />
|
||||
<ref bean="securityHandler" />
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
</property>
|
||||
|
||||
</bean>
|
||||
|
||||
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
|
||||
<property name="targetObject" ref="Server" />
|
||||
<property name="targetMethod" value="setConnectors" />
|
||||
<property name="arguments">
|
||||
<list>
|
||||
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
|
||||
<constructor-arg ref="Server"/>
|
||||
<constructor-arg>
|
||||
<list>
|
||||
<bean id="httpConnectionFactory" class="org.eclipse.jetty.server.HttpConnectionFactory">
|
||||
<constructor-arg ref="httpConfig"/>
|
||||
</bean>
|
||||
</list>
|
||||
</constructor-arg>
|
||||
<!-- see the jettyPort bean -->
|
||||
<property name="host" value="#{systemProperties['jetty.host']}" />
|
||||
<property name="port" value="#{systemProperties['jetty.port']}" />
|
||||
</bean>
|
||||
<!--
|
||||
Enable this connector if you wish to use https with web console
|
||||
-->
|
||||
<!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
|
||||
<constructor-arg ref="Server" />
|
||||
<constructor-arg>
|
||||
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
|
||||
|
||||
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
|
||||
<property name="keyStorePassword" value="password" />
|
||||
</bean>
|
||||
</constructor-arg>
|
||||
<property name="port" value="8162" />
|
||||
</bean -->
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
|
||||
<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
|
||||
<property name="arguments">
|
||||
<list>
|
||||
<ref bean="Server" />
|
||||
<ref bean="secHandlerCollection" />
|
||||
</list>
|
||||
</property>
|
||||
</bean>
|
||||
|
||||
<bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
|
||||
depends-on="configureJetty, invokeConnectors">
|
||||
<property name="targetObject" ref="Server" />
|
||||
<property name="targetMethod" value="start" />
|
||||
</bean>
|
||||
|
||||
|
||||
</beans>
|
Loading…
Reference in New Issue