[AMQ-8391] Convert web to use shared JAAS realm with messaging layer

This commit is contained in:
Matt Pavlovich 2023-10-29 10:50:24 -05:00
parent 90768eae16
commit de7b2726b1
6 changed files with 298 additions and 66 deletions

View File

@ -301,6 +301,10 @@
<groupId>org.eclipse.jetty</groupId> <groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-annotations</artifactId> <artifactId>jetty-annotations</artifactId>
</dependency> </dependency>
<dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jaas</artifactId>
</dependency>
<dependency> <dependency>
<groupId>org.eclipse.jetty</groupId> <groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-jndi</artifactId> <artifactId>jetty-jndi</artifactId>

View File

@ -255,6 +255,7 @@
<include>org.eclipse.jetty:jetty-util</include> <include>org.eclipse.jetty:jetty-util</include>
<include>org.eclipse.jetty:jetty-http</include> <include>org.eclipse.jetty:jetty-http</include>
<include>org.eclipse.jetty:jetty-io</include> <include>org.eclipse.jetty:jetty-io</include>
<include>org.eclipse.jetty:jetty-jaas</include>
<include>org.eclipse.jetty:jetty-jndi</include> <include>org.eclipse.jetty:jetty-jndi</include>
<include>org.eclipse.jetty:jetty-plus</include> <include>org.eclipse.jetty:jetty-plus</include>
<include>org.eclipse.jetty:jetty-servlet</include> <include>org.eclipse.jetty:jetty-servlet</include>

View File

@ -1,5 +1,4 @@
<!--
<!--
Licensed to the Apache Software Foundation (ASF) under one or more contributor Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to You under information regarding copyright ownership. The ASF licenses this file to You under
@ -24,20 +23,27 @@
<property name="sendServerVersion" value="false"/> <property name="sendServerVersion" value="false"/>
</bean> </bean>
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService"> <bean id="jaasLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
<property name="name" value="ActiveMQRealm" /> <property name="name" value="ActiveMQRealm"/>
<property name="config" value="${activemq.conf}/jetty-realm.properties" /> <property name="loginModuleName" value="activemq"/>
<property name="roleClassNames">
<list>
<value>org.apache.activemq.jaas.GroupPrincipal</value>
</list>
</property>
</bean> </bean>
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint"> <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" /> <property name="name" value="BASIC" />
<property name="roles" value="user,admin" /> <property name="roles" value="user,admins" />
<!-- set authenticate=false to disable login --> <!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" /> <property name="authenticate" value="true" />
</bean> </bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint"> <bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" /> <property name="name" value="BASIC" />
<property name="roles" value="admin" /> <property name="roles" value="admins" />
<!-- set authenticate=false to disable login --> <!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" /> <property name="authenticate" value="true" />
</bean> </bean>
@ -75,37 +81,38 @@
</property> </property>
</bean> </bean>
<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection"> <bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers"> <property name="handlers">
<list> <list>
<ref bean="rewriteHandler"/> <ref bean="rewriteHandler"/>
<bean class="org.eclipse.jetty.webapp.WebAppContext"> <bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/admin" /> <property name="contextPath" value="/admin" />
<property name="resourceBase" value="${activemq.home}/webapps/admin" /> <property name="resourceBase" value="${activemq.home}/webapps/admin" />
<property name="logUrlOnStart" value="true" /> <property name="logUrlOnStart" value="true" />
</bean> </bean>
<bean class="org.eclipse.jetty.webapp.WebAppContext"> <bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/api" /> <property name="contextPath" value="/api" />
<property name="resourceBase" value="${activemq.home}/webapps/api" /> <property name="resourceBase" value="${activemq.home}/webapps/api" />
<property name="logUrlOnStart" value="true" /> <property name="logUrlOnStart" value="true" />
</bean> </bean>
<bean class="org.eclipse.jetty.server.handler.ResourceHandler"> <bean class="org.eclipse.jetty.server.handler.ResourceHandler">
<property name="directoriesListed" value="false" /> <property name="directoriesListed" value="false" />
<property name="welcomeFiles"> <property name="welcomeFiles">
<list> <list>
<value>index.html</value> <value>index.html</value>
</list> </list>
</property> </property>
<property name="resourceBase" value="${activemq.home}/webapps/" /> <property name="resourceBase" value="${activemq.home}/webapps/" />
</bean> </bean>
<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler"> <bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
<property name="serveIcon" value="false" /> <property name="serveIcon" value="false" />
</bean> </bean>
</list> </list>
</property> </property>
</bean> </bean>
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler"> <bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="securityLoginService" /> <property name="identityService" ref="identityService" />
<property name="loginService" ref="jaasLoginService" />
<property name="authenticator"> <property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" /> <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property> </property>
@ -144,10 +151,10 @@
</bean> </bean>
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> <bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" /> <property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" /> <property name="targetMethod" value="setConnectors" />
<property name="arguments"> <property name="arguments">
<list> <list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector"> <bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server"/> <constructor-arg ref="Server"/>
<constructor-arg> <constructor-arg>
@ -165,35 +172,36 @@
Enable this connector if you wish to use https with web console Enable this connector if you wish to use https with web console
--> -->
<!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector"> <!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" /> <constructor-arg ref="Server" />
<constructor-arg> <constructor-arg>
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory"> <bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<property name="keyStorePath" value="${activemq.conf}/broker.ks" /> <property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" /> <property name="keyStorePassword" value="password" />
</bean> </bean>
</constructor-arg> </constructor-arg>
<property name="port" value="8162" /> <property name="port" value="8162" />
</bean --> </bean -->
</list> </list>
</property> </property>
</bean> </bean>
<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"> <bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" /> <property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
<property name="arguments"> <property name="arguments">
<list> <list>
<ref bean="Server" /> <ref bean="Server" />
<ref bean="secHandlerCollection" /> <ref bean="secHandlerCollection" />
</list> </list>
</property> </property>
</bean> </bean>
<bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean" <bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
depends-on="configureJetty, invokeConnectors"> depends-on="configureJetty, invokeConnectors">
<property name="targetObject" ref="Server" /> <property name="targetObject" ref="Server" />
<property name="targetMethod" value="start" /> <property name="targetMethod" value="start" />
</bean> </bean>
</beans> </beans>

View File

@ -22,7 +22,7 @@
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService"> <bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
<property name="name" value="ActiveMQRealm" /> <property name="name" value="ActiveMQRealm" />
<property name="config" value="${activemq.conf}/jetty-realm.properties" /> <property name="config" value="${activemq.conf}/jetty-realm-5.x.properties" />
</bean> </bean>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint"> <bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">

View File

@ -15,7 +15,19 @@
## limitations under the License. ## limitations under the License.
## --------------------------------------------------------------------------- ## ---------------------------------------------------------------------------
## ---------------------------------------------------------------------------
## [AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups.
## This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm
## for authentication and authorization of web-based services such as the web console
## and rest apis. This is the config approach that was used in ActiveMQ 5.x.
##
## Rename this file to conf/jetty-realm.properties to setup user and group
## authorization following the ActiveMQ 5.x approach
##
## Note: conf/jetty-realm.properties is used to store user, password and group data
## ---------------------------------------------------------------------------
# Defines users that can access the web (console, demo, etc.) # Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...] # username: password [,rolename ...]
admin: admin, admin admin: admin, admin
user: user, user user: user, user

View File

@ -0,0 +1,207 @@
<!--
Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to You under
the Apache License, Version 2.0 (the "License"); you may not use this file except in
compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or
agreed to in writing, software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied. See the License for the specific language governing permissions and
limitations under the License.
-->
<!--
An embedded servlet engine for serving up the Admin consoles, REST and Ajax APIs and
some demos Include this file in your configuration to enable ActiveMQ web components
e.g. <import resource="jetty.xml"/>
-->
<!--
[AMQ-8391] ActiveMQ 6.x converted jetty to use a common JAAS for users and groups.
This version of conf/jetty.xml demonstrates how to use a dedicated JAAS realm
for authentication and authorization of web-based services such as the web console
and rest apis. This is the config approach that was used in ActiveMQ 5.x.
Note: conf/jetty-realm.properties is used to store user, password and group data
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="httpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
<property name="sendServerVersion" value="false"/>
</bean>
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
<property name="name" value="ActiveMQRealm" />
<property name="config" value="${activemq.conf}/jetty-realm.properties" />
</bean>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="user,admin" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admin" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<!-- AMQ-9239 TODO: review jetty.xml pathSpec change
<property name="pathSpec" value="/,/api/*,*.jsp,*.html,*.js,*.css,*.png,*.gif,*.ico" />
-->
<property name="pathSpec" value="/,/api/*" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
<property name="pathSpec" value="*.action" />
</bean>
<bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<property name="rules">
<list>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-FRAME-OPTIONS"/>
<property name="value" value="SAMEORIGIN"/>
</bean>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-XSS-Protection"/>
<property name="value" value="1; mode=block"/>
</bean>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-Content-Type-Options"/>
<property name="value" value="nosniff"/>
</bean>
</list>
</property>
</bean>
<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers">
<list>
<ref bean="rewriteHandler"/>
<bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/admin" />
<property name="resourceBase" value="${activemq.home}/webapps/admin" />
<property name="logUrlOnStart" value="true" />
</bean>
<bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/api" />
<property name="resourceBase" value="${activemq.home}/webapps/api" />
<property name="logUrlOnStart" value="true" />
</bean>
<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
<property name="directoriesListed" value="false" />
<property name="welcomeFiles">
<list>
<value>index.html</value>
</list>
</property>
<property name="resourceBase" value="${activemq.home}/webapps/" />
</bean>
<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
<property name="serveIcon" value="false" />
</bean>
</list>
</property>
</bean>
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="securityLoginService" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>
<bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
<!-- the default port number for the web console -->
<property name="host" value="127.0.0.1"/>
<property name="port" value="8161"/>
</bean>
<bean id="Server" depends-on="jettyPort" class="org.eclipse.jetty.server.Server"
destroy-method="stop">
<property name="handler">
<bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers">
<list>
<ref bean="contexts" />
<ref bean="securityHandler" />
</list>
</property>
</bean>
</property>
</bean>
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" />
<property name="arguments">
<list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server"/>
<constructor-arg>
<list>
<bean id="httpConnectionFactory" class="org.eclipse.jetty.server.HttpConnectionFactory">
<constructor-arg ref="httpConfig"/>
</bean>
</list>
</constructor-arg>
<!-- see the jettyPort bean -->
<property name="host" value="#{systemProperties['jetty.host']}" />
<property name="port" value="#{systemProperties['jetty.port']}" />
</bean>
<!--
Enable this connector if you wish to use https with web console
-->
<!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" />
</bean>
</constructor-arg>
<property name="port" value="8162" />
</bean -->
</list>
</property>
</bean>
<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
<property name="arguments">
<list>
<ref bean="Server" />
<ref bean="secHandlerCollection" />
</list>
</property>
</bean>
<bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
depends-on="configureJetty, invokeConnectors">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="start" />
</bean>
</beans>