Re: [jetty-users] ActiveMQ on Jetty with LDAP Issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [jetty-users] ActiveMQ on Jetty with LDAP Issue

From: Olivier Lamy <olamy@xxxxxxxxxxx>
Date: Mon, 13 May 2019 10:28:50 +1000
Delivered-to: jetty-users@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/jetty-users>
List-help: <mailto:jetty-users-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/jetty-users>, <mailto:jetty-users-request@eclipse.org?subject=unsubscribe>

You should ask activemq mailing list because it seems to be related to activemq.

On Sat, May 11, 2019 at 11:30 AM Pankaj Ambekar <pmambekar@xxxxxxxxx> wrote:

Hello,

Here's more details on this -

* Jetty version - jetty-9.2.25.v20180606 (packaged with ActiveMQ-5.15.8)
* Java Version - 1.8.0_131
* Steps to reproduce - Followed the steps mentioned on the page - https://activemq.apache.org/security (LDAP Authentication Using the JAAS Plugin). The changes made to following files -

login.config (actual values replaced by dummy)

LDAPLogin {
org.apache.activemq.jaas.LDAPLoginModule required
debug=true
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL="ldap://nyc-dc01.corp.nypiua.com:389"
connectionUsername="CN=<name>,OU=Dummy Accounts,OU=Dummy Accounts and Groups,DC=corp,DC=company,DC=com"
connectionPassword="password"
connectionProtocol=s
authentication=simple
userBase="OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com"
userRoleName=dummyUserRoleName
userSearchMatching="(sAMAccountName={0})"
userSearchSubtree=true
roleBase="OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com"
roleName=cn
roleSearchMatching="(member={0})"
roleSearchSubtree=true
;
};

activemq.xml (added following into the xml)
....
<plugins>
<jaasAuthenticationPlugin configuration="LDAPLogin" />
</plugins>
.....

jetty.xml (added following to the xml)

<bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
<property name="name" value="LdapRealm" />
<property name="loginModuleName" value="LDAPLogin" />
<property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
<property name="identityService" ref="identityService" />
</bean>
.......
.......
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="ldapLoginService" />
<property name="identityService" ref="identityService" />
<property name="realmName" value="LdapRealm" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>

No Error in the logs -

2019-05-10 20:35:01,662 | DEBUG | Create the LDAP initial context. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,711 | DEBUG | Get the user DN. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG | Looking for the user in LDAP with | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG | base DN: OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,713 | DEBUG | filter: (sAMAccountName=user1) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,734 | DEBUG | LDAP returned a relative name: CN=test user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,735 | DEBUG | Using DN [CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com ] for binding. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,736 | DEBUG | Binding the user. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,782 | DEBUG | Get user roles. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,783 | DEBUG | Looking for the user roles in LDAP with | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,785 | DEBUG | base DN: OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,786 | DEBUG | filter: (member=CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:03,821 | DEBUG | Checkpoint started. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker
2019-05-10 20:35:03,832 | DEBUG | Checkpoint done. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker

Error on the browser -
HTTP ERROR: 403

Problem accessing /admin/. Reason:
!role

On Fri, May 10, 2019 at 9:06 PM Olivier Lamy <olamy@xxxxxxxxxxx> wrote:
Hi
In order to help you, we need more details such:
- Jetty version
- Java version
- exact steps to reproduce your problem

cheers
Olivier

On Sat, May 11, 2019 at 10:16 AM Pankaj Ambekar <pmambekar@xxxxxxxxx> wrote:
Hello,

I'm using apache-activemq-5.15.8 with Jetty and trying to get the configurations working by connecting the admin-console authentication with LDAP/AD. I've followed all the necessary configs on logon.config, activemq.xml, jetty.xml and I can see in the logs that the user is authenticated. However, on the broweser, I see following error -

HTTP ERROR: 403

Problem accessing /admin/. Reason:
!role

Could you please advise if you changed anything specific in web.xml (or any other config file) to get pass this error ?

--
Thanks

Regards,
Pankaj Ambekar

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

--
Olivier
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

--
Thanks

Regards,
Pankaj Ambekar

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users

Olivier

References:
- [jetty-users] ActiveMQ on Jetty with LDAP Issue
  - From: Pankaj Ambekar
- Re: [jetty-users] ActiveMQ on Jetty with LDAP Issue
  - From: Olivier Lamy
- Re: [jetty-users] ActiveMQ on Jetty with LDAP Issue
  - From: Pankaj Ambekar

Prev by Date: Re: [jetty-users] Basic Authenticator response to OPTIONS request with 401
Next by Date: [jetty-users] Renaming EE APIs from javax.* to jakarta.*
Previous by thread: Re: [jetty-users] ActiveMQ on Jetty with LDAP Issue
Next by thread: [jetty-users] Renaming EE APIs from javax.* to jakarta.*
Index(es):
- Date
- Thread

Breadcrumbs