Re: [jetty-users] ActiveMQ on Jetty with LDAP Issue

Hi
You should ask the activemq mailing list because it seems to be related to activemq.


On Sat, May 11, 2019 at 11:30 AM Pankaj Ambekar <pmambekar@xxxxxxxxx> wrote:
Hello,

Here are more details on this -

* Jetty version - jetty-9.2.25.v20180606 (packaged with ActiveMQ-5.15.8)
* Java Version - 1.8.0_131
* Steps to reproduce - Followed the steps mentioned on the page - https://activemq.apache.org/security (LDAP Authentication Using the JAAS Plugin). The changes made to the following files -

login.config (actual values replaced by dummy)

LDAPLogin {
  org.apache.activemq.jaas.LDAPLoginModule required
  debug=true
  initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
  connectionURL="ldap://nyc-dc01.corp.nypiua.com:389"
  connectionUsername="CN=<name>,OU=Dummy Accounts,OU=Dummy Accounts and Groups,DC=corp,DC=company,DC=com"
  connectionPassword="password"
  connectionProtocol=s
  authentication=simple
  userBase="OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com"
  userRoleName=dummyUserRoleName
  userSearchMatching="(sAMAccountName={0})"
  userSearchSubtree=true
  roleBase="OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com"
  roleName=cn
  roleSearchMatching="(member={0})"
  roleSearchSubtree=true
  ;
};

activemq.xml (added following into the xml)
....
<plugins>
    <jaasAuthenticationPlugin configuration="LDAPLogin" />
</plugins>
.....

jetty.xml (added following to the xml)

<bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
    <property name="name" value="LdapRealm" />
    <property name="loginModuleName" value="LDAPLogin" />
    <property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
    <property name="identityService" ref="identityService" />
  </bean>
.......
.......
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
    <property name="loginService" ref="ldapLoginService" />
    <property name="identityService" ref="identityService" />
    <property name="realmName" value="LdapRealm" />
    <property name="authenticator">
      <bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
    </property>
    <property name="constraintMappings">
      <list>
        <ref bean="adminSecurityConstraintMapping" />
        <ref bean="securityConstraintMapping" />
      </list>
    </property>
    <property name="handler" ref="secHandlerCollection" />
  </bean>
  <bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
  </bean>

No Error in the logs -

2019-05-10 20:35:01,662 | DEBUG | Create the LDAP initial context. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,711 | DEBUG | Get the user DN. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG | Looking for the user in LDAP with | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,712 | DEBUG |   base DN: OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,713 | DEBUG |   filter: (sAMAccountName=user1) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,734 | DEBUG | LDAP returned a relative name: CN=test user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,735 | DEBUG | Using DN [CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com ] for binding. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,736 | DEBUG | Binding the user. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,780 | DEBUG | User CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com successfully bound. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,782 | DEBUG | Get user roles. | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,783 | DEBUG | Looking for the user roles in LDAP with | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,785 | DEBUG |   base DN: OU=Pre-Prod,OU=app,OU=Enterprise Based Applications,OU=Dummy Application Accounts and Groups,DC=corp,DC=company,DC=com | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,786 | DEBUG |   filter: (member=CN=test user1,OU=Dummy User Accounts,OU=Test User Accounts,DC=corp,DC=company,DC=com) | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:01,835 | DEBUG | Roles [administrator_group] for user user1 | org.apache.activemq.jaas.LDAPLoginModule | qtp843299092-39
2019-05-10 20:35:03,821 | DEBUG | Checkpoint started. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker
2019-05-10 20:35:03,832 | DEBUG | Checkpoint done. | org.apache.activemq.store.kahadb.MessageDatabase | ActiveMQ Journal Checkpoint Worker

Error on the browser -
HTTP ERROR: 403

Problem accessing /admin/. Reason:
  !role

On Fri, May 10, 2019 at 9:06 PM Olivier Lamy <olamy@xxxxxxxxxxx> wrote:
Hi
In order to help you, we need more details such as:
- Jetty version
- Java version
- exact steps to reproduce your problem

cheers
Olivier


On Sat, May 11, 2019 at 10:16 AM Pankaj Ambekar <pmambekar@xxxxxxxxx> wrote:
Hello,

I'm using apache-activemq-5.15.8 with Jetty and trying to get the configurations working by connecting the admin-console authentication with LDAP/AD. I've followed all the necessary configs on login.config, activemq.xml, jetty.xml and I can see in the logs that the user is authenticated. However, on the browser, I see the following error -

HTTP ERROR: 403

Problem accessing /admin/. Reason:
  !role

Could you please advise if you changed anything specific in web.xml (or any other config file) to get past this error?

--
Thanks

Regards,
Pankaj Ambekar

_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://www.eclipse.org/mailman/listinfo/jetty-users


--
Olivier


--
Thanks

Regards,
Pankaj Ambekar



--
Olivier