Authorization by login / password does not work when connecting via JMX
Question
I have a method whose parameters are passed values for connecting to the ActiveMQ Artemis broker via the JMX protocol. But my username/password is not working. That is, if I leave the user and password values empty, then it will still connect, and I want an error to pop up when connecting to the queue since the user data is incorrect.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import javax.management.MBeanServerConnection;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public static MBeanServerConnection connectBroker(String brokerUrl, String user, String password) {
    try {
        // JMXConnector.CREDENTIALS carries {user, password} to the server for authentication
        Map<String, String[]> env = new HashMap<>();
        String[] creds = {user, password};
        env.put(JMXConnector.CREDENTIALS, creds);
        JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL("service:jmx:rmi:///jndi/rmi://" + brokerUrl + ":13682/jmxrmi"), env);
        return connector.getMBeanServerConnection();
    } catch (IOException e) {
        throw new RuntimeException(e);
    }
}
```

It's strange that if CREDENTIALS is passed, it still works, but I want it to give an error if there is no such user.

`broker.xml`:

```xml
<configuration xmlns="urn:activemq" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:activemq /schema/artemis-configuration.xsd">
   <core xmlns="urn:activemq:core">
      <name>localhost</name>
      <bindings-directory>./data/messaging/bindings</bindings-directory>
      <journal-directory>./data/messaging/journal</journal-directory>
      <large-messages-directory>./data/messaging/largemessages</large-messages-directory>
      <paging-directory>./data/messaging/paging</paging-directory>
      <!-- true to expose ActiveMQ Artemis resources through JMX -->
      <jmx-management-enabled>true</jmx-management-enabled>
      <!-- Acceptors -->
      <acceptors>
         <acceptor name="netty">tcp://localhost:61616</acceptor>
      </acceptors>
      <!-- Other config -->
      <security-settings>
         <!--security for example queue-->
         <security-setting match="exampleQueue">
            <permission roles="amq" type="createDurableQueue"/>
            <permission roles="amq" type="deleteDurableQueue"/>
            <permission roles="amq" type="createNonDurableQueue"/>
            <permission roles="amq" type="deleteNonDurableQueue"/>
            <permission roles="amq" type="consume"/>
            <permission roles="amq" type="send"/>
            <permission roles="amq" type="browse"/>
         </security-setting>
         <security-setting match="TestQueue">
            <permission roles="amq" type="createDurableQueue"/>
            <permission roles="amq" type="deleteDurableQueue"/>
            <permission roles="amq" type="createNonDurableQueue"/>
            <permission roles="amq" type="deleteNonDurableQueue"/>
            <permission roles="amq" type="consume"/>
            <permission roles="amq" type="send"/>
         </security-setting>
         <security-setting match="TestQueueSecond">
            <permission roles="amq" type="createDurableQueue"/>
            <permission roles="amq" type="deleteDurableQueue"/>
            <permission roles="amq" type="createNonDurableQueue"/>
            <permission roles="amq" type="deleteNonDurableQueue"/>
            <permission roles="amq" type="consume"/>
            <permission roles="amq" type="send"/>
         </security-setting>
      </security-settings>
      <addresses>
         <address name="exampleQueue">
            <anycast>
               <queue name="exampleQueue"/>
            </anycast>
         </address>
         <address name="TestQueue">
            <anycast>
               <queue name="TestQueue"/>
            </anycast>
         </address>
         <address name="TestQueueSecond">
            <anycast>
               <queue name="TestQueueSecond"/>
            </anycast>
         </address>
      </addresses>
   </core>
</configuration>
```

`management.xml`:

```xml
<management-context xmlns="http://activemq.apache.org/schema">
   <connector connector-port="13682" connector-host="localhost"/>
   <authorisation>
      <allowlist>
         <entry domain="hawtio"/>
      </allowlist>
      <default-access>
         <access method="list*" roles="view,update,amq,guest"/>
         <access method="get*" roles="view,update,amq,guest"/>
         <access method="is*" roles="view,update,amq,guest"/>
         <access method="set*" roles="update,amq,guest"/>
         <access method="*" roles="amq,guest"/>
      </default-access>
      <role-access>
         <match domain="org.apache.activemq.artemis">
            <access method="list*" roles="view,update,amq,guest"/>
            <access method="get*" roles="view,update,amq,guest"/>
            <access method="is*" roles="view,update,amq,guest"/>
            <access method="set*" roles="update,amq,guest"/>
            <access method="*" roles="amq,guest"/>
         </match>
         <!--example of how to configure a specific object-->
         <!--<match domain="org.apache.activemq.artemis" key="subcomponent=queues">
            <access method="list*" roles="view,update,amq"/>
            <access method="get*" roles="view,update,amq"/>
            <access method="is*" roles="view,update,amq"/>
            <access method="set*" roles="update,amq"/>
            <access method="*" roles="amq"/>
         </match>-->
      </role-access>
   </authorisation>
</management-context>
```

`login.config`:

```
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";

   org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
       debug=false
       org.apache.activemq.jaas.guest.user="admin"
       org.apache.activemq.jaas.guest.role="amq";
};
```

Answer 1

Score: 1

Your `login.config` is using the `GuestLoginModule`, i.e.:

```
org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
    debug=false
    org.apache.activemq.jaas.guest.user="admin"
    org.apache.activemq.jaas.guest.role="amq";
```

This means that users who don't pass any credentials or pass the wrong credentials will be accepted and given the username `admin` and the role `amq`. See the documentation for more details.

If you don't want this behavior you can use this in your `login.config` instead:

```
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
```
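
The guest fallback described in the answer can be checked offline before a broker is deployed. The script below is an added example, not part of the original post or of Artemis: it finds `GuestLoginModule` entries in a `login.config` and lists which `management.xml` method patterns the guest role is granted. The function names `guest_fallbacks` and `methods_for_role` are hypothetical, the regex-based JAAS parsing is a simplification, and the embedded samples are shortened excerpts of the configs in the question.

```python
import re
import xml.etree.ElementTree as ET

GUEST = "org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule"
NS = "{http://activemq.apache.org/schema}"

# Constructed samples: shortened excerpts of the configs posted in the question.
LOGIN_CONFIG = """
activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
       debug=false
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
   org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
       debug=false
       org.apache.activemq.jaas.guest.user="admin"
       org.apache.activemq.jaas.guest.role="amq";
};
"""
MANAGEMENT_XML = """
<management-context xmlns="http://activemq.apache.org/schema">
   <authorisation>
      <default-access>
         <access method="list*" roles="view,update,amq,guest"/>
         <access method="set*" roles="update,amq,guest"/>
         <access method="*" roles="amq,guest"/>
      </default-access>
   </authorisation>
</management-context>
"""

def guest_fallbacks(login_config):
    """Return (realm, user, role) for each GuestLoginModule entry in a JAAS file."""
    found = []
    for realm, body in re.findall(r"(\w+)\s*\{(.*?)\}\s*;", login_config, re.S):
        for entry in body.split(";"):  # simplification: no ';' inside option values
            tokens = entry.split()
            if tokens and tokens[0] == GUEST:
                opts = dict(re.findall(r'([\w.]+)="?([^"\s]*)"?', entry))
                found.append((realm, opts.get("org.apache.activemq.jaas.guest.user"),
                              opts.get("org.apache.activemq.jaas.guest.role")))
    return found

def methods_for_role(management_xml, role):
    """Return the <access method=...> patterns in management.xml that list `role`."""
    root = ET.fromstring(management_xml.strip())
    return [a.get("method") for a in root.iter(NS + "access")
            if role in [r.strip() for r in a.get("roles", "").split(",")]]

if __name__ == "__main__":
    for realm, user, role in guest_fallbacks(LOGIN_CONFIG):
        print(f"{realm}: unauthenticated callers become {user!r} with role {role!r}; "
              f"JMX methods granted: {methods_for_role(MANAGEMENT_XML, role)}")
```

Run against the answer's replacement `login.config`, `guest_fallbacks` returns an empty list, since no `GuestLoginModule` entry remains.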