Re: Artemis Rest Interface JAAS


FWIW, the username and password could theoretically be retrieved from the
HTTP request with a simple block of code [1], but using it in the REST
interface isn't completely straightforward as, for example, producers (and
their sessions) are pooled as it's not a good idea to create a session &
producer for every message sent.


Justin

[1]
https://stackoverflow.com/questions/16000517/how-to-get-password-from-http-basic-authentication

On Tue, Oct 30, 2018 at 8:43 AM Justin Bertram <jbertram@xxxxxxxxxx> wrote:

> > I am hoping there is a way to pass authenticated credential from step 2
> to step 3, then 4.
>
> Looking at the code I don't see where any credentials are taken from the
> incoming HTTP requests and passed along to the messaging operations. As you
> noted, everything is hard-coded to not use security.
>
> > Or better yet, avoid the 2nd authentication and authorization at Artemis
> server (with security on) altogether.
>
> I believe the only way to accomplish that would be to completely rewrite
> the REST interface.
>
> > It seems to me that artemis-rest expects us to secure rest interface
> URLs with Artemis server security turned off.
>
> Yes, I believe that was an original design assumption of the REST
> interface implementation.
>
> > In my case, I am hoping to secure both rest interface URLs and tcp:61616
> so that client can post message via rest or via normal JMS protocol.  Is it
> possible?
>
> That doesn't look to be possible at this point from what I can tell.
>
> Out of curiosity, is there a reason you're wanting to use the REST
> interface (which is not standardized) vs. a lightweight protocol like STOMP
> (which is standardized)?
>
>
> Justin
>
> On Mon, Oct 29, 2018 at 10:37 PM shumin <shuminli18@xxxxxxxxx> wrote:
>
>> What I described in my previous post are securing all URLs via web.xml.
>> I am using a Servlet filter to enforce basic authentication using the same
>> security realm as the Artemis server.  The issue is that the security
>> credential from war is not carried over to Artemis server as the server
>> has its own security turned on although they both use the same realm.
>> Here is the sequence (and you can see it from the stacktrace)
>>
>> 1. curl --user user:password http://localhost:8161/queue/myQueue
>> 2. the Servlet filter authenticated and authorized the access
>> 3. artemis-rest creates session at
>> org.apache.activemq.artemis.rest.queue.QueueDestinationsResource.java:102.
>>
>> 4. It passes hard-coded null for both user and password at
>>
>> org.apache.activemq.artemis.rest.queue.QueueDestinationsResource.findQueue(QueueDestinationsResource.java:102)
>> 5. Exception thrown from server that username is null.
>>
>> I am hoping there is a way to pass authenticated credential from step 2 to
>> step 3, then 4.  Or better yet, avoid the 2nd authentication and
>> authorization at Artemis server (with security on) altogether.
>>
>> It seems to me that artemis-rest expects us to secure rest interface URLs
>> with Artemis server security turned off.  In my case, I am hoping to
>> secure both rest interface URLs and tcp:61616 so that client can post
>> message via rest or via normal JMS protocol.  Is it possible?
>>
>>
>>
>> --
>> Sent from:
>> http://activemq.2283324.n4.nabble.com/ActiveMQ-User-f2341805.html
>>
>