Re: Artemis Rest Interface JAAS
FWIW, the username and password could theoretically be retrieved from the
HTTP request with a simple block of code, but using it in the REST
interface isn't completely straightforward as, for example, producers (and
their sessions) are pooled as it's not a good idea to create a session &
producer for every message sent.
On Tue, Oct 30, 2018 at 8:43 AM Justin Bertram <jbertram@xxxxxxxxxx> wrote:
> > I am hoping there is a way to pass authenticated credential from step 2
> to step 3, then 4.
> Looking at the code I don't see where any credentials are taken from the
> incoming HTTP requests and passed along to the messaging operations. As you
> noted, everything is hard-coded to not use security.
> > Or better yet, avoid the 2nd authentication and authorization at Artemis
> server (with security on) altogether.
> I believe the only way to accomplish that would be to completely rewrite
> the REST interface.
> > It seems to me that artemis-rest expects us to secure rest interface
> URLs with Artemis server security turned off.
> Yes, I believe that was an original design assumption of the REST
> interface implementation.
> > In my case, I am hoping to secure both rest interface URLs and tcp:61616
> so that client can post message via rest or via normal JMS protocol. Is it
> That doesn't look to be possible at this point from what I can tell.
> Out of curiosity, is there a reason you're wanting to use the REST
> interface (which is not standardized) vs. a lightweight protocol like STOMP
> (which is standardized)?
> On Mon, Oct 29, 2018 at 10:37 PM shumin <shuminli18@xxxxxxxxx> wrote:
>> What I described in my previous post is securing all URLs via web.xml. I am
>> using a Servlet filter to enforce basic authentication using the same
>> security realm as the Artemis server. The issue is that the security
>> credential from the war is not carried over to the Artemis server, as the
>> server has its own security turned on, although they both use the same
>> realm. Here is the sequence (and you can see it from the stacktrace):
>> 1. curl --user user:password http://localhost:8161/queue/myQueue
>> 2. the Servlet filter authenticated and authorized the access
>> 3. artemis-rest creates session at
>> 4. It passes hard-coded null for both user and password at
>> 5. Exception thrown from server that username is null.
>> I am hoping there is a way to pass authenticated credential from step 2 to
>> step 3, then 4. Or better yet, avoid the 2nd authentication and
>> authorization at Artemis server (with security on) altogether.
>> It seems to me that artemis-rest expects us to secure rest interface URLs
>> with Artemis server security turned off. In my case, I am hoping to secure
>> both rest interface URLs and tcp:61616 so that client can post message via
>> rest or via normal JMS protocol. Is it possible?