Jolokia access with custom JAAS

Problem description

In ActiveMQ Artemis, when I use the requisite or required flag with my custom JAAS login module, I am not able to log in to the Artemis management console (Jolokia, port 8163). I have special business logic in the custom JAAS login module which authenticates mobile devices. But at the same time I want to have an admin user who can log in to the Artemis management console with some username/password or even without a password. In order to have both the custom and guest login modules in the Artemis login.config, I have to keep the security flag of the custom JAAS module as sufficient at least. How can I handle this situation?

Recommended answer

The security "realm" used by Hawtio is configured via the hawtio.realm system property set in etc/artemis.profile. For example, here is the default:

JAVA_ARGS=" -XX:+PrintClassHistogram -XX:+UseG1GC -Xms512M -Xmx2G -Dhawtio.realm=activemq  -Dhawtio.offline=true -Dhawtio.role=amq -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml -Djon.id=amq"

Here the hawtio.realm is set to activemq which matches the entry in the default login.config, e.g.:

activemq {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";

   org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
       debug=false
       org.apache.activemq.jaas.guest.user="myUser"
       org.apache.activemq.jaas.guest.role="amq";
};

I don't see any reason why you couldn't add a new realm/domain specifically for Hawtio to your login.config and then change the configuration in artemis.profile to reference that. That way you can customize security for Hawtio connections and messaging connections however you wish.

Also, it's worth noting that Artemis recently added support for per-acceptor security domains. You can read more about this in the documentation.
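
The separate-realm layout suggested in the answer, written out as an added example that is not part of the original answer or the Artemis distribution. The realm name console and the class com.example.DeviceLoginModule are placeholders chosen for illustration; the module class names, option keys and -Dhawtio.* properties are the ones shown above.

```conf
// etc/login.config (constructed example; the realm name "console" and the
// class com.example.DeviceLoginModule are placeholders, not from the page)

// Messaging realm: the custom device module is "required", so every
// messaging connection must pass it and nothing else can satisfy the login.
activemq {
   com.example.DeviceLoginModule required
       debug=false;
};

// Console realm: consulted only by Hawtio/Jolokia once hawtio.realm points
// here. PropertiesLoginModule is "required" and there is no GuestLoginModule
// entry, so the console always needs a valid username and password.
console {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};

// etc/artemis.profile: in JAVA_ARGS change
//     -Dhawtio.realm=activemq
// to
//     -Dhawtio.realm=console
// -Dhawtio.role=amq is left unchanged, so the admin user must be mapped to
// the "amq" role in artemis-roles.properties to be admitted to the console.
```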
