Fuse ESB - Fuse Message Broker Security Guide

JAAS Guest Login Module

Overview

The JAAS guest login module allows users without credentials (and, depending on how it is configured, possibly also users with invalid credentials) to access the broker. Normally, the guest login module is chained with another login module, such as a properties login module.

The guest login module responds to successful login requests with a principal that has a fixed username and a fixed group ID.

Guest login use cases

There are two basic use cases for the guest login module, as follows:

Guests with no credentials or invalid credentials

Example 3.7 shows how to configure a JAAS login entry for the use case where users with no credentials or invalid credentials are logged in as guests. In this example, the guest login module is used in combination with the properties login module.

Example 3.7. Guest Login Accepting No Credentials or Invalid Credentials

activemq-domain {
  org.apache.activemq.jaas.PropertiesLoginModule sufficient
      debug=true
      org.apache.activemq.jaas.properties.user="users.properties"
      org.apache.activemq.jaas.properties.group="groups.properties";

  org.apache.activemq.jaas.GuestLoginModule sufficient
      debug=true
      org.apache.activemq.jaas.guest.user="anyone"
      org.apache.activemq.jaas.guest.group="restricted";
};

Depending on the user login data, authentication proceeds as follows:

User logs in with a valid password—the properties login module sucessfully authenticates the user and returns immediately. The guest login module is not invoked.
User logs in with an invalid password—the properties login module fails to authenticate the user, and authentication proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal.
User logs in with a blank password—the properties login module fails to authenticate the user, and authentication proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal.

Guests with no credentials only

Example 3.8 shows how to configure a JAAS login entry for the use case where only those users with no credentials are logged in as guests. To support this use case, you must set the credentialsInvalidate option to true in the configuration of the guest login module. You should also note that, compared with the preceding example, the order of the login modules is reversed and the flag attached to the properties login module is changed to requisite.

Example 3.8. Guest Login Accepting No Credentials Only

activemq-guest-when-no-creds-only-domain {
    org.apache.activemq.jaas.GuestLoginModule sufficient
       debug=true
       credentialsInvalidate=true
       org.apache.activemq.jaas.guest.user="guest"
       org.apache.activemq.jaas.guest.group="guests";

    org.apache.activemq.jaas.PropertiesLoginModule requisite
        debug=true
        org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
        org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
};

Depending on the user login data, authentication proceeds as follows:

User logs in with a valid password—the guest login module fails to authenticate the user (because the user has presented a password while the credentialsInvalidate option is enabled) and authentication proceeds to the properties login module. The properties login module sucessfully authenticates the user and returns.
User logs in with an invalid password—the guest login module fails to authenticate the user and authentication proceeds to the properties login module. The properties login module also fails to authenticate the user. The nett result is authentication failure.
User logs in with a blank password—the guest login module sucessfully authenticates the user and returns immediately. The properties login module is not invoked.

Guest login entry options

The guest login module supports the following options:

debug: (Optional) Boolean debugging flag. If true, enable debugging. This is used only for testing or debugging. Normally, it should be set to false, or omitted.
credentialsInvalidate: (Optional) Boolean flag. If true, reject login requests that include a password. In other words, with this option enabled, guest login succeeds only when the user does not provide a password. Default is false.
org.apache.activemq.jaas.guest.user: (Optional) Specifies the username assigned to guest users. Default is guest.
org.apache.activemq.jaas.guest.group: (Optional) Specifies the group ID assigned to guest users. Default is guests.

Enabling authentication with the guest login module

You can use the guest login module by combining either with the username/password authentication plug-in or with the dual authentication plug-in. For example, see JAAS Dual Authentication Plug-In.

Comments powered by Disqus

Contents
Search