The JAAS guest login module allows users without credentials (and, depending on how it is configured, possibly also users with invalid credentials) to access the broker. Normally, the guest login module is chained with another login module, such as a properties login module.
The guest login module responds to successful login requests with a principal that has a fixed username and a fixed group ID.
There are two basic use cases for the guest login module, as follows:
Example 3.7 shows how to configure a JAAS login entry for the use case where users with no credentials or invalid credentials are logged in as guests. In this example, the guest login module is used in combination with the properties login module.
Example 3.7. Guest Login Accepting No Credentials or Invalid Credentials
activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule sufficient
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
    org.apache.activemq.jaas.GuestLoginModule sufficient
        debug=true
        org.apache.activemq.jaas.guest.user="anyone"
        org.apache.activemq.jaas.guest.group="restricted";
};
Depending on the user login data, authentication proceeds as follows:
User logs in with a valid password—the properties login module successfully authenticates the user and returns immediately. The guest login module is not invoked.
User logs in with an invalid password—the properties login module fails to authenticate the user, and authentication proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal.
User logs in with a blank password—the properties login module fails to authenticate the user, and authentication proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal.
Example 3.8 shows how to configure a JAAS login entry for the use case where only those users with no credentials are logged in as guests. To support this use case, you must set the credentialsInvalidate option to true in the configuration of the guest login module. You should also note that, compared with the preceding example, the order of the login modules is reversed and the flag attached to the properties login module is changed to requisite.
Example 3.8. Guest Login Accepting No Credentials Only
activemq-guest-when-no-creds-only-domain {
    org.apache.activemq.jaas.GuestLoginModule sufficient
        debug=true
        credentialsInvalidate=true
        org.apache.activemq.jaas.guest.user="guest"
        org.apache.activemq.jaas.guest.group="guests";
    org.apache.activemq.jaas.PropertiesLoginModule requisite
        debug=true
        org.apache.activemq.jaas.properties.user="org/apache/activemq/security/users.properties"
        org.apache.activemq.jaas.properties.group="org/apache/activemq/security/groups.properties";
};
Depending on the user login data, authentication proceeds as follows:
User logs in with a valid password—the guest login module fails to authenticate the user (because the user has presented a password while the credentialsInvalidate option is enabled) and authentication proceeds to the properties login module. The properties login module successfully authenticates the user and returns.
User logs in with an invalid password—the guest login module fails to authenticate the user and authentication proceeds to the properties login module. The properties login module also fails to authenticate the user. The net result is authentication failure.
User logs in with a blank password—the guest login module successfully authenticates the user and returns immediately. The properties login module is not invoked.
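The two outcome lists above can be checked against a small model of how JAAS evaluates the sufficient and requisite flags. This is an added example, not code from ActiveMQ or from the original page: the module functions, the sample user alice and her password are constructed, a blank password is modeled as None, and the required and optional flags are left out.

```python
# Simplified model of JAAS control-flag evaluation for Examples 3.7 and 3.8.
# Not ActiveMQ code; only the "sufficient" and "requisite" flags are modeled.
USERS = {"alice": "s3cret"}  # constructed stand-in for users.properties


def properties_module(user, password):
    """Return the username when the user/password pair matches, else None."""
    if password is not None and USERS.get(user) == password:
        return user
    return None


def guest_module(guest_user, credentials_invalidate=False):
    """Build a guest module that returns a fixed principal.

    With credentials_invalidate set, any request carrying a password fails.
    """
    def login(user, password):
        if credentials_invalidate and password is not None:
            return None
        return guest_user
    return login


def authenticate(chain, user, password):
    """Walk (module, flag) pairs in order; return the principal or None."""
    principal = None
    for module, flag in chain:
        result = module(user, password)
        if result is not None:
            principal = principal or result
            if flag == "sufficient":
                return principal  # sufficient success ends the chain
        elif flag == "requisite":
            return None           # requisite failure ends the chain
    return principal


EXAMPLE_3_7 = [(properties_module, "sufficient"),
               (guest_module("anyone"), "sufficient")]
EXAMPLE_3_8 = [(guest_module("guest", credentials_invalidate=True), "sufficient"),
               (properties_module, "requisite")]


def outcomes(chain):
    """Principal granted for a valid, an invalid and a missing password."""
    cases = [("valid", "s3cret"), ("invalid", "wrong"), ("none", None)]
    return {name: authenticate(chain, "alice", pw) for name, pw in cases}
```

Under Example 3.7 a wrong password still yields the guest principal, so the permissions granted to the guest group decide what a failed login can reach.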
The guest login module supports the following options:
debug
(Optional) Boolean debugging flag. If true, enable debugging. This is used only for testing or debugging. Normally, it should be set to false, or omitted.
credentialsInvalidate
(Optional) Boolean flag. If true, reject login requests that include a password. In other words, with this option enabled, guest login succeeds only when the user does not provide a password. Default is false.
org.apache.activemq.jaas.guest.user
(Optional) Specifies the username assigned to guest users. Default is guest.
org.apache.activemq.jaas.guest.group
(Optional) Specifies the group ID assigned to guest users. Default is guests.
You can use the guest login module by combining it with either the username/password authentication plug-in or the dual authentication plug-in. For example, see JAAS Dual Authentication Plug-In.