[keycloak-dev] Keycloak on active MQ

Andrzej Goławski andipansa at gmail.com
Mon Apr 3 03:53:16 EDT 2017


I did it in one project by adding plugin to activeMQ configuration :

       <plugins>
            <jaasAuthenticationPlugin configuration="KeycloakModule" />
            <authorizationPlugin>
                <map>
                    <authorizationMap>
                        <authorizationEntries>
                            <authorizationEntry topic=">"
                                                read="SOME_ROLE, OTHER_ROLE"
                                                write="SOME_ROLE,
OTHER_ROLE"
                                                admin="SOME_ROLE,
OTHER_ROLE"/>
                        </authorizationEntries>
                    </authorizationMap>
                </map>
            </authorizationPlugin>
        </plugins>

Keycloak module definition:

KeycloakModule {
    org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule required
    keycloak-config-file="classpath:keycloak.json"
    role-principal-class=org.apache.activemq.jaas.GroupPrincipal;
};

best regards
 Andi

2017-04-03 9:12 GMT+02:00 Marek Posolda <mposolda at redhat.com>:

> Yes, I think that for that case the second login module
> (BearerTokenLoginModule) is better choice. Your webapp has accessToken
> already, so you just need to send it as "password" to JAAS. Probably
> something like this should work:
>
> connectionFactory.createConnection(username , accessTokenString);
>
>
> Marek
>
> On 02/04/17 21:20, Shankar_Bhaskaran wrote:
> > Hi ,
> >
> > I was able to secure activemq behind keycloak using the direct access
> login module, but I specifically have to pass the username and password
> while getting a connection from active mq. The SSO aspect of keycloak is
> not fulfilled since I have to pass username , password from the
> webapplication. The activemq and my application share the same security
> domain also.
> > connection = (ActiveMQConnection) connectionFactory.createConnection(username
> , password);
> > Is there a way to get authenticated in ActiveMQ in the same user session
> as the web application that is calling the connection
> >
> > Regards,
> > Shankar
> >
> > -----Original Message-----
> > From: Marek Posolda [mailto:mposolda at redhat.com]
> > Sent: Wednesday, February 1, 2017 5:21 PM
> > To: Shankar_Bhaskaran <Shankar_Bhaskaran at infosys.com>;
> keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-dev] Keycloak on active MQ
> >
> > I didn't try that yet. However I think it should work as ActiveMQ has
> some support for JAAS. We have some JAAS login modules, which can be used
> to secure those kind of services. See docs for details
> https://keycloak.gitbooks.io/securing-client-applications-
> guide/content/v/latest/topics/oidc/java/jaas.html
> > .
> >
> > Marek
> >
> > On 01/02/17 10:26, Shankar_Bhaskaran wrote:
> >> Hi ,
> >>
> >> We are using keycloak as SSO in our organization. I would like to know
> if securing activemq using keycloak is a valid use case. Does keycloak
> allow us to validate jms requests to the queue or topic?
> >>
> >> Regards,
> >> Shankar
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>


More information about the keycloak-dev mailing list