[keycloak-user] [keycloak-dev] Keycloak on active MQ
Andrzej Goławski
andipansa at gmail.com
Mon Apr 3 03:53:16 EDT 2017
I did it in one project by adding plugin to activeMQ configuration :
<plugins>
<jaasAuthenticationPlugin configuration="KeycloakModule" />
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry topic=">"
read="SOME_ROLE, OTHER_ROLE"
write="SOME_ROLE,
OTHER_ROLE"
admin="SOME_ROLE,
OTHER_ROLE"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
Keycloak module definition:
KeycloakModule {
org.keycloak.adapters.jaas.DirectAccessGrantsLoginModule required
keycloak-config-file="classpath:keycloak.json"
role-principal-class=org.apache.activemq.jaas.GroupPrincipal;
};
best regards
Andi
2017-04-03 9:12 GMT+02:00 Marek Posolda <mposolda at redhat.com>:
> Yes, I think that for that case the second login module
> (BearerTokenLoginModule) is better choice. Your webapp has accessToken
> already, so you just need to send it as "password" to JAAS. Probably
> something like this should work:
>
> connectionFactory.createConnection(username , accessTokenString);
>
>
> Marek
>
> On 02/04/17 21:20, Shankar_Bhaskaran wrote:
> > Hi ,
> >
> > I was able to secure activemq behind keycloak using the direct access
> login module, but I specifically have to pass the username and password
> while getting a connection from active mq. The SSO aspect of keycloak is
> not fulfilled since I have to pass username , password from the
> webapplication. The activemq and my application share the same security
> domain also.
> > connection = (ActiveMQConnection) connectionFactory.createConnection(username
> , password);
> > Is there a way to get authenticated in ActiveMQ in the same user session
> as the web application that is calling the connection
> >
> > Regards,
> > Shankar
> >
> > -----Original Message-----
> > From: Marek Posolda [mailto:mposolda at redhat.com]
> > Sent: Wednesday, February 1, 2017 5:21 PM
> > To: Shankar_Bhaskaran <Shankar_Bhaskaran at infosys.com>;
> keycloak-dev at lists.jboss.org; keycloak-user at lists.jboss.org
> > Subject: Re: [keycloak-dev] Keycloak on active MQ
> >
> > I didn't try that yet. However I think it should work as ActiveMQ has
> some support for JAAS. We have some JAAS login modules, which can be used
> to secure those kind of services. See docs for details
> https://keycloak.gitbooks.io/securing-client-applications-
> guide/content/v/latest/topics/oidc/java/jaas.html
> > .
> >
> > Marek
> >
> > On 01/02/17 10:26, Shankar_Bhaskaran wrote:
> >> Hi ,
> >>
> >> We are using keycloak as SSO in our organization. I would like to know
> if securing activemq using keycloak is a valid use case. Does keycloak
> allow us to validate jms requests to the queue or topic?
> >>
> >> Regards,
> >> Shankar
> >> _______________________________________________
> >> keycloak-dev mailing list
> >> keycloak-dev at lists.jboss.org
> >> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
More information about the keycloak-user
mailing list