I have an ActiveMQ Server that receives messages from a client. I need to make sure I'm only accepting messages from validated users. It seems like JAAS is the way to go. I'm confused as to where I'm supposed to put the login.config file that I create to use JAAS. Does this go in the ActiveMQ server or on the client? I also need to use a remote server to authenticate users, so I have to make my own LoginModule as well, and I also don't know where that is supposed to go.
The login.config file goes on the broker as the broker is the one authenticating users. As the ActiveMQ documentation states:
Typically you configure JAAS using a config file like this one and set the java.security.auth.login.config system property to point to it. If no system property is specified then by default the ActiveMQ JAAS plugin will look for login.config on the classpath and use that.
The default login.config is in the conf directory.
Any LoginModule you implement needs to be packaged into a jar file and put on the broker's classpath.
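A sketch of what such a broker-side module could look like, as an added example that is not code from the answer or from the ActiveMQ project. The class name, the `authUrl` option and the remote endpoint's behaviour (HTTP Basic over TLS, status 200 meaning the credentials are valid) are assumptions; it needs Java 11+ for `java.net.http`.

```java
package com.example; // hypothetical package name
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import org.apache.activemq.jaas.UserPrincipal; // from the broker's activemq-jaas jar

// login.config entry on the broker (the entry name must match the JAAS plugin's configuration):
//   activemq { com.example.RemoteLoginModule required authUrl="https://auth.example.internal/verify"; };
public class RemoteLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private String authUrl, user;
    private boolean ok;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
        authUrl = (String) options.get("authUrl"); // hypothetical option read from login.config
    }

    public boolean login() throws LoginException {
        ok = false;
        NameCallback name = new NameCallback("user");
        PasswordCallback pass = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] { name, pass }); // broker supplies the client's credentials
            if (name.getName() == null || pass.getPassword() == null)
                throw new FailedLoginException("missing credentials");
            // Assumed remote API: HTTP Basic over HTTPS, 200 = valid. Anything else is a rejection.
            String cred = name.getName() + ":" + new String(pass.getPassword());
            String basic = Base64.getEncoder().encodeToString(cred.getBytes(StandardCharsets.UTF_8));
            HttpRequest req = HttpRequest.newBuilder(URI.create(authUrl))
                    .header("Authorization", "Basic " + basic).GET().build();
            ok = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.discarding()).statusCode() == 200;
        } catch (LoginException e) { throw e;
        } catch (Exception e) { throw new LoginException("remote auth unavailable: " + e); // fail closed
        } finally { pass.clearPassword(); }
        if (!ok) throw new FailedLoginException("credentials rejected");
        user = name.getName();
        return true;
    }

    public boolean commit() { if (ok) subject.getPrincipals().add(new UserPrincipal(user)); return ok; }
    public boolean abort() { ok = false; return true; }
    public boolean logout() { subject.getPrincipals().removeIf(p -> p instanceof UserPrincipal); ok = false; return true; }
}
```

Compile this against the activemq-jaas jar, package it as a jar on the broker's classpath, and reference the class from the broker's login.config; nothing is installed on the client, which only sends its username and password when it connects.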