Tags: security, jaas, activemq-artemis

Jolokia access with custom JAAS


In ActiveMQ Artemis, when I use the requisite or required flag with my custom JAAS login module I am not able to log in to the Artemis management console (Jolokia, port 8163). I have special business logic in the custom JAAS login module which authenticates mobile devices. But at the same time I want to have an admin user who can log in to the Artemis management console with some username/password or even without a password. In order to have both the custom and the guest login module in the Artemis login.config, I have to keep the security flag of the custom JAAS module as sufficient at least. How can I handle this situation?


Solution

  • The security "realm" used by Hawtio is configured via the hawtio.realm system property set in etc/artemis.profile. For example, here is the default:

    JAVA_ARGS=" -XX:+PrintClassHistogram -XX:+UseG1GC -Xms512M -Xmx2G -Dhawtio.realm=activemq  -Dhawtio.offline=true -Dhawtio.role=amq -Dhawtio.rolePrincipalClasses=org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal -Djolokia.policyLocation=${ARTEMIS_INSTANCE_ETC_URI}jolokia-access.xml -Djon.id=amq"
    

    Here the hawtio.realm is set to activemq which matches the entry in the default login.config, e.g.:

    activemq {
       org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
           debug=false
           reload=true
           org.apache.activemq.jaas.properties.user="artemis-users.properties"
           org.apache.activemq.jaas.properties.role="artemis-roles.properties";
    
       org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
           debug=false
           org.apache.activemq.jaas.guest.user="myUser"
           org.apache.activemq.jaas.guest.role="amq";
    };
    

    I don't see any reason why you couldn't add a new realm/domain specifically for Hawtio to your login.config and then change the configuration in artemis.profile to reference that. That way you can customize security for Hawtio connections and messaging connections however you wish.

    Also, it's worth noting that Artemis recently added support for per-acceptor security domains. You can read more about this in the documentation.
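The following added example (written for this page, not code from the answer or from the Artemis project) shows what the suggested split looks like and adds a small sanity check over it. It embeds a constructed login.config with two realms: the messaging realm keeps a device login module as requisite, while a separate console realm contains only the PropertiesLoginModule; a constructed JAVA_ARGS line points hawtio.realm at that console realm. The checker parses both and reports the misconfiguration from the question (the console realm gated by a required/requisite device module, or hawtio.realm naming a realm that does not exist). The class name com.example.DeviceLoginModule is a hypothetical placeholder for the custom module.

```python
import re

# Constructed sample login.config. "com.example.DeviceLoginModule" is a hypothetical
# placeholder for the custom mobile-device module from the question.
LOGIN_CONFIG = """
activemq {
   com.example.DeviceLoginModule requisite
       debug=false;

   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};

console {
   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
       debug=false
       reload=true
       org.apache.activemq.jaas.properties.user="artemis-users.properties"
       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
};
"""

# Constructed sample of the JAVA_ARGS line in etc/artemis.profile, with hawtio.realm
# pointing at the separate console realm instead of the messaging realm.
ARTEMIS_PROFILE = 'JAVA_ARGS=" -XX:+UseG1GC -Dhawtio.realm=console -Dhawtio.role=amq"'

DEVICE_MODULE = "com.example.DeviceLoginModule"
FLAGS = {"required", "requisite", "sufficient", "optional"}


def parse_login_config(text):
    """Return {realm: [(module_class, flag, {option: value}), ...]} from JAAS config text."""
    realms = {}
    for block in re.finditer(r"(\w[\w.-]*)\s*\{(.*?)\}\s*;", text, re.DOTALL):
        name, body = block.group(1), block.group(2)
        modules = []
        for entry in body.split(";"):          # each module entry ends with ';'
            tokens = entry.split()
            if not tokens:
                continue
            if len(tokens) < 2 or tokens[1].lower() not in FLAGS:
                raise ValueError(f"malformed module entry in realm {name!r}: {entry.strip()!r}")
            options = {}
            for tok in tokens[2:]:             # option=value, value optionally quoted
                key, _, value = tok.partition("=")
                options[key] = value.strip('"')
            modules.append((tokens[0], tokens[1].lower(), options))
        realms[name] = modules
    return realms


def hawtio_realm(profile_line):
    """Extract the realm name from -Dhawtio.realm=... in a JAVA_ARGS line, or None."""
    match = re.search(r"-Dhawtio\.realm=([^\s\"]+)", profile_line)
    return match.group(1) if match else None


def console_realm_findings(realms, realm_name, device_module):
    """Describe why admin logins to the console would fail for the given realm."""
    findings = []
    if realm_name not in realms:
        return [f"hawtio.realm '{realm_name}' has no entry in login.config; console logins will fail"]
    modules = realms[realm_name]
    for cls, flag, _ in modules:
        if cls == device_module and flag in ("required", "requisite"):
            # A required/requisite device module makes every console login pass device
            # authentication first, which is exactly what locked the admin out.
            findings.append(f"{cls} is '{flag}' in realm '{realm_name}': "
                            "every console login must pass device authentication")
    if not any(cls != device_module for cls, _, _ in modules):
        findings.append(f"realm '{realm_name}' has no module that can authenticate an admin user")
    return findings


if __name__ == "__main__":
    realms = parse_login_config(LOGIN_CONFIG)
    realm = hawtio_realm(ARTEMIS_PROFILE)
    print(f"hawtio.realm={realm}; findings: {console_realm_findings(realms, realm, DEVICE_MODULE)}")
    # Same check against the messaging realm reproduces the question's problem.
    print(f"if hawtio.realm were 'activemq': {console_realm_findings(realms, 'activemq', DEVICE_MODULE)}")
```

Running the script against the constructed files reports no findings for the console realm and one finding for the activemq realm, which is the situation the question describes. Messaging connections keep the requisite device check because they still authenticate against the activemq realm.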