
Custom security Manager authenticate method is not getting called when clustered connections are configured in broker.xml


I have created a custom Security Manager in ActiveMQ Artemis by implementing ActiveMQSecurityManager5. I have created this to authenticate the client by passing a JWT token through the password field. The authentication is working fine when the clustered connections are not set up in the broker.xml. But when I set up clustered connections, the overridden authenticate method in my custom class itself is not called, as I cannot see any logs in the artemis.log file from the authenticate method but can see logs from the init method. Surprisingly, the authentication is successful when a valid user name and password are used. But if what I assume about the authenticate method not being called is correct, the authentication should fail for a valid user name and password also. There is something else I need to do here.

Here's my code:

@Override
public Subject authenticate(String user, String password, RemotingConnection remotingConnection, String securityDomain) throws NoCacheLoginException
{
    // The password field may carry a JWT, so it is deliberately kept out of the log.
    logger.info("authenticate(" + user + ", " + remotingConnection.getRemoteAddress() + ", " + securityDomain + ")");
    Subject sub = null;

    // First attempt: regular JAAS authentication with the supplied credentials.
    try
    {
        sub = activeMQJAASSecurityManager.authenticate(user, password, remotingConnection, securityDomain);
    }
    catch(Exception ex)
    {
        logger.info(ex.getLocalizedMessage());
        logger.info("EXCEPTION IN NORMAL AUTH");
    }
    logger.info("sub is:"+sub);

    // Fallback: treat the password field as a JWT and validate it.
    if(sub == null)
    {
        boolean isValid = false;
        try
        {
            isValid = IsValidJWTToken(password);
        }
        catch(Exception e)
        {
            logger.info("JWT Authentication Failed");
            // Pass the exception itself so the stack trace is logged
            // (getStackTrace().toString() only prints the array reference).
            logger.error("JWT validation error", e);
        }
        if(isValid)
        {
            try
            {
                // Log the mapped user only; the mapped password stays out of the log.
                logger.info("validUser is : "+validUser);
                sub = activeMQJAASSecurityManager.authenticate(validUser, validPassword, remotingConnection, securityDomain);
            }
            catch(Exception ex)
            {
                logger.info("Second JAAS Authentication Failed");
            }
        }
    }
    return sub;
}

Solution

  • The Apache ActiveMQ Artemis security store bypasses authentication and permission checks for the management cluster user; see

    https://github.com/apache/activemq-artemis/blob/2.32.0/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java#L153

    https://github.com/apache/activemq-artemis/blob/2.32.0/artemis-server/src/main/java/org/apache/activemq/artemis/core/security/impl/SecurityStoreImpl.java#L251
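
The short-circuit described in the answer, as an added example that is not part of the original answer and is not Artemis source code: a simplified model in which a store checks the cluster user against its own configuration before a pluggable manager is ever consulted. All class names, user names and secrets here are hypothetical, constructed values.

```java
// Simplified, hypothetical model of a security store in front of a custom
// security manager. It is NOT the Artemis implementation.
public class ClusterUserBypassDemo {

    /** Stand-in for a custom security manager; counts how often it is consulted. */
    static class CountingSecurityManager {
        int calls = 0;

        boolean authenticate(String user, String password) {
            calls++; // a log line placed here only appears when the store delegates
            // Constructed credentials; a real manager would validate a JWT or use JAAS.
            return "alice".equals(user) && "constructed-token".equals(password);
        }
    }

    /** Stand-in for the store that receives every connection attempt first. */
    static class SecurityStoreModel {
        private final String clusterUser;
        private final String clusterPassword;
        private final CountingSecurityManager manager;

        SecurityStoreModel(String clusterUser, String clusterPassword, CountingSecurityManager manager) {
            this.clusterUser = clusterUser;
            this.clusterPassword = clusterPassword;
            this.manager = manager;
        }

        String authenticate(String user, String password) {
            if (clusterUser.equals(user)) {
                // Cluster user: compared with broker configuration only, manager is skipped.
                if (!clusterPassword.equals(password)) {
                    throw new SecurityException("cluster user validation failed");
                }
                return user;
            }
            // Every other user is delegated to the pluggable manager.
            if (!manager.authenticate(user, password)) {
                throw new SecurityException("authentication failed");
            }
            return user;
        }
    }

    public static void main(String[] args) {
        CountingSecurityManager mgr = new CountingSecurityManager();
        SecurityStoreModel store = new SecurityStoreModel("constructed-cluster-user", "constructed-cluster-secret", mgr);
        store.authenticate("constructed-cluster-user", "constructed-cluster-secret");
        System.out.println("manager calls after cluster login: " + mgr.calls);
        store.authenticate("alice", "constructed-token");
        System.out.println("manager calls after client login:  " + mgr.calls);
    }
}
```

Because the manager is never consulted for this identity, the `cluster-user` and `cluster-password` values in broker.xml are the only gate on it and should be treated as high-value secrets.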