diff --git a/assembly/src/docker/Dockerfile b/assembly/src/docker/Dockerfile
index e5092d1a9aa..f6a7640bf2b 100644
--- a/assembly/src/docker/Dockerfile
+++ b/assembly/src/docker/Dockerfile
@@ -15,31 +15,87 @@
# See the License for the specific language governing permissions and
# limitations under the License.
################################################################################
+FROM debian:bookworm-slim AS amq_tpl
+# activemq_dist can point to a directory or a tarball on the local system
+ARG activemq_dist=NOT_SET
+ARG ACTIVEMQ_WEB_DEFAULT_USER=admin
+ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Prepare ActiveMQ distribution
+ADD $activemq_dist /
+
+RUN mv /apache-activemq-* /apache-activemq
+WORKDIR /apache-activemq
+RUN apt-get update && apt-get install xmlstarlet -y
+RUN xmlstarlet ed -L \
+ -N d='http://www.springframework.org/schema/beans' \
+ -N a='http://activemq.apache.org/schema/core' \
+ -d '//comment()' \
+ -s '/d:beans/a:broker' -t elem -n plugins \
+ -s '/d:beans/a:broker/plugins' -t elem -n simpleAuthenticationPlugin \
+ -s '/d:beans/a:broker/plugins/simpleAuthenticationPlugin' -t elem -n users \
+ -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin' -t attr -name anonymousAccessAllowed -v true \
+ -s '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users' -t elem -n authenticationUser \
+ -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -n username -v '${activemq.username}' \
+ -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name password -v '${activemq.password}' \
+ -a '/d:beans/a:broker/plugins/simpleAuthenticationPlugin/users/authenticationUser' -t attr -name groups -v '${activemq.groups}' \
+ conf/activemq.xml
+RUN xmlstarlet ed -L \
+ -N d='http://www.springframework.org/schema/beans' \
+ -N a='http://activemq.apache.org/schema/core' \
+ -u '/d:beans/a:broker/a:managementContext/a:managementContext/@createConnector' -v '${activemq.jmx.enabled}' \
+ conf/activemq.xml
+# Configure default web console authentication for ActiveMQ 5.x and 6.x
+RUN if [ -n "$ACTIVEMQ_WEB_DEFAULT_USER" ]; then \
+ sed -i "s/admin=/${ACTIVEMQ_WEB_DEFAULT_USER}=/g" conf/users.properties; \
+ sed -i "s/=admin/=${ACTIVEMQ_WEB_DEFAULT_USER}/g" conf/groups.properties; \
+ fi; \
+ if [ -n "$ACTIVEMQ_WEB_DEFAULT_PASSWORD" ]; then \
+ sed -i "s/=admin/=${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/g" conf/users.properties; \
+ fi; \
+ if [ -f conf/jetty-realm.properties ]; then \
+ sed -i "s/admin: admin/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/" conf/jetty-realm.properties; \
+ fi
+RUN rm conf/credentials.properties && touch conf/credentials.properties && \
+ mkdir tmp && \
+ chmod -R g+w conf data tmp
FROM eclipse-temurin:17-jre
+ARG ACTIVEMQ_USERNAME=activemq
+ARG ACTIVEMQ_GROUPNAME=activemq
+ARG ACTIVEMQ_WEB_DEFAULT_USER=admin
+ARG ACTIVEMQ_WEB_DEFAULT_PASSWORD=admin
# ActiveMQ environment variables
-ENV ACTIVEMQ_INSTALL_PATH /opt
-ENV ACTIVEMQ_HOME $ACTIVEMQ_INSTALL_PATH/apache-activemq
-ENV ACTIVEMQ_CONF $ACTIVEMQ_HOME/conf
-ENV ACTIVEMQ_OPTS_MEMORY -Xms64M -Xmx1G
-ENV ACTIVEMQ_EXEC exec
-ENV PATH $PATH:$ACTIVEMQ_HOME/bin
+ENV ACTIVEMQ_INSTALL_PATH=/opt
+ENV ACTIVEMQ_HOME=$ACTIVEMQ_INSTALL_PATH/apache-activemq
+ENV ACTIVEMQ_CONF=$ACTIVEMQ_HOME/conf
+ENV ACTIVEMQ_OPTS_MEMORY="-Xms64M -Xmx1G"
+ENV ACTIVEMQ_EXEC=exec
+ENV PATH=$PATH:$ACTIVEMQ_HOME/bin
+ENV ACTIVEMQ_CONNECTION_USER=system
+ENV ACTIVEMQ_CONNECTION_GROUPS=users
+ENV ACTIVEMQ_CONNECTION_PASSWORD=manager
+ENV ACTIVEMQ_JMX_ENABLED=false
+ENV ACTIVEMQ_WEB_DEFAULT_USER=$ACTIVEMQ_WEB_DEFAULT_USER
+ENV ACTIVEMQ_WEB_DEFAULT_PASSWORD=$ACTIVEMQ_WEB_DEFAULT_PASSWORD
+
# Make the Web console accesible from outside the container
-ENV ACTIVEMQ_OPTS $ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0
+ENV ACTIVEMQ_OPTS='$ACTIVEMQ_OPTS_MEMORY -Djava.util.logging.config.file=logging.properties -Djava.security.auth.login.config=$ACTIVEMQ_CONF/login.config -Djetty.host=0.0.0.0 -Dactivemq.username=$ACTIVEMQ_CONNECTION_USER -Dactivemq.groups=$ACTIVEMQ_CONNECTION_GROUPS -Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD -Dactivemq.jmx.enabled=$ACTIVEMQ_JMX_ENABLED'
#WORKDIR $ACTIVEMQ_HOME
-# activemq_dist can point to a directory or a tarball on the local system
-ARG activemq_dist=NOT_SET
+RUN groupadd --system ${ACTIVEMQ_GROUPNAME} && \
+ useradd -l --system -g ${ACTIVEMQ_GROUPNAME} -d ${ACTIVEMQ_HOME} -s /bin/false ${ACTIVEMQ_USERNAME}
COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY --from=amq_tpl --chown=:${ACTIVEMQ_GROUPNAME} /apache-activemq $ACTIVEMQ_INSTALL_PATH/apache-activemq
-# Install build dependencies and activemq
-ADD $activemq_dist $ACTIVEMQ_INSTALL_PATH
-RUN set -x && \
- cp -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-* $ACTIVEMQ_HOME && \
- rm -r $ACTIVEMQ_INSTALL_PATH/apache-activemq-*
+RUN chmod 600 ${ACTIVEMQ_HOME}/conf/jmx.password && \
+ chown ${ACTIVEMQ_USERNAME}:${ACTIVEMQ_GROUPNAME} ${ACTIVEMQ_HOME}/conf/jmx.password
+USER ${ACTIVEMQ_USERNAME}
EXPOSE 8161 61616 5672 61613 1883 61614 1099
ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
CMD ["activemq", "console"]
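Review bot: The broker password is put on the JVM command line by the new `ACTIVEMQ_OPTS` value (`-Dactivemq.password=$ACTIVEMQ_CONNECTION_PASSWORD`), where it is readable from `/proc/<pid>/cmdline` and `ps` inside the container and by root on the host, and the `manager` default is baked into the runtime environment (`docker inspect` shows it); combined with the unconditional `anonymousAccessAllowed="true"` the xmlstarlet step writes into `simpleAuthenticationPlugin`, the default image both ships a well-known credential and still accepts unauthenticated connections. Consider having the entrypoint write `activemq.username`/`activemq.password` into the `conf/credentials.properties` that this stage empties (the stock activemq.xml loads it through a property-placeholder bean, which the `-d '//comment()'` edit should leave intact, but please confirm) instead of exporting them as `-D` flags, and emit `anonymousAccessAllowed` only when `ACTIVEMQ_CONNECTION_USER` is unset. The `sed` rewrites of `users.properties`, `groups.properties` and `jetty-realm.properties` interpolate `ACTIVEMQ_WEB_DEFAULT_USER`/`ACTIVEMQ_WEB_DEFAULT_PASSWORD` unescaped into `s/…/…/` expressions, so a value containing `/`, `&` or `\` either fails the build or silently writes something else; escape them first, e.g. `esc() { printf '%s' "$1" | sed 's/[\/&\\]/\\&/g'; }`, and note that anything passed via `--build-arg` for these two ARGs is also recorded in `docker history` and exported as runtime ENV. Finally, `ACTIVEMQ_OPTS` is now single-quoted, so `$ACTIVEMQ_OPTS_MEMORY`, `$ACTIVEMQ_CONF` and the `$ACTIVEMQ_CONNECTION_*` references are stored literally and only take effect if the launcher `eval`s the variable — worth confirming, since the removed form expanded them at build time.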
diff --git a/assembly/src/docker/README.md b/assembly/src/docker/README.md
index ae6edf645f3..c776bdb1fce 100644
--- a/assembly/src/docker/README.md
+++ b/assembly/src/docker/README.md
@@ -158,9 +158,13 @@ Edit the `docker-compose.yml` file to edit port settings.
| Environment Variable | Description |
|----------------------|-------------|
-| `ACTIVEMQ_CONNECTION_USER` | Username to access transport connector on the broker (JMS, ...). If not set, no user and password are required |
+| `ACTIVEMQ_CONNECTION_USER` | Username to access transport connector on the broker (JMS, ...). If not set, no user and password are required. |
| `ACTIVEMQ_CONNECTION_PASSWORD` | Password to access transport connector on the broker (JMS, ...). It should be used with `ACTIVEMQ_CONNECTION_USER`. |
+| `ACTIVEMQ_CONNECTION_GROUPS` | Comma-separated list of groups to which the user belongs. |
| `ACTIVEMQ_JMX_USER` | Username to access the JMX MBean server of the broker. If set, ActiveMQ accepts remote JMX connection, else, only local connection are allowed. |
-| `ACTIVEMQ_JMX_PASSWORD` | Password to access the JMX MBean server of the broker. It should be used with `ACTIVEMQ_JMX_USER`/ |
+| `ACTIVEMQ_JMX_PASSWORD` | Password to access the JMX MBean server of the broker. It should be used with `ACTIVEMQ_JMX_USER`. |
+| `ACTIVEMQ_JMX_ENABLED` | Toggle ActiveMQ's JMX connector (without authentication). |
+| `ACTIVEMQ_WEB_DEFAULT_USER` | Default username to access the ActiveMQ WebConsole (used at build time). |
+| `ACTIVEMQ_WEB_DEFAULT_PASSWORD` | Default password to access the ActiveMQ WebConsole (used at build time). |
| `ACTIVEMQ_WEB_USER` | Username to access the ActiveMQ WebConsole. |
-| `ACTIVEMQ_WEB_PASSWORD` | Password to access the ActiveMQ WebConsole. |
\ No newline at end of file
+| `ACTIVEMQ_WEB_PASSWORD` | Password to access the ActiveMQ WebConsole. |
diff --git a/assembly/src/docker/entrypoint.sh b/assembly/src/docker/entrypoint.sh
index ad6ce1cf715..e203e8ff7e1 100755
--- a/assembly/src/docker/entrypoint.sh
+++ b/assembly/src/docker/entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/bash -e
################################################################################
# Licensed to the Apache Software Foundation (ASF) under one
@@ -18,48 +18,12 @@
# limitations under the License.
################################################################################
-# Transport/connection security
-if [ -n "${ACTIVEMQ_CONNECTION_USER}" ]; then
- if [ -f "${ACTIVEMQ_HOME}/conf/connection.security.enabled" ]; then
- echo "ActiveMQ Connection Security enabled"
- else
- echo "Enabling ActiveMQ Connection Security"
- sed -i "s/activemq.username=system/activemq.username=${ACTIVEMQ_CONNECTION_USER}/" ${ACTIVEMQ_HOME}/conf/credentials.properties
- sed -i "s/activemq.password=manager/activemq.password=${ACTIVEMQ_CONNECTION_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/credentials.properties
- read -r -d '' REPLACE << END
-
-
-
-
-
-
-
-
-END
- REPLACE=${REPLACE//$\\/$}
- REPLACE=${REPLACE//\//\\\/}
- REPLACE=$(echo $REPLACE | tr '\n' ' ')
- sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml
- touch "${ACTIVEMQ_HOME}/conf/connection.security.enabled"
- fi
-fi
-
# JMX security
if [ -n "${ACTIVEMQ_JMX_USER}" ]; then
if [ -f "${ACTIVEMQ_HOME}/conf/jmx.security.enabled" ]; then
echo "JMX Security already enabled"
else
echo "Enabling ActiveMQ JMX security"
- read -r -d '' REPLACE << END
-
-
-
-
-END
- REPLACE=${REPLACE//\//\\\/}
- REPLACE=${REPLACE//$\\/$}
- REPLACE=$(echo $REPLACE | tr '\n' ' ')
- sed -i "s/<\/broker>/$REPLACE/" ${ACTIVEMQ_HOME}/conf/activemq.xml
sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.access
sed -i "s/admin/${ACTIVEMQ_JMX_USER}/" ${ACTIVEMQ_HOME}/conf/jmx.password
if [ -n "${ACTIVEMQ_JMX_PASSWORD}" ]; then
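Review bot: With the activemq.xml rewrite dropped from the JMX branch, the script still edits `jmx.access`/`jmx.password` when `ACTIVEMQ_JMX_USER` is set, but nothing remaining in this hunk enables the JMX connector or points the management context at those files, so setting only `ACTIVEMQ_JMX_USER` may now leave the connector disabled (or, if `ACTIVEMQ_JMX_ENABLED=true` is passed separately, unauthenticated) — the README entry for `ACTIVEMQ_JMX_ENABLED` even describes it as "without authentication". If the Dockerfile's `-Dactivemq.jmx.enabled` property is the only switch left, consider turning it on from this branch, e.g. `export ACTIVEMQ_JMX_ENABLED=true` right after the "Enabling ActiveMQ JMX security" echo, and documenting how the password file is wired in; I cannot see that wiring here. Note also that the new `#!/bin/bash -e` shebang makes every `sed -i` in this block fatal if its target file is missing, which is reasonable but changes the previous best-effort behaviour. The JMX `if` block continues past the end of the hunk.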
@@ -72,9 +36,16 @@ fi
# WebConsole security
if [ -n "${ACTIVEMQ_WEB_USER}" ]; then
echo "Enabling ActiveMQ WebConsole security"
- sed -i s/admin=/${ACTIVEMQ_WEB_USER}=/g ${ACTIVEMQ_HOME}/conf/users.properties
+ sed -i s/$ACTIVEMQ_WEB_DEFAULT_USER=/${ACTIVEMQ_WEB_USER}=/g ${ACTIVEMQ_HOME}/conf/users.properties
if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then
- sed -i s/=admin/=${ACTIVEMQ_WEB_PASSWORD}/g ${ACTIVEMQ_HOME}/conf/users.properties
+ sed -i s/=$ACTIVEMQ_WEB_DEFAULT_PASSWORD/=${ACTIVEMQ_WEB_PASSWORD}/g ${ACTIVEMQ_HOME}/conf/users.properties
+ fi
+ # ACTIVEMQ 5.x
+ if [ -f "${ACTIVEMQ_HOME}/conf/jetty-realm.properties" ]; then
+ sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}: /${ACTIVEMQ_WEB_DEFAULT_USER}: /" ${ACTIVEMQ_HOME}/conf/jetty-realm.properties
+ if [ -n "${ACTIVEMQ_WEB_PASSWORD}" ]; then
+ sed -i "s/${ACTIVEMQ_WEB_DEFAULT_USER}: ${ACTIVEMQ_WEB_DEFAULT_PASSWORD}/${ACTIVEMQ_WEB_USER}: ${ACTIVEMQ_WEB_PASSWORD}/" ${ACTIVEMQ_HOME}/conf/jetty-realm.properties
+ fi
fi
fi