From 7715b5ee128d2a629c2e5940247e86be91a694fc Mon Sep 17 00:00:00 2001
From: jbertram <jbertram@apache.org>
Date: Thu, 26 May 2016 09:18:11 -0500
Subject: [PATCH] ARTEMIS-529 support dual auth

A new feature whereby 2-way SSL connections can be authenticated differently
than non-SSL connections.
---
 .../artemis/factory/JaasSecurityHandler.java  |   2 +-
 .../activemq/artemis/dto/JaasSecurityDTO.java |   3 +
 .../security/ActiveMQJAASSecurityManager.java |  38 ++++-
 docs/user-manual/en/security.md               |  49 ++++--
 examples/features/standard/pom.xml            |   2 +
 .../ssl-enabled-dual-authentication/pom.xml   | 110 ++++++++++++++
 .../readme.html                               |  75 +++++++++
 .../example/SSLDualAuthenticationExample.java |  99 ++++++++++++
 .../activemq/server0/artemis-roles.properties |  17 +++
 .../activemq/server0/artemis-users.properties |  17 +++
 .../resources/activemq/server0/bootstrap.xml  |  28 ++++
 .../resources/activemq/server0/broker.xml     |  57 +++++++
 .../activemq/server0/cert-roles.properties    |  18 +++
 .../activemq/server0/cert-users.properties    |  18 +++
 .../activemq/server0/client-side-keystore.jks | Bin 0 -> 1303 bytes
 .../server0/client-side-truststore.jks        | Bin 0 -> 963 bytes
 .../resources/activemq/server0/login.config   |  30 ++++
 .../activemq/server0/server-side-keystore.jks | Bin 0 -> 2253 bytes
 .../server0/server-side-truststore.jks        | Bin 0 -> 1732 bytes
 .../src/main/resources/jndi.properties        |  21 +++
 .../ssl/CoreClientOverTwoWaySSLTest.java      |   6 +-
 .../ssl/DualAuthenticationTest.java           | 142 ++++++++++++++++++
 .../dual-authentication-cert-roles.properties |  18 +++
 .../dual-authentication-cert-users.properties |  18 +++
 .../dual-authentication-roles.properties      |  18 +++
 .../dual-authentication-users.properties      |  18 +++
 .../src/test/resources/login.config           |  14 ++
 27 files changed, 802 insertions(+), 16 deletions(-)
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/pom.xml
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/readme.html
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks
 create mode 100644 examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
 create mode 100644 tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
 create mode 100644 tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties
 create mode 100644 tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties
 create mode 100644 tests/integration-tests/src/test/resources/dual-authentication-roles.properties
 create mode 100644 tests/integration-tests/src/test/resources/dual-authentication-users.properties

diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
index 2f45f94b1ce..dc677e094a5 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/factory/JaasSecurityHandler.java
@@ -25,7 +25,7 @@ public class JaasSecurityHandler implements SecurityHandler {
    @Override
    public ActiveMQSecurityManager createSecurityManager(SecurityDTO security) throws Exception {
       JaasSecurityDTO jaasSecurity = (JaasSecurityDTO) security;
-      ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain);
+      ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(jaasSecurity.domain, jaasSecurity.certificateDomain);
       return securityManager;
    }
 }
diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
index a988bff51f0..2aa0e00784d 100644
--- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
+++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JaasSecurityDTO.java
@@ -27,4 +27,7 @@ public class JaasSecurityDTO extends SecurityDTO {
 
    @XmlAttribute(name = "domain", required = true)
    public String domain;
+
+   @XmlAttribute(name = "certificate-domain", required = false)
+   public String certificateDomain;
 }
diff --git a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
index 6e28e913063..cd380ec394f 100644
--- a/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
+++ b/artemis-server/src/main/java/org/apache/activemq/artemis/spi/core/security/ActiveMQJAASSecurityManager.java
@@ -50,7 +50,9 @@ public class ActiveMQJAASSecurityManager implements ActiveMQSecurityManager2 {
    private static final String WILDCARD = "*";
 
    private String configurationName;
+   private String certificateConfigurationName;
    private SecurityConfiguration configuration;
+   private SecurityConfiguration certificateConfiguration;
    private String rolePrincipalClass = "org.apache.activemq.artemis.spi.core.security.jaas.RolePrincipal";
 
    public ActiveMQJAASSecurityManager() {
@@ -60,11 +62,23 @@ public ActiveMQJAASSecurityManager(String configurationName) {
       this.configurationName = configurationName;
    }
 
+   public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName) {
+      this.configurationName = configurationName;
+      this.certificateConfigurationName = certificateConfigurationName;
+   }
+
    public ActiveMQJAASSecurityManager(String configurationName, SecurityConfiguration configuration) {
       this.configurationName = configurationName;
       this.configuration = configuration;
    }
 
+   public ActiveMQJAASSecurityManager(String configurationName, String certificateConfigurationName, SecurityConfiguration configuration, SecurityConfiguration certificateConfiguration) {
+      this.configurationName = configurationName;
+      this.configuration = configuration;
+      this.certificateConfigurationName = certificateConfigurationName;
+      this.certificateConfiguration = certificateConfiguration;
+   }
+
    @Override
    public boolean validateUser(String user, String password) {
       return validateUser(user, password, null);
@@ -144,7 +158,13 @@ public boolean validateUserAndRole(final String user,
    }
 
    private Subject getAuthenticatedSubject(final String user, final String password, final X509Certificate[] certificates) throws LoginException {
-      LoginContext lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
+      LoginContext lc;
+      if (certificateConfigurationName != null && certificateConfigurationName.length() > 0 && certificates != null) {
+         lc = new LoginContext(certificateConfigurationName, null, new JaasCallbackHandler(user, password, certificates), certificateConfiguration);
+      }
+      else {
+         lc = new LoginContext(configurationName, null, new JaasCallbackHandler(user, password, certificates), configuration);
+      }
       lc.login();
       return lc.getSubject();
    }
@@ -172,6 +192,14 @@ public void setConfiguration(SecurityConfiguration configuration) {
       this.configuration = configuration;
    }
 
+   public void setCertificateConfigurationName(final String certificateConfigurationName) {
+      this.certificateConfigurationName = certificateConfigurationName;
+   }
+
+   public void setCertificateConfiguration(SecurityConfiguration certificateConfiguration) {
+      this.certificateConfiguration = certificateConfiguration;
+   }
+
    public SecurityConfiguration getConfiguration() {
       if (configuration == null) {
          configuration = new SecurityConfiguration();
@@ -180,6 +208,14 @@ public SecurityConfiguration getConfiguration() {
       return configuration;
    }
 
+   public SecurityConfiguration getCertificateConfiguration() {
+      if (certificateConfiguration == null) {
+         certificateConfiguration = new SecurityConfiguration();
+      }
+
+      return certificateConfiguration;
+   }
+
    public String getRolePrincipalClass() {
       return rolePrincipalClass;
    }
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index f6e654d084d..a0abb3d0026 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -238,10 +238,9 @@ As mentioned, there are a few places where a translation was performed to achiev
 
 ## Secure Sockets Layer (SSL) Transport
 
-When messaging clients are connected to servers, or servers are
-connected to other servers (e.g. via bridges) over an untrusted network
-then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure
-Sockets Layer (SSL) transport.
+When messaging clients are connected to servers, or servers are connected to other servers (e.g. via bridges) over an
+untrusted network then Apache ActiveMQ Artemis allows that traffic to be encrypted using the Secure Sockets Layer (SSL)
+transport.
 
 For more information on configuring the SSL transport, please see [Configuring the Transport](configuring-transports.md).
 
@@ -250,12 +249,11 @@ For more information on configuring the SSL transport, please see [Configuring t
 Apache ActiveMQ Artemis ships with two security manager implementations:
  
 -   The legacy, deprecated `ActiveMQSecurityManager` that reads user credentials, i.e. user names, passwords and role 
-information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`. 
-This is the default security manager.
+information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`.
 
 -   The flexible, pluggable `ActiveMQJAASSecurityManager` which supports any standard JAAS login module. Artemis ships 
-with several login modules which will be discussed further down. 
-    
+with several login modules which will be discussed further down. This is the default security manager.
+
 ### JAAS Security Manager
 
 When using JAAS much of the configuration depends on which login module is used. However, there are a few commonalities
@@ -278,17 +276,46 @@ The `login.config` file is a standard JAAS configuration file. You can read more
 [Oracle's website](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html).
 In short, the file defines:
 
--   an alias for a configuration (e.g. `PropertiesLogin`)
+-   an alias for an entry (e.g. `PropertiesLogin`)
 
--   the implementation class (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
+-   the implementation class for the login module (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
 
--   a flag which indicates whether the success of the LoginModule is `required`, `requisite`, `sufficient`, or `optional`
+-   a flag which indicates whether the success of the login module is `required`, `requisite`, `sufficient`, or `optional`
+(see more details on these flags in the [JavaDoc](http://docs.oracle.com/javase/8/docs/api/javax/security/auth/login/Configuration.html)
 
 -   a list of configuration options specific to the login module implementation
 
 By default, the location and name of `login.config` is specified on the Artemis command-line which is set by 
 `etc/artemis.profile` on linux and `etc\artemis.profile.cmd` on Windows.
 
+#### Dual Authentication
+
+The JAAS Security Manager also supports another configuration parameter - `certificate-domain`. This is useful when you 
+want to authenticate clients connecting with SSL connections based on their SSL certificates (e.g. using the `CertificateLoginModule`
+discussed below) but you still want to authenticate clients connecting with non-SSL connections with, e.g., username and
+password. Here's an example of what would go in `bootstrap.xml`:
+
+    <jaas-security domain="PropertiesLogin" certificate-domain="CertLogin"/>
+    
+And here's the corresponding `login.config`:
+
+    PropertiesLogin {
+       org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
+           debug=false
+           org.apache.activemq.jaas.properties.user="artemis-users.properties"
+           org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+    };
+    
+    CertLogin {
+       org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
+           debug=true
+           org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
+           org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
+    };
+
+When the broker is configured this way then any client connecting with SSL and a client certificate will be authenticated
+using `CertLogin` and any client connecting without SSL will be authenticated using `PropertiesLogin`.
+
 ### JAAS Login Modules
 
 #### GuestLoginModule
diff --git a/examples/features/standard/pom.xml b/examples/features/standard/pom.xml
index 05d1b64eb14..88a5823be57 100644
--- a/examples/features/standard/pom.xml
+++ b/examples/features/standard/pom.xml
@@ -86,6 +86,7 @@ under the License.
             <module>send-acknowledgements</module>
             <module>spring-integration</module>
             <module>ssl-enabled</module>
+            <module>ssl-enabled-dual-authentication</module>
             <module>static-selector</module>
             <module>temp-queue</module>
             <module>topic</module>
@@ -147,6 +148,7 @@ under the License.
             <module>send-acknowledgements</module>
             <module>spring-integration</module>
             <module>ssl-enabled</module>
+            <module>ssl-enabled-dual-authentication</module>
             <module>static-selector</module>
 
             <!--this needs to be run standalone as it needs manual intervention-->
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/pom.xml b/examples/features/standard/ssl-enabled-dual-authentication/pom.xml
new file mode 100644
index 00000000000..a13d33a9433
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/pom.xml
@@ -0,0 +1,110 @@
+<?xml version='1.0'?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+   <modelVersion>4.0.0</modelVersion>
+
+   <parent>
+      <groupId>org.apache.activemq.examples.broker</groupId>
+      <artifactId>jms-examples</artifactId>
+      <version>1.3.0-SNAPSHOT</version>
+   </parent>
+
+   <artifactId>ssl-enabled-dual-authentication</artifactId>
+   <packaging>jar</packaging>
+   <name>ActiveMQ Artemis JMS SSL Enabled Dual Authentication Example</name>
+
+   <properties>
+      <activemq.basedir>${project.basedir}/../../../..</activemq.basedir>
+   </properties>
+
+   <dependencies>
+      <dependency>
+         <groupId>org.apache.activemq</groupId>
+         <artifactId>artemis-jms-client</artifactId>
+         <version>${project.version}</version>
+      </dependency>
+   </dependencies>
+
+   <build>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.activemq</groupId>
+            <artifactId>artemis-maven-plugin</artifactId>
+            <executions>
+               <execution>
+                  <id>create</id>
+                  <goals>
+                     <goal>create</goal>
+                  </goals>
+                  <configuration>
+                     <ignore>${noServer}</ignore>
+                  </configuration>
+               </execution>
+               <execution>
+                  <id>start</id>
+                  <goals>
+                     <goal>cli</goal>
+                  </goals>
+                  <configuration>
+                     <ignore>${noServer}</ignore>
+                     <spawn>true</spawn>
+                     <testURI>tcp://localhost:61616</testURI>
+                     <testUser>consumer</testUser>
+                     <testPassword>activemq</testPassword>
+                     <args>
+                        <param>run</param>
+                     </args>
+                  </configuration>
+               </execution>
+               <execution>
+                  <id>runClient</id>
+                  <goals>
+                     <goal>runClient</goal>
+                  </goals>
+                  <configuration>
+                     <clientClass>org.apache.activemq.artemis.jms.example.SSLDualAuthenticationExample</clientClass>
+                  </configuration>
+               </execution>
+               <execution>
+                  <id>stop</id>
+                  <goals>
+                     <goal>cli</goal>
+                  </goals>
+                  <configuration>
+                     <ignore>${noServer}</ignore>
+                     <args>
+                        <param>stop</param>
+                     </args>
+                  </configuration>
+               </execution>
+            </executions>
+            <dependencies>
+               <dependency>
+                  <groupId>org.apache.activemq.examples.broker</groupId>
+                  <artifactId>ssl-enabled-dual-authentication</artifactId>
+                  <version>${project.version}</version>
+               </dependency>
+            </dependencies>
+         </plugin>
+      </plugins>
+   </build>
+
+</project>
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/readme.html b/examples/features/standard/ssl-enabled-dual-authentication/readme.html
new file mode 100644
index 00000000000..93d7c72afdc
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/readme.html
@@ -0,0 +1,75 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<html>
+  <head>
+    <title>ActiveMQ Artemis JMS SSL Example</title>
+    <link rel="stylesheet" type="text/css" href="../../../common/common.css" />
+    <link rel="stylesheet" type="text/css" href="../../../common/prettify.css" />
+    <script type="text/javascript" src="../../../common/prettify.js"></script>
+  </head>
+  <body onload="prettyPrint()">
+     <h1>JMS SSL Dual Authentication Example</h1>
+
+     <pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>
+
+     <p>This example shows you how to configure 2-way SSL along with 2 different authentications mechanisms so that SSL and non-SSL clients can send and consume messages to/from ActiveMQ Artemis.
+     The non-SSL authentication mechanism simply uses username and password. The SSL authentication mechanism uses the client's certificate.</p>
+
+     <p>To configure 2-way SSL you need to configure the acceptor as follows:</p>
+
+     <p>
+        <pre class="prettyprint">
+           <code>
+      &lt;!-- Acceptor --&gt;
+
+      &lt;acceptor name=&quot;netty-ssl-acceptor&quot;&gt;tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample&lt;/acceptor&gt;
+           </code>
+        </pre>
+     </p>
+
+     <p>In the server-side URL, the server-side-keystore.jks is the key store file holding the server's certificate. The server-side-truststore.jks is the file holding the certificates which the server trusts. Notice also the "sslEnabled" and "needClientAuth" parameters which enable SSL and require clients to present their own certificate respectively. Here's the URL the client uses to connect over SSL:</p>
+
+     <p>
+        <pre class="prettyprint">
+           <code>
+      tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
+           </code>
+        </pre>
+     </p>
+
+     <p>In the client-side URL, the client-side-keystore.jks is the key store file holding the client's certificate. The client-side-truststore.jks is the file holding the certificates which the client trusts. The "sslEnabled" parameter is present here as well just as it is on the server.</p>
+
+     <p>The various keystore files are generated using the following commands:</p>
+
+     <p>
+        <pre class="prettyprint">
+           <code>
+keytool -genkey -keystore server-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Server, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+keytool -export -keystore server-side-keystore.jks -file server-side-cert.cer -storepass secureexample
+keytool -import -keystore client-side-truststore.jks -file server-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
+keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
+keytool -export -keystore client-side-keystore.jks -file client-side-cert.cer -storepass secureexample
+keytool -import -keystore server-side-truststore.jks -file client-side-cert.cer -storepass secureexample -keypass secureexample -noprompt
+           </code>
+        </pre>
+     </p>
+
+  </body>
+</html>
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java b/examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java
new file mode 100644
index 00000000000..a3c928e5867
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/java/org/apache/activemq/artemis/jms/example/SSLDualAuthenticationExample.java
@@ -0,0 +1,99 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.jms.example;
+
+import javax.jms.Connection;
+import javax.jms.ConnectionFactory;
+import javax.jms.MessageConsumer;
+import javax.jms.MessageProducer;
+import javax.jms.Queue;
+import javax.jms.Session;
+import javax.jms.TextMessage;
+import javax.naming.InitialContext;
+
+/**
+ * A simple JMS Queue example that uses dual broker authentication mechanisms for SSL and non-SSL connections.
+ */
+public class SSLDualAuthenticationExample {
+
+   public static void main(final String[] args) throws Exception {
+      Connection producerConnection = null;
+      Connection consumerConnection = null;
+      InitialContext initialContext = null;
+      try {
+         // Step 1. Create an initial context to perform the JNDI lookup.
+         initialContext = new InitialContext();
+
+         // Step 2. Perfom a lookup on the queue
+         Queue queue = (Queue) initialContext.lookup("queue/exampleQueue");
+
+         // Step 3. Perform a lookup on the producer's SSL Connection Factory
+         ConnectionFactory producerConnectionFactory = (ConnectionFactory) initialContext.lookup("SslConnectionFactory");
+
+         // Step 4. Perform a lookup on the consumer's Connection Factory
+         ConnectionFactory consumerConnectionFactory = (ConnectionFactory) initialContext.lookup("ConnectionFactory");
+
+         // Step 5.Create a JMS Connection for the producer
+         producerConnection = producerConnectionFactory.createConnection();
+
+         // Step 6.Create a JMS Connection for the consumer
+         consumerConnection = consumerConnectionFactory.createConnection("consumer", "activemq");
+
+         // Step 7. Create a JMS Session for the producer
+         Session producerSession = producerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+
+         // Step 8. Create a JMS Session for the consumer
+         Session consumerSession = consumerConnection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+
+         // Step 9. Create a JMS Message Producer
+         MessageProducer producer = producerSession.createProducer(queue);
+
+         // Step 10. Create a Text Message
+         TextMessage message = producerSession.createTextMessage("This is a text message");
+
+         System.out.println("Sent message: " + message.getText());
+
+         // Step 11. Send the Message
+         producer.send(message);
+
+         // Step 12. Create a JMS Message Consumer
+         MessageConsumer messageConsumer = consumerSession.createConsumer(queue);
+
+         // Step 13. Start the Connection
+         consumerConnection.start();
+
+         // Step 14. Receive the message
+         TextMessage messageReceived = (TextMessage) messageConsumer.receive(5000);
+
+         System.out.println("Received message: " + messageReceived.getText());
+
+         initialContext.close();
+      }
+      finally {
+         // Step 15. Be sure to close our JMS resources!
+         if (initialContext != null) {
+            initialContext.close();
+         }
+         if (producerConnection != null) {
+            producerConnection.close();
+         }
+         if (consumerConnection != null) {
+            consumerConnection.close();
+         }
+      }
+   }
+}
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties
new file mode 100644
index 00000000000..643dfc37d16
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-roles.properties
@@ -0,0 +1,17 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+consumers=consumer
\ No newline at end of file
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties
new file mode 100644
index 00000000000..1c68f505ddd
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/artemis-users.properties
@@ -0,0 +1,17 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+consumer=activemq
\ No newline at end of file
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml
new file mode 100644
index 00000000000..2d753e7de10
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/bootstrap.xml
@@ -0,0 +1,28 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<!--
+  ~ Licensed to the Apache Software Foundation (ASF) under one or more
+  ~ contributor license agreements. See the NOTICE file distributed with
+  ~ this work for additional information regarding copyright ownership.
+  ~ The ASF licenses this file to You under the Apache License, Version 2.0
+  ~ (the "License"); you may not use this file except in compliance with
+  ~ the License. You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<broker xmlns="http://activemq.org/schema">
+
+   <jaas-security domain="activemq" certificate-domain="activemq-cert"/>
+
+   <server configuration="file:${artemis.instance}/etc/broker.xml"/>
+
+
+
+</broker>
+
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
new file mode 100644
index 00000000000..14fa849c773
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/broker.xml
@@ -0,0 +1,57 @@
+<?xml version='1.0'?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xmlns="urn:activemq"
+               xsi:schemaLocation="urn:activemq /schema/artemis-server.xsd">
+
+   <jms xmlns="urn:activemq:jms">
+      <!--the queue used by the example-->
+      <queue name="exampleQueue"/>
+   </jms>
+
+   <core xmlns="urn:activemq:core">
+
+      <bindings-directory>./data/messaging/bindings</bindings-directory>
+
+      <journal-directory>./data/messaging/journal</journal-directory>
+
+      <large-messages-directory>./data/messaging/largemessages</large-messages-directory>
+
+      <paging-directory>./data/messaging/paging</paging-directory>
+
+      <!-- Acceptors -->
+      <acceptors>
+         <acceptor name="netty-acceptor">tcp://localhost:61616</acceptor>
+         <acceptor name="netty-ssl-acceptor">tcp://localhost:5500?sslEnabled=true;needClientAuth=true;keyStorePath=${data.dir}/../etc/server-side-keystore.jks;keyStorePassword=secureexample;trustStorePath=${data.dir}/../etc/server-side-truststore.jks;trustStorePassword=secureexample</acceptor>
+      </acceptors>
+
+      <!-- Other config -->
+
+      <security-settings>
+         <!--security for example queue-->
+         <security-setting match="jms.queue.exampleQueue">
+            <permission type="consume" roles="consumers"/>
+            <permission type="send" roles="producers"/>
+         </security-setting>
+      </security-settings>
+
+   </core>
+</configuration>
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties
new file mode 100644
index 00000000000..f52fa217531
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-roles.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producers=producer
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties
new file mode 100644
index 00000000000..06874dc5e97
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/cert-users.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-keystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..cb65a44ddc868383e07e700b941d9ac0709daf58
GIT binary patch
literal 1303
zcmezO_TO6u1_mY|W&~r_+{*0KN+2&_z1sy2Al+}!#Mo`X$Ht}2#>m2`#U#kc$jZRd
z#903PyT#h@IPs9J5x3RWJvkMa<u5GL7s}4$t#RVN<ep3AyCwY-%T_g)TsZ#0|4yx$
z`sqJs_;i=t_U2k0F6{bPzjOM#M?W|?HXYyM{9b=TtMAbtXU~2v(wXvmNj-n4N6_ch
ztk<lnkEd<ldt{=v{1tg?{ZHa=>o!|^cgJXbP~&rKw3WXmtk#sink!k~r2bsZtnRxq
zlbF1@GPb>#=puS4LgYpNeOINWEf3}{X3x7k*|KgH_o=I|w?4db!fN`RJMwi5k39}L
zX6)6Hd?{eN?WvX9|D@@Pzl$_joEDm1opopd`@0I0UlUoZmoWX`<fb0}>CPm<%dVT&
z+ld{q+Uii6bVKsq9n({h74y8Z&i*{ZR5#Cz&3*q&f5zM?=f$IE)M%=S?OLT7;`aFU
z6yJFtr+>dE)9h??n296K=J@#)UUpIYk4348gtzZud3pYF)ayA9i{z40({1P1?$g#6
z?PT|!ysAIU<K;t!kEg7c3T)e;_2BllY4IB_J&Uev`mhobOA&ge29^vA%uWVP%ytG%
zOn(+IGchtTu_#I$h%(@2W7lf)IA_7a%*tR;Xvky0#l{@U!Y0h@=o<**aiH+nAv{3?
zevnEoVGhUSlFYJHpmG6V)B}aMh1ng8N>Xz(iwzYF<Uk_K!s0MR3Q#Ep=bX&cyb=RB
zab81HLjxlVLo*|D6VoUl*UZ4s$PCII2q!f$ZU?4g9az9H0y*+bjg1U{>w_C*ONBIp
z?t9JAd-LS^H^J>eHt$^+4$Ij$YztJ&bd7aT3j7^u+Z*v~|Ix3z48EP79h!5!(Yis_
zB>z)d!uIT$0ZW(6pZ|iTT0rTL|L&F7|7|}e{lhx^`LPwtMEO~MH-Ec)RPHd7X^3!?
z*hHgmrJvVnCtlZj|4E5ia_&VB#^X$)4AT<=`bCww&up5svuV-m7VZxbGG9SX`~Gl2
z>$Tao_fGFw9b>j5d}rm9^}Byry=wXy?!#@%-jp5~8Q!<+N~Hg@LUw`1hAp0Ag~~5{
zG{l6rpXW5{IkD`ajaXH8NKLQCgT?FQv^Os+otU?{p8J=gY0}5vNmYz0)@PP{+_xfd
zLg$L+`wyd@&S#s{ofg+n9jcnb=wtowyr&j(V+#XQV?)s~+5CQI;iS;)p4oc!kN0cY
zZd<*dUtrpOX#?iMImV0LU7d1rPO%8<pSF#Y@?NZ5%kKMO4p)cHvD&?R`+Or+*IYg0
z$T4FFzk$L&1EFo}6^^m3iVsk|^Yu+)wpCXmhf8wF<?<Cl&wq!6i3Mt~ZrYo*QK4OD
zjn}HUH#;LIyby?dvRKhT-ar<Z;$-<)#8^abte(C2soc_vH)b36wmppfk;7DU2_?ZZ
z>oXYWFo~$HDUtbi!Q0ufZ=QC6{toV=3z~tVvYLw}L)s#B<y?JzOAlP*?2DRnX5QK3
WGL{=Eqis6;7$)U)B*lelD**s2*7&Ia

literal 0
HcmV?d00001

diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/client-side-truststore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..7eb1d5634dda1ef34844eff58cdcf44266acef8f
GIT binary patch
literal 963
zcmezO_TO6u1_mY|W(3o$xs}<el|Wv=Mia#o46G4)rUsS_49u+tP0Wo3O-z{!n3))v
zm{=4x#uOOvvT<s)d9;1!Wn|=LWiTi-<T2o4V-96u6J~bw4TSMHP<ZSRo}d9gNF|pr
zhhuU{W?3pwxqty5NQhgQ-La@7H8-=^P{BYBB*H8#4pXE6l~M>!Eh<YbGLRGJH8eFe
zFtRi-G%__cj{<VdfJ}2JcOab9#HfTEFpR7W%uS5^3<gb%Tue=jj0}w}!IxHqb>7c#
zY5d83%;ReHzWNmYgG(Q-_2x;B`F1)!YoAw5deG^=9+R$pk}-IEbyj50l8^mmk0z-|
zD=mNLc6sIe&-e8A7AH<QJIQ->!i>=3^>scCCC6u7`XRfp#D8o1>mL(b*B)7=UgyqI
zo8rq+{Na+y`<<m`E1rFnHK~!w=iC=-I&JE5`QsfXnvE?lC+a;tA-ZR>!U37@*3Fs9
zGQNLnCNfP?5v(%w&f3)%cfhm!2g9nY<`3da=X*<91oa2E#J^o+DHgKmqI&$59<yYD
z;NLuE3QJ^-JxtYVmd0*;@gcaf_N>hPRWD^Yd*2tX{NuH7scp1N&#bvy<aYn}tlPSt
ziJ6gsaj~L-yn!q*a%K5g#8^a*GApRGZ@=x<#haU3_Uyv3`p^wB$bkq<UBEzOWT?~8
ze7#WYoGbgu&GkL+F8#H<rf-!xjp=!dS^U~w_3gf`Y!&>sY@a)^KR2A3*wEcosC90U
z087$R_J)UT;+?4)ziZ__b*w!YRq^$uZ;~I^6x}TA<4kD}v@Rc7qSqN<BK)-T#rv)N
z7f;>jK7Gz4qPA<A<Ei88&Ps8Z9G#iJ;R?f6$sZ@Vn!ZeK3F+^ZTDm7{vfJVCy!8*d
zb{^W<BCur7%}MKZ9r;(-N6u`syQHbBaAU=*x@9#Ix_7s@+}Us==yBn;6+hIqlV+~B
z`PARCt9<!I^<7K4uX%o*SAR<0URt!|c$am+zQ)gSPvdyayF-ip6lJZG0~&l<-d=vD
gd}e}wf#Jh#Dif7U8Uh4U8*l92buQOj&bnI}02t$A{{R30

literal 0
HcmV?d00001

diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config
new file mode 100644
index 00000000000..9bd479d2046
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/login.config
@@ -0,0 +1,30 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+activemq {
+   org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
+       debug=false
+       org.apache.activemq.jaas.properties.user="artemis-users.properties"
+       org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+};
+
+activemq-cert {
+   org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
+       debug=true
+       org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
+       org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
+};
\ No newline at end of file
diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-keystore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..6089c6ee13e7e163561a17ba11bd45cdd755cf8b
GIT binary patch
literal 2253
zcmc(g`8yP98^>qH7<=}8XfS0d%rHhsQI=tB#TX<q*_X<UILSKprN*97q=`no#uBm>
zMG<OV+gMUWjWzokrPq1SIoEa0UvPf7uj~1IpYIRP^}X-we)bpl7XbhO=%9fAFV3JF
z0bVx_$gWzOG6(>0f)HfzKH?CB_ZS2S2C9LCfj~|Gm<*opF;lu|jT=7V;`C@?5&_}u
zYK=(7(luT3FOLbZsgr`m>P>~kHCuBJ5j#hWA1-h*!x>Z9lT29*-_x*b?~at=i?fp)
zdi=L{piIMX_dfb8fx%UP!)to-c^7jIL(|`m$|~fuH}w{+JG$1#^uQ_sl)KwF;tK=F
z67}Pu!dlne)Lxwr?S&;J^6(;086MfH;*yxgO%EKGc(oG=KN@a0hY3<=2#q#;%|+jM
zT$>2t!8?LJ#sw;^tr4&2owN49PNbNVikLBXro<h*Z{s{bNt0-Ls$*Y|%}9$P-p%$j
z!mF7k$kZeVs7*E|=$nZ~seESBlwPCPn+LjXRtGfrV7pIbij3VHF7!SXTw}<8#utK~
zN(4KnJ^t8;RJVVLKjq9?_7jrqDCg<8cV6U4bNlgD@z}zdj=dxw{Z1f@Z%cWc?Vb5c
zh(OY2hCSUaw!Ot~NiABrdm(gj1B%8cY&+)&C;AS=jLK`UTEQ2H*i#c0KQtZ9^2-a)
zW}BNo$5iG0cd>aMZ?`|LuhOmRq`h%$4yB~gR&HyM|J5@jD9Iqz+ib3WJy?uoe}p!z
zK}pUT$oO{YTeKz1JT6HkfiMM?sW6HZuw`Kv>!XfS%hb5QV{&?ekEB${cR|{Wimhjo
zP5JcGUVB{&@5>oyGBQ+(IR_0eXA{bXHFHK<@0Ac=J70@P7=5AorY3jV8J@lJvsT@$
zY})?9(JV}nJGr~Go3`I-+M8^3<AhM(*OaH#pLFRp@1+ATYMbf@Z`RRByU5I=!laxm
z7TA#z-X7<o;k;8x;w{(EUUg3~`80LKbmr{r{A^j*yMRK65p~n07gF#`A(UXPhwD-T
zxWE9rXlY$^f?0!(^+h3|>|G-_qmJ>naK+kP_#Ig#!*9Six%p=5xpq-qWyhnl=x>C3
zJ*W_D%dmN*xyF@dU)|;?{ZCzUC70li)Kl`Ww0z7TE2KN105;7;)?AH7R4+%v6b&Qc
zwb#~4pWQd5z>n4kaQc48hLX~J_a8(mjV&EotXhz`p6y>_L=0W*o8_w>ptWN8m`qBc
z*snd~<^I-?cnbGbK?8KSgSq%tO4kArkHjagTPx)F%t$<tZnk-G{fBa^;djrM1gi~c
zdn33jojR|WRv9qQhQ74dGwK|d4ypKZXztaL)+TRQcU-NkxBmRvTZ;SmtGaU}Nr-r9
z9y7Djy8uUshtNH(K&0BRfaOU^E(~lHEb|80?I@=I15~4mT5!QzaZlGS$l;5uIxLav
zfzA+#u!-*LgBnDLrtt8DNUD5HTyJTlv6P5QhRb(g(``xi$q(TQ37qW=#8`Q98x%<>
zjF$F7gxd@R866u~IZHSPW3XjkuX=1Zs=zGkt;$=VYZ4p#W8{LFXgc~#ON?Qo2+Q-!
zd<{o#6mBGyY^2^+_Aan_sOVngRsRgQsOwXSJm64T|MSB|Iw<h&?oauXm3iOou)XW(
zJ5*q&>%c83?Fs*9PbH>QhUzRCYt{`vB24%T$dmVlOl}HEjiNqS!fMQh#2R9@PAd%_
zlYvg1r%5)6L3YbwA@_7kzf{ZznwTZ0x>I=tv@OJ)eaFwR&IS)JZbVs#NY@TYbl0bR
zw9Sh~Rao7QHq4dNTwO&c(qV8dPfztDo_-}3VKp~hmjJoBZxuEFSd2~@ItV=gfFl7x
z=7>d*L4L&?ARq_?hE=;>LkK{4)Dkg?+X6r!A1442jO0h~LO5_>h$x4#^|`-@`ya&h
z2MHqte|PeVavNU`@eB1junQgR+XIPDl*^bH;uYjaLc$R8zbhP~l7E?Ce_p}ty@;V+
zM1;Jg08$5u(9%O7wRCiJT@Da^aMb-1|BWY+fr@_*=HTDpAOi&f2r`ftL<Rx@vGMl(
zWsWHmz9zBX`8qJHn=R3vg0D&^8CZTF*R39R{}#&#pYuIGF<C=vP{bEjfpdDvDkXF(
z3offjUosnbe1Cmh^99Kx=Y1CTKbP`xq{=9(n2^qb{vEjoA+~i%3p*L6jMq<;qs+mP
zp4Qx?m45hg<8^e|^r{>x0(zCF<)ThrF8y$4GD<ZzelAmk{Z{;WHtZ#I+aS(Q32OZ_
zA`_GY7Y;{a{hMyPy|f710X*@KTahfikCi@go?;*GzDU!PaG>=myAP(LFALf4@uOiS
za@rW3qY<SSt7lj2Z$!R_PCS`|^4wYue*DAoL8;*dlk|eZTKVQ*7EyJTAPyh^_)r0H
z7$JAiT)9JF39#534j4SCe#|UYASftwy0;@5R|WlhhzHYk5F!u|bzF7ffdtc(tE(nD
zeX0Ma-jJrgR~~349_`M!rCe{F0QpVugW=2>t{G&mM@(93uo{yl1SXVn#Y`qjrg*9B
zMar)wGhVs;wmD}_u;I;7_c!PSd4E<LXe-f3u|tWnQ)ZXz1pB&2(t4OEr^wVi<L=Ii
z_cGk5H`J?DgMd2eoi1MTMs~ad<(5q8bC+zhcKnsf&#8@VjqySy&quQ=)r|$qPCHW*
zPxY&+!$!*HqaH;_seh_9`B*h_{!8$)vK{4P1Zw5UHA;L_7`;!qsU&U4VzVf^`|xR5
z@sQ3`1G|>kbvL$~fNmO&WTPNwaM>=#Dt>WbTIpSe?KR{ik+zDz#s)blTpsbi@+jOW
IlooIIKQG79H~;_u

literal 0
HcmV?d00001

diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/activemq/server0/server-side-truststore.jks
new file mode 100644
index 0000000000000000000000000000000000000000..0b7e224163358aef1f20d04f5c6720f98b97679a
GIT binary patch
literal 1732
zcmezO_TO6u1_mZLW=={>VPIek*!;DvkAXEp&(y$@fq_}Wpov+<po!_x0%j&gCMFin
zkh~WL+-&SxZ64<=SeRKE3{nhv47k{sLs{5_nH_xtVLT2L9y^35XuuCr$tBF;m|T)s
zmI_oZV890w;udCiEGkLO%`7$)HV_1fFbi`zC8j7i=VYell^Dp0^BS5O8W>p`ni!fH
z8AJiOW(I~v=1?x3T+zh1-Jpq42j+c7AV;35v610#eQ={}sgP#SeXlusZ=O8=Cb&Jw
z=DiEUVLAJTZGmc;uCWeEfxjbddn11BKl*i-!MD@1LvyY-S~tj=<bO&_*q%KzVCj<i
z^Ix!33n(4(-@WqszwO7Qe^`e<Kel3-C_l^Z=5Lpe${l7h4H1qKn`rc{^z%CH#Oqq`
zKPfRw&b{ctc$`U;VR}M9zo;_znN5>+HZ6MH!u=sa<}1i)-ybe$y*AtS-swH7W6XAh
z@2s4%e)lh{S4}^|eYkDeo6-X#!~1q!iS&O~$S%;>u*FlXQ2B+AhM4g7^PEOKCzd_5
z5v%GBsp-{tuy~!E_U2`!6Z00=bN^B_P5Ssdsftm>`plA#`&I-_=v>i!|6$bA`D~NA
z)8ZPcLse54eXReT_tau;Y++z(Y%r=kbN_I)aQjBz7apnmULCHGthwoYIiq;Vm%RmV
z?@n47b>?ra)6b>tSrY0=%WwEk-FIip&c&-Y+<x=COk1$`y|TbrnHLAHF?_XqUU>G@
zt&Qi`{8=yFqpKpTwk+J%ihWU}<<Hte*C%ryT*}ni7`PxS&F$}wY;k|vnrF4<Cv<nQ
zb}v>mkT;M8rYl)K7BLo)MB_7#Mv^mDt4;Yl_xFC?=tt8y4N;Ocvp$1?4wHy=*^=l6
zw!k~;c?Q#?BJOs1TP)kkB*NsMsjZi_Qb6d)+Gd^R=1KCew@n1+Bi7u??9@t7E?Vy{
z@eh%UoPfE=4w#GnKy#6z#DORj>kJBE`G#7#NWnl3l8eM)Sxo_&!O*jm1u#RIo0!6~
zlo^ye5KbD+U*zVmqGPi8{m#Nkq1ipN_39t**RtKVdOyFwwENNq%!PA|7rnbW<>Z`V
z5!OF#8z<$xSh<$n_rn~n4xMAQd-wMFMyjs4dd87s#twc1g?$D>+tw=_V_Ov;pnB))
zo5XCZu0#%(<dVzfD}tW?4ha(r)L`ATH*2FpyUrS~RdH{2MoxGk5cvcxf8AI;d+}4b
zr4?_?HtubE82clKspt|)f`{fW)iotD|1NktJNC`fF3{h>eRM%HFxSayE|v^wi`12K
k_4O@1aE-GsYR(x({$u$93H;)JLJaM8R<Bwrr5j`f04OGD<NyEw

literal 0
HcmV?d00001

diff --git a/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
new file mode 100644
index 00000000000..12fbef627e3
--- /dev/null
+++ b/examples/features/standard/ssl-enabled-dual-authentication/src/main/resources/jndi.properties
@@ -0,0 +1,21 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
+connectionFactory.SslConnectionFactory=tcp://localhost:5500?sslEnabled=true&trustStorePath=activemq/server0/client-side-truststore.jks&trustStorePassword=secureexample&keyStorePath=activemq/server0/client-side-keystore.jks&keyStorePassword=secureexample
+connectionFactory.ConnectionFactory=tcp://localhost:61616
+queue.queue/exampleQueue=exampleQueue
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
index 1ced54f4842..0d553adce9d 100644
--- a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/CoreClientOverTwoWaySSLTest.java
@@ -70,15 +70,15 @@ public CoreClientOverTwoWaySSLTest(String storeType) {
    public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
 
    /**
-    * These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL
+    * These artifacts are required for testing 2-way SSL in addition to the artifacts for 1-way SSL from {@link CoreClientOverOneWaySSLTest}
     *
     * Commands to create the JKS artifacts:
-    * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+    * keytool -genkey -keystore client-side-keystore.jks -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
     * keytool -export -keystore client-side-keystore.jks -file activemq-jks.cer -storepass secureexample
     * keytool -import -keystore server-side-truststore.jks -file activemq-jks.cer -storepass secureexample -keypass secureexample -noprompt
     *
     * Commands to create the JCEKS artifacts:
-    * keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ"
+    * keytool -genkey -keystore client-side-keystore.jceks -storetype JCEKS -storepass secureexample -keypass secureexample -dname "CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, S=AMQ, C=AMQ" -keyalg RSA
     * keytool -export -keystore client-side-keystore.jceks -file activemq-jceks.cer -storetype jceks -storepass secureexample
     * keytool -import -keystore server-side-truststore.jceks -storetype JCEKS -file activemq-jceks.cer -storepass secureexample -keypass secureexample -noprompt
     */
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
new file mode 100644
index 00000000000..d3c67671ab9
--- /dev/null
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/ssl/DualAuthenticationTest.java
@@ -0,0 +1,142 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.ssl;
+
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.Message;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientMessage;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.netty.TransportConstants;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.core.settings.HierarchicalRepository;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQSecurityManager;
+import org.apache.activemq.artemis.tests.integration.security.SecurityTest;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.activemq.artemis.utils.RandomUtil;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+/**
+ * See {@link CoreClientOverTwoWaySSLTest} for details about the keystores required for this test.
+ */
+public class DualAuthenticationTest extends ActiveMQTestBase {
+
+   public static final SimpleString QUEUE = new SimpleString("QueueOverSSL");
+
+   static {
+      String path = System.getProperty("java.security.auth.login.config");
+      if (path == null) {
+         URL resource = SecurityTest.class.getClassLoader().getResource("login.config");
+         if (resource != null) {
+            path = resource.getFile();
+            System.setProperty("java.security.auth.login.config", path);
+         }
+      }
+   }
+
+   private String SERVER_SIDE_KEYSTORE = "server-side-keystore.jks";
+   private String SERVER_SIDE_TRUSTSTORE = "server-side-truststore.jks";
+   private String CLIENT_SIDE_TRUSTSTORE = "client-side-truststore.jks";
+   private String CLIENT_SIDE_KEYSTORE = "client-side-keystore.jks";
+   private final String PASSWORD = "secureexample";
+
+   private ActiveMQServer server;
+
+   private TransportConfiguration tc;
+
+   @Test
+   public void testDualAuthentication() throws Exception {
+      String text = RandomUtil.randomString();
+
+      tc.getParams().put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, CLIENT_SIDE_TRUSTSTORE);
+      tc.getParams().put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      tc.getParams().put(TransportConstants.KEYSTORE_PATH_PROP_NAME, CLIENT_SIDE_KEYSTORE);
+      tc.getParams().put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      tc.getParams().put(TransportConstants.PORT_PROP_NAME, "61617");
+
+      ServerLocator producerLocator = addServerLocator(ActiveMQClient.createServerLocatorWithoutHA(tc));
+      ClientSessionFactory producerSessionFactory = createSessionFactory(producerLocator);
+      ClientSession producerSession = producerSessionFactory.createSession(false, true, true);
+      producerSession.createQueue(DualAuthenticationTest.QUEUE, DualAuthenticationTest.QUEUE, false);
+      ClientProducer producer = producerSession.createProducer(DualAuthenticationTest.QUEUE);
+
+      ClientMessage message = createTextMessage(producerSession, text);
+      producer.send(message);
+
+      ServerLocator consumerLocator = addServerLocator(ActiveMQClient.createServerLocator("tcp://localhost:61616"));
+      ClientSessionFactory consumerSessionFactory = createSessionFactory(consumerLocator);
+      ClientSession consumerSession = consumerSessionFactory.createSession("consumer", "consumerPassword", false, true, true, consumerLocator.isPreAcknowledge(), consumerLocator.getAckBatchSize());
+      ClientConsumer consumer = consumerSession.createConsumer(DualAuthenticationTest.QUEUE);
+      consumerSession.start();
+
+      Message m = consumer.receive(1000);
+      Assert.assertNotNull(m);
+      Assert.assertEquals(text, m.getBodyBuffer().readString());
+   }
+
+   @Override
+   @Before
+   public void setUp() throws Exception {
+      super.setUp();
+      Map<String, Object> params = new HashMap<>();
+      params.put(TransportConstants.SSL_ENABLED_PROP_NAME, true);
+      params.put(TransportConstants.KEYSTORE_PATH_PROP_NAME, SERVER_SIDE_KEYSTORE);
+      params.put(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      params.put(TransportConstants.TRUSTSTORE_PATH_PROP_NAME, SERVER_SIDE_TRUSTSTORE);
+      params.put(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME, PASSWORD);
+      params.put(TransportConstants.NEED_CLIENT_AUTH_PROP_NAME, true);
+      params.put(TransportConstants.PORT_PROP_NAME, "61617");
+      ConfigurationImpl config = createBasicConfig();
+      config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY, params));
+      config.addAcceptorConfiguration(new TransportConfiguration(NETTY_ACCEPTOR_FACTORY));
+      config.setSecurityEnabled(true);
+
+      ActiveMQSecurityManager securityManager = new ActiveMQJAASSecurityManager("DualAuthenticationPropertiesLogin", "DualAuthenticationCertLogin");
+      server = addServer(ActiveMQServers.newActiveMQServer(config, ManagementFactory.getPlatformMBeanServer(), securityManager, false));
+
+      HierarchicalRepository<Set<Role>> securityRepository = server.getSecurityRepository();
+      Role sendRole = new Role("producers", true, false, true, false, true, false, false);
+      Role receiveRole = new Role("consumers", false, true, false, false, false, false, false);
+      Set<Role> roles = new HashSet<>();
+      roles.add(sendRole);
+      roles.add(receiveRole);
+      securityRepository.addMatch(DualAuthenticationTest.QUEUE.toString(), roles);
+
+      server.start();
+      waitForServerToStart(server);
+      tc = new TransportConfiguration(NETTY_CONNECTOR_FACTORY);
+   }
+}
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties b/tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties
new file mode 100644
index 00000000000..f52fa217531
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-cert-roles.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producers=producer
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties b/tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties
new file mode 100644
index 00000000000..06874dc5e97
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-cert-users.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+producer=CN=ActiveMQ Artemis Client, OU=Artemis, O=ActiveMQ, L=AMQ, ST=AMQ, C=AMQ
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-roles.properties b/tests/integration-tests/src/test/resources/dual-authentication-roles.properties
new file mode 100644
index 00000000000..9c931731a4d
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-roles.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+consumers=consumer
\ No newline at end of file
diff --git a/tests/integration-tests/src/test/resources/dual-authentication-users.properties b/tests/integration-tests/src/test/resources/dual-authentication-users.properties
new file mode 100644
index 00000000000..7b61983e3aa
--- /dev/null
+++ b/tests/integration-tests/src/test/resources/dual-authentication-users.properties
@@ -0,0 +1,18 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+consumer=consumerPassword
diff --git a/tests/integration-tests/src/test/resources/login.config b/tests/integration-tests/src/test/resources/login.config
index 7c160c50d41..6bc3498994d 100644
--- a/tests/integration-tests/src/test/resources/login.config
+++ b/tests/integration-tests/src/test/resources/login.config
@@ -123,3 +123,17 @@ CertLogin {
         org.apache.activemq.jaas.textfiledn.user="cert-users.properties"
         org.apache.activemq.jaas.textfiledn.role="cert-roles.properties";
 };
+
+DualAuthenticationCertLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.TextFileCertificateLoginModule required
+        debug=true
+        org.apache.activemq.jaas.textfiledn.user="dual-authentication-cert-users.properties"
+        org.apache.activemq.jaas.textfiledn.role="dual-authentication-cert-roles.properties";
+};
+
+DualAuthenticationPropertiesLogin {
+    org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
+        debug=true
+        org.apache.activemq.jaas.properties.user="dual-authentication-users.properties"
+        org.apache.activemq.jaas.properties.role="dual-authentication-roles.properties";
+};