ActiveMQ MQTT connection authentication based on a DB

Source: Internet
Author: User
Tags auth

The purpose of this article is to implement ActiveMQ login authentication by developing a custom plug-in.

Of course, ActiveMQ can do simple authentication by setting users and passwords for connections in the configuration file.

Think about this scenario:

1. Each MQTT client has its own clientid, user, and password

2. Over time, old MQTT clients are no longer allowed to access the broker, while new MQTT clients keep being added

If hundreds of MQTT clients need to connect to the broker, maintaining these users and passwords in the ActiveMQ configuration file is a heavy and error-prone process.

Is there a scheme in which the users and passwords that are allowed access are stored in a DB, and connections are authenticated by querying the DB? The answer is yes, there is.

ActiveMQ provides a plug-in mechanism that lets us authenticate connections flexibly. Below, let's see how to implement this scenario.

1. Create a Java application and add the ActiveMQ dependency to its Maven file. The version of the jar must match the deployed ActiveMQ.

<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-broker</artifactId>
    <version>5.15.0</version>
</dependency>

2. Create a broker plug-in class, which simply returns a BrokerFilter when the plug-in is installed. This example returns AuthFilter; see step 3 for that class.

package com.study.mqttatuh;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.BrokerPlugin;

public class LoginAuthPlugin implements BrokerPlugin {

    // Called by the broker at start-up; wraps the broker chain in our filter
    public Broker installPlugin(Broker broker) throws Exception {
        return new AuthFilter(broker);
    }

}

3. Create a broker filter. The key point is to override the addConnection method and add the user/password check there. If validation fails, throw a SecurityException, which causes the MQTT client's connection to fail. This is how authentication is achieved.

package com.study.mqttatuh;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;

import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;

public class AuthFilter extends BrokerFilter {

    public AuthFilter(Broker next) {
        super(next);
    }

    @Override
    public void addConnection(ConnectionContext context,
                              ConnectionInfo info) throws Exception {
        // Reject the connection before it is passed down the broker chain
        auth(info.getUserName(), info.getPassword());
        super.addConnection(context, info);
    }

    private void auth(String userName, String password)
    {
        // For ease of demonstration the user and password are hard-coded here;
        // a real implementation verifies them against the DB
        if (!"UserName1".equals(userName) || !"Password1".equals(password))
        {
            throw new SecurityException("Invalid userName or password!");
        }
    }

}

4. Export the jar package. In this example the exported jar is named mqttatuh-0.0.1-SNAPSHOT.jar

5. Upload the jar package to the lib directory of the ActiveMQ deployment directory


[root@localhost lib]# pwd
/usr/apache-activemq-5.15.0/lib
[root@localhost lib]# ls
activemq-broker-5.15.0.jar           activemq-rar.txt                             geronimo-jta_1.0.1b_spec-1.0.1.jar
activemq-client-5.15.0.jar           activemq-spring-5.15.0.jar                   hawtbuf-1.11.jar
activemq-console-5.15.0.jar          activemq-web-5.15.0.jar                      jcl-over-slf4j-1.7.25.jar
activemq-jaas-5.15.0.jar             camel                                        mqttatuh-0.0.1-SNAPSHOT.jar
activemq-kahadb-store-5.15.0.jar     extra                                        optional
activemq-openwire-legacy-5.15.0.jar  geronimo-j2ee-management_1.1_spec-1.0.1.jar  slf4j-api-1.7.25.jar
activemq-protobuf-1.1.jar            geronimo-jms_1.1_spec-1.1.1.jar              web



6. Modify the ActiveMQ configuration file activemq.xml and add the custom plug-in to the broker section (the plugins element is the addition)

<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost" dataDirectory="${activemq.data}">

    ... (other configuration omitted)

    <plugins>
        <bean xmlns="http://www.springframework.org/schema/beans"
              id="loginAuthPlugin" class="com.study.mqttatuh.LoginAuthPlugin">
        </bean>
    </plugins>

    ... (other configuration omitted)

</broker>

7. Restart ActiveMQ

At this point the authentication plug-in is installed and configured. When an MQTT client attempts to establish a connection and the supplied user and password do not match, validation fails in AuthFilter with SecurityException: Invalid userName or password!


Of course, this article only demonstrates the idea. In the auth method of AuthFilter you can call any other authentication interface or service to do the login check. BrokerFilter also has other methods that can be overridden for further extensions, such as message interception, logging, etc.
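
One way to replace the hard-coded check in AuthFilter.auth() with the DB lookup described at the start of the article. This is an added example, not code from the original article: the DbAuthenticator class (placed in the same package as AuthFilter), the mqtt_user table and its columns are assumptions, and passwords are assumed to be stored as salted PBKDF2 hashes rather than in plain text.

```java
import java.security.MessageDigest;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.sql.DataSource;

// Added example, not from the original article. Assumed (hypothetical) schema:
//   mqtt_user(username VARCHAR PRIMARY KEY, salt VARBINARY, pwd_hash VARBINARY,
//             iterations INT, enabled BOOLEAN)
public class DbAuthenticator {
    private static final String SQL =
        "SELECT salt, pwd_hash, iterations FROM mqtt_user WHERE username = ? AND enabled = TRUE";
    private final DataSource dataSource; // pooled DataSource supplied by the plug-in
    public DbAuthenticator(DataSource dataSource) {
        this.dataSource = dataSource;
    }

    // Call from AuthFilter.addConnection() in place of the hard-coded auth().
    public void auth(String userName, String password) {
        boolean ok = false;
        if (userName != null && password != null) {
            try (Connection c = dataSource.getConnection();
                 PreparedStatement ps = c.prepareStatement(SQL)) {
                ps.setString(1, userName); // bound parameter, never concatenated into the SQL
                try (ResultSet rs = ps.executeQuery()) {
                    if (rs.next()) {
                        byte[] expected = rs.getBytes("pwd_hash");
                        byte[] actual = pbkdf2(password, rs.getBytes("salt"),
                                rs.getInt("iterations"), expected.length);
                        ok = MessageDigest.isEqual(expected, actual); // constant-time compare
                    }
                }
            } catch (Exception e) {
                ok = false; // fail closed: a DB or crypto error must not admit the client
            }
        }
        if (!ok) { // same message for unknown user, disabled user and wrong password
            throw new SecurityException("Invalid userName or password!");
        }
    }

    private static byte[] pbkdf2(String password, byte[] salt, int iterations, int lengthBytes)
            throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iterations, lengthBytes * 8);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }
}
```

Setting enabled to false for a retired client locks it out on its next connection attempt without editing activemq.xml. The MQTT password arrives in the CONNECT packet, so the broker's MQTT transport connector should use TLS for this check to protect anything.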

