Reprint: ActiveMQ security mechanisms implemented through JAAS

Source: Internet
Author: User
Tags: stomp

JAAS (Java Authentication and Authorization Service) provides two distinct services:
Authentication verifies that a user is valid, that is, that the user name and password are correct.
Authorization grants roles to a user so that the user can only access resources that require a role the user holds.
ActiveMQ uses JAAS for message security and access control, and this is set up through configuration files.
First, the authentication service.
Write a login.config file with the following content:
activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
Put this file on the classpath. I chose to put it under %ACTIVEMQ_HOME%/conf/, so no further setup is needed. Then write the users.properties and groups.properties files, for example:
# users.properties
system=manager
user=password
guest=password
# groups.properties
admins=system
users=system,user
guests=guest
The content is self-explanatory: users.properties contains three users and their passwords, and groups.properties contains three groups and the users in each group. These two files are placed in the same directory as login.config.

Next, the authorization service:
Modify the activemq.xml file to add the operations that users in each group may perform.

<beans xmlns="http://activemq.org/config/1.0">
  <!-- Allows us to use system properties as variables in this configuration file -->
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>

  <broker useJmx="true">
    <!-- In ActiveMQ 4, you can set up destination policies -->
    <destinationPolicy>
      <policyMap><policyEntries>

        <policyEntry topic="Foo.>">
          <dispatchPolicy>
            <strictOrderDispatchPolicy/>
          </dispatchPolicy>
          <subscriptionRecoveryPolicy>
            <lastImageSubscriptionRecoveryPolicy/>
          </subscriptionRecoveryPolicy>
        </policyEntry>
      </policyEntries></policyMap>
    </destinationPolicy>


    <persistenceAdapter>
      <journaledJDBC journalLogFiles="5" dataDirectory="${activemq.home}/activemq-data"/>
      <!-- To use a different datasource, use the following syntax: -->
      <!--
      <journaledJDBC journalLogFiles="5" dataDirectory="./activemq-data" dataSource="#postgres-ds"/>
      -->
    </persistenceAdapter>

    <transportConnectors>
      <transportConnector name="default" uri="tcp://localhost:61616" discoveryUri="multicast://default"/>
      <transportConnector name="stomp" uri="stomp://localhost:61613"/>
    </transportConnectors>

    <networkConnectors>
      <!-- By default just auto discover the other brokers -->
      <networkConnector name="default" uri="multicast://default"/>
      <!--
      <networkConnector name="host1 and host2" uri="static://(tcp://host1:61616,tcp://host2:61616)" failover="true"/>
      -->
    </networkConnectors>

    <plugins>
      <!-- Use JAAS to authenticate, using the login.config file on the classpath to configure JAAS -->
      <jaasAuthenticationPlugin configuration="activemq-domain"/>
      <!-- Configure a destination-based authorization mechanism -->
      <authorizationPlugin>
        <map>
          <authorizationMap>
            <authorizationEntries>
              <authorizationEntry queue=">" read="admins,guests" write="guests" admin="admins,guests"/>
              <authorizationEntry queue="users.>" read="users" write="users" admin="users"/>
              <authorizationEntry queue="guest.>" read="guests" write="guests,users" admin="guests,users"/>

              <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
              <authorizationEntry topic="users.>" read="users" write="users" admin="users"/>
              <authorizationEntry topic="guest.>" read="guests" write="guests,users" admin="guests,users"/>

              <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
            </authorizationEntries>
          </authorizationMap>
        </map>
      </authorizationPlugin>
    </plugins>
  </broker>
</beans>

The content inside the <authorizationPlugin> tag is the authorization configuration.
As the configuration file above shows, ActiveMQ assigns groups of users the operations they may perform on different queues or topics. There are three main permissions: read, write and admin, detailed below.
Read: can receive messages from a queue or topic
Write: can send messages to a queue or topic
Admin: can create a queue or topic (there may be other features)
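To see which users actually end up with each permission on a given destination, the following added example (not part of the original article or of ActiveMQ) evaluates the authorization entries and groups.properties transcribed from the configuration above. The function names are hypothetical, the wildcard matcher is simplified, and it assumes the ACLs of every matching entry are combined.

```python
import xml.etree.ElementTree as ET

# Constructed sample: authorization entries and groups.properties as given on this page.
AUTH_XML = """<authorizationEntries>
  <authorizationEntry queue=">" read="admins,guests" write="guests" admin="admins,guests"/>
  <authorizationEntry queue="users.>" read="users" write="users" admin="users"/>
  <authorizationEntry queue="guest.>" read="guests" write="guests,users" admin="guests,users"/>
  <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
  <authorizationEntry topic="users.>" read="users" write="users" admin="users"/>
  <authorizationEntry topic="guest.>" read="guests" write="guests,users" admin="guests,users"/>
  <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>"""
GROUPS = "admins=system\nusers=system,user\nguests=guest\n"


def parse_groups(text):
    """groups.properties lines 'group=user1,user2' -> {group: {users}}."""
    groups = {}
    for line in text.splitlines():
        name, sep, members = line.strip().partition("=")
        if sep and not name.startswith("#"):
            groups[name.strip()] = {m.strip() for m in members.split(",") if m.strip()}
    return groups


def matches(pattern, name):
    """Simplified ActiveMQ wildcards: '.' separates elements, '*' is one, '>' is the rest."""
    pat, parts = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return True
        if i >= len(parts) or (p != "*" and p != parts[i]):
            return False
    return len(pat) == len(parts)


def effective_users(kind, name, op):
    """Users allowed op on a queue/topic; assumes ACLs of all matching entries are unioned."""
    groups, allowed = parse_groups(GROUPS), set()
    for entry in ET.fromstring(AUTH_XML):
        pattern = entry.get(kind)  # None when the entry is for the other destination kind
        if pattern is not None and matches(pattern, name):
            for group in entry.get(op, "").split(","):
                allowed |= groups.get(group.strip(), set())
    return allowed


if __name__ == "__main__":
    print(sorted(effective_users("queue", "users.orders", "write")))
```

Under that assumption, guest can write to and administer the queue users.orders, because the queue=">" entry matches every queue and grants write and admin to guests.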
With these files in place, ActiveMQ has a basic security mechanism. Note that the ActiveMQ 4.0.1 release does not include activemq-jaas.jar, so you need to download it yourself. The apache-activemq-4.1.1 release, however, ships activemq-jaas-4.1.1.jar in the ActiveMQ lib directory.
The above is an analysis of the JAAS-based security mechanism in ActiveMQ. Whether this approach is flexible, convenient and secure, and how it compares with implementing the security mechanism programmatically, needs further analysis and comparison.
