ActiveMQ in Action(4) - Security
关键字: activemq
2.4 Security
ActiveMQ支持可插拔的安全机制,用以在不同的provider之间切换。
2.4.1 Simple Authentication Plugin
Simple Authentication Plugin适用于简单的认证需求,或者用于建立测试环境。它允许在XML配置文件中指定用户、用户组和密码等信息。以下是ActiveMQ配置的一个例子:
- <plugins>
- ...
- <simpleAuthenticationPlugin>
- <users>
- <authenticationUser username="system" password="manager" groups="users,admins"/>
- <authenticationUser username="user" password="password" groups="users"/>
- <authenticationUser username="guest" password="password" groups="guests"/>
- </users>
- </simpleAuthenticationPlugin>
- </plugins>
2.4.2 JAAS Authentication Plugin
JAAS Authentication Plugin依赖标准的JAAS机制来实现认证。通常情况下,你需要通过设置java.security.auth.login.config系统属性来配置login modules的配置文件。如果没有指定这个系统属性,那么JAAS Authentication Plugin会缺省使用login.config作为文件名。以下是一个login.config文件的例子:
activemq-domain {
org.apache.activemq.jaas.PropertiesLoginModule required debug=true org.apache.activemq.jaas.properties.user="users.properties" org.apache.activemq.jaas.properties.group="groups.properties";
};
这个login.config文件中设置了两个属性:org.apache.activemq.jaas.properties.user和org.apache.activemq.jaas.properties.group分别用来指向user.properties和group.properties文件。需要注意的是,PropertiesLoginModule使用本地文件的查找方式,而且查找时采用的base directory是login.config文件所在的目录。因此这个login.config说明user.properties和group.properties文件存放在跟login.config文件相同的目录里。
以下是ActiveMQ配置的一个例子:
- <plugins>
- ...
- <jaasAuthenticationPlugin configuration="activemq-domain" />
- </plugins>
ActiveMQ JAAS还支持LDAPLoginModule、CertificateLoginModule、TextFileCertificateLoginModule等login module。
2.4.3 Custom Authentication Implementation
可以通过编码的方式为ActiveMQ增加认证功能。例如编写一个类继承自XBeanBrokerService。
- package com.yourpackage;
- import java.net.URI;
- import java.util.HashMap;
- import java.util.Map;
- import org.apache.activemq.broker.Broker;
- import org.apache.activemq.broker.BrokerFactory;
- import org.apache.activemq.broker.BrokerService;
- import org.apache.activemq.security.SimpleAuthenticationBroker;
- import org.apache.activemq.xbean.XBeanBrokerService;
- public class SimpleAuthBroker extends XBeanBrokerService {
- //
- private String user;
- private String password;
- @SuppressWarnings("unchecked")
- protected Broker addInterceptors(Broker broker) throws Exception {
- broker = super.addInterceptors(broker);
- Map passwords = new HashMap();
- passwords.put(getUser(), getPassword());
- broker = new SimpleAuthenticationBroker(broker, passwords, new HashMap());
- return broker;
- }
- public String getUser() {
- return user;
- }
- public void setUser(String user) {
- this.user = user;
- }
- public String getPassword() {
- return password;
- }
- public void setPassword(String password) {
- this.password = password;
- }
- }
- <beans>
- …
- <auth:SimpleAuthBroker
- xmlns:auth="java://com.yourpackage"
- xmlns="http://activemq.org/config/1.0" brokerName="SimpleAuthBroker1" user="user" password="password" useJmx="true">
- <transportConnectors>
- <transportConnector uri="tcp://localhost:61616"/>
- </transportConnectors>
- </auth:SimpleAuthBroker>
- …
- </beans>
2.4.4 Authorization Plugin
可以通过Authorization Plugin为认证后的用户授权,以下ActiveMQ配置文件的一个例子:
- <plugins>
- <jaasAuthenticationPlugin configuration="activemq-domain"/>
- <authorizationPlugin>
- <map>
- <authorizationMap>
- <authorizationEntries>
- <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
- <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
- <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
- <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
- <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
- <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
- <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
- </authorizationEntries>
- </authorizationMap>
- </map>
- </authorizationPlugin>
- </plugins>