ActiveMQ应用笔记三:安全性

需求:
1.Client(生产者和消费者)连接ActiveMQ需要使用账号;
2.限制具体的Client对于某个/某些Topic/Queue的操作权限.
 
一、具体配置
1.conf/activemq.xml中增加如下配置,实现消息授权
        <plugins>
            <!--  use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
            <jaasAuthenticationPlugin configuration="activemq-domain" />
            <!--  lets configure a destination based authorization mechanism -->
            <authorizationPlugin>
                <map>
                    <authorizationMap>
                        <authorizationEntries>
                            <authorizationEntry topic="FirstTopic" read="smeall,smeadmin" write="smeadmin" admin="smeall,smeadmin" />
                            <authorizationEntry topic="ActiveMQ.Advisory.>" read="smeall,smeadmin" write="smeadmin" admin="smeall,smeadmin"/>
                        </authorizationEntries>
                    </authorizationMap>
                </map>
            </authorizationPlugin>
        </plugins>
 
该配置指定了
1.<jaasAuthenticationPlugin configuration="activemq-domain" />指定了实用JAAS插件管理权限
2.<authorizationEntry topic="FirstTopic" read="smeall,smeadmin" write="smeadmin" admin="smeall,smeadmin" />指定了具体的Topic/Queue与用户组的授权关系
3.<authorizationEntry topic="ActiveMQ.Advisory.>" read="smeall,smeadmin" write="smeadmin" admin="smeall,smeadmin"/>这个是必须的配置,不能少
 
2.基于JAAS机制,conf目录下增加3个文件,实现登录认证和用户组
login.config,内容如下,无需修改:
activemq-domain{
    org.apache.activemq.jaas.PropertiesLoginModule required
    debug=true
    org.apache.activemq.jaas.properties.user="users.properties"
    org.apache.activemq.jaas.properties.group="groups.properties";
};
 
users.properties,内容格式username=password,根据实际情况修改:
#userName=password
smeshandong=fulong
smechina=fulong
 
 
groups.properties,内容格式groupname=username1,username2,username3,根据实际情况修改:
#group=userName
smeall=smeshandong
smeadmin=smechina
 
 
二、Tips
 
需要将�TIVEMQ_HOME%\conf\加入CLASSPATH
配置文件都放在classpath下就行
 
三种权限,注意admin权限只是创建权限,不包括写:
read:可以从queue或者topic里面接收消息
write:可以向queue或者topic发送消息
admin:可以创建queue或者topic(可能还有别的功能)
 
配置权限时必须加上:
<authorizationEntry topic="ActiveMQ.Advisory.>" read="smeall,smeadmin" write="smeadmin" admin="smeall,smeadmin"/>
 
注意,实用过程中可动态添加用户,配置用户组,无需重启MQ!

 

posted @ 2013-06-11 23:04  爱生活,爱编程  阅读(268)  评论(0编辑  收藏  举报