2.4 Security
ActiveMQ supports pluggable security mechanisms, so that one security provider can be swapped for another.
2.4.1 Simple Authentication Plugin
The Simple Authentication Plugin is suited to simple authentication requirements, or to setting up a test environment. It lets users, groups and passwords be specified directly in the XML configuration file. Below is an example of the ActiveMQ configuration:
<plugins>
  ...
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="system" password="manager" groups="users,admins"/>
      <authenticationUser username="user" password="password" groups="users"/>
      <authenticationUser username="guest" password="password" groups="guests"/>
    </users>
  </simpleAuthenticationPlugin>
</plugins>
2.4.2 JAAS Authentication Plugin
The JAAS Authentication Plugin relies on the standard JAAS mechanism for authentication. Normally you point it at the login module configuration file by setting the java.security.auth.login.config system property. If that system property is not set, the JAAS Authentication Plugin falls back to the file name login.config. Below is an example of a login.config file:
activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};
This login.config sets two properties, org.apache.activemq.jaas.properties.user and org.apache.activemq.jaas.properties.group, which point to the users.properties and groups.properties files respectively. Note that PropertiesLoginModule looks these files up on the local file system, using the directory that contains login.config as the base directory. This login.config therefore states that users.properties and groups.properties live in the same directory as login.config itself.
Below is an example of the ActiveMQ configuration:
<plugins>
  ...
  <jaasAuthenticationPlugin configuration="activemq-domain"/>
</plugins>
With this configuration, the JAAS LoginContext uses the PropertiesLoginModule configured under activemq-domain to perform the login. ActiveMQ JAAS also supports other login modules, such as LDAPLoginModule, CertificateLoginModule and TextFileCertificateLoginModule.
2.4.3 Custom Authentication Implementation
Authentication can also be added to ActiveMQ programmatically, for example by writing a class that extends XBeanBrokerService:
package com.yourpackage;

import java.util.HashMap;
import java.util.Map;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.security.SimpleAuthenticationBroker;
import org.apache.activemq.xbean.XBeanBrokerService;

public class SimpleAuthBroker extends XBeanBrokerService {
    // Single credential pair, injected from the XML configuration (see below).
    private String user;
    private String password;

    @SuppressWarnings("unchecked")
    protected Broker addInterceptors(Broker broker) throws Exception {
        // Keep the interceptors the base class installs, then wrap them.
        broker = super.addInterceptors(broker);
        // userPasswords map: user name -> password
        Map passwords = new HashMap();
        passwords.put(getUser(), getPassword());
        // Second map is userGroups; empty here, so the user belongs to no group.
        broker = new SimpleAuthenticationBroker(broker, passwords, new HashMap());
        return broker;
    }

    public String getUser() {
        return user;
    }

    public void setUser(String user) {
        this.user = user;
    }

    public String getPassword() {
        return password;
    }

    public void setPassword(String password) {
        this.password = password;
    }
}
Below is an example of the matching ActiveMQ configuration file:
<beans>
  …
  <auth:SimpleAuthBroker
      xmlns:auth="java://com.yourpackage"
      xmlns="http://activemq.org/config/1.0"
      brokerName="SimpleAuthBroker1"
      user="user"
      password="password"
      useJmx="true">
    <transportConnectors>
      <transportConnector uri="tcp://localhost:61616"/>
    </transportConnectors>
  </auth:SimpleAuthBroker>
  …
</beans>
This configuration file adds a namespace, auth, that points to the class written above. It also injects two property values, user and password, into SimpleAuthBroker, so the addInterceptors method overridden in SimpleAuthBroker can use them for authentication. The SimpleAuthenticationBroker class provided by ActiveMQ extends BrokerFilter (which can be thought of simply as an adaptor around Broker); the two Maps in its constructor are userPasswords and userGroups. SimpleAuthenticationBroker authenticates in its addConnection method using userPasswords, and stores the userGroups information in the ConnectionContext.
2.4.4 Authorization Plugin
The Authorization Plugin can be used to authorize users once they have been authenticated. Below is an example of the ActiveMQ configuration file:
<plugins>
  <jaasAuthenticationPlugin configuration="activemq-domain"/>
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
          <authorizationEntry queue="USERS.>" read="users" write="users" admin="users"/>
          <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users"/>
          <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
          <authorizationEntry topic="USERS.>" read="users" write="users" admin="users"/>
          <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users"/>
          <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>