activemq-commits mailing list archives

From build...@apache.org
Subject svn commit: r865804 - in /websites/production/activemq/content: cache/main.pageCache shiro.html
Date Sun, 16 Jun 2013 07:21:35 GMT
Author: buildbot
Date: Sun Jun 16 07:21:34 2013
New Revision: 865804

Log:
Production update by buildbot for activemq

Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/shiro.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/activemq/content/shiro.html
==============================================================================
--- websites/production/activemq/content/shiro.html (original)
+++ websites/production/activemq/content/shiro.html Sun Jun 16 07:21:34 2013
@@ -260,497 +260,93 @@ broker.setPlugins(<span class="code-keyw
 </pre>
 </div></div>
 
-<h2><a shape="rect" name="Shiro-TheShiroSubject"></a>The Shiro Subject</h2>
+<h3><a shape="rect" name="Shiro-Enabling%2FDisabling"></a>Enabling/Disabling</h3>
 
+<p>You can enable or disable the ShiroPlugin entirely without having to remove it from
your configuration.  This is convenient when testing, or when you want to enable or disable
it based on a configuration parameter at startup.</p>
 
-<h3><a shape="rect" name="Shiro-Authentication"></a>Authentication</h3>
-
-<p>The default <a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/"
rel="nofollow">JAAS</a> plugin relies on the standard JAAS mechanism for authentication.
Refer to the <a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/reference/docs/index.html"
rel="nofollow">documentation</a> for more detail.</p>
-
-<p>Typically you configure JAAS using a config file like <a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/login.config">this
one</a> and set the <b>java.security.auth.login.config</b> system property
to point to it. If no system property is specified then by default the ActiveMQ JAAS plugin
will look for <b>login.config</b> on the classpath and use that.</p>
-
-<h4><a shape="rect" name="Shiro-AuthenticationExample"></a>Authentication
Example</h4>
-
-<p>Here is an example <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/login.config">login.config</a>
which then points to these files</p>
-<ul><li><a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/users.properties">users.properties</a></li><li><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/groups.properties">groups.properties</a></li></ul>
-
-
-<h4><a shape="rect" name="Shiro-SimpleAuthenticationPlugin"></a>Simple
Authentication Plugin</h4>
-
-<p>If you have modest authentication requirements (or just want to quickly set up your
testing environment) you can use SimpleAuthenticationPlugin. With this plugin you can define
users and groups directly in the broker's XML configuration. Take a look at the following
snippet for example:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;simpleAuthenticationPlugin&gt;</span>
-	<span class="code-tag">&lt;users&gt;</span>
-		&lt;authenticationUser username=<span class="code-quote">"system"</span>
password=<span class="code-quote">"manager"</span>
-			groups=<span class="code-quote">"users,admins"</span>/&gt;
-		&lt;authenticationUser username=<span class="code-quote">"user"</span>
password=<span class="code-quote">"password"</span>
-			groups=<span class="code-quote">"users"</span>/&gt;
-		<span class="code-tag">&lt;authenticationUser username=<span class="code-quote">"guest"</span>
password=<span class="code-quote">"password"</span> groups=<span class="code-quote">"guests"</span>/&gt;</span>
-	<span class="code-tag">&lt;/users&gt;</span>
-<span class="code-tag">&lt;/simpleAuthenticationPlugin&gt;</span>
-</pre>
-</div></div>
-<p>Users and groups defined in this way can be later used with the appropriate authorization
plugin.</p>
-
-<h5><a shape="rect" name="Shiro-Anonymousaccess"></a>Anonymous access</h5>
-
-<p>From version 5.4.0 onwards, you can configure simple authentication plugin to allow
anonymous access to the broker.</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;simpleAuthenticationPlugin anonymousAccessAllowed=<span
class="code-quote">"true"</span>&gt;</span>
-    <span class="code-tag">&lt;users&gt;</span>
-        &lt;authenticationUser username=<span class="code-quote">"system"</span>
password=<span class="code-quote">"manager"</span>
-            groups=<span class="code-quote">"users,admins"</span>/&gt;
-        &lt;authenticationUser username=<span class="code-quote">"user"</span>
password=<span class="code-quote">"password"</span>
-            groups=<span class="code-quote">"users"</span>/&gt;
-        <span class="code-tag">&lt;authenticationUser username=<span class="code-quote">"guest"</span>
password=<span class="code-quote">"password"</span> groups=<span class="code-quote">"guests"</span>/&gt;</span>
-    <span class="code-tag">&lt;/users&gt;</span>
-<span class="code-tag">&lt;/simpleAuthenticationPlugin&gt;</span>
-</pre>
-</div></div>
-
-<p>To allow anonymous access to the broker, use <tt>anonymousAccessAllowed</tt>
attribute and set it to <tt>true</tt> as shown above. Now, when the client connects
without username and password provided, a default username (<tt>anonymous</tt>)
and group (<tt>anonymous</tt>) will be assigned to its security context. You can
use this username and password to authorize client's access to appropriate broker resources
(see the next section). You can also change username and group that will be assigned to <em>anonymous</em>
users by using <tt>anonymousUser</tt> and <tt>anonymousGroup</tt>
attributes.</p>
-
-<h3><a shape="rect" name="Shiro-Authorization"></a>Authorization</h3>
-
-<p>In ActiveMQ we use a number of operations which you can associate with user roles
and either individual queues or topics or you can use wildcards to attach to hierarchies of
topics and queues.</p>
-<div class="table-wrap">
-<table class="confluenceTable"><tbody><tr><th colspan="1" rowspan="1"
class="confluenceTh"> Operation </th><th colspan="1" rowspan="1" class="confluenceTh">
Description </th></tr><tr><td colspan="1" rowspan="1" class="confluenceTd">
read </td><td colspan="1" rowspan="1" class="confluenceTd"> You can browse and
consume from the destination </td></tr><tr><td colspan="1" rowspan="1"
class="confluenceTd"> write </td><td colspan="1" rowspan="1" class="confluenceTd">
You can send messages to the destination </td></tr><tr><td colspan="1"
rowspan="1" class="confluenceTd"> admin </td><td colspan="1" rowspan="1" class="confluenceTd">
You can lazily create the destination if it does not yet exist. This allows you fine grained
control over which new destinations can be dynamically created in what part of the queue/topic
hierarchy </td></tr></tbody></table>
-</div>
-
-<p>Queues/Topics can specified using the ActiveMQ <a shape="rect" href="wildcards.html"
title="Wildcards">Wildcards</a> syntax.</p>
-
-
-<h4><a shape="rect" name="Shiro-AuthorizationExample"></a>Authorization
Example</h4>
-
-<p>The following <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-core/src/test/resources/org/apache/activemq/security/jaas-broker.xml">example</a>
shows these 2 plugins in operation. Though note its very easy to write your own plugin.</p>
-<div class="error"><span class="error">Error formatting macro: snippet: java.lang.IndexOutOfBoundsException:
Index: 20, Size: 20</span> </div>
-
-<p><b>Note</b> that full access rights should generally be given to the
ActiveMQ.Advisory destinations because by default an ActiveMQConnection uses destination advisories
to get early knowledge of temp destination creation and deletion. In addition, dynamic network
connectors use advisories to determine consumer demand.<br clear="none">
-If necessary, the use of advisories in this manner can be disabled via the <em>watchTopicAdvisories</em>
boolean attribute of ActiveMQConnectionFactory and for a networkConnector, via the network
connector <em>staticBridge</em>(5.6) boolean attribute.</p>
-
-<h3><a shape="rect" name="Shiro-BrokertoBrokerAuthenticationandAuthorization"></a>Broker-to-Broker
Authentication and Authorization</h3>
-
-<p>If you have enabled authentication for a particular message broker, then other brokers
that wish to connect to that broker must provide the proper authentication credentials via
their &lt;networkConnector&gt; element. For example, suppose that we have a network
of brokers with the following configuration:</p>
-<ul class="alternate" type="square"><li>The network of brokers  comprises two
brokers (BrokerA and BrokerB)</li><li>Authentication for BrokerA has been enabled
via the example &lt;simpleAuthenticationPlugin&gt; element.</li><li>Authentication
for BrokerB has not been enabled.</li><li>BrokerA only listens for connections.
In other words, BrokerA has a &lt;transportConnector&gt; element, but no &lt;networkConnector&gt;
elements.</li></ul>
-
-
-<p>In order for BrokerB to connect to BrokerA, the corresponding &lt;networkConnector&gt;
element in BrokerB's XML configuration file must be set up as follows.</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;networkConnectors&gt;</span>
-   &lt;networkConnector name=<span class="code-quote">"brokerAbridge"</span>
-                     userName=<span class="code-quote">"user"</span>
-                     password=<span class="code-quote">"password"</span>
-                     uri=<span class="code-quote">"static://(tcp://brokerA:61616)"</span>/&gt;
-   <span class="code-tag">&lt;/networkConnectors&gt;</span>
-</pre>
-</div></div>
-<p>Note how BrokerB's &lt;networkConnector&gt; element must provide the proper
credentials in order to connect to BrokerA. If authorization has been enabled on BrokerA,
then the userName assigned to the &lt;networkConnector&gt; element must also have
the proper authorization credentials. Messages cannot be forwarded from BrokerB to BrokerA
if BrokerA has authorization enabled and BrokerB's corresponding &lt;networkConnector&gt;
element's userName has not been given the proper authorization credentials.</p>
-
-<p>Also, if BrokerA is given a &lt;networkConnector&gt; element so that it
can initiate a connection to BrokerB, then that &lt;networkConnector&gt; must be given
a userName/password combination that is defined in the &lt;simpleAuthenticationPlugin&gt;
element; this is required even though BrokerB does not have authentication services enabled.</p>
-
-<h3><a shape="rect" name="Shiro-ControllingAccessToTemporaryDestinations"></a>Controlling
Access To Temporary Destinations</h3>
-
-<p>To control access to temporary destinations, you will need to add a &lt;tempDestinationAuthorizationEntry&gt;
element to the authorizationMap.  Through this element, you control access to all temporary
destinations. If this element is not present, read, write, and admin privileges for temporary
destinations will be granted to all. In the example below,  read, write, and admin privileges
for temporary destinations are only granted to those clients that have been assigned to the
'admin' group.</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;broker&gt;</span>
-  ..
-   <span class="code-tag">&lt;plugins&gt;</span>
-      ..
-   <span class="code-tag">&lt;authorizationPlugin&gt;</span>
-       <span class="code-tag">&lt;map&gt;</span>
-         <span class="code-tag">&lt;authorizationMap&gt;</span>
-           <span class="code-tag">&lt;authorizationEntries&gt;</span>
-             <span class="code-tag">&lt;authorizationEntry queue=<span class="code-quote">"TEST.Q"</span>
read=<span class="code-quote">"users"</span> write=<span class="code-quote">"users"</span>
admin=<span class="code-quote">"users"</span> /&gt;</span>
-             <span class="code-tag">&lt;authorizationEntry topic=<span class="code-quote">"ActiveMQ.Advisory.&gt;</span>"</span>
read=<span class="code-quote">"all"</span> write=<span class="code-quote">"all"</span>
admin=<span class="code-quote">"all"</span>/&gt;
-           <span class="code-tag">&lt;/authorizationEntries&gt;</span>
-           <span class="code-tag">&lt;tempDestinationAuthorizationEntry&gt;</span>
-             <span class="code-tag">&lt;tempDestinationAuthorizationEntry read=<span
class="code-quote">"admin"</span> write=<span class="code-quote">"admin"</span>
admin=<span class="code-quote">"admin"</span>/&gt;</span>
-           <span class="code-tag">&lt;/tempDestinationAuthorizationEntry&gt;</span>
-        <span class="code-tag">&lt;/authorizationMap&gt;</span>
-      <span class="code-tag">&lt;/map&gt;</span>
-   <span class="code-tag">&lt;/authorizationPlugin&gt;</span>
-     ..
-  <span class="code-tag">&lt;/plugins&gt;</span>
-  ..
-<span class="code-tag">&lt;/broker&gt;</span>
+<pre class="code-java">
+&lt;bean id=<span class="code-quote">"shiroPlugin"</span> class=<span
class="code-quote">"org.apache.activemq.shiro.ShiroPlugin"</span> xmlns=<span
class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>&gt;
+</span>    &lt;!-- enabled by <span class="code-keyword">default</span>.
 To disable, uncomment:
+    &lt;property name=<span class="code-quote">"enabled"</span> value=<span
class="code-quote">"<span class="code-keyword">false</span>"</span>/&gt;
--&gt;
+&lt;/bean&gt;
 </pre>
 </div></div>
 
-<h3><a shape="rect" name="Shiro-LDAPAuthenticationUsingtheJAASPlugin"></a>LDAP
Authentication Using the JAAS Plugin </h3>
-
-<div class="panelMacro"><table class="infoMacro"><colgroup span="1"><col
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1"
valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/information.gif"
width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1">A
new/better ldap authorization module is available since 5.6. See <a shape="rect" href="cached-ldap-authorization-module.html"
title="Cached LDAP Authorization Module">Cached LDAP Authorization Module</a> for
more info.</td></tr></table></div>
-
-<p>1. Configure the JAAS LDAPLoginModule and the LDAPAuthorizationMap in activemq.xml:
</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-    <span class="code-tag">&lt;plugins&gt;</span> 
-      <span class="code-tag"><span class="code-comment">&lt;!--  use JAAS
to authenticate using the login.config file on the classpath to configure JAAS --&gt;</span></span>

-      <span class="code-tag">&lt;jaasAuthenticationPlugin configuration=<span
class="code-quote">"LdapConfiguration"</span> /&gt;</span> 
-      <span class="code-tag"><span class="code-comment">&lt;!--  lets configure
a destination based role/group authorization mechanism --&gt;</span></span>

-      <span class="code-tag">&lt;authorizationPlugin&gt;</span> 
-        <span class="code-tag">&lt;map&gt;</span> 
-          &lt;bean xmlns=<span class="code-quote">"http://www.springframework.org/schema/beans"</span>
id=<span class="code-quote">"lDAPAuthorizationMap"</span> 
-                class=<span class="code-quote">"org.apache.activemq.security.LDAPAuthorizationMap"</span>&gt;

-            <span class="code-tag">&lt;property name=<span class="code-quote">"initialContextFactory"</span>
value=<span class="code-quote">"com.sun.jndi.ldap.LdapCtxFactory"</span>/&gt;</span>

-            <span class="code-tag">&lt;property name=<span class="code-quote">"connectionURL"</span>
value=<span class="code-quote">"ldap://ldap.acme.com:389"</span>/&gt;</span>

-            <span class="code-tag">&lt;property name=<span class="code-quote">"authentication"</span>
value=<span class="code-quote">"simple"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"connectionUsername"</span>
value=<span class="code-quote">"cn=mqbroker,ou=Services,dc=acme,dc=com"</span>/&gt;</span>

-            <span class="code-tag">&lt;property name=<span class="code-quote">"connectionPassword"</span>
value=<span class="code-quote">"password"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"connectionProtocol"</span>
value=<span class="code-quote">"s"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"topicSearchMatching"</span>
value=<span class="code-quote">"cn={0},ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"</span>/&gt;</span>

-            <span class="code-tag">&lt;property name=<span class="code-quote">"topicSearchSubtreeBool"</span>
value=<span class="code-quote">"true"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"queueSearchMatching"</span>
value=<span class="code-quote">"cn={0},ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com"</span>/&gt;</span>

-            <span class="code-tag">&lt;property name=<span class="code-quote">"queueSearchSubtreeBool"</span>
value=<span class="code-quote">"true"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"adminBase"</span>
value=<span class="code-quote">"(cn=admin)"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"adminAttribute"</span>
value=<span class="code-quote">"member"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"adminAttributePrefix"</span>
value=<span class="code-quote">"cn="</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"readBase"</span>
value=<span class="code-quote">"(cn=read)"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"readAttribute"</span>
value=<span class="code-quote">"member"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"readAttributePrefix"</span>
value=<span class="code-quote">"cn="</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"writeBase"</span>
value=<span class="code-quote">"(cn=write)"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"writeAttribute"</span>
value=<span class="code-quote">"member"</span>/&gt;</span> 
-            <span class="code-tag">&lt;property name=<span class="code-quote">"writeAttributePrefix"</span>
value=<span class="code-quote">"cn="</span>/&gt;</span> 
-          <span class="code-tag">&lt;/bean&gt;</span> 
-        <span class="code-tag">&lt;/map&gt;</span> 
-      <span class="code-tag">&lt;/authorizationPlugin&gt;</span> 
-    <span class="code-tag">&lt;/plugins&gt;</span> 
-</pre>
-</div></div> 
-
-<p>2. Configure the JAAS login.config (I haven't de-duplicated the config yet): </p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-java"> 
-LdapConfiguration { 
-   org.apache.activemq.jaas.LDAPLoginModule required 
-       debug=<span class="code-keyword">true</span> 
-       initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory 
-       connectionURL=<span class="code-quote">"ldap:<span class="code-comment">//ldap.acme.com:389"</span>

-</span>       connectionUsername=<span class="code-quote">"cn=mqbroker,ou=Services,dc=acme,dc=com"</span>

-       connectionPassword=password 
-       connectionProtocol=s 
-       authentication=simple 
-       userBase=<span class="code-quote">"ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com"</span>

-       userRoleName=dummyUserRoleName 
-       userSearchMatching=<span class="code-quote">"(uid={0})"</span> 
-       userSearchSubtree=<span class="code-keyword">false</span> 
-       roleBase=<span class="code-quote">"ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com"</span>

-       roleName=cn 
-       roleSearchMatching=<span class="code-quote">"(member:=uid={1})"</span>

-       roleSearchSubtree=<span class="code-keyword">true</span> 
-       ; 
-}; 
-</pre>
-</div></div> 
-
-<p>3. Import the following LDIF file into the LDAP server: </p>
+<p>A nice technique is to use Spring's <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.2.x/javadoc-api/org/springframework/context/support/PropertySourcesPlaceholderConfigurer.html"
rel="nofollow">PropertySourcesPlaceholderConfigurer</a> and placeholder tokens (set
<tt>shiro.enabled = true</tt> in one of your placeholder property files):</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
-version: 1
-
-#
-# Sample LDIF <span class="code-keyword">for</span> ActiveMQ LDAP authentication
and authorisation
-# Passwords are defaulted to <span class="code-quote">"password"</span> - it
is your responsibility to change them!
-#
-# Sets up:
-# 1. Bind user
-# 2. A sample queue with admin,read,write permission assignments
-# 3. ActiveMQ advisory topics
-# 4. Two groups - admin and webapp
-# 5. Two users - admin and webapp
-# 6. Role assignments - admin-&gt;admin, webapp-&gt;webapp
-#
-# (c) Robin Bramley 2008
-# Provided as is without any warranty of any kind
-# 
-
-dn: dc=acme,dc=com
-dc: acme
-objectClass: domain
-objectClass: top
-
-dn: ou=Services,dc=acme,dc=com
-ou: Services
-objectClass: organizationalUnit
-objectClass: top
-
-dn: cn=mqbroker,ou=Services,dc=acme,dc=com
-cn: mqbroker
-objectClass: organizationalRole
-objectClass: top
-objectClass: simpleSecurityObject
-userPassword: {SSHA}j0NpveEO0YD5rgI5kY8OxSRiN5KQ/kE4
-description: Bind user <span class="code-keyword">for</span> MQ broker
-
-dn: ou=systems,dc=acme,dc=com
-ou: systems
-objectClass: organizationalUnit
-objectClass: top
-
-dn: ou=ActiveMQ,ou=systems,dc=acme,dc=com
-objectClass: organizationalUnit
-objectClass: top
-ou: ActiveMQ
-
-dn: ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-objectClass: organizationalUnit
-objectClass: top
-ou: Destination
-
-dn: ou=Queue,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-objectClass: organizationalUnit
-objectClass: top
-ou: Queue
-
-dn: cn=com.acme.myfirstrealqueue,ou=Queue,ou=Destination,ou=ActiveMQ,ou=syst
- ems,dc=acme,dc=com
-cn: com.acme.myfirstrealqueue
-description: A queue
-objectClass: applicationProcess
-objectClass: top
-
-dn: cn=admin,cn=com.acme.myfirstrealqueue,ou=Queue,ou=Destination,ou=ActiveM
- Q,ou=systems,dc=acme,dc=com
-cn: admin
-description: Admin privilege group, members are roles
-member: cn=admin
-member: cn=webapp
-objectClass: groupOfNames
-objectClass: top
-
-dn: cn=read,cn=com.acme.myfirstrealqueue,ou=Queue,ou=Destination,ou=ActiveMQ
- ,ou=systems,dc=acme,dc=com
-cn: read
-member: cn=webapp
-objectClass: groupOfNames
-objectClass: top
-
-dn: cn=write,cn=com.acme.myfirstrealqueue,ou=Queue,ou=Destination,ou=ActiveM
- Q,ou=systems,dc=acme,dc=com
-cn: write
-objectClass: groupOfNames
-objectClass: top
-member: cn=webapp
-
-dn: ou=Topic,ou=Destination,ou=ActiveMQ,ou=systems,dc=acme,dc=co
- m
-objectClass: organizationalUnit
-objectClass: top
-ou: Topic
-
-dn: cn=ActiveMQ.Advisory.Consumer,ou=Topic,ou=Destination,ou=ActiveMQ,ou=sys
- tems,dc=acme,dc=com
-cn: ActiveMQ.Advisory.Consumer
-objectClass: applicationProcess
-objectClass: top
-description: Advisory topic about consumers
-
-dn: cn=read,cn=ActiveMQ.Advisory.Consumer,ou=Topic,ou=Destination,ou=ActiveM
- Q,ou=systems,dc=acme,dc=com
-cn: read
-member: cn=webapp
-objectClass: groupOfNames
-objectClass: top
-
-dn: cn=ActiveMQ.Advisory.TempQueue,ou=Topic,ou=Destination,ou=ActiveMQ,ou=sy
- stems,dc=acme,dc=com
-cn: ActiveMQ.Advisory.TempQueue
-description: Advisory topic about temporary queues
-objectClass: applicationProcess
-objectClass: top
-
-dn: cn=read,cn=ActiveMQ.Advisory.TempQueue,ou=Topic,ou=Destination,ou=Active
- MQ,ou=systems,dc=acme,dc=com
-cn: read
-member: cn=webapp
-objectClass: groupOfNames
-objectClass: top
-
-dn: cn=ActiveMQ.Advisory.TempTopic,ou=Topic,ou=Destination,ou=ActiveMQ,ou=sy
- stems,dc=acme,dc=com
-cn: ActiveMQ.Advisory.TempTopic
-objectClass: applicationProcess
-objectClass: top
-description: Advisory topic about temporary topics
-
-dn: cn=read,cn=ActiveMQ.Advisory.TempTopic,ou=Topic,ou=Destination,ou=Active
- MQ,ou=systems,dc=acme,dc=com
-cn: read
-member: cn=webapp
-objectClass: groupOfNames
-objectClass: top
-
-dn: ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-objectClass: organizationalUnit
-objectClass: top
-ou: Group
-
-dn: cn=admin,ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-cn: admin
-member: uid=admin
-objectClass: groupOfNames
-objectClass: top
-
-dn: cn=webapp,ou=Group,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-cn: webapp
-member: uid=webapp
-objectClass: groupOfNames
-objectClass: top
-
-dn: ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-objectClass: organizationalUnit
-objectClass: top
-ou: User
-
-dn: uid=admin,ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-uid: admin
-userPassword: {SSHA}j0NpveEO0YD5rgI5kY8OxSRiN5KQ/kE4
-objectClass: account
-objectClass: simpleSecurityObject
-objectClass: top
-
-dn: uid=webapp,ou=User,ou=ActiveMQ,ou=systems,dc=acme,dc=com
-uid: webapp
-userPassword: {SSHA}j0NpveEO0YD5rgI5kY8OxSRiN5KQ/kE4
-objectClass: account
-objectClass: simpleSecurityObject
-objectClass: top
-</pre>
-</div></div> 
-
-<p>4. Start up ActiveMQ </p>
-
-<p>5. Test it out</p>
-
-
-<h3><a shape="rect" name="Shiro-SecurityandActiveMQComponents"></a>Security
and ActiveMQ Components</h3>
-
-<p>Along with the message broker, you can optionally execute several additional "components",
such as Camel and/or the Web console. These components establish connections with the broker;
therefore, if you have secured your broker (i.e., enabled authentication), you will have to
configure these components in order to have them provide the required security credentials
(username, password) when they connect to the broker. </p>
-
-<h4><a shape="rect" name="Shiro-Camel"></a>Camel</h4>
+&lt;beans ...&gt;
 
-<p>You may have the following Camel context defined in your broker's XML configuration
file.</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-&lt;!--
-  ** Lets deploy some Enterprise Integration Patterns inside the ActiveMQ Message Broker
-  ** For more details see
-  **
-  ** http://activemq.apache.org/enterprise-integration-patterns.html --&gt;
-
-  <span class="code-tag">&lt;camelContext id=<span class="code-quote">"camel"</span>
xmlns=<span class="code-quote">"http://activemq.apache.org/camel/schema/spring"</span>&gt;</span>
-       <span class="code-tag">&lt;package&gt;</span>org.foo.bar<span
class="code-tag">&lt;/package&gt;</span>
-        <span class="code-tag">&lt;route&gt;</span>
-            <span class="code-tag">&lt;from uri=<span class="code-quote">"activemq:example.A"</span>/&gt;</span>
-            <span class="code-tag">&lt;to uri=<span class="code-quote">"activemq:example.B"</span>/&gt;</span>
-        <span class="code-tag">&lt;/route&gt;</span>
-  <span class="code-tag">&lt;/camelContext&gt;</span>
-</pre>
-</div></div>
-<p>The above configuration is not set up to work within a secure environment.</p>
+    &lt;bean class=<span class="code-quote">"org.springframework.context.support.PropertySourcesPlaceholderConfigurer"</span>&gt;
+       ...
+    &lt;/bean&gt;
 
-<p>If the application is running in an OSGi container, add the following line before
the CamelContext definition:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;osgi:reference id=<span class="code-quote">"activemq"</span>
interface=<span class="code-quote">"org.apache.camel.Component"</span> /&gt;</span>
-</pre>
-</div></div>
-<p>This allows any pre-configured instance of the ActiveMQComponent deployed in the
container to take precedence on the default ActiveMQComponent.</p>
+    &lt;broker ...&gt;
+        &lt;plugins ...&gt;
 
-<p>That is, with the above configuration, Camel will establish a connection with ActiveMQ,
but will not provide a username and password. Therefore, when ActiveMQ security is enabled,
the above configuration results in a security exception. The exception will be thrown multiple
times, because Camel will continue to retry the connection. If you're not using Camel, comment
out the above XML code. If you are using Camel, add the following bean definition to your
broker's XML configuration:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag"><span class="code-comment">&lt;!-- configure the camel
activemq component to use the current broker --&gt;</span></span>
-    <span class="code-tag">&lt;bean id=<span class="code-quote">"activemq"</span>
class=<span class="code-quote">"org.apache.activemq.camel.component.ActiveMQComponent"</span>
&gt;</span>
-        <span class="code-tag">&lt;property name=<span class="code-quote">"connectionFactory"</span>&gt;</span>
-          <span class="code-tag">&lt;bean class=<span class="code-quote">"org.apache.activemq.ActiveMQConnectionFactory"</span>&gt;</span>
-            <span class="code-tag">&lt;property name=<span class="code-quote">"brokerURL"</span>
value=<span class="code-quote">"vm://localhost?create=false&amp;amp;waitForStart=10000"</span>
/&gt;</span>
-            <span class="code-tag">&lt;property name=<span class="code-quote">"userName"</span>
value=<span class="code-quote">"system"</span>/&gt;</span>
-            <span class="code-tag">&lt;property name=<span class="code-quote">"password"</span>
value=<span class="code-quote">"manager"</span>/&gt;</span>
-          <span class="code-tag">&lt;/bean&gt;</span>
-        <span class="code-tag">&lt;/property&gt;</span>
-    <span class="code-tag">&lt;/bean&gt;</span>
+            &lt;bean id=<span class="code-quote">"shiroPlugin"</span> class=<span
class="code-quote">"org.apache.activemq.shiro.ShiroPlugin"</span> xmlns=<span
class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>&gt;
+</span>                &lt;property name=<span class="code-quote">"enabled"</span>
value=<span class="code-quote">"${shiro.enabled}"</span>/&gt;
+            &lt;/bean&gt;
+ 
+        &lt;/plugins&gt;
+    &lt;/broker&gt;
+&lt;/beans&gt;
 </pre>
 </div></div>
 
-<p>With the above bean definition, Camel will pass the specified security credentials
when it connects to the broker. </p>
+<h2><a shape="rect" name="Shiro-SubjectFilter"></a>SubjectFilter</h2>
 
-<p>If the broker is running in an OSGi container, add the following line after the
ActiveMQComponent bean definition:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;service ref=<span class="code-quote">"activemq"</span>
interface=<span class="code-quote">"org.apache.camel.Component"</span>/&gt;</span>
-</pre>
-</div></div>
+<p>The ShiroPlugin installs and executes the <tt>SubjectFilter</tt> before
all other Shiro-related broker filters in the broker filter chain.  The <tt>SubjectFilter</tt>
constructs a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/subject.html">Subject</a>
instance reflecting the broker client and ensures the <tt>Subject</tt> instance
is available for all downstream broker filters that may need to use the <tt>Subject</tt>
to perform security operations.</p>
 
-<h4><a shape="rect" name="Shiro-WebConsole"></a>Web Console</h4>
+<p>The <tt>SubjectFilter</tt> is mostly a 'behind the scenes' component
of the SubjectFilter, but it does offer some customization for advanced use cases: </p>
+<ul><li>the ability to customize exactly how broker clients' <tt>Subject</tt>
instances are created via a <tt>ConnectionSubjectFactory</tt> and</li><li>the
ability to customize how the ActiveMQ ConnectionContext's <a shape="rect" class="external-link"
href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/security/SecurityContext.html">SecurityContext</a>
is constructed.</li></ul>
 
-<p>If you want to use the Web Console with a secured broker, you have to change <tt>connectionFactory</tt>
bean in your <tt>webapps/admin/WEB-INF/webconsole-embeded.xml</tt> to something
like this:</p>
 
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;bean id=<span class="code-quote">"connectionFactory"</span>
class=<span class="code-quote">"org.apache.activemq.ActiveMQConnectionFactory"</span>&gt;</span>
-    <span class="code-tag">&lt;property name=<span class="code-quote">"brokerURL"</span>
value=<span class="code-quote">"vm://localhost"</span>/&gt;</span>
-    <span class="code-tag">&lt;property name=<span class="code-quote">"userName"</span>
value=<span class="code-quote">"system"</span>/&gt;</span>
-    <span class="code-tag">&lt;property name=<span class="code-quote">"password"</span>
value=<span class="code-quote">"manager"</span>/&gt;</span>
-  <span class="code-tag">&lt;/bean&gt;</span>
-</pre>
-</div></div>
+<p>Unless you're deeply familiar with ActiveMQ's security model, you can safely skip
to <b>Authentication</b> below.</p>
 
-<h4><a shape="rect" name="Shiro-CommandAgent"></a>Command Agent</h4>
+<h3><a shape="rect" name="Shiro-ConnectionSubjectFactory"></a>ConnectionSubjectFactory</h3>
 
-<p>Starting with version 5.3, the Command Agent can be configured to communicate with
a secured broker. Simply, assign the <tt>username</tt> and <tt>password</tt>
attributes to your command agent definition tag:</p>
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;commandAgent xmlns=<span class="code-quote">"http://activemq.apache.org/schema/core"</span>
brokerUrl=<span class="code-quote">"vm://localhost"</span> username=<span class="code-quote">"system"</span>
password=<span class="code-quote">"manager"</span>/&gt;</span>
-</pre>
-</div></div>
-<p>and you are ready to go.</p>
+<p>A <tt>ConnectionSubjectFactory</tt> creates a <tt>Subject</tt>
instance that represents the broker client's identity.  The <tt>SubjectFilter</tt>'s
default instance is a <tt>DefaultConnectionSubjectFactory</tt>  </p>
 
-<h4><a shape="rect" name="Shiro-DefaultCredentials"></a>Default Credentials</h4>
+<p>Most <tt>ConnectionSubjectFactory</tt> implementations will simply use
Shiro's <tt>Subject.Builder</tt> to create an anonymous Subject instance and let
the downstream <tt>AuthenticationFilter</tt> authenticate the Subject based on
any credentials associated with the connection.  After authentication, the Subject will have
an identity, and this is the expected flow for most connection clients.</p>
 
-<p>Starting with version 5.3, all of the above configuration details are included in
the default ActiveMQ configuration. Also, there is a central place where you can set credentials
that these components will use to connect to the broker. Just set your desired username and
password in the <tt>conf/credentials.properties</tt> file, which by default looks
like this:</p>
+<p>However, if there is some other data associated with the connection that can be
inspected to create a Subject instance beyond what the <tt>DefaultConnectionSubjectFactory</tt>,
you can implement the <tt>ConnectionSubjectFactory</tt> interface and plug it
in to the <tt>SubjectFilter</tt>:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <pre class="code-java">
-activemq.username=system
-activemq.password=manager
+&lt;bean id=<span class="code-quote">"shiroPlugin"</span> class=<span
class="code-quote">"org.apache.activemq.shiro.ShiroPlugin"</span> xmlns=<span
class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>&gt;
+</span>    &lt;property name=<span class="code-quote">"subjectFilter.connectionSubjectFactory"</span>&gt;
+        &lt;bean class=<span class="code-quote">"com.my.ConnectionSubjectFactory"</span>
.../&gt;
+    &lt;/property&gt;
+&lt;/bean&gt;
 </pre>
 </div></div>
 
-<h4><a shape="rect" name="Shiro-EncryptedPasswords"></a>Encrypted Passwords</h4>
+<h3><a shape="rect" name="Shiro-SecurityContextFactory"></a>SecurityContextFactory</h3>
 
-<p>As of version 5.4.1 you can also use <a shape="rect" href="encrypted-passwords.html"
title="Encrypted passwords">Encrypted passwords</a> with your broker</p>
+<p>The ActiveMQ <tt>ConnectionContext</tt> associated with broker client
connections utilizes a <tt>SecurityContext</tt> object.  When the <tt>SubjectFilter</tt>
executes, it needs to create a Shiro-specific <tt>SecurityContext</tt> and associate
it with the <tt>ConnectionContext</tt> so the Subject may be accessed downstream
for all subsequent security operations.</p>
 
-<h3><a shape="rect" name="Shiro-MessagelevelAuthorization"></a>Message
level Authorization</h3>
+<p>The <tt>SubjectFilter</tt> delegates <tt>SecurityContext</tt>
creation to a <tt>SecurityContextFactory</tt> instance.  The <tt>DefaultSecurityContextFactory</tt>
implementation returns <tt>SubjectSecurityContext</tt> instances based on the
connection's associated <tt>Subject</tt>.  It should be an extremely rare thing
to change, but if you must configure a custom <tt>SecurityContextFactory</tt>,
you can do as follows:</p>
 
-<p>We have a configurable MessageAuthorizationPolicy to allow you to authorize each
message using some content based authorization policy of your choosing. To enable this policy
configure on the broker directly using the * messageAuthorizationPolicy* property or add it
to the XML as follows</p>
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<pre class="code-xml">
-<span class="code-tag">&lt;broker&gt;</span>
-  ..
-  <span class="code-tag">&lt;messageAuthorizationPolicy&gt;</span>
-    <span class="code-tag">&lt;bean class=<span class="code-quote">"com.acme.MyMessageAuthorizationPolicy"</span>
xmlns=""/&gt;</span>
-  <span class="code-tag">&lt;/messageAuthorizationPolicy&gt;</span>
-  ..
-<span class="code-tag">&lt;/broker&gt;</span>
+<pre class="code-java">
+&lt;bean id=<span class="code-quote">"shiroPlugin"</span> class=<span
class="code-quote">"org.apache.activemq.shiro.ShiroPlugin"</span> xmlns=<span
class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>&gt;
+</span>    &lt;property name=<span class="code-quote">"subjectFilter.securityContextFactory"</span>&gt;
+        &lt;bean class=<span class="code-quote">"com.my.SecurityContextFactory"</span>
.../&gt;
+    &lt;/property&gt;
+&lt;/bean&gt;
 </pre>
 </div></div>
 
-<h2><a shape="rect" name="Shiro-ImplementingyourowncustomSecurityPlugin"></a>Implementing
your own custom Security Plugin</h2>
-
-<p>All of the various security implementations are implemented as <a shape="rect"
href="interceptors.html" title="Interceptors">Interceptors</a> so its very easy to
add your own custom implementation. Its probably easier to start with one of the <a shape="rect"
class="external-link" href="http://activemq.apache.org/maven/activemq-core/apidocs/org/apache/activemq/security/package-summary.html">simple
implementations</a> though if you are using JAAS you could derive from the <a shape="rect"
class="external-link" href="http://activemq.apache.org/maven/activemq-jaas/apidocs/">JAAS
implementation</a>.</p>
+<p>Note however that much of the plugin's functionality and downstream filters expect
created <tt>SecurityContext</tt> instances to be <tt>SubjectSecurityContext</tt>
instances.</p>
 
-<h3><a shape="rect" name="Shiro-ThirdPartyTools"></a>Third Party Tools
</h3>
+<h2><a shape="rect" name="Shiro-Authentication"></a>Authentication</h2>
 
-<ul><li><a shape="rect" class="external-link" href="http://www.ttmsolutions.com/Apache_Software/ActiveMQ_LDAP_JDBC_Security_Plugins.php"
rel="nofollow">ActiveMQ LDAP and JDBC Security Plugins from TTM Solutions</a></li></ul>
+<p>The ShiroPlugin installs the <tt>AuthenticationFilter</tt> immediately
after the <tt>SubjectFilter</tt> in the broker filter chain.  The <tt>AuthenticationFilter</tt>
ensures that the broker client <tt>Subject</tt> is authenticated if necessary
before allowing the chain to continue.  If authentication is required and the <tt>Subject</tt>
is not authenticated, the broker filter chain will not be executed, ensuring only verified
identities may perform further behavior.</p>
 
+<p>WORK IN PROGRESS - STILL AUTHORING</p>
           </div>
         </td>
         <td valign="top">
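Review bot: the placeholder `<p>WORK IN PROGRESS - STILL AUTHORING</p>` at the end of the hunk ships an unfinished Authentication section to the production site, and the one paragraph that section does contain leaves the security-relevant question open: it says the `AuthenticationFilter` "ensures that the broker client Subject is authenticated if necessary" but never states what makes authentication necessary, whether anonymous connections are accepted by default, or which property controls that. Either hold the production push until the section is complete, or remove the placeholder and document the condition, since this is the first thing someone deploying the plugin needs to know. Two wording defects in the added text should be fixed in the same pass: "The SubjectFilter is mostly a 'behind the scenes' component of the SubjectFilter" should read "of the ShiroPlugin", and "beyond what the DefaultConnectionSubjectFactory, you can implement" is missing its verb (e.g. "beyond what the DefaultConnectionSubjectFactory inspects"); the sentence ending "default instance is a DefaultConnectionSubjectFactory" also lacks its period. Style: the two new snippets for `subjectFilter.connectionSubjectFactory` and `subjectFilter.securityContextFactory` are XML but are wrapped in `<pre class="code-java">`, while the samples being deleted in this same hunk use `code-xml`; and the `enabled` snippet that reads `value="${shiro.enabled}"` should say what the default is when the property is not supplied. Finally, the material removed here (Web Console, Command Agent, `conf/credentials.properties`, Encrypted Passwords, Message level Authorization, custom security plugins) is not Shiro-specific, so dropping it from this page is reasonable, but the rewritten page should point readers back to where that content lives so that users securing the Web Console and Command Agent against a Shiro-protected broker can still find the credential settings.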


