activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From build...@apache.org
Subject svn commit: r865809 - in /websites/production/activemq/content: cache/main.pageCache shiro.html
Date Sun, 16 Jun 2013 08:21:37 GMT
Author: buildbot
Date: Sun Jun 16 08:21:37 2013
New Revision: 865809

Log:
Production update by buildbot for activemq

Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/shiro.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/activemq/content/shiro.html
==============================================================================
--- websites/production/activemq/content/shiro.html (original)
+++ websites/production/activemq/content/shiro.html Sun Jun 16 08:21:37 2013
@@ -76,23 +76,76 @@
 
 <p>The ActiveMQ Shiro plugin can secure all aspects of ActiveMQ, from authenticating
transport connections to authorizing behavior with topics and queues and everything in between.</p>
 
-<h2><a shape="rect" name="Shiro-Overview"></a>Overview</h2>
+<h2><a shape="rect" name="Shiro-Usage"></a>Usage</h2>
 
-<p>The Shiro plugin is a <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerPlugin.html">BrokerPlugin</a>
that inserts 3 <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerFilter.html">BrokerFilter</a>s
in the broker filter chain: the <tt>SubjectFilter</tt>, the <tt>AuthenticationFilter</tt>
and the <tt>AuthorizationFilter</tt></p>
-
-<p><b>SubjectFilter</b></p>
+<p>The fastest/simplest way to enable the ShiroPlugin is to define it as a Spring bean
in the <tt>broker</tt> <tt>plugins</tt> section and use Shiro's <a
shape="rect" class="external-link" href="http://shiro.apache.org/configuration.html">ini
configuration</a>:</p>
 
-<p>The <tt>SubjectFilter</tt> exists before all other Shiro-related broker
filters in the broker filter chain.  It constructs a Shiro <a shape="rect" class="external-link"
href="http://shiro.apache.org/subject.html">Subject</a> instance reflecting the broker
client and ensures the <tt>Subject</tt> instance is available for all downstream
broker filters that may need to use the <tt>Subject</tt> to perform security operations.</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+&lt;beans xmlns=<span class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>
+</span>       xmlns:amq=<span class="code-quote">"http:<span class="code-comment">//activemq.apache.org/schema/core"</span>
+</span>       xmlns:xsi=<span class="code-quote">"http:<span class="code-comment">//www.w3.org/2001/XMLSchema-instance"</span>
+</span>       xsi:schemaLocation="
+       http:<span class="code-comment">//www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+</span>       http:<span class="code-comment">//activemq.apache.org/schema/core
http://activemq.apache.org/schema/core/activemq-core.xsd"&gt;
+</span>
+    &lt;broker xmlns=<span class="code-quote">"http:<span class="code-comment">//activemq.apache.org/schema/core"</span>
... other attributes here ...&gt;
+</span>        &lt;plugins&gt;
+            &lt;bean id=<span class="code-quote">"shiroPlugin"</span> class=<span
class="code-quote">"org.apache.activemq.shiro.ShiroPlugin"</span> xmlns=<span
class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>&gt;
+</span>                &lt;property name=<span class="code-quote">"iniConfig"</span>&gt;&lt;value&gt;
 
-<p><b>AuthenticationFilter</b></p>
+                [main]
+                # Shiro object graph configuration here <span class="code-keyword">if</span>
desired/necessary
 
-<p>The <tt>AuthenticationFilter</tt> exists immediately after the <tt>SubjectFilter</tt>
in the broker filter chain.  It ensures that the broker client <tt>Subject</tt>
is authenticated if necessary before allowing the chain to continue.  If authentication is
required and the <tt>Subject</tt> is not authenticated, the broker filter chain
will not be executed, ensuring only verified identities may perform further behavior.</p>
+                [users]
+                # users section format:
+                #
+                # username = password [, assignedRole1, assignedRole2, ..., assignedRoleN]
+                #
+                # <span class="code-keyword">for</span> example:
+                #
+                # scott = tiger, advisory, users, administrators
+                #
+                # Roles and permissions assigned to roles are defined in the [roles] section
+                # below. By transitive association, any user assigned a role is granted the
+                # role's permissions.
+                
+                # ActiveMQ <span class="code-object">System</span> User
+                # needed <span class="code-keyword">for</span> in-VM/local connections
when authentication is enabled:
+                system = manager, system
+
+                [roles]
+                # roles section format:
+                #
+                # roleName = wildcardPermission1, wildcardPermission2, ..., wildcardPermissionN
+                #
+                # The 'system' role is assigned all permissions (*).  Be careful when assigning
+                # <span class="code-keyword">this</span> to actual users other
than then system user:
+                system = *
+
+                # Full access rights should generally be given to the ActiveMQ.Advisory.*
+                # destinations because by <span class="code-keyword">default</span>
an ActiveMQConnection uses advisory topics to
+                # get early knowledge of temp destination creation and deletion. For more
info:
+                #
+                #   http:<span class="code-comment">//activemq.apache.org/security.html
+</span>                #
+                # So we create an 'advisory' role here with a wildcard/<span class="code-keyword">catch</span>-all
permissions
+                # <span class="code-keyword">for</span> all advisory topics.
 To make your life easy, ensure you assign <span class="code-keyword">this</span>
to
+                # any/all users in the [users] section above, e.g.
+                #
+                #   jsmith = jsmithsPassword, advisory, ...
 
-<p><b>AuthorizationFilter</b></p>
+                advisory = topic:ActiveMQ.Advisory*
 
-<p>The <tt>AuthorizationFilter</tt> exists immediately after the <tt>AuthenticationFilter</tt>
in the broker filter chain.  It ensures that the <tt>Subject</tt> associated with
the filter chain is authorized (permitted) to perform the action being attempted before allowing
the action to execute.  </p>
+                &lt;/value&gt;&lt;/property&gt;
+            &lt;/bean&gt;
+        &lt;/plugins&gt;
+    &lt;/broker&gt;
+&lt;/beans&gt;
+</pre>
+</div></div>
 
-<p>For example, it would ensure that the <tt>Subject</tt> is allowed to
send a message to a particular topic before allowing the send operation to execute.  If authorization
is enabled and the <tt>Subject</tt> is not authorized to perform the desired action,
the broker filter chain will not be executed.</p>
+<p>This config assumes you have a simple/small set of static users that access your
ActiveMQ broker.  We'll cover enabling more advanced user repositories later.</p>
 
 <h2><a shape="rect" name="Shiro-Configuration"></a>Configuration</h2>
 
@@ -296,6 +349,24 @@ broker.setPlugins(<span class="code-keyw
 </pre>
 </div></div>
 
+<h2><a shape="rect" name="Shiro-Design"></a>Design</h2>
+
+<p>The Shiro plugin is a <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerPlugin.html">BrokerPlugin</a>
that inserts 3 <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerFilter.html">BrokerFilter</a>s
in the broker filter chain: the <tt>SubjectFilter</tt>, the <tt>AuthenticationFilter</tt>
and the <tt>AuthorizationFilter</tt></p>
+
+<p><b>SubjectFilter</b></p>
+
+<p>The <tt>SubjectFilter</tt> exists before all other Shiro-related broker
filters in the broker filter chain.  It constructs a Shiro <a shape="rect" class="external-link"
href="http://shiro.apache.org/subject.html">Subject</a> instance reflecting the broker
client and ensures the <tt>Subject</tt> instance is available for all downstream
broker filters that may need to use the <tt>Subject</tt> to perform security operations.</p>
+
+<p><b>AuthenticationFilter</b></p>
+
+<p>The <tt>AuthenticationFilter</tt> exists immediately after the <tt>SubjectFilter</tt>
in the broker filter chain.  It ensures that the broker client <tt>Subject</tt>
is authenticated if necessary before allowing the chain to continue.  If authentication is
required and the <tt>Subject</tt> is not authenticated, the broker filter chain
will not be executed, ensuring only verified identities may perform further behavior.</p>
+
+<p><b>AuthorizationFilter</b></p>
+
+<p>The <tt>AuthorizationFilter</tt> exists immediately after the <tt>AuthenticationFilter</tt>
in the broker filter chain.  It ensures that the <tt>Subject</tt> associated with
the filter chain is authorized (permitted) to perform the action being attempted before allowing
the action to execute.  </p>
+
+<p>For example, it would ensure that the <tt>Subject</tt> is allowed to
send a message to a particular topic before allowing the send operation to execute.  If authorization
is enabled and the <tt>Subject</tt> is not authorized to perform the desired action,
the broker filter chain will not be executed.</p>
+
 <h2><a shape="rect" name="Shiro-SubjectFilter"></a>SubjectFilter</h2>
 
 <p>The ShiroPlugin installs and executes the <tt>SubjectFilter</tt> before
all other Shiro-related broker filters in the broker filter chain.  The <tt>SubjectFilter</tt>
constructs a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/subject.html">Subject</a>
instance reflecting the broker client and ensures the <tt>Subject</tt> instance
is available for all downstream broker filters that may need to use the <tt>Subject</tt>
to perform security operations.</p>



Mime
View raw message