activemq-commits mailing list archives

From build...@apache.org
Subject svn commit: r876857 - in /websites/production/activemq/content: cache/main.pageCache shiro.html
Date Sat, 31 Aug 2013 23:21:32 GMT
Author: buildbot
Date: Sat Aug 31 23:21:32 2013
New Revision: 876857

Log:
Production update by buildbot for activemq

Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/shiro.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/activemq/content/shiro.html
==============================================================================
--- websites/production/activemq/content/shiro.html (original)
+++ websites/production/activemq/content/shiro.html Sat Aug 31 23:21:32 2013
@@ -32,15 +32,6 @@
     </style>
     <![endif]-->
 
-          <link href='http://activemq.apache.org/styles/highlighter/styles/shCore.css'
rel='stylesheet' type='text/css' /> 
-      <link href='http://activemq.apache.org/styles/highlighter/styles/shThemeEclipse.css'
rel='stylesheet' type='text/css' /> 
-      <script src='http://activemq.apache.org/styles/highlighter/scripts/shCore.js' type='text/javascript'></script>

-              <script src='http://activemq.apache.org/styles/highlighter/scripts/shBrushJava.js'
type='text/javascript'></script> 
-         
-      <script type="text/javascript"> 
-        SyntaxHighlighter.defaults['toolbar'] = false; 
-        SyntaxHighlighter.all(); 
-      </script> 
     
     <title>
     Apache ActiveMQ &#8482; -- Shiro
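Review bot: removing the shCore.js and shBrushJava.js includes together with the SyntaxHighlighter.all() call leaves nothing in this file to render the code panels, which are still emitted further down as <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter">. Browsers do not display script elements, so unless the highlighter is now loaded from somewhere not visible in this diff, every configuration example on the page will be invisible. Please confirm the includes moved rather than disappeared before this goes to production.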
@@ -82,13 +73,15 @@
         <tr>
         <td valign="top" width="100%">
           <div class="wiki-content maincontent">
+<div class="panelMacro"><table class="warningMacro"><colgroup span="1"><col
span="1" width="24"><col span="1"></colgroup><tr><td colspan="1" rowspan="1"
valign="top"><img align="middle" src="https://cwiki.apache.org/confluence/images/icons/emoticons/forbidden.gif"
width="16" height="16" alt="" border="0"></td><td colspan="1" rowspan="1"><b>Version
Compatibility</b><br clear="none">Not yet released.  Will be available in ActiveMQ
5.9.0.</td></tr></table></div>
+
 <p>ActiveMQ 5.9 and later provides a fully customizable security experience using <a
shape="rect" class="external-link" href="http://shiro.apache.org">Apache Shiro</a>.</p>
 
 <p>The ActiveMQ Shiro plugin can secure all aspects of ActiveMQ, from authenticating
transport connections to authorizing behavior with topics and queues and everything in between.</p>
 
-<h2><a shape="rect" name="Shiro-Usage"></a>Usage</h2>
+<h2><a shape="rect" name="Shiro-Quickstart"></a>Quickstart</h2>
 
-<p>The fastest/simplest way to enable the ShiroPlugin is to define it as a Spring bean
in the <tt>broker</tt> <tt>plugins</tt> section and use Shiro's <a
shape="rect" class="external-link" href="http://shiro.apache.org/configuration.html">ini
configuration</a>:</p>
+<p>The fastest/simplest way to enable the ShiroPlugin is to define it as a Spring bean
in the <tt>broker</tt> <tt>plugins</tt> section and embed <a shape="rect"
class="external-link" href="http://shiro.apache.org/configuration.html">Shiro ini configuration</a>:</p>
 
 <div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
 <script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
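Review bot: the heading anchor changes from name="Shiro-Usage" to name="Shiro-Quickstart", so any existing link to shiro.html#Shiro-Usage will silently land at the top of the page. If the rename is intended, keep an extra empty anchor with the old name next to the new one. Separately, the new warning panel says "Not yet released. Will be available in ActiveMQ 5.9.0." while the next paragraph states "ActiveMQ 5.9 and later provides"; the panel will need to be removed at release time or the two statements will contradict each other.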
@@ -123,6 +116,12 @@
                 # ActiveMQ System User
                 # needed for in-VM/local connections when authentication is enabled:
                 system = manager, system
+                
+                # Other users here.  You should almost always add the `advisory` role for
each
+                # user to make your life easy!  See the [roles] comments below for more info.
+                # jsmith = jsmithsPassword, advisory
+                # djones = djonesPassword, advisory, ...
+                # etc.
 
                 [roles]
                 # roles section format:
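Review bot: the added template lines "# jsmith = jsmithsPassword, advisory" and "# djones = djonesPassword, advisory, ..." model plaintext passwords in the [users] section, and this is the snippet readers are most likely to copy. Since the same commit adds a section on hashed passwords, add a comment here pointing to it so the plaintext form is clearly marked as test-only. The first added line of the hunk is whitespace-only and can be an empty line.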
@@ -157,6 +156,73 @@
 
 <p>This config assumes you have a simple/small set of static users that access your
ActiveMQ broker.  We'll cover enabling more advanced user repositories later.</p>
 
+<h4><a shape="rect" name="Shiro-EncryptedPasswords"></a>Encrypted Passwords</h4>
+
+<p>The above example uses plaintext passwords, which is simple to set up and easy to
use for testing, but not really secure.  Most production deployments will likely want to use
encrypted passwords.  For example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
+    &lt;!-- enabled by default.  To disable, uncomment:
+    &lt;property name="iniConfig"&gt;&lt;value&gt;
+
+    [main]
+    # Shiro object graph configuration here
+    passwordMatcher = org.apache.shiro.authc.credential.PasswordMatcher
+    iniRealm.credentialsMatcher = $passwordMatcher
+ 
+    [users]
+    scott = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=,
advisory
+    system = $shiro1$SHA-256$500000$eUyGwMGr9GYzB/gg/MoNgw==$WGc0yWFWv8+hLqjzVLgW7Hat2FQTywDXBl5izpqaLSY=,
system
+
+    [roles]
+    system = *
+    advisory = topic:ActiveMQ.Advisory*
+    &lt;/value&gt;&lt;/property&gt;
+&lt;/bean&gt;
+]]></script>
+</div></div>
+
+<p>As you can see, two things are different than the simpler/default configuration:</p>
+
+<ol><li>The <tt>[main]</tt> section configured a <tt>PasswordMatcher</tt>
on the implicit <tt>iniRealm</tt>.  This indicates that all <tt>.ini</tt>-configured
users are expected to have proper hashed/secure passwords.</li><li>The <tt>[users]</tt>
lines now have hash values in the <tt>password</tt> location instead of plaintext
values.</li></ol>
+
+
+<p>To get the hashed password text values, you will want to <a shape="rect" class="external-link"
href="http://search.maven.org/remotecontent?filepath=org/apache/shiro/tools/shiro-tools-hasher/1.2.2/shiro-tools-hasher-1.2.2-cli.jar"
rel="nofollow">Download Shiro's Command Line Hasher</a> from Maven Central.  Once
downloaded, you can use it to create secure password hashes that you can safely copy-and-paste
in to the <tt>[users]</tt> section:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+$ java -jar shiro-tools-hasher-X.X.X-cli.jar -p
+]]></script>
+</div></div>
+
+<p>It will then ask you to enter the password and then confirm it:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+Password to hash:
+Password to hash (confirm):
+]]></script>
+</div></div>
+
+<p>When this command executes, it will print out the securely-salted-iterated-and-hashed
password. For example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+$shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=
+]]></script>
+</div></div>
+
+<p>Take this value and place it as the password in the user definition line (followed
by any desired roles, such as the <tt>advisory</tt> role). For example:</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+[users]
+scott = $shiro1$SHA-256$500000$eWpVX2tGX7WCP2J+jMCNqw==$it/NRclMOHrfOvhAEFZ0mxIZRdbcfqIBdwdwdDXW2dM=,
advisory
+system = $shiro1$SHA-256$500000$eUyGwMGr9GYzB/gg/MoNgw==$WGc0yWFWv8+hLqjzVLgW7Hat2FQTywDXBl5izpqaLSY=,
system
+]]></script>
+</div></div>
+
 <h2><a shape="rect" name="Shiro-Configuration"></a>Configuration</h2>
 
 <p>The ActiveMQ Shiro plugin can be configured in a number of ways.  For example, with
Java:</p>
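Review bot: in the first bean example of this hunk, the line "&lt;!-- enabled by default.  To disable, uncomment:" is followed directly by "&lt;property name="iniConfig"&gt;&lt;value&gt;" and the comment is never closed. It looks like a leftover from the Enabling/Disabling example; as written the XML is malformed and the whole iniConfig block sits inside a comment, so a reader who pastes it gets a broker that fails to load or loads without the intended users and PasswordMatcher. Drop the comment line. Also, the heading says "Encrypted Passwords" while the text and the $shiro1$SHA-256$500000$... values describe salted, iterated hashes; "Hashed Passwords" would match what the PasswordMatcher actually checks. The hasher download link is pinned to 1.2.2 while the command uses shiro-tools-hasher-X.X.X-cli.jar, so say which version is expected.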
@@ -201,6 +267,44 @@ broker.setPlugins(new BrokerPlugin[]{shi
 
 <p>The remaining configuration examples on this page will be shown as bean XML, but
know that the same configuration can be done in Java as standard JavaBeans-compatible getter
and setter methods.</p>
 
+<h3><a shape="rect" name="Shiro-Enabling%2FDisabling"></a>Enabling/Disabling</h3>
+
+<p>You can enable or disable the ShiroPlugin entirely without having to remove it from
your configuration.  This is convenient when testing, or when you want to enable or disable
it based on a configuration parameter at startup.</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
+    &lt;!-- enabled by default.  To disable, uncomment:
+    &lt;property name="enabled" value="false"/&gt; --&gt;
+&lt;/bean&gt;
+]]></script>
+</div></div>
+
+<p>A nice technique is to use Spring's <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.2.x/javadoc-api/org/springframework/context/support/PropertySourcesPlaceholderConfigurer.html"
rel="nofollow">PropertySourcesPlaceholderConfigurer</a> and placeholder tokens (set
<tt>shiro.enabled = true</tt> in one of your placeholder property files):</p>
+
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
+&lt;beans ...&gt;
+
+    &lt;bean class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer"&gt;
+       ...
+    &lt;/bean&gt;
+
+    &lt;broker ...&gt;
+        &lt;plugins ...&gt;
+
+            &lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
+                &lt;property name="enabled" value="${shiro.enabled}"/&gt;
+            &lt;/bean&gt;
+ 
+        &lt;/plugins&gt;
+    &lt;/broker&gt;
+&lt;/beans&gt;
+]]></script>
+</div></div>
+
+<p>This allows you to enable or disable the Shiro plugin by simply setting a property
in a <tt>.properties</tt> file without having to change your XML config.</p>
+
 <h3><a shape="rect" name="Shiro-ShiroEnvironment"></a>Shiro Environment</h3>
 
 <p>The <tt>shiroPlugin</tt> requires a Shiro <a shape="rect" class="external-link"
href="http://shiro.apache.org/static/current/apidocs/org/apache/shiro/env/Environment.html">Environment</a>
to function.  You must either configure the plugin with:</p>
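Review bot: the relocated Enabling/Disabling section documents "&lt;property name="enabled" value="${shiro.enabled}"/&gt;" but never states what the broker does when the value is false. Given the page opens by saying the plugin secures everything from authenticating connections to authorizing topics and queues, add one sentence saying that a disabled plugin means none of that is enforced, and that the .properties file holding shiro.enabled therefore needs the same access control as the broker XML. It would also help to say what happens when shiro.enabled is not defined in any property file, since the text only shows the "shiro.enabled = true" case.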
@@ -323,42 +427,6 @@ broker.setPlugins(new BrokerPlugin[]{shi
 ]]></script>
 </div></div>
 
-<h3><a shape="rect" name="Shiro-Enabling%2FDisabling"></a>Enabling/Disabling</h3>
-
-<p>You can enable or disable the ShiroPlugin entirely without having to remove it from
your configuration.  This is convenient when testing, or when you want to enable or disable
it based on a configuration parameter at startup.</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
-    &lt;!-- enabled by default.  To disable, uncomment:
-    &lt;property name="enabled" value="false"/&gt; --&gt;
-&lt;/bean&gt;
-]]></script>
-</div></div>
-
-<p>A nice technique is to use Spring's <a shape="rect" class="external-link" href="http://static.springsource.org/spring/docs/3.2.x/javadoc-api/org/springframework/context/support/PropertySourcesPlaceholderConfigurer.html"
rel="nofollow">PropertySourcesPlaceholderConfigurer</a> and placeholder tokens (set
<tt>shiro.enabled = true</tt> in one of your placeholder property files):</p>
-
-<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
-<script class="theme: Default; brush: java; gutter: false" type="syntaxhighlighter"><![CDATA[
-&lt;beans ...&gt;
-
-    &lt;bean class="org.springframework.context.support.PropertySourcesPlaceholderConfigurer"&gt;
-       ...
-    &lt;/bean&gt;
-
-    &lt;broker ...&gt;
-        &lt;plugins ...&gt;
-
-            &lt;bean id="shiroPlugin" class="org.apache.activemq.shiro.ShiroPlugin" xmlns="http://www.springframework.org/schema/beans"&gt;
-                &lt;property name="enabled" value="${shiro.enabled}"/&gt;
-            &lt;/bean&gt;
- 
-        &lt;/plugins&gt;
-    &lt;/broker&gt;
-&lt;/beans&gt;
-]]></script>
-</div></div>
-
 <h2><a shape="rect" name="Shiro-Design"></a>Design</h2>
 
 <p>The Shiro plugin is a <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerPlugin.html">BrokerPlugin</a>
that inserts 3 <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerFilter.html">BrokerFilter</a>s
in the broker filter chain: the <tt>SubjectFilter</tt>, the <tt>AuthenticationFilter</tt>
and the <tt>AuthorizationFilter</tt></p>


