activemq-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From clebertsuco...@apache.org
Subject [2/5] activemq-artemis git commit: ARTEMIS-74 import JAAS auth from 5.x
Date Fri, 09 Oct 2015 19:58:10 GMT
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/docs/user-manual/en/security.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md
index eeb36c1..34e1a49 100644
--- a/docs/user-manual/en/security.md
+++ b/docs/user-manual/en/security.md
@@ -129,17 +129,21 @@ Sockets Layer (SSL) transport.
 
 For more information on configuring the SSL transport, please see [Configuring the Transport](configuring-transports.md).
 
-## Basic user credentials
+## User credentials
 
-Apache ActiveMQ Artemis ships with a security manager implementation that reads user
-credentials, i.e. user names, passwords and role information from properties
-files on the classpath called `artemis-users.properties` and `artemis-roles.properties`. This is the default security manager.
+Apache ActiveMQ Artemis ships with two security manager implementations:
+ 
+-   The legacy, deprecated `ActiveMQSecurityManager` that reads user credentials, i.e. user names, passwords and role 
+information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`. 
+This is the default security manager.
 
-If you wish to use this security manager, then users, passwords and
-roles can easily be added into these files.
+-   The flexible, pluggable `ActiveMQJAASSecurityManager` which supports any standard JAAS login module. Artemis ships 
+with several login modules which will be discussed further down. 
 
-To configure this manager then it needs to be added to the `bootstrap.xml` configuration.
-Lets take a look at what this might look like:
+### Non-JAAS Security Manager
+
+If you wish to use the legacy, deprecated `ActiveMQSecurityManager`, then it needs to be added to the `bootstrap.xml` 
+configuration. Lets take a look at what this might look like:
 
     <basic-security>
       <users>file:${activemq.home}/config/non-clustered/artemis-users.properties</users>
@@ -149,28 +153,276 @@ Lets take a look at what this might look like:
 
 The first 2 elements `users` and `roles` define what properties files should be used to load in the users and passwords.
 
-The next thing to note is the element `defaultuser`. This defines what
-user will be assumed when the client does not specify a
-username/password when creating a session. In this case they will be the
-user `guest`. Multiple roles can be specified for a default user in the
-`artemis-roles.properties`.
+The next thing to note is the element `defaultuser`. This defines what user will be assumed when the client does not 
+specify a username/password when creating a session. In this case they will be the user `guest`. Multiple roles can be 
+specified for a default user in the `artemis-roles.properties`.
 
-Lets now take alook at the `artemis-users.properties` file, this is basically
-just a set of key value pairs that define the users and their password, like so:
+Lets now take a look at the `artemis-users.properties` file, this is basically just a set of key value pairs that define
+the users and their password, like so:
 
     bill=activemq
     andrew=activemq1
     frank=activemq2
     sam=activemq3
 
-The `artemis-roles.properties` defines what groups these users belong too
-where the key is the user and the value is a comma separated list of the groups
-the user belongs to, like so:
+The `artemis-roles.properties` defines what groups these users belong too where the key is the user and the value is a 
+comma separated list of the groups the user belongs to, like so:
 
     bill=user
     andrew=europe-user,user
     frank=us-user,news-user,user
     sam=news-user,user
+    
+### JAAS Security Manager
+
+When using JAAS much of the configuration depends on which login module is used. However, there are a few commonalities
+for every case. Just like in the non-JAAS use-case, the first place to look is in `bootstrap.xml`. Here is an example
+using the `PropertiesLogin` JAAS login module which reads user, password, and role information from properties files
+much like the non-JAAS security manager implementation:
+
+    <jaas-security login-module="PropertiesLogin"/>
+    
+No matter what login module you're using, you'll need to specify it here in `bootstrap.xml`. The `login-module` attribute
+here refers to the relevant login module entry in `login.config`. For example:
+
+    PropertiesLogin {
+        org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
+            debug=true
+            org.apache.activemq.jaas.properties.user="artemis-users.properties"
+            org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+    };
+
+The `login.config` file is a standard JAAS configuration file. You can read more about this file on 
+[Oracle's website](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html).
+In short, the file defines:
+
+-   an alias for a configuration (e.g. `PropertiesLogin`)
+
+-   the implementation class (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`)
+
+-   a flag which indicates whether the success of the LoginModule is `required`, `requisite`, `sufficient`, or `optional`
+
+-   a list of configuration options specific to the login module implementation
+
+By default, the location and name of `login.config` is specified on the Artemis command-line which is set by 
+`etc/artemis.profile` on linux and `etc\artemis.profile.cmd` on Windows.
+
+### JAAS Login Modules
+
+#### GuestLoginModule
+Allows users without credentials (and, depending on how it is configured, possibly also users with invalid credentials) 
+to access the broker. Normally, the guest login module is chained with another login module, such as a properties login 
+module. It is implemented by `org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule`.
+
+-   `org.apache.activemq.jaas.guest.user` - the user name to assign; default is "guest"
+
+-   `org.apache.activemq.jaas.guest.role` - the role name to assign; default is "guests"
+
+-   `credentialsInvalidate` - boolean flag; if `true`, reject login requests that include a password (i.e. guest login
+succeeds only when the user does not provide a password); default is `false`
+
+-   `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it 
+should be set to `false`, or omitted; default is `false`
+
+There are two basic use cases for the guest login module, as follows:
+
+-   Guests with no credentials or invalid credentials.
+
+-   Guests with no credentials only.
+
+The following snippet shows how to configure a JAAS login entry for the use case where users with no credentials or 
+invalid credentials are logged in as guests. In this example, the guest login module is used in combination with the 
+properties login module.
+
+    activemq-domain {
+      org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient
+          debug=true
+          org.apache.activemq.jaas.properties.user="artemis-users.properties"
+          org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+    
+      org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
+          debug=true
+          org.apache.activemq.jaas.guest.user="anyone"
+          org.apache.activemq.jaas.guest.role="restricted";
+    };
+
+Depending on the user login data, authentication proceeds as follows:
+
+-   User logs in with a valid password — the properties login module successfully authenticates the user and returns 
+    immediately. The guest login module is not invoked.
+
+-   User logs in with an invalid password — the properties login module fails to authenticate the user, and authentication 
+    proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal.
+
+-   User logs in with a blank password — the properties login module fails to authenticate the user, and authentication 
+    proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal.
+
+The following snipped shows how to configure a JAAS login entry for the use case where only those users with no 
+credentials are logged in as guests. To support this use case, you must set the credentialsInvalidate option to true in 
+the configuration of the guest login module. You should also note that, compared with the preceding example, the order 
+of the login modules is reversed and the flag attached to the properties login module is changed to requisite.
+
+    activemq-guest-when-no-creds-only-domain {
+        org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient
+            debug=true
+           credentialsInvalidate=true
+           org.apache.activemq.jaas.guest.user="guest"
+           org.apache.activemq.jaas.guest.role="guests";
+    
+        org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule requisite
+            debug=true
+            org.apache.activemq.jaas.properties.user="artemis-users.properties"
+            org.apache.activemq.jaas.properties.role="artemis-roles.properties";
+    };
+
+Depending on the user login data, authentication proceeds as follows:
+
+-   User logs in with a valid password — the guest login module fails to authenticate the user (because the user has 
+    presented a password while the credentialsInvalidate option is enabled) and authentication proceeds to the properties 
+    login module. The properties login module sucessfully authenticates the user and returns.
+
+-   User logs in with an invalid password — the guest login module fails to authenticate the user and authentication proceeds
+    to the properties login module. The properties login module also fails to authenticate the user. The nett result is 
+    authentication failure.
+ 
+-   User logs in with a blank password — the guest login module successfully authenticates the user and returns immediately.
+    The properties login module is not invoked.
+    
+#### PropertiesLoginModule
+The JAAS properties login module provides a simple store of authentication data, where the relevant user data is stored 
+in a pair of flat files. This is convenient for demonstrations and testing, but for an enterprise system, the integration 
+with LDAP is preferable. It is implemented by `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`.
+
+-   `org.apache.activemq.jaas.properties.user` - the path to the file which contains user and password properties
+
+-   `org.apache.activemq.jaas.properties.role` - the path to the file which contains user and role properties
+
+-   `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it 
+should be set to `false`, or omitted; default is `false`
+
+In the context of the properties login module, the `artemis-users.properties` file consists of a list of properties of the 
+form, `UserName=Password`. For example, to define the users `system`, `user`, and `guest`, you could create a file like 
+the following:
+
+    system=manager
+    user=password
+    guest=password
+
+The `artemis-roles.properties` file consists of a list of properties of the form, `Role=UserList`, where UserList is a 
+comma-separated list of users. For example, to define the roles `admins`, `users`, and `guests`, you could create a file 
+like the following:
+
+    admins=system
+    users=system,user
+    guests=guest
+    
+#### LDAPLoginModule
+The LDAP login module enables you to perform authentication and authorization by checking the incoming credentials against 
+user data stored in a central X.500 directory server. For systems that already have an X.500 directory server in place, 
+this means that you can rapidly integrate ActiveMQ Artemis with the existing security database and user accounts can be 
+managed using the X.500 system. It is implemented by `org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule`.
+
+-   `initialContextFactory` - must always be set to `com.sun.jndi.ldap.LdapCtxFactory`    
+
+-   `connectionURL` - specify the location of the directory server using an ldap URL, ldap://Host:Port. You can 
+    optionally qualify this URL, by adding a forward slash, `/`, followed by the DN of a particular node in the directory
+    tree. For example, ldap://ldapserver:10389/ou=system.    
+        
+-   `authentication` - specifies the authentication method used when binding to the LDAP server. Can take either of 
+    the values, `simple` (username and password) or `none` (anonymous). 
+            
+-   `connectionUsername` - the DN of the user that opens the connection to the directory server. For example, 
+    `uid=admin,ou=system`. Directory servers generally require clients to present username/password credentials in order
+    to open a connection.      
+      
+-   `connectionPassword` - the password that matches the DN from `connectionUsername`. In the directory server, 
+    in the DIT, the password is normally stored as a `userPassword` attribute in the corresponding directory entry.    
+         
+-   `connectionProtocol` - currently, the only supported value is a blank string. In future, this option will allow 
+    you to select the Secure Socket Layer (SSL) for the connection to the directory server. This option must be set 
+    explicitly to an empty string, because it has no default value.        
+    
+-   `userBase` - selects a particular subtree of the DIT to search for user entries. The subtree is specified by a 
+    DN, which specifes the base node of the subtree. For example, by setting this option to `ou=User,ou=ActiveMQ,ou=system`,
+    the search for user entries is restricted to the subtree beneath the `ou=User,ou=ActiveMQ,ou=system` node.   
+         
+-   `userSearchMatching` - specifies an LDAP search filter, which is applied to the subtree selected by `userBase`. 
+    Before passing to the LDAP search operation, the string value you provide here is subjected to string substitution, 
+    as implemented by the `java.text.MessageFormat` class. Essentially, this means that the special string, `{0}`, is 
+    substituted by the username, as extracted from the incoming client credentials.  
+      
+    After substitution, the string is interpreted as an LDAP search filter, where the LDAP search filter syntax is 
+    defined by the IETF standard, RFC 2254. A short introduction to the search filter syntax is available from Oracle's 
+    JNDI tutorial, [Search Filters](http://download.oracle.com/javase/jndi/tutorial/basics/directory/filter.html). 
+       
+    For example, if this option is set to `(uid={0})` and the received username is `jdoe`, the search filter becomes
+    `(uid=jdoe)` after string substitution. If the resulting search filter is applied to the subtree selected by the 
+    user base, `ou=User,ou=ActiveMQ,ou=system`, it would match the entry, `uid=jdoe,ou=User,ou=ActiveMQ,ou=system`
+    (and possibly more deeply nested entries, depending on the specified search depth—see the `userSearchSubtree` option). 
+           
+-   `userSearchSubtree` - specify the search depth for user entries, relative to the node specified by `userBase`. 
+    This option is a boolean. `false` indicates it will try to match one of the child entries of the `userBase` node 
+    (maps to `javax.naming.directory.SearchControls.ONELEVEL_SCOPE`). `true` indicates it will try to match any entry 
+    belonging to the subtree of the `userBase` node (maps to `javax.naming.directory.SearchControls.SUBTREE_SCOPE`). 
+           
+-   `userRoleName` - specifies the name of the multi-valued attribute of the user entry that contains a list of 
+    role names for the user (where the role names are interpreted as group names by the broker's authorization plug-in).
+    If you omit this option, no role names are extracted from the user entry.         
+    
+-   `roleBase` - if you want to store role data directly in the directory server, you can use a combination of role 
+    options (`roleBase`, `roleSearchMatching`, `roleSearchSubtree`, and `roleName`) as an alternative to (or in addition 
+    to) specifying the `userRoleName` option. This option selects a particular subtree of the DIT to search for role/group 
+    entries. The subtree is specified by a DN, which specifes the base node of the subtree. For example, by setting this 
+    option to `ou=Group,ou=ActiveMQ,ou=system`, the search for role/group entries is restricted to the subtree beneath 
+    the `ou=Group,ou=ActiveMQ,ou=system` node.        
+    
+-   `roleName` - specifies the attribute type of the role entry that contains the name of the role/group (e.g. C, O,
+    OU, etc.). If you omit this option, the role search feature is effectively disabled.        
+    
+-   `roleSearchMatching` - specifies an LDAP search filter, which is applied to the subtree selected by `roleBase`. 
+    This works in a similar manner to the `userSearchMatching` option, except that it supports two substitution strings,
+    as follows:        
+    
+    -   `{0}` - substitutes the full DN of the matched user entry (that is, the result of the user search). For 
+        example, for the user, `jdoe`, the substituted string could be `uid=jdoe,ou=User,ou=ActiveMQ,ou=system`.
+        
+    -   `{1}` - substitutes the received username. For example, `jdoe`.    
+    
+    For example, if this option is set to `(member=uid={1})` and the received username is `jdoe`, the search filter 
+    becomes `(member=uid=jdoe)` after string substitution (assuming ApacheDS search filter syntax). If the resulting 
+    search filter is applied to the subtree selected by the role base, `ou=Group,ou=ActiveMQ,ou=system`, it matches all 
+    role entries that have a `member` attribute equal to `uid=jdoe` (the value of a `member` attribute is a DN).  
+      
+    This option must always be set, even if role searching is disabled, because it has no default value. 
+       
+    If you use OpenLDAP, the syntax of the search filter is `(member:=uid=jdoe)`.
+    
+-   `roleSearchSubtree` - specify the search depth for role entries, relative to the node specified by `roleBase`. 
+    This option can take boolean values, as follows:
+    
+    -   `false` (default) - try to match one of the child entries of the roleBase node (maps to 
+        `javax.naming.directory.SearchControls.ONELEVEL_SCOPE`).    
+                                   
+    -   `true` — try to match any entry belonging to the subtree of the roleBase node (maps to 
+        `javax.naming.directory.SearchControls.SUBTREE_SCOPE`).
+
+-   `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it 
+should be set to `false`, or omitted; default is `false`
+
+Add user entries under the node specified by the `userBase` option. When creating a new user entry in the directory, 
+choose an object class that supports the `userPassword` attribute (for example, the `person` or `inetOrgPerson` object 
+classes are typically suitable). After creating the user entry, add the `userPassword` attribute, to hold the user's 
+password.
+
+If you want to store role data in dedicated role entries (where each node represents a particular role), create a role 
+entry as follows. Create a new child of the `roleBase` node, where the `objectClass` of the child is `groupOfNames`. Set 
+the `cn` (or whatever attribute type is specified by `roleName`) of the new child node equal to the name of the 
+role/group. Define a `member` attribute for each member of the role/group, setting the `member` value to the DN of the 
+corresponding user (where the DN is specified either fully, `uid=jdoe,ou=User,ou=ActiveMQ,ou=system`, or partially, 
+`uid=jdoe`).
+
+If you want to add roles to user entries, you would need to customize the directory schema, by adding a suitable 
+attribute type to the user entry's object class. The chosen attribute type must be capable of handling multiple values.
 
 ## Changing the username/password for clustering
 

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/pom.xml
----------------------------------------------------------------------
diff --git a/examples/features/standard/pom.xml b/examples/features/standard/pom.xml
index fe56e87..eaf9b38 100644
--- a/examples/features/standard/pom.xml
+++ b/examples/features/standard/pom.xml
@@ -82,6 +82,7 @@ under the License.
             <module>request-reply</module>
             <module>scheduled-message</module>
             <module>security</module>
+            <module>security-jaas</module>
             <module>send-acknowledgements</module>
             <module>spring-integration</module>
             <module>ssl-enabled</module>
@@ -142,6 +143,7 @@ under the License.
             <module>rest</module>
             <module>scheduled-message</module>
             <module>security</module>
+            <module>security-jaas</module>
             <module>send-acknowledgements</module>
             <module>spring-integration</module>
 

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/pom.xml
----------------------------------------------------------------------
diff --git a/examples/features/standard/security-jaas/pom.xml b/examples/features/standard/security-jaas/pom.xml
new file mode 100644
index 0000000..ff975a3
--- /dev/null
+++ b/examples/features/standard/security-jaas/pom.xml
@@ -0,0 +1,111 @@
+<?xml version='1.0'?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+   <modelVersion>4.0.0</modelVersion>
+
+   <parent>
+      <groupId>org.apache.activemq.examples.broker</groupId>
+      <artifactId>jms-examples</artifactId>
+      <version>1.1.1-SNAPSHOT</version>
+   </parent>
+
+   <artifactId>security-jaas</artifactId>
+   <packaging>jar</packaging>
+   <name>ActiveMQ Artemis JMS JAAS Security Example</name>
+
+   <properties>
+      <activemq.basedir>${project.basedir}/../../../..</activemq.basedir>
+   </properties>
+
+   <dependencies>
+      <dependency>
+         <groupId>org.apache.activemq</groupId>
+         <artifactId>artemis-jms-client</artifactId>
+         <version>${project.version}</version>
+      </dependency>
+   </dependencies>
+
+   <build>
+      <plugins>
+         <plugin>
+            <groupId>org.apache.activemq</groupId>
+            <artifactId>artemis-maven-plugin</artifactId>
+            <executions>
+               <execution>
+                  <id>create</id>
+                  <goals>
+                     <goal>create</goal>
+                  </goals>
+                  <configuration>
+                     <ignore>${noServer}</ignore>
+                     <brokerSecurity>jaas</brokerSecurity>
+                  </configuration>
+               </execution>
+               <execution>
+                  <id>start</id>
+                  <goals>
+                     <goal>cli</goal>
+                  </goals>
+                  <configuration>
+                     <ignore>${noServer}</ignore>
+                     <spawn>true</spawn>
+                     <testURI>tcp://localhost:61616</testURI>
+                     <testUser>bill</testUser>
+                     <testPassword>activemq</testPassword>
+                     <args>
+                        <param>run</param>
+                     </args>
+                  </configuration>
+               </execution>
+               <execution>
+                  <id>runClient</id>
+                  <goals>
+                     <goal>runClient</goal>
+                  </goals>
+                  <configuration>
+                     <clientClass>org.apache.activemq.artemis.jms.example.JaasSecurityExample</clientClass>
+                  </configuration>
+               </execution>
+               <execution>
+                  <id>stop</id>
+                  <goals>
+                     <goal>cli</goal>
+                  </goals>
+                  <configuration>
+                     <ignore>${noServer}</ignore>
+                     <args>
+                        <param>stop</param>
+                     </args>
+                  </configuration>
+               </execution>
+            </executions>
+            <dependencies>
+               <dependency>
+                  <groupId>org.apache.activemq.examples.broker</groupId>
+                  <artifactId>security-jaas</artifactId>
+                  <version>${project.version}</version>
+               </dependency>
+            </dependencies>
+         </plugin>
+      </plugins>
+   </build>
+
+</project>

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/readme.html
----------------------------------------------------------------------
diff --git a/examples/features/standard/security-jaas/readme.html b/examples/features/standard/security-jaas/readme.html
new file mode 100644
index 0000000..9a678f6
--- /dev/null
+++ b/examples/features/standard/security-jaas/readme.html
@@ -0,0 +1,324 @@
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<html>
+  <head>
+    <title>ActiveMQ Artemis JMS Security Example</title>
+    <link rel="stylesheet" type="text/css" href="../../../common/common.css" />
+    <link rel="stylesheet" type="text/css" href="../../../common/prettify.css" />
+    <script type="text/javascript" src="../../../common/prettify.js"></script>
+  </head>
+  <body onload="prettyPrint()">
+     <h1>JMS JAAS Security Example</h1>
+
+     <pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>
+
+
+     <p>This example shows how to configure and use JAAS security using ActiveMQ Artemis.</p>
+
+     <p>With security properly configured, ActiveMQ Artemis can restrict client access to its resources, including
+     connection creation, message sending/receiving, etc. This is done by configuring users and roles as well as permissions in
+     the configuration files.</p>
+
+     <p>ActiveMQ Artemis supports wild-card security configuration. This feature makes security configuration very
+     flexible and enables fine-grained control over permissions in an efficient way.</p>
+
+     <p>For a full description of how to configure security with ActiveMQ Artemis, please consult the user
+     manual.</p>
+
+     <p>This example demonstrates how to configure users/roles using a JAAS login module, how to configure topics with
+     proper permissions using wild-card expressions, and how they take effects in a simple program. </p>
+
+     <p>First we need to configure users with roles. Since this example is using the <code>PropertiesLogin</code> JAAS
+     login module the users and roles are configured in <code>artemis-users.properties</code> and
+     <code>artemis-roles.properties</code> which are referenced from the login module's configuration in <code>login.config</code>.
+     This example has four users configured as below:</p>
+
+     <pre class="prettyprint">
+     <code>
+         bill=activemq
+         andrew=activemq1
+         frank=activemq2
+         sam=activemq3
+     </code>
+     </pre>
+
+     <p>And various roles for those users:</p>
+
+     <pre class="prettyprint">
+     <code>
+         user=bill,andrew,frank,sam
+         europe-user=andrew
+         us-user=frank
+         news-user=frank,sam
+     </code>
+     </pre>
+
+     <p>
+     Each user has three properties available: user name, password, and roles it belongs to. It should be noted that
+     a user can belong to more than one role. In the above configuration, all users belong to role 'user'. User 'andrew' also
+     belongs to role 'europe-user', user 'frank' also belongs to 'us-user' and 'news-user' and user 'sam' also belongs to 'news-user'.
+     </p>
+     <p>
+     User name and password consists of a valid account that can be used to establish connections to a ActiveMQ Artemis server, while
+     roles are used in controlling the access privileges against ActiveMQ Artemis topics and queues. You can achieve this control by
+     configuring proper permissions in <code>broker.xml</code>, like the following
+     </p>
+     <pre class="prettyprint"><code>
+      &lt;security-settings&gt;
+         &lt;!-- any user can have full control of generic topics --&gt;
+		   &lt;security-setting match=&quot;jms.topic.#&quot;&gt;
+		      &lt;permission type=&quot;createDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;deleteDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;createNonDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;deleteNonDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;send&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;consume&quot; roles=&quot;user&quot;/&gt;
+		   &lt;/security-setting&gt;
+
+		   &lt;security-setting match=&quot;jms.topic.news.europe.#&quot;&gt;
+		      &lt;permission type=&quot;createDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;deleteDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;createNonDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;deleteNonDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;send&quot; roles=&quot;europe-user&quot;/&gt;
+		      &lt;permission type=&quot;consume&quot; roles=&quot;news-user&quot;/&gt;
+		   &lt;/security-setting&gt;
+
+		   &lt;security-setting match=&quot;jms.topic.news.us.#&quot;&gt;
+		      &lt;permission type=&quot;createDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;deleteDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;createNonDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;deleteNonDurableQueue&quot; roles=&quot;user&quot;/&gt;
+		      &lt;permission type=&quot;send&quot; roles=&quot;us-user&quot;/&gt;
+		      &lt;permission type=&quot;consume&quot; roles=&quot;news-user&quot;/&gt;
+		   &lt;/security-setting&gt;
+     &lt;/security-settings&gt;
+     </code></pre>
+
+     <p>Permissions can be defined on any group of queues, by using a wildcard. You can easily specify
+     wildcards to apply certain permissions to a set of matching queues and topics. In the above configuration
+     we have created four sets of permissions, each set matches against a special group of targets, indicated by wild-card match attributes.</p>
+
+     <p>You can provide a very broad permission control as a default and then add more strict control
+     over specific addresses. By the above we define the following access rules:</p>
+
+         <li>Only role 'us-user' can create/delete and pulish messages to topics whose names match wild-card pattern 'news.us.#'.</li>
+         <li>Only role 'europe-user' can create/delete and publish messages to topics whose names match wild-card pattern 'news.europe.#'.</li>
+         <li>Only role 'news-user' can subscribe messages to topics whose names match wild-card pattern 'news.us.#' and 'news.europe.#'.</li>
+         <li>For any other topics that don't match any of the above wild-card patterns, permissions are granted to users of role 'user'.</li>
+
+     <p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches
+     jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.us.#'.</p>
+
+     <p>With ActiveMQ Artemis, the security manager is also configurable. You can use JAASSecurityManager or JBossASSecurityManager based on you need. Please
+     check out the activemq-beans.xml for how to do. In this example we just use the basic ActiveMQSecurityManagerImpl which reads users/roles/passwords from the xml
+     file <code>activemq-users.xml</code>.
+
+
+     <h2>Example step-by-step</h2>
+     <p><i>To run the example, simply type <code>mvn verify -Pexample</code> from this directory</i></p>
+
+     <ol>
+        <li>First we need to get an initial context so we can look-up the JMS connection factory and destination objects from JNDI. This initial context will get it's properties from the <code>client-jndi.properties</code> file in the directory <code>../common/config</code></li>
+        <pre class="prettyprint">
+           <code>
+           InitialContext initialContext = getContext(0);
+           </code>
+        </pre>
+
+        <li>We perform lookup on the topics</li>
+        <pre class="prettyprint">
+           <code>
+           Topic genericTopic = (Topic) initialContext.lookup("/topic/genericTopic");
+           Topic europeTopic = (Topic) initialContext.lookup("/topic/europeTopic");
+           Topic usTopic = (Topic) initialContext.lookup("/topic/usTopic");
+           </code>
+        </pre>
+
+        <li>We perform a lookup on the Connection Factory</li>
+        <pre class="prettyprint">
+           <code>
+           ConnectionFactory cf = (ConnectionFactory) initialContext.lookup("/ConnectionFactory");
+           </code>
+        </pre>
+
+        <li>We try to create a JMS Connection without user/password. It will fail.</li>
+        <pre class="prettyprint">
+           <code>
+           try
+           {
+              cf.createConnection();
+              result = false;
+           }
+           catch (JMSSecurityException e)
+           {
+              System.out.println("Default user cannot get a connection. Details: " + e.getMessage());
+           }
+           </code>
+        </pre>
+
+        <li>Bill tries to make a connection using wrong password</li>
+        <pre class="prettyprint">
+           <code>
+           billConnection = null;
+           try
+           {
+              billConnection = createConnection("bill", "activemq1", cf);
+              result = false;
+           }
+           catch (JMSException e)
+           {
+              System.out.println("User bill failed to connect. Details: " + e.getMessage());
+           }
+           </code>
+        </pre>
+
+        <li>Bill makes a good connection.</li>
+        <pre class="prettyprint">
+          <code>
+           billConnection = createConnection("bill", "activemq", cf);
+           billConnection.start();
+          </code>
+       </pre>
+
+        <li>Andrew makes a good connection</li>
+         <pre class="prettyprint">
+           <code>
+           andrewConnection = createConnection("andrew", "activemq1", cf);
+           andrewConnection.start();
+           </code>
+         </pre>
+
+        <li>Frank makes a good connection</li>
+        <pre class="prettyprint">
+           <code>
+           frankConnection = createConnection("frank", "activemq2", cf);
+           frankConnection.start();
+           </code>
+        </pre>
+
+        <li>Sam makes a good connection</li>
+        <pre class="prettyprint">
+           <code>
+           samConnection = createConnection("sam", "activemq3", cf);
+           samConnection.start();
+           </code>
+        </pre>
+
+        <li>We check every user can publish/subscribe genericTopics</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserSendAndReceive(genericTopic, billConnection, "bill");
+           checkUserSendAndReceive(genericTopic, andrewConnection, "andrew");
+           checkUserSendAndReceive(genericTopic, frankConnection, "frank");
+           checkUserSendAndReceive(genericTopic, samConnection, "sam");
+           </code>
+        </pre>
+
+        <li>We check permissions on news.europe.europeTopic for bill: can't send and can't receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserNoSendNoReceive(europeTopic, billConnection, "bill", andrewConnection, frankConnection);
+           </code>
+        </pre>
+
+        <li>We check permissions on news.europe.europeTopic for andrew: can send but can't receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserSendNoReceive(europeTopic, andrewConnection, "andrew", frankConnection);
+           </code>
+        </pre>
+
+        <li>We check permissions on news.europe.europeTopic for frank: can't send but can receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserReceiveNoSend(europeTopic, frankConnection, "frank", andrewConnection);
+           </code>
+        </pre>
+
+        <li>We check permissions on news.europe.europeTopic for sam: can't send but can receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserReceiveNoSend(europeTopic, samConnection, "sam", andrewConnection);
+           </code>
+        </pre>
+
+        <li>We check permissions on news.us.usTopic for bill: can't send and can't receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserNoSendNoReceive(usTopic, billConnection, "bill");
+           </code>
+        </pre>
+
+        <li>We check permissions on news.us.usTopic for andrew: can't send and can't receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserNoSendNoReceive(usTopic, andrewConnection, "andrew");
+           </code>
+        </pre>
+
+        <li>We check permissions on news.us.usTopic for frank: can both send and receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserSendAndReceive(usTopic, frankConnection, "frank");
+           </code>
+        </pre>
+
+        <li>We check permissions on news.us.usTopic for sam: can't send but can receive</li>
+        <pre class="prettyprint">
+           <code>
+           checkUserReceiveNoSend(usTopic, samConnection, "sam", frankConnection);
+           </code>
+        </pre>
+
+        <li>And finally, <b>always</b> remember to close your JMS connections and resources after use, in a <code>finally</code> block. Closing a JMS connection will automatically close all of its sessions, consumers, producer and browser objects</li>
+
+        <pre class="prettyprint">
+           <code>
+           finally
+           {
+              if (billConnection != null)
+              {
+                 billConnection.close();
+              }
+              if (andrewConnection != null)
+              {
+                 andrewConnection.close();
+              }
+              if (frankConnection != null)
+              {
+                 frankConnection.close();
+              }
+              if (samConnection != null)
+              {
+                 samConnection.close();
+              }
+
+              // Also the initialContext
+              if (initialContext != null)
+              {
+                 initialContext.close();
+              }
+           }
+           </code>
+        </pre>
+     </ol>
+  </body>
+</html>

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java
----------------------------------------------------------------------
diff --git a/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java b/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java
new file mode 100644
index 0000000..eae3fdd
--- /dev/null
+++ b/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java
@@ -0,0 +1,282 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.jms.example;
+
+import javax.jms.Connection;
+import javax.jms.ConnectionFactory;
+import javax.jms.JMSException;
+import javax.jms.JMSSecurityException;
+import javax.jms.MessageConsumer;
+import javax.jms.MessageProducer;
+import javax.jms.Session;
+import javax.jms.TextMessage;
+import javax.jms.Topic;
+import javax.naming.InitialContext;
+
+public class JaasSecurityExample {
+
+   public static void main(final String[] args) throws Exception {
+      boolean result = true;
+      Connection failConnection = null;
+      Connection billConnection = null;
+      Connection andrewConnection = null;
+      Connection frankConnection = null;
+      Connection samConnection = null;
+
+      InitialContext initialContext = null;
+      try {
+         // /Step 1. Create an initial context to perform the JNDI lookup.
+         initialContext = new InitialContext();
+
+         // Step 2. perform lookup on the topics
+         Topic genericTopic = (Topic) initialContext.lookup("topic/genericTopic");
+         Topic europeTopic = (Topic) initialContext.lookup("topic/europeTopic");
+         Topic usTopic = (Topic) initialContext.lookup("topic/usTopic");
+
+         // Step 3. perform a lookup on the Connection Factory
+         ConnectionFactory cf = (ConnectionFactory) initialContext.lookup("ConnectionFactory");
+
+         // Step 4. Try to create a JMS Connection without user/password. It will fail.
+         try {
+            failConnection = cf.createConnection();
+            result = false;
+         }
+         catch (JMSSecurityException e) {
+            System.out.println("Default user cannot get a connection. Details: " + e.getMessage());
+         }
+
+         // Step 5. bill tries to make a connection using wrong password
+         billConnection = null;
+         try {
+            billConnection = createConnection("bill", "activemq1", cf);
+            result = false;
+         }
+         catch (JMSException e) {
+            System.out.println("User bill failed to connect. Details: " + e.getMessage());
+         }
+
+         // Step 6. bill makes a good connection.
+         billConnection = createConnection("bill", "activemq", cf);
+         billConnection.start();
+
+         // Step 7. andrew makes a good connection.
+         andrewConnection = createConnection("andrew", "activemq1", cf);
+         andrewConnection.start();
+
+         // Step 8. frank makes a good connection.
+         frankConnection = createConnection("frank", "activemq2", cf);
+         frankConnection.start();
+
+         // Step 9. sam makes a good connection.
+         samConnection = createConnection("sam", "activemq3", cf);
+         samConnection.start();
+
+         // Step 10. Check every user can publish/subscribe genericTopics.
+         System.out.println("------------------------Checking permissions on " + genericTopic + "----------------");
+         checkUserSendAndReceive(genericTopic, billConnection, "bill");
+         checkUserSendAndReceive(genericTopic, andrewConnection, "andrew");
+         checkUserSendAndReceive(genericTopic, frankConnection, "frank");
+         checkUserSendAndReceive(genericTopic, samConnection, "sam");
+         System.out.println("-------------------------------------------------------------------------------------");
+
+         System.out.println("------------------------Checking permissions on " + europeTopic + "----------------");
+
+         // Step 11. Check permissions on news.europe.europeTopic for bill: can't send and can't receive
+         checkUserNoSendNoReceive(europeTopic, billConnection, "bill");
+
+         // Step 12. Check permissions on news.europe.europeTopic for andrew: can send but can't receive
+         checkUserSendNoReceive(europeTopic, andrewConnection, "andrew", frankConnection);
+
+         // Step 13. Check permissions on news.europe.europeTopic for frank: can't send but can receive
+         checkUserReceiveNoSend(europeTopic, frankConnection, "frank", andrewConnection);
+
+         // Step 14. Check permissions on news.europe.europeTopic for sam: can't send but can receive
+         checkUserReceiveNoSend(europeTopic, samConnection, "sam", andrewConnection);
+         System.out.println("-------------------------------------------------------------------------------------");
+
+         System.out.println("------------------------Checking permissions on " + usTopic + "----------------");
+
+         // Step 15. Check permissions on news.us.usTopic for bill: can't send and can't receive
+         checkUserNoSendNoReceive(usTopic, billConnection, "bill");
+
+         // Step 16. Check permissions on news.us.usTopic for andrew: can't send and can't receive
+         checkUserNoSendNoReceive(usTopic, andrewConnection, "andrew");
+
+         // Step 17. Check permissions on news.us.usTopic for frank: can both send and receive
+         checkUserSendAndReceive(usTopic, frankConnection, "frank");
+
+         // Step 18. Check permissions on news.us.usTopic for sam: can't send but can receive
+         checkUserReceiveNoSend(usTopic, samConnection, "sam", frankConnection);
+         System.out.println("-------------------------------------------------------------------------------------");
+      }
+      finally {
+         // Step 19. Be sure to close our JMS resources!
+         if (failConnection != null) {
+            failConnection.close();
+         }
+         if (billConnection != null) {
+            billConnection.close();
+         }
+         if (andrewConnection != null) {
+            andrewConnection.close();
+         }
+         if (frankConnection != null) {
+            frankConnection.close();
+         }
+         if (samConnection != null) {
+            samConnection.close();
+         }
+
+         // Also the initialContext
+         if (initialContext != null) {
+            initialContext.close();
+         }
+      }
+   }
+
+   // Check the user can receive message but cannot send message.
+   private static void checkUserReceiveNoSend(final Topic topic,
+                                              final Connection connection,
+                                              final String user,
+                                              final Connection sendingConn) throws JMSException {
+      Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+      MessageProducer producer = session.createProducer(topic);
+      MessageConsumer consumer = session.createConsumer(topic);
+      TextMessage msg = session.createTextMessage("hello-world-1");
+
+      try {
+         producer.send(msg);
+         throw new IllegalStateException("Security setting is broken! User " + user +
+                                            " can send message [" +
+                                            msg.getText() +
+                                            "] to topic " +
+                                            topic);
+      }
+      catch (JMSException e) {
+         System.out.println("User " + user + " cannot send message [" + msg.getText() + "] to topic: " + topic);
+      }
+
+      // Now send a good message
+      Session session1 = sendingConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+      producer = session1.createProducer(topic);
+      producer.send(msg);
+
+      TextMessage receivedMsg = (TextMessage) consumer.receive(2000);
+
+      if (receivedMsg != null) {
+         System.out.println("User " + user + " can receive message [" + receivedMsg.getText() + "] from topic " + topic);
+      }
+      else {
+         throw new IllegalStateException("Security setting is broken! User " + user + " cannot receive message from topic " + topic);
+      }
+
+      session1.close();
+      session.close();
+   }
+
+   // Check the user can send message but cannot receive message
+   private static void checkUserSendNoReceive(final Topic topic,
+                                              final Connection connection,
+                                              final String user,
+                                              final Connection receivingConn) throws JMSException {
+      Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+      MessageProducer producer = session.createProducer(topic);
+      try {
+         session.createConsumer(topic);
+      }
+      catch (JMSException e) {
+         System.out.println("User " + user + " cannot receive any message from topic " + topic);
+      }
+
+      Session session1 = receivingConn.createSession(false, Session.AUTO_ACKNOWLEDGE);
+      MessageConsumer goodConsumer = session1.createConsumer(topic);
+
+      TextMessage msg = session.createTextMessage("hello-world-2");
+      producer.send(msg);
+
+      TextMessage receivedMsg = (TextMessage) goodConsumer.receive(2000);
+      if (receivedMsg != null) {
+         System.out.println("User " + user + " can send message [" + receivedMsg.getText() + "] to topic " + topic);
+      }
+      else {
+         throw new IllegalStateException("Security setting is broken! User " + user +
+                                            " cannot send message [" +
+                                            msg.getText() +
+                                            "] to topic " +
+                                            topic);
+      }
+
+      session.close();
+      session1.close();
+   }
+
+   // Check the user has neither send nor receive permission on topic
+   private static void checkUserNoSendNoReceive(final Topic topic,
+                                                final Connection connection,
+                                                final String user) throws JMSException {
+      Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+      MessageProducer producer = session.createProducer(topic);
+
+      try {
+         session.createConsumer(topic);
+      }
+      catch (JMSException e) {
+         System.out.println("User " + user + " cannot create consumer on topic " + topic);
+      }
+
+      TextMessage msg = session.createTextMessage("hello-world-3");
+      try {
+         producer.send(msg);
+         throw new IllegalStateException("Security setting is broken! User " + user +
+                                            " can send message [" +
+                                            msg.getText() +
+                                            "] to topic " +
+                                            topic);
+      }
+      catch (JMSException e) {
+         System.out.println("User " + user + " cannot send message [" + msg.getText() + "] to topic: " + topic);
+      }
+
+      session.close();
+   }
+
+   // Check the user connection has both send and receive permissions on the topic
+   private static void checkUserSendAndReceive(final Topic topic,
+                                               final Connection connection,
+                                               final String user) throws JMSException {
+      Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
+      TextMessage msg = session.createTextMessage("hello-world-4");
+      MessageProducer producer = session.createProducer(topic);
+      MessageConsumer consumer = session.createConsumer(topic);
+      producer.send(msg);
+      TextMessage receivedMsg = (TextMessage) consumer.receive(5000);
+      if (receivedMsg != null) {
+         System.out.println("User " + user + " can send message: [" + msg.getText() + "] to topic: " + topic);
+         System.out.println("User " + user + " can receive message: [" + msg.getText() + "] from topic: " + topic);
+      }
+      else {
+         throw new IllegalStateException("Error! User " + user + " cannot receive the message! ");
+      }
+      session.close();
+   }
+
+   private static Connection createConnection(final String username,
+                                              final String password,
+                                              final ConnectionFactory cf) throws JMSException {
+      return cf.createConnection(username, password);
+   }
+}

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties
new file mode 100644
index 0000000..243b341
--- /dev/null
+++ b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties
@@ -0,0 +1,20 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+user=bill,andrew,frank,sam
+europe-user=andrew
+us-user=frank
+news-user=frank,sam
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties
new file mode 100644
index 0000000..0a206c6
--- /dev/null
+++ b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties
@@ -0,0 +1,20 @@
+## ---------------------------------------------------------------------------
+## Licensed to the Apache Software Foundation (ASF) under one or more
+## contributor license agreements.  See the NOTICE file distributed with
+## this work for additional information regarding copyright ownership.
+## The ASF licenses this file to You under the Apache License, Version 2.0
+## (the "License"); you may not use this file except in compliance with
+## the License.  You may obtain a copy of the License at
+##
+## http://www.apache.org/licenses/LICENSE-2.0
+##
+## Unless required by applicable law or agreed to in writing, software
+## distributed under the License is distributed on an "AS IS" BASIS,
+## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+## See the License for the specific language governing permissions and
+## limitations under the License.
+## ---------------------------------------------------------------------------
+bill=activemq
+andrew=activemq1
+frank=activemq2
+sam=activemq3
\ No newline at end of file

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml
----------------------------------------------------------------------
diff --git a/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml
new file mode 100644
index 0000000..e2dc187
--- /dev/null
+++ b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml
@@ -0,0 +1,81 @@
+<?xml version='1.0'?>
+<!--
+Licensed to the Apache Software Foundation (ASF) under one
+or more contributor license agreements.  See the NOTICE file
+distributed with this work for additional information
+regarding copyright ownership.  The ASF licenses this file
+to you under the Apache License, Version 2.0 (the
+"License"); you may not use this file except in compliance
+with the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing,
+software distributed under the License is distributed on an
+"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied.  See the License for the
+specific language governing permissions and limitations
+under the License.
+-->
+
+<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+               xmlns="urn:activemq"
+               xsi:schemaLocation="urn:activemq /schema/artemis-server.xsd">
+
+   <jms xmlns="urn:activemq:jms">
+      <topic name="genericTopic"/>
+
+      <topic name="news.europe.europeTopic"/>
+
+      <topic name="news.us.usTopic"/>
+   </jms>
+
+   <core xmlns="urn:activemq:core">
+
+      <bindings-directory>./data/messaging/bindings</bindings-directory>
+
+      <journal-directory>./data/messaging/journal</journal-directory>
+
+      <large-messages-directory>./data/messaging/largemessages</large-messages-directory>
+
+      <paging-directory>./data/messaging/paging</paging-directory>
+
+      <!-- Acceptors -->
+      <acceptors>
+         <acceptor name="netty-acceptor">tcp://localhost:61616</acceptor>
+      </acceptors>
+
+      <!-- Other config -->
+
+      <security-settings>
+         <!-- any user can have full control of generic topics -->
+         <security-setting match="jms.topic.#">
+            <permission type="createDurableQueue" roles="user"/>
+            <permission type="deleteDurableQueue" roles="user"/>
+            <permission type="createNonDurableQueue" roles="user"/>
+            <permission type="deleteNonDurableQueue" roles="user"/>
+            <permission type="send" roles="user"/>
+            <permission type="consume" roles="user"/>
+         </security-setting>
+
+         <security-setting match="jms.topic.news.europe.#">
+            <permission type="createDurableQueue" roles="user"/>
+            <permission type="deleteDurableQueue" roles="user"/>
+            <permission type="createNonDurableQueue" roles="user"/>
+            <permission type="deleteNonDurableQueue" roles="user"/>
+            <permission type="send" roles="europe-user"/>
+            <permission type="consume" roles="news-user"/>
+         </security-setting>
+
+         <security-setting match="jms.topic.news.us.#">
+            <permission type="createDurableQueue" roles="user"/>
+            <permission type="deleteDurableQueue" roles="user"/>
+            <permission type="createNonDurableQueue" roles="user"/>
+            <permission type="deleteNonDurableQueue" roles="user"/>
+            <permission type="send" roles="us-user"/>
+            <permission type="consume" roles="news-user"/>
+         </security-setting>
+      </security-settings>
+
+   </core>
+</configuration>

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/jndi.properties
----------------------------------------------------------------------
diff --git a/examples/features/standard/security-jaas/src/main/resources/jndi.properties b/examples/features/standard/security-jaas/src/main/resources/jndi.properties
new file mode 100644
index 0000000..0a3b640
--- /dev/null
+++ b/examples/features/standard/security-jaas/src/main/resources/jndi.properties
@@ -0,0 +1,22 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory
+connectionFactory.ConnectionFactory=tcp://localhost:61616
+topic.topic/genericTopic=genericTopic
+topic.topic/europeTopic=news.europe.europeTopic
+topic.topic/usTopic=news.us.usTopic

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/pom.xml
----------------------------------------------------------------------
diff --git a/pom.xml b/pom.xml
index def5ea2..f1fd068 100644
--- a/pom.xml
+++ b/pom.xml
@@ -123,6 +123,8 @@
       <geronimo.jms.2.spec.version>1.0-alpha-2</geronimo.jms.2.spec.version>
 
       <javac-compiler-id>javac-with-errorprone</javac-compiler-id>
+
+      <directory-version>1.5.7</directory-version>
    </properties>
 
    <scm>

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/pom.xml
----------------------------------------------------------------------
diff --git a/tests/integration-tests/pom.xml b/tests/integration-tests/pom.xml
index de8ca77..bb4ec15 100644
--- a/tests/integration-tests/pom.xml
+++ b/tests/integration-tests/pom.xml
@@ -261,6 +261,24 @@
          <version>1.0.1</version>
          <scope>test</scope>
       </dependency>
+      <dependency>
+         <groupId>org.apache.directory.server</groupId>
+         <artifactId>apacheds-server-integ</artifactId>
+         <version>${directory-version}</version>
+         <scope>test</scope>
+      </dependency>
+      <dependency>
+         <groupId>org.apache.directory.server</groupId>
+         <artifactId>apacheds-core-integ</artifactId>
+         <version>${directory-version}</version>
+         <scope>test</scope>
+         <exclusions>
+            <exclusion>
+               <groupId>bouncycastle</groupId>
+               <artifactId>bcprov-jdk15</artifactId>
+            </exclusion>
+         </exclusions>
+      </dependency>
    </dependencies>
 
    <build>

http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java
----------------------------------------------------------------------
diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java
new file mode 100644
index 0000000..f5aeec5
--- /dev/null
+++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java
@@ -0,0 +1,347 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.activemq.artemis.tests.integration.security;
+
+import javax.naming.Context;
+import javax.naming.NameClassPair;
+import javax.naming.NamingEnumeration;
+import javax.naming.directory.DirContext;
+import javax.naming.directory.InitialDirContext;
+import java.io.File;
+import java.lang.management.ManagementFactory;
+import java.net.URL;
+import java.util.HashSet;
+import java.util.Hashtable;
+import java.util.Set;
+
+import org.apache.activemq.artemis.api.core.ActiveMQException;
+import org.apache.activemq.artemis.api.core.SimpleString;
+import org.apache.activemq.artemis.api.core.TransportConfiguration;
+import org.apache.activemq.artemis.api.core.client.ActiveMQClient;
+import org.apache.activemq.artemis.api.core.client.ClientConsumer;
+import org.apache.activemq.artemis.api.core.client.ClientProducer;
+import org.apache.activemq.artemis.api.core.client.ClientSession;
+import org.apache.activemq.artemis.api.core.client.ClientSessionFactory;
+import org.apache.activemq.artemis.api.core.client.ServerLocator;
+import org.apache.activemq.artemis.core.config.Configuration;
+import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
+import org.apache.activemq.artemis.core.remoting.impl.invm.InVMAcceptorFactory;
+import org.apache.activemq.artemis.core.remoting.impl.invm.InVMConnectorFactory;
+import org.apache.activemq.artemis.core.security.Role;
+import org.apache.activemq.artemis.core.server.ActiveMQServer;
+import org.apache.activemq.artemis.core.server.ActiveMQServers;
+import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
+import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
+import org.apache.directory.server.annotations.CreateLdapServer;
+import org.apache.directory.server.annotations.CreateTransport;
+import org.apache.directory.server.core.annotations.ApplyLdifFiles;
+import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
+import org.apache.directory.server.core.integ.FrameworkRunner;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TemporaryFolder;
+import org.junit.runner.RunWith;
+
+@RunWith(FrameworkRunner.class)
+@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)})
+@ApplyLdifFiles("test.ldif")
+public class LDAPSecurityTest extends AbstractLdapTestUnit {
+
+   static {
+      String path = System.getProperty("java.security.auth.login.config");
+      if (path == null) {
+         URL resource = LDAPSecurityTest.class.getClassLoader().getResource("login.config");
+         if (resource != null) {
+            path = resource.getFile();
+            System.setProperty("java.security.auth.login.config", path);
+         }
+      }
+   }
+
+   private ServerLocator locator;
+
+   public static final String TARGET_TMP = "./target/tmp";
+   private static final String PRINCIPAL = "uid=admin,ou=system";
+   private static final String CREDENTIALS = "secret";
+
+
+   public LDAPSecurityTest() {
+      File parent = new File(TARGET_TMP);
+      parent.mkdirs();
+      temporaryFolder = new TemporaryFolder(parent);
+   }
+
+   @Rule
+   public TemporaryFolder temporaryFolder;
+   private String testDir;
+
+   @Before
+   public void setUp() throws Exception {
+      locator = ActiveMQClient.createServerLocatorWithHA(new TransportConfiguration(InVMConnectorFactory.class.getCanonicalName()));
+      testDir = temporaryFolder.getRoot().getAbsolutePath();
+   }
+
+   @SuppressWarnings("unchecked")
+   @Test
+   public void testRunning() throws Exception {
+      Hashtable env = new Hashtable();
+      env.put(Context.PROVIDER_URL, "ldap://localhost:1024");
+      env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
+      env.put(Context.SECURITY_AUTHENTICATION, "simple");
+      env.put(Context.SECURITY_PRINCIPAL, PRINCIPAL);
+      env.put(Context.SECURITY_CREDENTIALS, CREDENTIALS);
+      DirContext ctx = new InitialDirContext(env);
+
+      HashSet set = new HashSet();
+
+      NamingEnumeration list = ctx.list("ou=system");
+
+      while (list.hasMore()) {
+         NameClassPair ncp = (NameClassPair) list.next();
+         set.add(ncp.getName());
+      }
+
+      Assert.assertTrue(set.contains("uid=admin"));
+      Assert.assertTrue(set.contains("ou=users"));
+      Assert.assertTrue(set.contains("ou=groups"));
+      Assert.assertTrue(set.contains("ou=configuration"));
+      Assert.assertTrue(set.contains("prefNodeName=sysPrefRoot"));
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthentication() throws Exception {
+      ActiveMQServer server = getActiveMQServer();
+      server.start();
+      ClientSessionFactory cf = locator.createSessionFactory();
+
+      try {
+         ClientSession session = cf.createSession("first", "secret", false, true, true, false, 0);
+         session.close();
+      }
+      catch (ActiveMQException e) {
+         e.printStackTrace();
+         Assert.fail("should not throw exception");
+      }
+
+      cf.close();
+      locator.close();
+      server.stop();
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception {
+      ActiveMQServer server = getActiveMQServer();
+      server.start();
+      ClientSessionFactory cf = locator.createSessionFactory();
+
+      try {
+         cf.createSession("first", "badpassword", false, true, true, false, 0);
+         Assert.fail("should throw exception here");
+      }
+      catch (Exception e) {
+         // ignore
+      }
+
+      cf.close();
+      locator.close();
+      server.stop();
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthorizationNegative() throws Exception {
+      final SimpleString ADDRESS = new SimpleString("address");
+      final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue");
+      final SimpleString NON_DURABLE_QUEUE = new SimpleString("nonDurableQueue");
+
+      ActiveMQServer server = getActiveMQServer();
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("programmers", false, false, false, false, false, false, false));
+      server.getConfiguration().getSecurityRoles().put("#", roles);
+      server.start();
+      server.createQueue(ADDRESS, DURABLE_QUEUE, null, true, false);
+      server.createQueue(ADDRESS, NON_DURABLE_QUEUE, null, false, false);
+
+      ClientSessionFactory cf = locator.createSessionFactory();
+      ClientSession session = cf.createSession("first", "secret", false, true, true, false, 0);
+
+      // CREATE_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // DELETE_DURABLE_QUEUE
+      try {
+         session.deleteQueue(DURABLE_QUEUE);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // CREATE_NON_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, NON_DURABLE_QUEUE, false);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // DELETE_NON_DURABLE_QUEUE
+      try {
+         session.deleteQueue(NON_DURABLE_QUEUE);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // PRODUCE
+      try {
+         ClientProducer producer = session.createProducer(ADDRESS);
+         producer.send(session.createMessage(true));
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // CONSUME
+      try {
+         ClientConsumer consumer = session.createConsumer(DURABLE_QUEUE);
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      // MANAGE
+      try {
+         ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+         Assert.fail("should throw exception here");
+      }
+      catch (ActiveMQException e) {
+         // ignore
+      }
+
+      session.close();
+      cf.close();
+      locator.close();
+      server.stop();
+   }
+
+   @Test
+   public void testJAASSecurityManagerAuthorizationPositive() throws Exception {
+      final SimpleString ADDRESS = new SimpleString("address");
+      final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue");
+      final SimpleString NON_DURABLE_QUEUE = new SimpleString("nonDurableQueue");
+
+      ActiveMQServer server = getActiveMQServer();
+      Set<Role> roles = new HashSet<>();
+      roles.add(new Role("admins", true, true, true, true, true, true, true));
+      server.getConfiguration().getSecurityRoles().put("#", roles);
+      server.start();
+
+      ClientSessionFactory cf = locator.createSessionFactory();
+      ClientSession session = cf.createSession("first", "secret", false, true, true, false, 0);
+
+      // CREATE_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+      }
+      catch (ActiveMQException e) {
+         e.printStackTrace();
+         Assert.fail("should not throw exception here");
+      }
+
+      // DELETE_DURABLE_QUEUE
+      try {
+         session.deleteQueue(DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         e.printStackTrace();
+         Assert.fail("should not throw exception here");
+      }
+
+      // CREATE_NON_DURABLE_QUEUE
+      try {
+         session.createQueue(ADDRESS, NON_DURABLE_QUEUE, false);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // DELETE_NON_DURABLE_QUEUE
+      try {
+         session.deleteQueue(NON_DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      session.createQueue(ADDRESS, DURABLE_QUEUE, true);
+
+      // PRODUCE
+      try {
+         ClientProducer producer = session.createProducer(ADDRESS);
+         producer.send(session.createMessage(true));
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // CONSUME
+      try {
+         session.createConsumer(DURABLE_QUEUE);
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      // MANAGE
+      try {
+         ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress());
+         producer.send(session.createMessage(true));
+      }
+      catch (ActiveMQException e) {
+         Assert.fail("should not throw exception here");
+      }
+
+      session.close();
+      cf.close();
+      locator.close();
+      server.stop();
+   }
+
+   private ActiveMQServer getActiveMQServer() {
+      ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager();
+      securityManager.setConfigurationName("LDAPLogin");
+      Configuration configuration = new ConfigurationImpl().setSecurityEnabled(true).addAcceptorConfiguration(new TransportConfiguration(InVMAcceptorFactory.class.getCanonicalName()))
+         .setJournalDirectory(ActiveMQTestBase.getJournalDir(testDir, 0, false))
+         .setBindingsDirectory(ActiveMQTestBase.getBindingsDir(testDir, 0, false))
+         .setPagingDirectory(ActiveMQTestBase.getPageDir(testDir, 0, false))
+         .setLargeMessagesDirectory(ActiveMQTestBase.getLargeMessagesDir(testDir, 0, false));
+      return ActiveMQServers.newActiveMQServer(configuration, ManagementFactory.getPlatformMBeanServer(), securityManager, false);
+   }
+}


Mime
View raw message