activemq-commits mailing list archives

From build...@apache.org
Subject svn commit: r980951 - in /websites/production/activemq/content: cache/main.pageCache security.html
Date Mon, 22 Feb 2016 14:22:03 GMT
Author: buildbot
Date: Mon Feb 22 14:22:03 2016
New Revision: 980951

Log:
Production update by buildbot for activemq

Modified:
    websites/production/activemq/content/cache/main.pageCache
    websites/production/activemq/content/security.html

Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.

Modified: websites/production/activemq/content/security.html
==============================================================================
--- websites/production/activemq/content/security.html (original)
+++ websites/production/activemq/content/security.html Mon Feb 22 14:22:03 2016
@@ -83,7 +83,15 @@
   <tbody>
         <tr>
         <td valign="top" width="100%">
-<div class="wiki-content maincontent"><p>ActiveMQ 4.x and greater provides pluggable
security through various different providers.</p><p>The most common providers
are</p><ul><li><a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/"
rel="nofollow">JAAS</a> for authentication</li><li>a default authorization
mechanism using a simple XML configuration file.</li></ul><h3 id="Security-Authentication">Authentication</h3><p>The
default <a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/"
rel="nofollow">JAAS</a> plugin relies on the standard JAAS mechanism for authentication.
Refer to the <a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/reference/docs/index.html"
rel="nofollow">documentation</a> for more detail.</p><p>Typically you
configure JAAS using a config file like <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/login.config
 ">this one</a> and set the <strong>java.security.auth.login.config</strong>
system property to point to it. If no system property is specified then by default the ActiveMQ
JAAS plugin will look for <strong>login.config</strong> on the classpath and use
that.</p><h4 id="Security-AuthenticationExample">Authentication Example</h4><p>Here
is an example <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/login.config">login.config</a>
which then points to these files</p><ul><li><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/users.properties">users.properties</a></li><li><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/groups.properties">groups.properties</a></li></ul><h4
id="Security-SimpleAut
 henticationPlugin">Simple Authentication Plugin</h4><p>If you have modest
authentication requirements (or just want to quickly set up your testing environment) you
can use SimpleAuthenticationPlugin. With this plugin you can define users and groups directly
in the broker's XML configuration. Take a look at the following snippet for example:</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<div class="wiki-content maincontent"><p>ActiveMQ 4.x and greater provides pluggable
security through various different providers.</p><p>The most common providers
are</p><ul><li><a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/"
rel="nofollow">JAAS</a> for authentication</li><li>a default authorization
mechanism using a simple XML configuration file.</li></ul><h3 id="Security-Authentication">Authentication</h3><p>The
default <a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/"
rel="nofollow">JAAS</a> plugin relies on the standard JAAS mechanism for authentication.
Refer to the <a shape="rect" class="external-link" href="http://java.sun.com/products/jaas/reference/docs/index.html"
rel="nofollow">documentation</a> for more detail.</p><p>Typically you
configure JAAS using a config file like <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/login.config
 ">this one</a> and set the <strong>java.security.auth.login.config</strong>
system property to point to it. If no system property is specified then by default the ActiveMQ
JAAS plugin will look for <strong>login.config</strong> on the classpath and use
that.</p><h4 id="Security-AuthenticationExample">Authentication Example</h4><p>Here
is an example <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/login.config">login.config</a>
which then points to these files</p><ul><li><a shape="rect" class="external-link"
href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/users.properties">users.properties</a></li><li><a
shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/groups.properties">groups.properties</a></li></ul><p><strong>Note:</strong>

 Until version 5.11.1, these property files got reloaded on every authentication request by
default. So updates to users, password and groups were loaded immediately. From 5.12 onward
they only get reloaded if reload=true is set in your LoginModule configuration, e.g.</p><div
class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent
pdl">
+<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">activemq
{
+    org.apache.activemq.jaas.PropertiesLoginModule required
+        org.apache.activemq.jaas.properties.user="users.properties"
+        org.apache.activemq.jaas.properties.group="groups.properties"
+        reload=true;
+};
+</pre>
+</div></div><p>If reload=true is not set, these property files get loaded
on broker startup only!! See AMQ-5876 for details.</p><h4 id="Security-SimpleAuthenticationPlugin">Simple
Authentication Plugin</h4><p>If you have modest authentication requirements (or
just want to quickly set up your testing environment) you can use SimpleAuthenticationPlugin.
With this plugin you can define users and groups directly in the broker's XML configuration.
Take a look at the following snippet for example:</p><div class="code panel pdl"
style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;simpleAuthenticationPlugin&gt;
 	&lt;users&gt;
 		&lt;authenticationUser username="system" password="manager"
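Review bot: the version boundary in the new reload note is ambiguous: it says the property files were reloaded on every authentication request "Until version 5.11.1" and that "From 5.12 onward they only get reloaded if reload=true is set", which leaves 5.11.x releases after 5.11.1 undefined; state a single boundary (the release in which AMQ-5876 changed the default) and use it in both sentences. The operational consequence also deserves to be spelled out rather than emphasised with "!!": with the default `reload` setting, deleting a user or changing a password or group in `users.properties`/`groups.properties` has no effect on a running broker until it is restarted, so anyone relying on these files for credential revocation must either set `reload=true` in the `PropertiesLoginModule` entry, as the added `login.config` sample shows, or restart the broker after every change. Rewording the closing sentence to something like "Without reload=true the files are read once at broker startup; edits, including removed users and changed passwords, take effect only after a restart (see AMQ-5876)" makes the security trade-off clear.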
@@ -105,7 +113,7 @@
     &lt;/users&gt;
 &lt;/simpleAuthenticationPlugin&gt;
 </pre>
-</div></div><p>To allow anonymous access to the broker, use <code>anonymousAccessAllowed</code>
attribute and set it to <code>true</code> as shown above. Now, when the client
connects without username and password provided, a default username (<code>anonymous</code>)
and group (<code>anonymous</code>) will be assigned to its security context. You
can use this username and password to authorize client's access to appropriate broker resources
(see the next section). You can also change username and group that will be assigned to <em>anonymous</em>
users by using <code>anonymousUser</code> and <code>anonymousGroup</code>
attributes.</p><h3 id="Security-Authorization">Authorization</h3><p>In
ActiveMQ we use a number of operations which you can associate with user roles and either
individual queues or topics or you can use wildcards to attach to hierarchies of topics and
queues.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="conflu
 enceTh"><p>Operation</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>read</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>You can browse and consume from the destination</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>write</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>You can send messages to the destination</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>admin</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>You can lazily create the destination
if it does not yet exist. This allows you fine grained control over which new destinations
can be dynamically created in what part of the queue/topic hierarchy</p></td></tr></tbody></table></div><p>Queues/Topics
can specified using the ActiveMQ <a shape="rect" href="wildcards.html">Wildcards</a>
syntax.</p><h4 id="Security-AuthorizationExample">Authorization Example</h4>
 <p>The following <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml">example</a>
shows these 2 plugins in operation. Though note its very easy to write your own plugin.</p><div
class="error"><span class="error">Error formatting macro: snippet: java.lang.IndexOutOfBoundsException:
Index: 20, Size: 20</span> </div><p><strong>Note</strong> that
full access rights should generally be given to the ActiveMQ.Advisory destinations because
by default an ActiveMQConnection uses destination advisories to get early knowledge of temp
destination creation and deletion. In addition, dynamic network connectors use advisories
to determine consumer demand.<br clear="none"> If necessary, the use of advisories in
this manner can be disabled via the <em>watchTopicAdvisories</em> boolean attribute
of ActiveMQConnectionFactory and for a networkConnector, via the network connector <em
 >staticBridge</em>(5.6) boolean attribute.</p><h3 id="Security-Broker-to-BrokerAuthenticationandAuthorization">Broker-to-Broker
Authentication and Authorization</h3><p>If you have enabled authentication for
a particular message broker, then other brokers that wish to connect to that broker must provide
the proper authentication credentials via their &lt;networkConnector&gt; element.
For example, suppose that we have a network of brokers with the following configuration:</p><ul
class="alternate"><li>The network of brokers comprises two brokers (BrokerA and BrokerB)</li><li>Authentication
for BrokerA has been enabled via the example &lt;simpleAuthenticationPlugin&gt; element.</li><li>Authentication
for BrokerB has not been enabled.</li><li>BrokerA only listens for connections.
In other words, BrokerA has a &lt;transportConnector&gt; element, but no &lt;networkConnector&gt;
elements.</li></ul><p>In order for BrokerB to connect to BrokerA, the corresponding
&lt;networkConnector&gt; elem
 ent in BrokerB's XML configuration file must be set up as follows.</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
+</div></div><p>To allow anonymous access to the broker, use <code>anonymousAccessAllowed</code>
attribute and set it to <code>true</code> as shown above. Now, when the client
connects without username and password provided, a default username (<code>anonymous</code>)
and group (<code>anonymous</code>) will be assigned to its security context. You
can use this username and password to authorize client's access to appropriate broker resources
(see the next section). You can also change username and group that will be assigned to <em>anonymous</em>
users by using <code>anonymousUser</code> and <code>anonymousGroup</code>
attributes.</p><h3 id="Security-Authorization">Authorization</h3><p>In
ActiveMQ we use a number of operations which you can associate with user roles and either
individual queues or topics or you can use wildcards to attach to hierarchies of topics and
queues.</p><div class="table-wrap"><table class="confluenceTable"><tbody><tr><th
colspan="1" rowspan="1" class="conflu
 enceTh"><p>Operation</p></th><th colspan="1" rowspan="1" class="confluenceTh"><p>Description</p></th></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>read</p></td><td colspan="1"
rowspan="1" class="confluenceTd"><p>You can browse and consume from the destination</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>write</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>You can send messages to the destination</p></td></tr><tr><td
colspan="1" rowspan="1" class="confluenceTd"><p>admin</p></td><td
colspan="1" rowspan="1" class="confluenceTd"><p>You can lazily create the destination
if it does not yet exist. This allows you fine grained control over which new destinations
can be dynamically created in what part of the queue/topic hierarchy</p></td></tr></tbody></table></div><p>Queues/Topics
can specified using the ActiveMQ <a shape="rect" href="wildcards.html">Wildcards</a>
syntax.</p><h4 id="Security-AuthorizationExample">Authorization Example</h4>
 <p>The following <a shape="rect" class="external-link" href="http://svn.apache.org/repos/asf/activemq/trunk/activemq-unit-tests/src/test/resources/org/apache/activemq/security/jaas-broker.xml">example</a>
shows these 2 plugins in operation. Though note its very easy to write your own plugin.</p><div
class="error"><span class="error">Error formatting macro: snippet: java.lang.IndexOutOfBoundsException:
Index: 20, Size: 20</span> </div><strong>Note</strong> that full access
rights should generally be given to the ActiveMQ.Advisory destinations because by default
an ActiveMQConnection uses destination advisories to get early knowledge of temp destination
creation and deletion. In addition, dynamic network connectors use advisories to determine
consumer demand.<br clear="none"> If necessary, the use of advisories in this manner
can be disabled via the <em>watchTopicAdvisories</em> boolean attribute of ActiveMQConnectionFactory
and for a networkConnector, via the network connector <em>st
 aticBridge</em>(5.6) boolean attribute.<h3 id="Security-Broker-to-BrokerAuthenticationandAuthorization">Broker-to-Broker
Authentication and Authorization</h3><p>If you have enabled authentication for
a particular message broker, then other brokers that wish to connect to that broker must provide
the proper authentication credentials via their &lt;networkConnector&gt; element.
For example, suppose that we have a network of brokers with the following configuration:</p><ul
class="alternate"><li>The network of brokers comprises two brokers (BrokerA and BrokerB)</li><li>Authentication
for BrokerA has been enabled via the example &lt;simpleAuthenticationPlugin&gt; element.</li><li>Authentication
for BrokerB has not been enabled.</li><li>BrokerA only listens for connections.
In other words, BrokerA has a &lt;transportConnector&gt; element, but no &lt;networkConnector&gt;
elements.</li></ul><p>In order for BrokerB to connect to BrokerA, the corresponding
&lt;networkConnector&gt; element in 
 BrokerB's XML configuration file must be set up as follows.</p><div class="code
panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
 <pre class="brush: xml; gutter: false; theme: Default" style="font-size:12px;">&lt;networkConnectors&gt;
    &lt;networkConnector name="brokerAbridge"
                      userName="user"
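Review bot: the advisory note after the authorization table lost its paragraph wrapper in this hunk: the removed lines read `<p><strong>Note</strong> that full access rights should generally be given to the ActiveMQ.Advisory destinations ...` and closed with `(5.6) boolean attribute.</p>`, while the added lines begin with a bare `<strong>Note</strong> that` and run straight into `attribute.<h3 id="Security-Broker-to-BrokerAuthenticationandAuthorization">`, so the note now renders as loose inline text between the error div and the next heading; restore the `<p>...</p>`. The `Error formatting macro: snippet: java.lang.IndexOutOfBoundsException: Index: 20, Size: 20` block is carried over unchanged, so the "Authorization Example" section still publishes an error message in place of the jaas-broker.xml snippet that the text says "shows these 2 plugins in operation"; that snippet is the only place the page would show the authorization entries that the ActiveMQ.Advisory guidance refers to, so the macro should be fixed before the regenerated page goes out. Two wording nits survive in both versions: "Queues/Topics can specified" (missing "be") and "its very easy" ("it's").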


