activemq-users mailing list archives

From jfcharles <john.char...@ttmsolutions.com>
Subject Re: use AMQ to transfer, about Security problem
Date Thu, 23 Oct 2008 04:05:40 GMT



Dave Stanley wrote:
> 
> Hi Gui,
> The attached file seems to work ok. Can you copy out the relevant parts and
> give it a try?
> 
> /Dave
> 
> 
> On Thu, Oct 16, 2008 at 10:15 PM, gui pei <guipei.java@gmail.com> wrote:
> 
>> Hi, Stanley
>>
>> I think that is not true.
>>
>> The duplex option is used to indicate the message transfer direction: though
>> broker A connects to broker B, if you set it, messages can transfer from
>> B to A.
>>
>> My understanding is that 'networkConnector' needs to connect two brokers, such
>> as A and B, but you can only input one set of authentication info; if brokers
>> A and B have different authentication, it will fail.
>>
>> Here I have two suggestions:
>> a) AMQ should use this network connector to authenticate the remote broker;
>> if it connects to itself, it doesn't need authentication info.
>> b) AMQ should provide two sets of authentication info, to use to connect the
>> two brokers, itself and the remote broker.
>>
>>
>> What do you think of this?
>>
>>
>>
>>
>> On Thu, Oct 16, 2008 at 11:18 PM, Dave Stanley <dstanleyd@gmail.com> wrote:
>>
>> > If the authorization is different for both ends of the network connector, I
>> > think you would need to remove the duplex="true"
>> >
>> > On Wed, Oct 15, 2008 at 11:46 PM, gui pei <guipei.java@gmail.com> wrote:
>> >
>> > > Hi, all
>> > > Here is a problem; does anyone know how to resolve it?
>> > >
>> > > I have two ActiveMQ brokers, A and B. A has authorization, but B doesn't.
>> > >
>> > > A has a connection to B. The configuration is this:
>> > >
>> > >        <networkConnector name="amq_B" uri="static://(tcp://server_B:61616)"
>> > >            userName="user" password="password" duplex="true">
>> > >        </networkConnector>
>> > >
>> > > According to the ActiveMQ documentation, you must add authorization info.
>> > >
>> > > This test is OK.
>> > >
>> > > But what if B has authorization too, and it is different from A's?
>> > >
>> > > I know this connection needs authorization for A and authorization for B. I
>> > > think it's no use having authorization info to connect to itself. How should
>> > > I configure this connection?
>> > >
>> > >
>> > > Thanks in advance.
>> > >
>> > > --
>> > > It's winter now, let's hibernate.
>> > >
>> >
>>
>>
>>
>> --
>> It's winter now, let's hibernate.
>>
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> http://activemq.org/config/1.0
> http://activemq.apache.org/snapshot-schema/activemq-core-5.0-SNAPSHOT.xsd"
> -->
> 
> 
> <beans 
>   xmlns="http://www.springframework.org/schema/beans" 
>   xmlns:amq="http://activemq.org/config/1.0"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>   
>   <bean
> class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
> 
>   </bean>
> 
> 
>   <!-- Broker1 -->
>   <amq:broker brokerName="broker1" id="broker1" useJmx="true"
> persistent="true" start="true">
>  
>     <amq:transportConnectors>
>       <amq:transportConnector uri="tcp://localhost:61616" />
>     </amq:transportConnectors>
> 
>   
> 
>     <amq:persistenceAdapter>
>       <amq:amqPersistenceAdapter directory="file:broker1/data"
> syncOnWrite="false"/>
>     </amq:persistenceAdapter>
> 
>    <amq:plugins>
>       <amq:simpleAuthenticationPlugin>
>          <amq:users>
>            <amq:authenticationUser username="broker1sa" password="manager"
> groups="producers,consumers,admins" />
>            <amq:authenticationUser username="broker1frontend"
> password="broker1frontendpwd" groups="producers,consumers" />
>            <amq:authenticationUser username="broker1networkconnector"
> password="broker1ncpwd" groups="consumers,producers,admins" />
> 	   <amq:authenticationUser username="broker2networkconnector"
> password="broker1ncpwd" groups="consumers,producers,admins" />
> 
> 	   <!-- this is our password to broker2 -->
> 	   <amq:authenticationUser username="broker2networkconnector"
> password="broker2ncpwd" groups="consumers,producers,admins" />
>          </amq:users>
>        </amq:simpleAuthenticationPlugin>
>        <amq:authorizationPlugin>
>          <amq:map>
>            <amq:authorizationMap>
>              <amq:authorizationEntries>
>                <amq:authorizationEntry queue=">" write="producers"
> read="consumers" admin="admins" />
>                <amq:authorizationEntry topic=">" write="producers"
> read="consumers" admin="admins" />
>              </amq:authorizationEntries>
>            </amq:authorizationMap>
>          </amq:map>
>        </amq:authorizationPlugin>
>     </amq:plugins>
>  
>      <amq:managementContext>
>        <amq:managementContext connectorPort="1100"
> jmxDomainName="org.apache.activemq"/>
>     </amq:managementContext>
> 
>     <amq:networkConnectors>
>     	<amq:networkConnector name="broker1tobroker2" 
> 		     userName="broker2networkconnector" password="broker2ncpwd" 
>                      uri="static://(tcp://localhost:62616)" duplex="false"
> />
>     </amq:networkConnectors>
> 
> 
>   </amq:broker>
>   
>   
>   <!-- Broker2 -->
>   <amq:broker brokerName="broker2" id="broker2" useJmx="true"
> persistent="true" start="true" xmlns="http://activemq.org/config/1.0">
>     
>     <amq:transportConnectors>
>       <amq:transportConnector uri="tcp://localhost:62616" />
>     </amq:transportConnectors>
> 
>   
> 
>     <amq:persistenceAdapter>
>       <amq:amqPersistenceAdapter directory="file:broker2/data"
> syncOnWrite="false" />
>     </amq:persistenceAdapter>
> 
>     <amq:plugins>
>       <amq:simpleAuthenticationPlugin>
>          <amq:users>
>            <amq:authenticationUser username="broker2sa" password="manager"
> groups="producers,consumers,admins" />
>            <amq:authenticationUser username="broker2frontend"
> password="broker2frontendpwd" groups="producers,consumers" />
>            <amq:authenticationUser username="broker2networkconnector"
> password="broker2ncpwd" groups="consumers,producers,admins" />
> 	   
>  	   <!-- this is our password to connect back to broker1 -->
> 	   <amq:authenticationUser username="broker1networkconnector"
> password="broker1ncpwd" groups="consumers,producers,admins" />
> 
>          </amq:users>
>        </amq:simpleAuthenticationPlugin>
>        <amq:authorizationPlugin>
>          <amq:map>
>            <amq:authorizationMap>
>              <amq:authorizationEntries>
>                <amq:authorizationEntry queue=">" write="producers"
> read="consumers" admin="admins" />
>                <amq:authorizationEntry topic=">" write="producers"
> read="consumers" admin="admins" />
>              </amq:authorizationEntries>
>            </amq:authorizationMap>
>          </amq:map>
>        </amq:authorizationPlugin>
>     </amq:plugins>
> 
>     <amq:managementContext>
>        <amq:managementContext connectorPort="1099"
> jmxDomainName="org.apache.activemq"/>
>     </amq:managementContext>
> 
>     <amq:networkConnectors>
>     	<amq:networkConnector name="broker2tobroker1"
>                      userName="broker1networkconnector"
> password="broker1ncpwd" 
>                      uri="static://(tcp://localhost:61616)"
> duplex="false"/>
>     </amq:networkConnectors>
> 
>   </amq:broker>
> 
>    
> </beans>
> 
> 

I don't believe it's necessary to add broker1's authentication details to
broker2 and vice-versa, within the broker simpleAuthenticationPlugin
element, in addition to adding their username/password combination to the
networkConnector. Simply add it to the networkConnector element as
attributes. When one broker connects to another, the network connector
passes authentication attributes to the target broker and it authenticates
the connection using the passed-in credentials against the target broker's
authorised users list.

John Charles - For a more detailed free AMQ 5.1 User Guide see
www.ttmsolutions.com
-- 
View this message in context: http://www.nabble.com/use-AMQ-to-transfer%2C-about-Security-problem-tp20006596p20124075.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
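
Added example (not part of the original message, and not ActiveMQ code): a small Python check of the model described in the reply above, where each networkConnector's userName/password is matched against the user list of the broker it connects to. The names `audit`, `endpoints` and `SAMPLE` are hypothetical, pairing a connector with its target by the host:port of the target's transportConnector is an assumption, and the sample is constructed from the quoted attachment with the elements flattened and one made-up wrong password ("stale").

```python
import re
import xml.etree.ElementTree as ET

AMQ = "{http://activemq.org/config/1.0}"  # namespace used by the quoted config

# Constructed sample reduced from the quoted attachment; "stale" is a made-up value.
SAMPLE = """<beans xmlns:amq="http://activemq.org/config/1.0">
 <amq:broker brokerName="broker1">
  <amq:transportConnector uri="tcp://localhost:61616"/>
  <amq:authenticationUser username="broker1networkconnector" password="broker1ncpwd"/>
  <amq:authenticationUser username="broker2networkconnector" password="broker2ncpwd"/>
  <amq:networkConnector name="broker1tobroker2" userName="broker2networkconnector"
      password="broker2ncpwd" uri="static://(tcp://localhost:62616)"/>
 </amq:broker>
 <amq:broker brokerName="broker2">
  <amq:transportConnector uri="tcp://localhost:62616"/>
  <amq:authenticationUser username="broker2networkconnector" password="broker2ncpwd"/>
  <amq:networkConnector name="broker2tobroker1" userName="broker1networkconnector"
      password="stale" uri="static://(tcp://localhost:61616)"/>
 </amq:broker>
</beans>"""

def endpoints(uri):
    """host:port pairs inside tcp://h:p or static://(tcp://h:p,...)."""
    return set(re.findall(r"tcp://([^:/,()]+:\d+)", uri or ""))

def audit(xml_text):
    """Return (connector, verdict, broker) tuples; iter() finds elements at any depth."""
    brokers = {}
    for b in ET.fromstring(xml_text).iter(AMQ + "broker"):
        listens = set().union(*(endpoints(t.get("uri")) for t in b.iter(AMQ + "transportConnector")))
        users = {}
        for u in b.iter(AMQ + "authenticationUser"):
            users.setdefault(u.get("username"), set()).add(u.get("password"))
        brokers[b.get("brokerName")] = (listens, users, list(b.iter(AMQ + "networkConnector")))
    findings = []
    for src, (_, own_users, connectors) in brokers.items():
        for nc in connectors:
            user, pwd = nc.get("userName"), nc.get("password")
            if user in own_users:  # copy kept in the connecting broker's own user list
                findings.append((nc.get("name"), "also-defined-on-source", src))
            for dst, (listens, dst_users, _) in brokers.items():
                if dst != src and listens & endpoints(nc.get("uri")):
                    verdict = "accepted" if pwd in dst_users.get(user, set()) else "rejected"
                    findings.append((nc.get("name"), verdict, dst))
    return findings
```

Every `also-defined-on-source` finding is an extra account on the connecting broker that can log in to it directly, so it is worth reviewing alongside any `rejected` connector.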

