ActiveMQ 安全配置相关说明
说明:
activeMQ分为2个安全配置。一个是web控制台的安全配置;另外一个是对于队列/主题的访问安全配置。
安装好ActiveMQ后,其默认没有任何安全控制,任何人都可以通过8161端口登录Web控制台,任何人都可以通过61616端口发送和接收JMS消息。在实际应用中,需要由我们自己对ActiveMQ进行安全性配置。
一:web控制台安全控制
ActiveMQ使用的是jetty服务器, 打开conf/jetty.xml文件,找到
<bean id="securityConstraint" class="org.eclipse.jetty.http.security.Constrint"> <property name="name" value="BASIC" /> <property name="roles" value="admin" /> <property name="authenticate" value="false" /> </bean> |
将property name为authenticate的属性value="false" 改为"true"。
控制台的登录用户名密码保存在conf/jetty-realm.properties文件中,内容如下:
## --------------------------------------------------------------------------- ## Licensed to the Apache Software Foundation (ASF) under one or more ## contributor license agreements. See the NOTICE file distributed with ## this work for additional information regarding copyright ownership. ## The ASF licenses this file to You under the Apache License, Version 2.0 ## (the "License"); you may not use this file except in compliance with ## the License. You may obtain a copy of the License at ## ## http://www.apache.org/licenses/LICENSE-2.0 ## ## Unless required by applicable law or agreed to in writing, software ## distributed under the License is distributed on an "AS IS" BASIS, ## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ## See the License for the specific language governing permissions and ## limitations under the License. ## --------------------------------------------------------------------------- # Defines users that can access the web (console, demo, etc.) # username: password [,rolename ...] admin: admin, admin |
用户格式定义: 用户名:密码[,角色...] , 以上配置就是用户名为admin,密码为admin,角色为admin的用户
重启,访问 http://127.0.0.1:8161/admin/ 将弹出要求输入用户名密码的弹出框。
二:对于队列/主题的访问安全配置
通过MQ中间件,发送和接收消息这一过程,也需要进行安全控制。
Authorization
In ActiveMQ we use a number of operations which you can associate with user roles and either individual queues or topics or you can use wildcards to attach to hierarchies of topics and queues.
Operation | Description |
read | You can browse and consume from the destination |
write | You can send messages to the destination |
admin | You can lazily create the destination if it does not yet exist. This allows you fine grained control over which new destinations can be dynamically created in what part of the queue/topic hierarchy |
以上是apache官网的描述.这里稍微解释下.
对于队列/主题的访问只有3个操作类型,read:浏览并接收消息;write:发送消息;admin:这是我们在写我们自己客户端程序访问activeMQ时候,如果队列/主题不存在.则admin就可指定该"角色"是否有权限建立这个队列(没错,不像weblogic的jms那样,队列/主题没有从后台建立,则客户端无法访问.)
对于JMS的安全配置这里又介绍两种。现在先做关于“角色/权限”的一个介绍:
a. simpleAuthentication(简单的身份验证)
在conf/activemq.xml文件中加入以下内容即可(注意如果文件有systemUsage,应该放到systemUsage前):
<plugins>
<!-- Configure authentication; Username, passwords and groups -->
<simpleAuthenticationPlugin>
<users>
<authenticationUser username="system" password="${activemq.password}" groups="users,admins"/>
<authenticationUser username="user" password="${guest.password}" groups="users"/>
<authenticationUser username="guest" password="${guest.password}" groups="guests"/>
</users>
</simpleAuthenticationPlugin>
</plugins>
以上占位引用可在conf/credential.properties中配置
b. JAAS身份验证
1.在conf/activemq.xml文件中加上:
<plugins> <!-- Configure authentication; Username, passwords and groups 添加jaas认证插件activemq-domain 在login.config里面定义,详细见login.config --> <jaasAuthenticationPlugin configuration="activemq-domain" /> <!-- Lets configure a destination based authorization mechanism 配置队列用户权限,>表示任意字符 --> <authorizationPlugin> <map> <authorizationMap> <authorizationEntries> <authorizationEntry queue=">" read="admins" write="admins" admin="admins" /> <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry queue="TEST.Q" read="guests" write="guests" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" /> <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/> </authorizationEntries> </authorizationMap> </map> </authorizationPlugin> </plugins> |
在配置中 ">" 代表所有的意思. 而 "ActiveMQ.Advisory.>" 则代表.名为 "ActiveMQ.Advisory."下的所有.
2. 在conf目录下增加login.config,groups.properties,users.properties
login.config 内容如下:
activemq-domain { org.apache.activemq.jaas.PropertiesLoginModule required debug=true org.apache.activemq.jaas.properties.user="users.properties" org.apache.activemq.jaas.properties.group="groups.properties"; }; |
groups.properties 内容如下:
#group=userName admins=system |
users.properties 内容如下:
#userName=password system=manager |
以上两种配置方式到conf下activemq-security.xml文件都能看到
以上为参考内容,链接http://blog.csdn.net/ichsonx/article/details/8540004
###################################
web控制台安全控制比较基础
其中,对于队列/主题的访问安全配置,修改完配置文件后。代码中也要进行相应用户名和密码的设置。
测试使用的是点对点方式,刚开始与MQ交互时没有进行设置用户名和密码。
以下为获取session时的操作修改:
// 1.获取Mq连接的url String BROKER_URL = MqServerFactory.getMqServerUrl(str); log.info("要进行的Mq的连接的url: "+BROKER_URL); log.info("获取session工具类中,重建MQ连接,获取session"); // 2.创建链接工厂 ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(BROKER_URL); // 与MQ进行连接时的用户和密码设置 factory.setUserName("userName"); factory.setPassword("password"); // 3.通过工厂创建一个连接 connection = factory.createQueueConnection(); // 4.启动连接 connection.start(); // 5.创建一个session会话 session = connection.createQueueSession(true, Session.CLIENT_ACKNOWLEDGE); |
最后,附上官网的配置连接:http://activemq.apache.org/security.html