2.4 Security
ActiveMQ支持可插拔的安全机制,用以在不同的provider之间切换。
2.4.1 Simple Authentication Plugin
Simple Authentication Plugin适用于简单的认证需求,或者用于建立测试环境。它允许在XML配置文件中指定用户、用户组和密码等信息。以下是ActiveMQ配置的一个例子:
<plugins> ... <simpleAuthenticationPlugin> <users> <authenticationUser username="system" password="manager" groups="users,admins"/> <authenticationUser username="user" password="password" groups="users"/> <authenticationUser username="guest" password="password" groups="guests"/> </users> </simpleAuthenticationPlugin> </plugins>2.4.2 JAAS Authentication Plugin
JAAS Authentication Plugin依赖标准的JAAS机制来实现认证。通常情况下,你需要通过设置java.security.auth.login.config系统属性来配置login modules的配置文件。如果没有指定这个系统属性,那么JAAS Authentication Plugin会缺省使用login.config作为文件名。以下是一个login.config文件的例子:
activemq-domain {
org.apache.activemq.jaas.PropertiesLoginModule required debug=true org.apache.activemq.jaas.properties.user="users.properties" org.apache.activemq.jaas.properties.group="groups.properties";
};
这个login.config文件中设置了两个属性:org.apache.activemq.jaas.properties.user和org.apache.activemq.jaas.properties.group分别用来指向user.properties和group.properties文件。需要注意的是,PropertiesLoginModule使用本地文件的查找方式,而且查找时采用的base directory是login.config文件所在的目录。因此这个login.config说明user.properties和group.properties文件存放在跟login.config文件相同的目录里。
以下是ActiveMQ配置的一个例子:
<plugins> ... <jaasAuthenticationPlugin configuration="activemq-domain" /> </plugins>基于以上的配置,在JAAS的LoginContext中会使用activemq-domain中配置的PropertiesLoginModule来进行登陆。
ActiveMQ JAAS还支持LDAPLoginModule、CertificateLoginModule、TextFileCertificateLoginModule等login module。
2.4.3 Custom Authentication Implementation
可以通过编码的方式为ActiveMQ增加认证功能。例如编写一个类继承自XBeanBrokerService。
package com.yourpackage;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFactory;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.security.SimpleAuthenticationBroker;
import org.apache.activemq.xbean.XBeanBrokerService;
public class SimpleAuthBroker extends XBeanBrokerService {
//
private String user;
private String password;
@SuppressWarnings("unchecked")
protected Broker addInterceptors(Broker broker) throws Exception {
broker = super.addInterceptors(broker);
Map passwords = new HashMap();
passwords.put(getUser(), getPassword());
broker = new SimpleAuthenticationBroker(broker, passwords, new HashMap());
return broker;
}
public String getUser() {
return user;
}
public void setUser(String user) {
this.user = user;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}
Java代码
package com.yourpackage;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFactory;
import org.apache.activemq.broker.BrokerService;
import org.apache.activemq.security.SimpleAuthenticationBroker;
import org.apache.activemq.xbean.XBeanBrokerService;
public class SimpleAuthBroker extends XBeanBrokerService {
//
private String user;
private String password;
@SuppressWarnings("unchecked")
protected Broker addInterceptors(Broker broker) throws Exception {
broker = super.addInterceptors(broker);
Map passwords = new HashMap();
passwords.put(getUser(), getPassword());
broker = new SimpleAuthenticationBroker(broker, passwords, new HashMap());
return broker;
}
public String getUser() {
return user;
}
public void setUser(String user) {
this.user = user;
}
public String getPassword() {
return password;
}
public void setPassword(String password) {
this.password = password;
}
}
以下是ActiveMQ配置文件的一个例子:
Xml代码
<beans>
…
<auth:SimpleAuthBroker
xmlns:auth="java://com.yourpackage"
xmlns="http://activemq.org/config/1.0" brokerName="SimpleAuthBroker1" user="user" password="password" useJmx="true">
<transportConnectors>
<transportConnector uri="tcp://localhost:61616"/>
</transportConnectors>
</auth:SimpleAuthBroker>
…
</beans>
<beans>
… <auth:SimpleAuthBroker xmlns:auth="java://com.yourpackage" xmlns="http://activemq.org/config/1.0" brokerName="SimpleAuthBroker1" user="user" password="password" useJmx="true"> <transportConnectors> <transportConnector uri="tcp://localhost:61616"/> </transportConnectors> </auth:SimpleAuthBroker> … </beans>
在这个配置文件中增加了一个namespace auth,用于指向之前编写的哪个类。同时为SimpleAuthBroker注入了两个属性值user和password,因此在被SimpleAuthBroker改写的addInterceptors方法里,可以使用这两个属性进行认证了。ActiveMQ提供的SimpleAuthenticationBroker类继承自BrokerFilter(可以简单的看成是Broker的Adaptor),它的构造函数中的两个Map分别是userPasswords和userGroups。 SimpleAuthenticationBroker在 addConnection方法中使用userPasswords进行认证,同时会把userGroups的信息保存到ConnectionContext中 。
2.4.4 Authorization Plugin
可以通过Authorization Plugin为认证后的用户授权,以下ActiveMQ配置文件的一个例子:
<plugins> <jaasAuthenticationPlugin configuration="activemq-domain"/> <authorizationPlugin> <map> <authorizationMap> <authorizationEntries> <authorizationEntry queue=">" read="admins" write="admins" admin="admins" /> <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" /> <authorizationEntry topic=">" read="admins" write="admins" admin="admins" /> <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" /> <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" /> <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/> </authorizationEntries> </authorizationMap> </map> </authorizationPlugin> </plugins>