Home > Java > javaTutorial > body text

Detailed explanation of the security mechanism of JMS Active MQ

怪我咯
Release: 2017-06-26 11:44:53
Original
1898 people have browsed it

1. Authentication

Authentication: Verify whether an entity or user has permission to access protected resources.

MQ provides two plug-ins for authority authentication:
(1), Simple authentication plug-in: Directly configure the relevant authority authentication information to XML file.

Configure the broker element of conf/activemq.xml to add a plug-in:

        <plugins><simpleAuthenticationPlugin><users><authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/><authenticationUser username="publisher" password="password"  groups="publishers,consumers"/><authenticationUser username="consumer" password="password" groups="consumers"/><authenticationUser username="guest" password="password"  groups="guests"/></users></simpleAuthenticationPlugin></plugins>
Copy after login

There are two authentication methods in the code:

1. When creating a Connection When authenticating

//用户认证Connection conn = connFactory.createConnection("admin","password");
Copy after login

2, you can also authenticate when creating the ConnectionFactory factory

ConnectionFactory connFactory = new ActiveMQConnectionFactory("admin","password",url);
Copy after login

(2) JAAS authentication plug-in: implements the JAAS API and provides a more powerful and customizable permission scheme.

Configuration method:

1. Create the login.config file in the conf directory User configuration PropertiesLoginModule:

activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required debug=trueorg.apache.activemq.jaas.properties.user="users.properties"org.apache.activemq.jaas.properties.group="groups.properties";
};
Copy after login

2. Create it in the conf directory users.properties file user configuration user:

# 创建四个用户
admin=password  
publisher=password 
consumer=password  
guest=password
Copy after login

3. Create groups.properties file user configuration user group in the conf directory:

#创建四个组并分配用户
admins=admin
publishers=admin,publisher
consumers=admin,publisher,consumer
guests=guest
Copy after login

4. Insert the configuration into activemq.xml:

<!-- JAAS authentication plug-in --><plugins><jaasAuthenticationPlugin configuration="activemq-domain" /></plugins>
Copy after login

5. Configure the startup parameters of MQ:

Use the dos command to start:

D:\tools\apache-activemq-5.6.0-bin\apache-activemq-5.6.0\bin\win64>activemq.bat -Djava.security.auth.login.config=D:/tools/apache-activemq-5.6.0-bin/apache-activemq-5.6.0/conf/login.config
Copy after login

6. The authentication method in the code is the same as the Simple authentication plug-in.

2. Authorization

Based on authentication, corresponding permissions can be granted based on the actual user role. For example, some users have queue write permissions, some can only read, etc.
Two authorization methods
(1) Destination level authorization

Three operation levels of JMS destination:
Read: Permission to read destination messages
Write: Permission to send messages to the destination
Admin: Permission to manage the destination

Configuration method conf/activemq.xml:

<plugins><jaasAuthenticationPlugin configuration="activemq-domain" /><authorizationPlugin><map><authorizationMap><authorizationEntries><authorizationEntry topic="topic.ch09" read="consumers" write="publishers" admin="publishers" /></authorizationEntries></authorizationMap></map></authorizationPlugin></plugins>
Copy after login

(2) Message level authorization

Authorize specific messages.

Development steps:
1. To implement the message authorization plug-in, you need to implement the MessageAuthorizationPolicy interface

public class AuthorizationPolicy implements MessageAuthorizationPolicy {private static final Log LOG = LogFactory.
        getLog(AuthorizationPolicy.class);public boolean isAllowedToConsume(ConnectionContext context,
        Message message) {
        LOG.info(context.getConnection().getRemoteAddress());
        String remoteAddress = context.getConnection().getRemoteAddress();if (remoteAddress.startsWith("/127.0.0.1")) {
            LOG.info("Permission to consume granted");return true;
        } else {
        LOG.info("Permission to consume denied");return false;
    }
    }
}
Copy after login

2. Type the plug-in implementation class into a JAR package and put it into In the lib directory of activeMq

3. Set the element in activemq.xml

<messageAuthorizationPolicy><bean class="org.apache.activemq.book.ch6.AuthorizationPolicy" xmlns="http://www.springframework.org/schema/beans" /></messageAuthorizationPolicy>
Copy after login

3. Customize the security plug-in

Plug-in logic needs to implement the BrokerFilter class and install it through the BrokerPlugin implementation class for interception and Broker-level operations:

  • Access consumption Authors and producers

  • Commit transactions

  • Add and delete broker connections

demo: Restrict Broker connections based on IP address.

package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerFilter;import org.apache.activemq.broker.ConnectionContext;import org.apache.activemq.command.ConnectionInfo;public class IPAuthenticationBroker extends BrokerFilter {
    List<String> allowedIPAddresses;public IPAuthenticationBroker(Broker next, List<String>allowedIPAddresses) {super(next);this.allowedIPAddresses = allowedIPAddresses;
    }public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        String remoteAddress = context.getConnection().getRemoteAddress();if (!allowedIPAddresses.contains(remoteAddress)) {throw new SecurityException("Connecting from IP address "
            + remoteAddress+ " is not allowed" );
        }super.addConnection(context, info);
    }
}
Copy after login

Install the plug-in:

package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerPlugin;public class IPAuthenticationPlugin implements BrokerPlugin {
    List<String> allowedIPAddresses;public Broker installPlugin(Broker broker) throws Exception {return new IPAuthenticationBroker(broker, allowedIPAddresses);
    }public List<String> getAllowedIPAddresses() {return allowedIPAddresses;
    }public void setAllowedIPAddresses(List<String> allowedIPAddresses) {this.allowedIPAddresses = allowedIPAddresses;
    }
}
Copy after login

ps: Put this class into a jar package and put it in the lib directory of activemq

Configure custom plug-in:

<plugins><bean xmlns="http://www.springframework.org/schema/beans" id="ipAuthenticationPlugin"   class="org.apache.activemq.book.ch6.IPAuthenticationPlugin"><property name="allowedIPAddresses"><list>  <value>127.0.0.1</value></list></property></bean></plugins>
Copy after login

The above is the detailed content of Detailed explanation of the security mechanism of JMS Active MQ. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template