Authentication: Verify whether an entity or user has permission to access protected resources.
MQ provides two plug-ins for authority authentication:
(1), Simple authentication plug-in: Directly configure the relevant authority authentication information to XML file.
Configure the broker element of conf/activemq.xml to add a plug-in:
There are two authentication methods in the code:
1. When creating a Connection When authenticating
//用户认证Connection conn = connFactory.createConnection("admin","password");2, you can also authenticate when creating the ConnectionFactory factory
ConnectionFactory connFactory = new ActiveMQConnectionFactory("admin","password",url);
(2) JAAS authentication plug-in: implements the JAAS API and provides a more powerful and customizable permission scheme.
Configuration method:
1. Create the login.config file in the conf directory User configuration PropertiesLoginModule:
activemq-domain {
org.apache.activemq.jaas.PropertiesLoginModule required debug=trueorg.apache.activemq.jaas.properties.user="users.properties"org.apache.activemq.jaas.properties.group="groups.properties";
};2. Create it in the conf directory users.properties file user configuration user:
# 创建四个用户 admin=password publisher=password consumer=password guest=password
3. Create groups.properties file user configuration user group in the conf directory:
#创建四个组并分配用户 admins=admin publishers=admin,publisher consumers=admin,publisher,consumer guests=guest
4. Insert the configuration into activemq.xml:
5. Configure the startup parameters of MQ:
Use the dos command to start:
D:\tools\apache-activemq-5.6.0-bin\apache-activemq-5.6.0\bin\win64>activemq.bat -Djava.security.auth.login.config=D:/tools/apache-activemq-5.6.0-bin/apache-activemq-5.6.0/conf/login.config
6. The authentication method in the code is the same as the Simple authentication plug-in.
Based on authentication, corresponding permissions can be granted based on the actual user role. For example, some users have queue write permissions, some can only read, etc.
Two authorization methods
(1) Destination level authorization
Three operation levels of JMS destination:
Read: Permission to read destination messages
Write: Permission to send messages to the destination
Admin: Permission to manage the destination
Configuration method conf/activemq.xml:
(2) Message level authorization
Authorize specific messages.
Development steps:
1. To implement the message authorization plug-in, you need to implement the MessageAuthorizationPolicy interface
public class AuthorizationPolicy implements MessageAuthorizationPolicy {private static final Log LOG = LogFactory.
getLog(AuthorizationPolicy.class);public boolean isAllowedToConsume(ConnectionContext context,
Message message) {
LOG.info(context.getConnection().getRemoteAddress());
String remoteAddress = context.getConnection().getRemoteAddress();if (remoteAddress.startsWith("/127.0.0.1")) {
LOG.info("Permission to consume granted");return true;
} else {
LOG.info("Permission to consume denied");return false;
}
}
}2. Type the plug-in implementation class into a JAR package and put it into In the lib directory of activeMq
3. Set the
Plug-in logic needs to implement the BrokerFilter class and install it through the BrokerPlugin implementation class for interception and Broker-level operations:
Access consumption Authors and producers
Commit transactions
Add and delete broker connections
demo: Restrict Broker connections based on IP address.
package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerFilter;import org.apache.activemq.broker.ConnectionContext;import org.apache.activemq.command.ConnectionInfo;public class IPAuthenticationBroker extends BrokerFilter {
List allowedIPAddresses;public IPAuthenticationBroker(Broker next, ListallowedIPAddresses) {super(next);this.allowedIPAddresses = allowedIPAddresses;
}public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
String remoteAddress = context.getConnection().getRemoteAddress();if (!allowedIPAddresses.contains(remoteAddress)) {throw new SecurityException("Connecting from IP address "
+ remoteAddress+ " is not allowed" );
}super.addConnection(context, info);
}
} Install the plug-in:
package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerPlugin;public class IPAuthenticationPlugin implements BrokerPlugin {
List allowedIPAddresses;public Broker installPlugin(Broker broker) throws Exception {return new IPAuthenticationBroker(broker, allowedIPAddresses);
}public List getAllowedIPAddresses() {return allowedIPAddresses;
}public void setAllowedIPAddresses(List allowedIPAddresses) {this.allowedIPAddresses = allowedIPAddresses;
}
} ps: Put this class into a jar package and put it in the lib directory of activemq
Configure custom plug-in:
127.0.0.1
The above is the detailed content of Detailed explanation of the security mechanism of JMS Active MQ. For more information, please follow other related articles on the PHP Chinese website!