ActiveMQ中的安全机制
ActiveMQ据说可以支持多种可插拔的provider来支持消息安全机制,可是我找遍了它的网站也没有找到除JAAS以外的可用provider。这里简单介绍一下在ActiveMQ里面通过JAAS实现安全机制。
ActiveMQ据说可以支持多种可插拔的provider来支持消息安全机制,可是我找遍了它的网站也没有找到除JAAS以外的可用provider。这里简单介绍一下在ActiveMQ里面通过JAAS实现安全机制。
JAAS(Java Authentication and Authorization Service)也就是java的验证Authentication)、授权(Authorization)服务。简单来说,验证Authentication就是要验证一个用户的有效性,即用户名、密码是否正确。授权Authorization就是授予用户某种角色,可以访问哪些资源。其实我了解得也就这么多了,曾经买了一本java安全的书,到现在也没看几眼。
要想在ActiveMQ中使用JAAS实现消息安全和控制,比较简单的方法就是使用配制文件。
首先,编写login.config文件,内容如下
activemq-domain {
org.apache.activemq.jaas.PropertiesLoginModule required
debug=true
org.apache.activemq.jaas.properties.user="users.properties"
org.apache.activemq.jaas.properties.group="groups.properties";
};
把这个文件放在CLASSPATH所指路径下,我选择放在%ACTIVEMQ_HOME%\conf\下,这样就不用设置了。然后编写users.properties和groups.properties文件,内容可参考下例:
#users.properties
system=manager
user=password
guest=password
首先,编写login.config文件,内容如下
activemq-domain {
org.apache.activemq.jaas.PropertiesLoginModule required
debug=true
org.apache.activemq.jaas.properties.user="users.properties"
org.apache.activemq.jaas.properties.group="groups.properties";
};
把这个文件放在CLASSPATH所指路径下,我选择放在%ACTIVEMQ_HOME%\conf\下,这样就不用设置了。然后编写users.properties和groups.properties文件,内容可参考下例:
#users.properties
system=manager
user=password
guest=password
#groups.properties
admins=system
users=system,user
guests=guest
内容是显而易见的,users.properties文件里面配制了三个用户,并分别制定了他们的密码。groups.properties文件里配制了三个组,以及每个组里面的用户。这两个文件和login.config放在同一个目录。
以上部分属于认证,下面来讨论授权。通过修改activemq.xml文件来增加对不同group中的用户指定所能进行的操作。
<!-- START SNIPPET: example -->
<beans xmlns="http://activemq.org/config/1.0">
admins=system
users=system,user
guests=guest
内容是显而易见的,users.properties文件里面配制了三个用户,并分别制定了他们的密码。groups.properties文件里配制了三个组,以及每个组里面的用户。这两个文件和login.config放在同一个目录。
以上部分属于认证,下面来讨论授权。通过修改activemq.xml文件来增加对不同group中的用户指定所能进行的操作。
<!-- START SNIPPET: example -->
<beans xmlns="http://activemq.org/config/1.0">
<!-- Allows us to use system properties as variables in this configuration file -->
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
<broker useJmx="true">
<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer"/>
<broker useJmx="true">
<!-- In ActiveMQ 4, you can setup destination policies -->
<destinationPolicy>
<policyMap><policyEntries>
<policyEntry topic="FOO.>">
<dispatchPolicy>
<strictOrderDispatchPolicy />
</dispatchPolicy>
<subscriptionRecoveryPolicy>
<lastImageSubscriptionRecoveryPolicy />
</subscriptionRecoveryPolicy>
</policyEntry>
<destinationPolicy>
<policyMap><policyEntries>
<policyEntry topic="FOO.>">
<dispatchPolicy>
<strictOrderDispatchPolicy />
</dispatchPolicy>
<subscriptionRecoveryPolicy>
<lastImageSubscriptionRecoveryPolicy />
</subscriptionRecoveryPolicy>
</policyEntry>
</policyEntries></policyMap>
</destinationPolicy>
<persistenceAdapter>
<journaledJDBC journalLogFiles="5" dataDirectory="${activemq.home}/activemq-data"/>
<!-- To use a different datasource, use th following syntax : -->
<!--
<journaledJDBC journalLogFiles="5" dataDirectory="../activemq-data" dataSource="#postgres-ds"/>
-->
</persistenceAdapter>
<transportConnectors>
<transportConnector name="default" uri="tcp://localhost:61616" discoveryUri="multicast://default"/>
<transportConnector name="stomp" uri="stomp://localhost:61613"/>
</transportConnectors>
<networkConnectors>
<!-- by default just auto discover the other brokers -->
<networkConnector name="default" uri="multicast://default"/>
<!--
<networkConnector name="host1 and host2" uri="static://(tcp://host1:61616,tcp://host2:61616)" failover="true"/>
-->
</networkConnectors>
<plugins>
<!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
<jaasAuthenticationPlugin configuration="activemq-domain" />
</destinationPolicy>
<persistenceAdapter>
<journaledJDBC journalLogFiles="5" dataDirectory="${activemq.home}/activemq-data"/>
<!-- To use a different datasource, use th following syntax : -->
<!--
<journaledJDBC journalLogFiles="5" dataDirectory="../activemq-data" dataSource="#postgres-ds"/>
-->
</persistenceAdapter>
<transportConnectors>
<transportConnector name="default" uri="tcp://localhost:61616" discoveryUri="multicast://default"/>
<transportConnector name="stomp" uri="stomp://localhost:61613"/>
</transportConnectors>
<networkConnectors>
<!-- by default just auto discover the other brokers -->
<networkConnector name="default" uri="multicast://default"/>
<!--
<networkConnector name="host1 and host2" uri="static://(tcp://host1:61616,tcp://host2:61616)" failover="true"/>
-->
</networkConnectors>
<plugins>
<!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
<jaasAuthenticationPlugin configuration="activemq-domain" />
<!-- lets configure a destination based authorization mechanism -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins,guests" write="guests" admin="admins,guests" />
<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
</broker>
</beans>
<!-- END SNIPPET: example -->
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins,guests" write="guests" admin="admins,guests" />
<authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
<authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
<authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
</broker>
</beans>
<!-- END SNIPPET: example -->
加黑部分为所加授权配制信息。针对不同的queue或者topic设置了可以进行操作的组。里面主要涉及三种操作:read, write, admin
read:可以从queue或者topic里面接收消息
write:可以向queue或者topic发送消息
admin:可以创建queue或者topic(可能还有别的功能)
这些文件配制好时候,ActiveMQ就具有了基本的安全机制,另外需要注意的是,在ActiveMQ 4.0.1 release版中,并没有带有activemq-jaas.jar,需要自己下载,http://people.apache.org/repository/incubator-activemq/jars/activemq-jaas-4.0.1.jar下载后放到%ACTIVEMQ_HOME%\lib目录下即可。然后启动%ACTIVEMQ_HOME%\bin\activemq消息中心,一下代码创建了具有安全机制的connection。
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory("tcp://localhost:61616");
Connection connection = connectionFactory.createConnection("username","password");
read:可以从queue或者topic里面接收消息
write:可以向queue或者topic发送消息
admin:可以创建queue或者topic(可能还有别的功能)
这些文件配制好时候,ActiveMQ就具有了基本的安全机制,另外需要注意的是,在ActiveMQ 4.0.1 release版中,并没有带有activemq-jaas.jar,需要自己下载,http://people.apache.org/repository/incubator-activemq/jars/activemq-jaas-4.0.1.jar下载后放到%ACTIVEMQ_HOME%\lib目录下即可。然后启动%ACTIVEMQ_HOME%\bin\activemq消息中心,一下代码创建了具有安全机制的connection。
ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory("tcp://localhost:61616");
Connection connection = connectionFactory.createConnection("username","password");
至于这种方法是否灵活、方便、安全,与编程模式实现的安全机制有什么异同还需要进一步分析比较。
