
6.1 ActiveMQ security – Authentication


All security concepts in ActiveMQ are implemented as plug-ins. This allows for easy configuration and customization via the <plugin> element of the ActiveMQ XML configuration file. Two plug-ins are available in ActiveMQ to authenticate users:

Simple authentication plug-in—Handles credentials directly in the XML configuration file or in a properties file

JAAS authentication plug-in—Implements the JAAS API and provides a more powerful and customizable authentication solution

Let’s review these two authentication plug-ins.





 6.1.1 Configuring the simple authentication plug-in

The easiest way to secure the broker is through the use of authentication credentials placed directly in the broker’s XML configuration file. Such functionality is provided by the simple authentication plug-in that’s part of ActiveMQ. The following listing provides an example of using this plug-in.

Listing 6.1 Configuring the simple authentication plug-in


<broker ...>
    <plugins>
        <simpleAuthenticationPlugin>
            <users>
                <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
                <authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
                <authenticationUser username="consumer" password="password" groups="consumers"/>
                <authenticationUser username="guest" password="password" groups="guests"/>
            </users>
        </simpleAuthenticationPlugin>
    </plugins>
</broker>
By using this simple configuration snippet, four users can now access ActiveMQ. Obviously, for authentication purposes, each user must have a username and a password. Additionally, the groups attribute provides a comma-separated list of groups to which the user belongs. This information is used for authorization purposes, as will be seen shortly.
The best way to understand this configuration is to use it with the stock portfolio example. First, the broker must be started using the configuration file defined earlier:
  ${ACTIVEMQ_HOME}/bin/activemq console xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-simple.xml
(On Windows XP the command is: %ACTIVEMQ_HOME%/bin/activemq xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-simple.xml)
Now run the stock publisher and you should see the following exception:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch3.portfolio.Publisher -Dexec.args="CSCO ORCL"
Exception in thread "main" javax.jms.JMSException: User name or password is invalid.
The preceding exception is expected because a security plug-in is activated but the authentication credentials haven’t yet been defined in the publisher client. To fix this exception, modify the publisher to add a username and password. The following snippet provides an example of this:
private String username = "publisher";
private String password = "password";

public Publisher() throws JMSException {
    factory = new ActiveMQConnectionFactory(brokerURL);
    // The credentials are handed to createConnection() and checked by the broker's authentication plug-in
    connection = factory.createConnection(username, password);
    session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
    producer = session.createProducer(null);
}
As the preceding snippet shows, the only necessary change is to define a username and a password that are then used as parameters to the call to the createConnection() method. Compiling and running the modified publisher will now yield the proper behavior, as shown in the following output:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Publisher -Dexec.args="CSCO ORCL"
Sending: {price=35.25020234334, stock=ORCL, offer=35.28545254568, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=35.018408299624, stock=ORCL, offer=35.053426707924, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=34.722966908601, stock=ORCL, offer=34.75768987551, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=1.651542629939308, stock=CSCO, offer=1.653194172569, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=34.598719623046, stock=ORCL, offer=34.63331834266, up=false} on destination:topic://STOCKS.ORCL
Sending: {price=34.43900856142, stock=ORCL, offer=34.47344756998, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=1.6580787335090, stock=CSCO, offer=1.659736812242, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=34.458768559093, stock=ORCL, offer=34.49322732765, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=1.6547727745488, stock=CSCO, offer=1.6564275473233,up=false} on destination:topic://STOCKS.CSCO
Sending: {price=1.665375738897, stock=CSCO, offer=1.6670411146368, up=true} on destination: topic://STOCKS.CSCO
Published '10' of '10' price messages
Note in the output that our producer successfully connects to the broker and sends messages. Unfortunately, with the simple authentication plug-in, passwords are stored (and transferred) as clear text, which impacts the security of the broker. But even plain-text passwords prevent unauthorized clients from interacting with the broker, and in some environments this is all that’s needed. Additionally, you can consider using the simple authentication plug-in in combination with the SSL transport, which will at least solve the problem of sending plain passwords over the network.

For environments that need a more secure installation and/or for environments that already have an existing security infrastructure with which ActiveMQ will need to integrate, the JAAS plug-in may be more appropriate.

 6.1.2 Configuring the JAAS plug-in

A detailed explanation of JAAS is beyond the scope of this book. Instead, this section will briefly introduce JAAS basic concepts and demonstrate how to create a PropertiesLoginModule that can be used to achieve the same functionality as the simple security plug-in using JAAS. For more detailed information about JAAS, please refer to the JAAS documentation (http://mng.bz/BvvB).



JAAS provides pluggable authentication, which means ActiveMQ will use the same authentication API regardless of the technique used to verify user credentials (a text file, a relational database, LDAP, and so on). All that’s required is an implementation of the javax.security.auth.spi.LoginModule interface (http://mng.bz/8zLV) and a configuration change to ActiveMQ. Fortunately, ActiveMQ comes with implementations of some modules that can authenticate users using properties files, LDAP, and SSL certificates, which will be enough for many use cases. Because JAAS login modules follow a specification, one advantage of them is that they’re relatively straightforward to configure. The best way to understand a login module is by walking through a configuration. For this task, the login module that works with properties files will be used.

The first step in this task is to identify the PropertiesLoginModule so that ActiveMQ is made aware of it. To do so, you must create a file named login.config that contains a standardized format for configuring JAAS users and groups (http://mng.bz/IIEB). Here are the contents of the file:
  activemq-domain {
      org.apache.activemq.jaas.PropertiesLoginModule required
          debug=true
          org.apache.activemq.jaas.properties.user="users.properties"
          org.apache.activemq.jaas.properties.group="groups.properties";
  };
The login.config file shown here contains a few different items for configuring a JAAS module. The activemq-domain is the predominant item in this file and it contains all the configuration for the login module. First is the fully qualified name of the PropertiesLoginModule and the trailing notation identifying it as required. This means that the authentication can’t continue without this login module. Second is a line to enable debug logging for the login module; this is optional. Third is the org.apache.activemq.jaas.properties.user property, which points to the users.properties file. Fourth is the org.apache.activemq.jaas.properties.group property, which points to the groups.properties file. Once this is all defined, the two properties files must be created.

NOTE The PropertiesLoginModule used in this section is an implementation of a JAAS login module, and it comes with ActiveMQ.

Defining user credentials in the properties files is simple. The users.properties file defines each user in a line-delimited manner along with its password, as shown (these entries mirror the four users of listing 6.1):

  admin=password
  publisher=password
  consumer=password
  guest=password

The groups.properties file defines group names in a line-delimited manner as well. But each group contains a comma-separated list of its users as shown:

  admins=admin
  publishers=admin,publisher
  consumers=admin,publisher,consumer
  guests=guest
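The mapping this section walks through twice, first as the groups attribute of listing 6.1 and then as the users.properties/groups.properties pair that PropertiesLoginModule reads, worked through as an added Python example (not code from the book or from ActiveMQ): it parses the simple plug-in's XML, inverts the user-to-groups attributes into the two properties files, and then checks a login against those files the way the text describes the module doing it. The broker XML is a constructed sample with the namespace omitted, and authenticate() is a stand-in for the real login module, not its code.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the four users of listing 6.1 inside the <plugins> structure
# the simple authentication plug-in expects (broker namespace omitted for brevity).
SIMPLE_AUTH_XML = """<broker>
  <plugins><simpleAuthenticationPlugin><users>
    <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
    <authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
    <authenticationUser username="consumer" password="password" groups="consumers"/>
    <authenticationUser username="guest" password="password" groups="guests"/>
  </users></simpleAuthenticationPlugin></plugins>
</broker>"""

def parse_simple_auth(xml_text):
    """Return {username: (password, [groups])} from the simple plug-in's XML."""
    users = {}
    for el in ET.fromstring(xml_text).iter("authenticationUser"):
        groups = [g.strip() for g in el.get("groups", "").split(",") if g.strip()]
        users[el.get("username")] = (el.get("password"), groups)
    return users

def to_properties_files(users):
    """Invert user->groups into the users.properties and groups.properties texts
    that PropertiesLoginModule reads (one 'group=user1,user2' line per group)."""
    users_props = "\n".join(f"{u}={pw}" for u, (pw, _) in users.items())
    groups = {}
    for u, (_, gs) in users.items():
        for g in gs:
            groups.setdefault(g, []).append(u)
    groups_props = "\n".join(f"{g}={','.join(m)}" for g, m in groups.items())
    return users_props, groups_props

def load_properties(text):
    """Minimal key=value parser; blank lines and '#' comments are ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def authenticate(users_props, groups_props, username, password):
    """Stand-in for PropertiesLoginModule's check: None on bad credentials, else the
    user's group names. The comparison is on a clear-text password, as the text warns."""
    if load_properties(users_props).get(username) != password:
        return None
    groups = load_properties(groups_props)
    return sorted(g for g, members in groups.items() if username in members.split(","))
```

The group names returned on success are what the authorization plug-in of the next section matches against; a wrong password yields no principals at all, which is the "User name or password is invalid" failure seen earlier.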
Once these files are created, the JAAS plug-in must be defined in the ActiveMQ XML configuration file. The following is an example of this necessary change:
  <jaasAuthenticationPlugin configuration="activemq-domain" />
The example is shortened for readability and only shows the necessary change to enable the JAAS login module. As you can see, the JAAS plug-in only needs the name of the JAAS domain in the login.config file. ActiveMQ will locate the login.config file on the classpath (an alternative to this is to use the java.security.auth.login.config system property for the location of the login.config file). To test out the JAAS login module that was just created, start up ActiveMQ using these changes. Here’s the command to use:
${ACTIVEMQ_HOME}/bin/activemq console -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml
(On Windows XP the command is: %ACTIVEMQ_HOME%/bin/activemq -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml)
...
Loading message broker from: xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml
INFO | PListStore: Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/tmp_storage started
INFO | Using Persistence Adapter: KahaDBPersistenceAdapter [/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/KahaDB]
INFO | JMX consoles can connect to service: jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
INFO | ActiveMQ 5.4.1 JMS Message Broker (localhost) is starting
INFO | For help or more information please see: http://activemq.apache.org/
INFO | Scheduler using directory: /Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler
INFO | JobSchedulerStore: /Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler started
INFO | Listening for connections at: tcp://localhost:61616
INFO | Connector openwire Started
INFO | ActiveMQ JMS Message Broker (localhost, ID:mongoose.local-61955-1289966951514-0:0) started
The broker has been secured just like the previous section where simple authentication was used, only now the JAAS standard was used. Now we can start our stock portfolio publisher that uses proper credentials and expect it to be able to access the broker:
mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Publisher -Dexec.args="CSCO ORCL"
Sending: {price=44.84266119470, stock=ORCL, offer=44.88750385590,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.5575471806, stock=ORCL, offer=44.60210472778,up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.49794307251, stock=ORCL, offer=44.54244101559,up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.48574009628, stock=ORCL, offer=44.530225836380,up=false} on destination: topic://STOCKS.ORCL
Sending: {price=55.89763705357, stock=CSCO, offer=55.953534690630,up=true} on destination: topic://STOCKS.CSCO
Sending: {price=44.09643970531, stock=ORCL, offer=44.140536145020,up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.20879151845, stock=ORCL, offer=44.25300030997,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.38257378288, stock=ORCL, offer=44.426956356664,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.660334580924, stock=ORCL, offer=44.704994915505,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.77852477644, stock=ORCL, offer=44.8233033012,up=true} on destination: topic://STOCKS.ORCL
Published '10' of '10' price messages
As we can see, the JAAS plug-in provides exactly the same functionality as the simple authentication plug-in. But it does so using the standardized Java mechanism, meaning you can use it to plug in any existing security policies you use inside your organization. In addition to the ability to authenticate access to the broker services, ActiveMQ also provides the ability to authorize specific operations at a fine-grained level. The next section explores this topic thoroughly.



Permalink: https://www.jack-yin.com/coding/translation/activemq-in-action/1004.html | 边城网事

This post was published by 边城网事 on 25 October 2013 in the category ActiveMQ in Action 读书笔记 (reading notes).
