6.3 Building a custom security plug-in

So far this chapter has focused on the built-in security features in ActiveMQ. Though these features should provide enough functionality for the majority of users, an even more powerful feature is available. As stated previously, the ActiveMQ plug-in API is extremely flexible. This flexibility comes from the BrokerFilter class, which provides the ability to intercept many of the available broker-level operations: adding consumers and producers to the broker, committing transactions in the broker, and adding and removing connections to the broker, to name a few. Custom functionality is added by extending the BrokerFilter class and overriding the method for a given operation.

Though the ActiveMQ plug-in API isn't concerned solely with security, implementing a class whose main purpose is to handle a custom security feature is straightforward. So if you have security requirements that can't be met using the security features described so far, you may want to consider developing a custom solution. Depending on your needs, two choices are available:


 Implement a JAAS login module—There's a good chance that you're already using JAAS in your Java applications. In this case, it's only natural to reuse that work for securing the ActiveMQ broker too. Since JAAS isn't the main topic of this book, we won't dive any deeper into it than we already have.


 Implement a custom plug-in for handling security—ActiveMQ provides a flexible, generic plug-in mechanism. You can create your own custom plug-ins for just about anything, including custom security plug-ins. So if you have requirements that can't be met by implementing a JAAS login module, writing a custom plug-in is the way to go.


 In this section we'll describe how to write a simple security plug-in that authorizes broker connections only from a certain set of IP addresses. The concept isn't complex, but it's good enough to give you a taste of the BrokerFilter from a security angle.


 6.3.1 Implementing the plug-in

In order to limit connectivity to the broker based on IP address, we'll create a class named IPAuthenticationBroker that overrides the BrokerFilter.addConnection() method. The implementation of this method performs a simple check of the client's IP address, extracted from the connection's remote address with a regular expression, to determine whether the client may connect. The following listing shows the implementation of the IPAuthenticationBroker class.

Listing 6.4 IPAuthenticationBroker class—custom broker implementation


 The BrokerFilter class defines methods that intercept broker operations such as adding a connection, removing a subscriber, and so forth. In the IPAuthenticationBroker class, the addConnection() method is overridden with logic that checks whether the address of a connecting client falls within the list of IP addresses that are allowed to connect. If the IP address is allowed to connect, the call is delegated to BrokerFilter.addConnection(), which passes it on to the next broker in the chain. If the IP address isn't allowed to connect, an exception is thrown and the connection is never added.


 One additional item of note in the IPAuthenticationBroker class is that its constructor calls the BrokerFilter constructor, passing it the next broker in the chain. This call sets up the chain of interceptors so that calls cascade properly through it; without it the filter has no next broker to delegate to. Don't forget to do this if you create your own BrokerFilter implementation.


 After the actual plug-in logic has been implemented, the plug-in must be configured and installed. For this purpose, an implementation of the BrokerPlugin interface is created. A BrokerPlugin exposes the configuration of a plug-in and installs the plug-in into the ActiveMQ broker. In order to configure and install the IPAuthenticationBroker, the IPAuthenticationPlugin class is created as shown in the following listing.

Listing 6.5 IPAuthenticationPlugin class—custom plug-in implementation



 The IPAuthenticationPlugin.installPlugin() method instantiates the IPAuthenticationBroker, wrapping the broker it's handed, and returns the new intercepted broker for the next plug-in in the chain. Note that the IPAuthenticationPlugin class also contains getter and setter methods used to configure the IPAuthenticationBroker. These getters and setters are what make the plug-in configurable via Spring beans–style XML in the ActiveMQ XML configuration file (as you'll see in a moment).

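The two classes described in this section, written out as an added example from the description above; this is not the book's Listing 6.4 or 6.5 and not the ActiveMQ project's own code. It assumes the package org.apache.activemq.book.ch6 (taken from the path of activemq-custom.xml used later in this section) and that Connection.getRemoteAddress() reports the peer as a string such as "tcp://127.0.0.1:51234", "/127.0.0.1:51234" or "tcp://[::1]:51234"; the exact form depends on the transport and ActiveMQ release. The helper extractHost() and the REMOTE_ADDRESS pattern are this example's own.

```java
// File: IPAuthenticationBroker.java
// Added example based on the description in section 6.3.1; not the book's listing.
// Package name is an assumption taken from the path of activemq-custom.xml.
package org.apache.activemq.book.ch6;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerFilter;
import org.apache.activemq.broker.ConnectionContext;
import org.apache.activemq.command.ConnectionInfo;

/** Intercepts addConnection() and rejects any client whose IP is not on the allow list. */
public class IPAuthenticationBroker extends BrokerFilter {

    // Remote address formats assumed here: "tcp://127.0.0.1:51234",
    // "/127.0.0.1:51234" (older releases) or "tcp://[::1]:51234". The pattern
    // extracts only the host: group 1 for bracketed IPv6, group 2 otherwise.
    private static final Pattern REMOTE_ADDRESS =
            Pattern.compile("^(?:[a-z+]+://)?/?(?:\\[([^\\]]+)\\]|([^:/]+)):\\d+$");

    private final List<String> allowedIPAddresses;

    public IPAuthenticationBroker(Broker next, List<String> allowedIPAddresses) {
        super(next); // required: links this filter to the next broker in the chain
        this.allowedIPAddresses =
                Collections.unmodifiableList(new ArrayList<String>(allowedIPAddresses));
    }

    @Override
    public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        String remoteAddress = context.getConnection() == null
                ? null : context.getConnection().getRemoteAddress();
        String ip = extractHost(remoteAddress);
        if (ip == null) {
            // Fail closed: an address we cannot parse (e.g. an in-VM transport) is refused.
            throw new SecurityException("Cannot determine client IP from " + remoteAddress);
        }
        // Exact string comparison, not a pattern match: an allow-list entry such as
        // "127.0.0.1" used as a regex would also match "127x0x0x1".
        if (!allowedIPAddresses.contains(ip)) {
            throw new SecurityException("Connecting from IP address " + ip + " is not allowed");
        }
        super.addConnection(context, info); // allowed: hand off to the next broker
    }

    /** Returns the host part of a remote address string, or null if it cannot be parsed. */
    static String extractHost(String remoteAddress) {
        if (remoteAddress == null) {
            return null;
        }
        Matcher m = REMOTE_ADDRESS.matcher(remoteAddress);
        if (!m.matches()) {
            return null;
        }
        return m.group(1) != null ? m.group(1) : m.group(2);
    }
}

// File: IPAuthenticationPlugin.java
package org.apache.activemq.book.ch6;

import java.util.ArrayList;
import java.util.List;

import org.apache.activemq.broker.Broker;
import org.apache.activemq.broker.BrokerPlugin;

/** Exposes the allow list as a bean property and installs IPAuthenticationBroker into the chain. */
public class IPAuthenticationPlugin implements BrokerPlugin {

    private List<String> allowedIPAddresses = new ArrayList<String>();

    public Broker installPlugin(Broker broker) throws Exception {
        // Wrap the broker handed to us; the returned filter is what the next
        // plug-in (or the transport layer) will call into.
        return new IPAuthenticationBroker(broker, allowedIPAddresses);
    }

    public List<String> getAllowedIPAddresses() {
        return allowedIPAddresses;
    }

    public void setAllowedIPAddresses(List<String> allowedIPAddresses) {
        this.allowedIPAddresses = allowedIPAddresses;
    }
}
```

Two points a practitioner should check before relying on this. First, the check sees only the address of the TCP peer: clients behind a proxy or NAT all present the same address, and an embedded vm:// connection carries no IP at all and is rejected by the fail-closed branch, so decide deliberately whether that is what you want. Second, allow-list entries must match exactly what the transport reports; on a host where localhost resolves to IPv6 the peer shows up as "::1", not "127.0.0.1".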

 6.3.2 Configuring the plug-in

Now that we've implemented the plug-in, let's see how to configure it using the ActiveMQ XML configuration file. The following listing shows how the IPAuthenticationPlugin class is used in the configuration.

Listing 6.6 Configuring the custom plug-in


 The <broker> element provides a <plugins> element for declaring plug-ins. With the IPAuthenticationPlugin configured this way, only those clients connecting from the IP address 127.0.0.1 (the localhost) can actually connect to the broker.
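A broker configuration that installs the plug-in, given here as an added example rather than the book's Listing 6.6. The fully qualified class name org.apache.activemq.book.ch6.IPAuthenticationPlugin is an assumption based on the path of activemq-custom.xml used in the next section; the bean property name allowedIPAddresses must match the setter on the plug-in class.

```xml
<!-- Added example configuration; not the book's Listing 6.6. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://activemq.apache.org/schema/core
                           http://activemq.apache.org/schema/core/activemq-core.xsd">

  <broker xmlns="http://activemq.apache.org/schema/core"
          brokerName="localhost"
          dataDirectory="${activemq.base}/data">

    <!-- Each plug-in wraps the broker returned by the one before it, which is
         how the BrokerFilter chain is built. -->
    <plugins>
      <bean xmlns="http://www.springframework.org/schema/beans"
            id="ipAuthenticationPlugin"
            class="org.apache.activemq.book.ch6.IPAuthenticationPlugin">
        <!-- Injected through setAllowedIPAddresses(); entries must be exactly the
             address string the transport reports for the peer. -->
        <property name="allowedIPAddresses">
          <list>
            <value>127.0.0.1</value>
            <!-- Add <value>::1</value> as well if clients reach localhost over IPv6. -->
          </list>
        </property>
      </bean>
    </plugins>

    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
    </transportConnectors>

  </broker>
</beans>
```

A quick way to confirm the plug-in is actually installed, rather than silently ignored, is to start the broker with a deliberately empty allow list and verify that even a localhost client is refused.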


 6.3.3 Testing the plug-in

All that's left is to test the plug-in. Here's the command to copy the examples JAR file into place (it contains the plug-in classes, which the broker needs on its classpath) and the command to start ActiveMQ using the IPAuthenticationPlugin and the IPAuthenticationBroker:



$ cp target/activemq-in-action-examples.jar ${ACTIVEMQ_HOME}/lib/

$ {ACTIVEMQ_HOME}/bin/activemq console xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-custom.xml
(Translator's note: on Windows the command is %ACTIVEMQ_HOME%/bin/activemq xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-custom.xml)



 Now run the client to connect to ActiveMQ from the localhost; everything should work fine, as shown in the following output:


 If a connection attempt is made from any host other than the localhost, the connection is rejected and you can expect to see the following output, including the exception:


  Although this example was more involved than the built-in features covered earlier, it serves as a good demonstration of the power provided by the BrokerFilter class. Just imagine how flexible this plug-in mechanism is for integrating with existing custom security requirements. This example focused on security, but many other broker operations can be customized using the pattern illustrated here.



