If I want to implement JAAS authorization on Apache ActiveMQ, do I have to use the plug-in in the activemq.xml configuration file?
This way is really NOT good because if I want to change authorization, I have to change the activemq.xml file and restart the server in order to work.
Is there any way I can use like JAAS authentication by changing other properties file rather than the activemq.xml file? Or can I custom my own authorization plugin?
Thanks.
Whenever I have set up ActiveMQ security, I have found it best to use the plain AuthorizationPlugin with wildcards that denote the destinations covered (which is why it's really handy to use naming conventions fro your queues and topics). The idea is that you define a handful of user groups and grant them access to those destinations.
The role of assigning a group from a username is handled by one of the authentication plugins - the JAAS plugin is particularly useful for externalising this information outside the ActiveMQ config in an LDAP directory.
Check out the ActiveMQ Security Guide from FuseSource (registration required) for further information.
Update 2018-07-02 ActiveMQ Security Guide, now located on redhat.
I found some code snippets that ended up being tremendously helpful in getting started on this subject:
http://activemq.2283324.n4.nabble.com/Fully-programmatic-authorization-map-tp2344815.html
Here's how I ended up using it (may not be the best way):
public class TestAuthorizationPlugin extends AuthorizationPlugin {
Then:
@Override
public Broker installPlugin(Broker broker) {
List<DestinationMapEntry> entries = new ArrayList<DestinationMapEntry>();
try {
entries.add(makeTopicAuthorization("groupA.topic", "groupA", "groupA", "groupA"));
entries.add(makeQueueAuthorization("groupA.queue", "groupA", "groupA", "groupA"));
entries.add(makeQueueAuthorization("groupB.queue", "groupB", "groupB", "groupB"));
entries.add(makeTopicAuthorization("ActiveMQ.Advisory.>", "all", "all", "all"));
AuthorizationMap authMap = new DefaultAuthorizationMap(entries);
return new AuthorizationBroker(broker, authMap);
} catch (Exception e) {
LOGGER.error(e);
}
return new AuthorizationBroker(broker, null);
}
jar this and stick it in <activemq_home>/lib/.
Modify the activemq.xml:
<plugins>
<!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
<jaasAuthenticationPlugin configuration="activemq" />
<!-- Authorization control -->
<bean xmlns="http://www.springframework.org/schema/beans" class="com.blackstrype.activemq.security.TestAuthorizationPlugin"/>
</plugins>
Another helpful link for more info on autho plugin dev:
http://mariuszprzydatek.com/2014/01/04/token-based-authentication-plugin-for-activemq/
{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://img.manongdao.com/sparkler-677774__340.jpg', '推荐 三岁会撩人 的文章《ActiveMQ authorization》','https://www.manongdao.com/article-335000.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}