Detailed explanation of the security mechanism of JMS Active MQ

1. Authentication

Authentication: Verify whether an entity or user has permission to access protected resources.

MQ provides two plug-ins for authority authentication:
(1), Simple authentication plug-in: Directly configure the relevant authority authentication information to XML file.

Configure the broker element of conf/activemq.xml to add a plug-in:

        <plugins><simpleAuthenticationPlugin><users><authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/><authenticationUser username="publisher" password="password"  groups="publishers,consumers"/><authenticationUser username="consumer" password="password" groups="consumers"/><authenticationUser username="guest" password="password"  groups="guests"/></users></simpleAuthenticationPlugin></plugins>

There are two authentication methods in the code:

1. When creating a Connection When authenticating

//用户认证Connection conn = connFactory.createConnection("admin","password");

2, you can also authenticate when creating the ConnectionFactory factory

ConnectionFactory connFactory = new ActiveMQConnectionFactory("admin","password",url);

(2) JAAS authentication plug-in: implements the JAAS API and provides a more powerful and customizable permission scheme.

Configuration method:

1. Create the login.config file in the conf directory User configuration PropertiesLoginModule:

activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required debug=trueorg.apache.activemq.jaas.properties.user="users.properties"org.apache.activemq.jaas.properties.group="groups.properties";
};

2. Create it in the conf directory users.properties file user configuration user:

# 创建四个用户
admin=password  
publisher=password 
consumer=password  
guest=password

3. Create groups.properties file user configuration user group in the conf directory:

#创建四个组并分配用户
admins=admin
publishers=admin,publisher
consumers=admin,publisher,consumer
guests=guest

4. Insert the configuration into activemq.xml:

<!-- JAAS authentication plug-in --><plugins><jaasAuthenticationPlugin configuration="activemq-domain" /></plugins>

5. Configure the startup parameters of MQ:

Use the dos command to start:

D:\tools\apache-activemq-5.6.0-bin\apache-activemq-5.6.0\bin\win64>activemq.bat -Djava.security.auth.login.config=D:/tools/apache-activemq-5.6.0-bin/apache-activemq-5.6.0/conf/login.config

6. The authentication method in the code is the same as the Simple authentication plug-in.

2. Authorization

Based on authentication, corresponding permissions can be granted based on the actual user role. For example, some users have queue write permissions, some can only read, etc.
Two authorization methods
(1) Destination level authorization

Three operation levels of JMS destination:
Read: Permission to read destination messages
Write: Permission to send messages to the destination
Admin: Permission to manage the destination

Configuration method conf/activemq.xml:

<plugins><jaasAuthenticationPlugin configuration="activemq-domain" /><authorizationPlugin><map><authorizationMap><authorizationEntries><authorizationEntry topic="topic.ch09" read="consumers" write="publishers" admin="publishers" /></authorizationEntries></authorizationMap></map></authorizationPlugin></plugins>

(2) Message level authorization

Authorize specific messages.

Development steps:
1. To implement the message authorization plug-in, you need to implement the MessageAuthorizationPolicy interface

public class AuthorizationPolicy implements MessageAuthorizationPolicy {private static final Log LOG = LogFactory.
        getLog(AuthorizationPolicy.class);public boolean isAllowedToConsume(ConnectionContext context,
        Message message) {
        LOG.info(context.getConnection().getRemoteAddress());
        String remoteAddress = context.getConnection().getRemoteAddress();if (remoteAddress.startsWith("/127.0.0.1")) {
            LOG.info("Permission to consume granted");return true;
        } else {
        LOG.info("Permission to consume denied");return false;
    }
    }
}

2. Type the plug-in implementation class into a JAR package and put it into In the lib directory of activeMq

3. Set the element in activemq.xml

<messageAuthorizationPolicy><bean class="org.apache.activemq.book.ch6.AuthorizationPolicy" xmlns="http://www.springframework.org/schema/beans" /></messageAuthorizationPolicy>

3. Customize the security plug-in

Plug-in logic needs to implement the BrokerFilter class and install it through the BrokerPlugin implementation class for interception and Broker-level operations:

• Access consumption Authors and producers

• Commit transactions

• Add and delete broker connections

demo: Restrict Broker connections based on IP address.

package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerFilter;import org.apache.activemq.broker.ConnectionContext;import org.apache.activemq.command.ConnectionInfo;public class IPAuthenticationBroker extends BrokerFilter {
    List<String> allowedIPAddresses;public IPAuthenticationBroker(Broker next, List<String>allowedIPAddresses) {super(next);this.allowedIPAddresses = allowedIPAddresses;
    }public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
        String remoteAddress = context.getConnection().getRemoteAddress();if (!allowedIPAddresses.contains(remoteAddress)) {throw new SecurityException("Connecting from IP address "
            + remoteAddress+ " is not allowed" );
        }super.addConnection(context, info);
    }
}

Install the plug-in:

package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerPlugin;public class IPAuthenticationPlugin implements BrokerPlugin {
    List<String> allowedIPAddresses;public Broker installPlugin(Broker broker) throws Exception {return new IPAuthenticationBroker(broker, allowedIPAddresses);
    }public List<String> getAllowedIPAddresses() {return allowedIPAddresses;
    }public void setAllowedIPAddresses(List<String> allowedIPAddresses) {this.allowedIPAddresses = allowedIPAddresses;
    }
}

ps: Put this class into a jar package and put it in the lib directory of activemq

Configure custom plug-in:

<plugins><bean xmlns="http://www.springframework.org/schema/beans" id="ipAuthenticationPlugin"   class="org.apache.activemq.book.ch6.IPAuthenticationPlugin"><property name="allowedIPAddresses"><list>　　<value>127.0.0.1</value></list></property></bean></plugins>

The above is the detailed content of Detailed explanation of the security mechanism of JMS Active MQ. For more information, please follow other related articles on the PHP Chinese website!