Exploring ActiveMQ: the security mechanism

The previous post (link) covered the problems I ran into while getting ActiveMQ working for the first time, their causes and the fixes. Once that test passed, however, one thing stood out: in both the producer and the consumer configuration a username and password were set, yet they were never actually used:

<bean id="targetConnectionFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
    <!-- ActiveMQ broker address -->
    <property name="brokerURL" value="failover:tcp://127.0.0.1:61616" />
    <property name="userName" value="system"/>   <!-- configured but never actually used -->
    <property name="password" value="manager"/>  <!-- configured but never actually used -->
    <!-- transport listener: handles network and broker failures -->
    <property name="transportListener">
        <bean class="com.sts.listener.ActiveMQTransportListener" />
    </property>
</bean>

So what are the username and password for? They ought to authenticate the connection, yet nowhere could I find the place where they are checked.

Further reading showed that the credentials are not ignored by the client; the broker simply has no authentication plugin configured, so it accepts a connection with any username and password (or none at all). With the stock activemq.xml the broker port 61616 is therefore open to anyone who can reach it. How is the check enabled?

Go into the conf directory of the ActiveMQ installation; it contains a number of configuration files:

[root@sts /usr/local/drp/activemq/apache-activemq-5.15.4/conf]# ll
total 80
-rw-r--r-- 1 root root 6162 Jul  5 09:41 activemq.xml
-rw-r--r-- 1 root root 1370 May 18 01:59 broker.ks
-rw-r--r-- 1 root root  592 May 18 01:59 broker-localhost.cert
-rw-r--r-- 1 root root  665 May 18 01:59 broker.ts
-rw-r--r-- 1 root root 1357 May 18 01:59 client.ks
-rw-r--r-- 1 root root  665 May 18 01:59 client.ts
-rw-r--r-- 1 root root 1172 May 18 02:05 credentials-enc.properties
-rw-r--r-- 1 root root 1162 Jul  5 09:42 credentials.properties
-rw-r--r-- 1 root root  962 May 18 02:05 groups.properties
-rw-r--r-- 1 root root 1011 May 18 02:05 java.security
-rw-r--r-- 1 root root 1087 May 18 02:05 jetty-realm.properties
-rw-r--r-- 1 root root 7795 May 18 02:05 jetty.xml
-rw-r--r-- 1 root root  965 May 18 02:05 jmx.access
-rw-r--r-- 1 root root  964 May 18 02:05 jmx.password
-rw-r--r-- 1 root root 3071 May 18 02:05 log4j.properties
-rw-r--r-- 1 root root 1207 May 18 02:05 logging.properties
-rw-r--r-- 1 root root 1016 May 18 02:05 login.config
-rw-r--r-- 1 root root  961 May 18 02:05 users.properties

Among them, jetty-realm.properties holds the usernames and passwords for the web console, one entry per line in Jetty's username: password, role form:

admin: admin, admin
user: user, user

Both entries are the factory defaults that every download ships with, so they must be changed before the console is reachable from anywhere but localhost; Jetty also accepts OBF:, MD5: or CRYPT: prefixed values in this file instead of cleartext passwords.

In jetty.xml the console paths are protected by security-constraint beans; the one shown here is adminSecurityConstraint:

<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admin" />
    <!-- set authenticate=false to disable login -->
    <property name="authenticate" value="true" />
</bean>
 
 

If the authenticate property reads value="false", change it to "true"; recent versions already default to true.

authenticate controls whether the console requires a login: true enables authentication, false disables it (the whole console would then be open to anyone who can reach the Jetty port).

Next, open activemq.xml and add a plugin inside the <broker> element:

<plugins>
    <simpleAuthenticationPlugin>
        <users>
            <authenticationUser username="sts" password="123456" groups="admins"/>
        </users>
    </simpleAuthenticationPlugin>
</plugins>

Note: username/password are the credentials the client must present; groups is the comma-separated list of groups the user belongs to, and it is mandatory. If it is left out the plugin cannot be initialised and the broker does not come up; on the client side the only symptom is the failover transport retrying:

WARN | Failed to connect to [tcp://127.0.0.1:61616] after: 10 attempt(s) continuing to retry.

A group named here does not have to exist anywhere else: simpleAuthenticationPlugin builds its group list from the groups attribute alone. The groups.properties file below is not consulted by this plugin; together with users.properties and login.config it feeds the JAAS PropertiesLoginModule used by jaasAuthenticationPlugin:

## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements.  See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License.  You may obtain a copy of the License at
##
## http://www.apache.org/licenses/LICENSE-2.0
##
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------

admins=admin

It ships with a single admins group containing the user admin; further groups can be added, or users appended to admins, with the users in a group separated by commas. With either plugin a group only carries meaning once an authorizationPlugin maps it to read, write and admin rights on destinations; authentication alone only decides who may connect.

With the client credentials now configured in activemq.xml, test it:

In the client configuration set the username and password to the values configured above:

<bean id="targetConnectionFactory" class="org.apache.activemq.ActiveMQConnectionFactory">
    <!-- ActiveMQ broker address -->
    <property name="brokerURL" value="failover:tcp://127.0.0.1:61616" />
    <property name="userName" value="sts"/>
    <property name="password" value="123456"/>
    <!-- transport listener: handles network and broker failures -->
    <property name="transportListener">
        <bean class="com.sts.listener.ActiveMQTransportListener" />
    </property>
</bean>

Run the producer test class; the result is:


Now change the username or password so that it no longer matches the broker configuration, and run the producer test class again:

ERROR | Failed to send message
org.springframework.jms.IllegalStateException: javax.jms.JMSSecurityException: User name [sts] or password is invalid.; nested exception is javax.jms.IllegalStateException: javax.jms.JMSSecurityException: User name [sts] or password is invalid.
	at org.springframework.jms.support.JmsUtils.convertJmsAccessException(JmsUtils.java:279)
	at org.springframework.jms.support.JmsAccessor.convertJmsAccessException(JmsAccessor.java:169)
	at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:497)
	at org.springframework.jms.core.JmsTemplate.send(JmsTemplate.java:580)
	at com.sts.testPro.MessageSender.send(MessageSender.java:54)
	at com.sts.testPro.MessageSender.integraMessage(MessageSender.java:43)
	at com.sts.testCustomer.MQProducerTest.main(MQProducerTest.java:24)
Caused by: javax.jms.IllegalStateException: javax.jms.JMSSecurityException: User name [sts] or password is invalid.
	at org.apache.activemq.jms.pool.ConnectionPool.createSession(ConnectionPool.java:154)
	at org.apache.activemq.jms.pool.PooledConnection.createSession(PooledConnection.java:167)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.springframework.jms.connection.SingleConnectionFactory$SharedConnectionInvocationHandler.invoke(SingleConnectionFactory.java:620)
	at com.sun.proxy.$Proxy1.createSession(Unknown Source)
	at org.springframework.jms.support.JmsAccessor.createSession(JmsAccessor.java:192)
	at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:485)
	... 4 more
Caused by: javax.jms.JMSSecurityException: User name [sts] or password is invalid.
	at org.apache.activemq.util.JMSExceptionSupport.create(JMSExceptionSupport.java:52)
	at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1392)
	at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1495)
	at org.apache.activemq.ActiveMQConnection.createSession(ActiveMQConnection.java:323)
	at org.apache.activemq.jms.pool.ConnectionPool.makeSession(ConnectionPool.java:107)
	at org.apache.activemq.jms.pool.ConnectionPool$1.makeObject(ConnectionPool.java:77)
	at org.apache.activemq.jms.pool.ConnectionPool$1.makeObject(ConnectionPool.java:73)
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:1041)
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:357)
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:279)
	at org.apache.activemq.jms.pool.ConnectionPool.createSession(ConnectionPool.java:136)
	... 13 more
Caused by: java.lang.SecurityException: User name [sts] or password is invalid.
	at org.apache.activemq.security.SimpleAuthenticationBroker.authenticate(SimpleAuthenticationBroker.java:103)
	at org.apache.activemq.security.SimpleAuthenticationBroker.addConnection(SimpleAuthenticationBroker.java:71)
	at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)
	at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:843)
	at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)
	at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
	at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:330)
	at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:194)
	at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
	at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)
	at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)
	at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
	at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
	at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
	at java.lang.Thread.run(Thread.java:748)
ERROR | onException -> message broker connection error......
java.io.IOException: Force close due to SecurityException on connect
	at org.apache.activemq.ActiveMQConnection.forceCloseOnSecurityException(ActiveMQConnection.java:1372)
	at org.apache.activemq.ActiveMQConnection.syncSendPacket(ActiveMQConnection.java:1397)
	at org.apache.activemq.ActiveMQConnection.ensureConnectionInfoSent(ActiveMQConnection.java:1495)
	at org.apache.activemq.ActiveMQConnection.createSession(ActiveMQConnection.java:323)
	at org.apache.activemq.jms.pool.ConnectionPool.makeSession(ConnectionPool.java:107)
	at org.apache.activemq.jms.pool.ConnectionPool$1.makeObject(ConnectionPool.java:77)
	at org.apache.activemq.jms.pool.ConnectionPool$1.makeObject(ConnectionPool.java:73)
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.create(GenericKeyedObjectPool.java:1041)
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:357)
	at org.apache.commons.pool2.impl.GenericKeyedObjectPool.borrowObject(GenericKeyedObjectPool.java:279)
	at org.apache.activemq.jms.pool.ConnectionPool.createSession(ConnectionPool.java:136)
	at org.apache.activemq.jms.pool.PooledConnection.createSession(PooledConnection.java:167)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at org.springframework.jms.connection.SingleConnectionFactory$SharedConnectionInvocationHandler.invoke(SingleConnectionFactory.java:620)
	at com.sun.proxy.$Proxy1.createSession(Unknown Source)
	at org.springframework.jms.support.JmsAccessor.createSession(JmsAccessor.java:192)
	at org.springframework.jms.core.JmsTemplate.execute(JmsTemplate.java:485)
	at org.springframework.jms.core.JmsTemplate.send(JmsTemplate.java:580)
	at com.sts.testPro.MessageSender.send(MessageSender.java:54)
	at com.sts.testPro.MessageSender.integraMessage(MessageSender.java:43)
	at com.sts.testCustomer.MQProducerTest.main(MQProducerTest.java:24)
Caused by: java.lang.SecurityException: User name [sts] or password is invalid.
	at org.apache.activemq.security.SimpleAuthenticationBroker.authenticate(SimpleAuthenticationBroker.java:103)
	at org.apache.activemq.security.SimpleAuthenticationBroker.addConnection(SimpleAuthenticationBroker.java:71)
	at org.apache.activemq.broker.BrokerFilter.addConnection(BrokerFilter.java:99)
	at org.apache.activemq.broker.TransportConnection.processAddConnection(TransportConnection.java:843)
	at org.apache.activemq.broker.jmx.ManagedTransportConnection.processAddConnection(ManagedTransportConnection.java:77)
	at org.apache.activemq.command.ConnectionInfo.visit(ConnectionInfo.java:139)
	at org.apache.activemq.broker.TransportConnection.service(TransportConnection.java:330)
	at org.apache.activemq.broker.TransportConnection$1.onCommand(TransportConnection.java:194)
	at org.apache.activemq.transport.MutexTransport.onCommand(MutexTransport.java:50)
	at org.apache.activemq.transport.WireFormatNegotiator.onCommand(WireFormatNegotiator.java:125)
	at org.apache.activemq.transport.AbstractInactivityMonitor.onCommand(AbstractInactivityMonitor.java:301)
	at org.apache.activemq.transport.TransportSupport.doConsume(TransportSupport.java:83)
	at org.apache.activemq.transport.tcp.TcpTransport.doRun(TcpTransport.java:233)
	at org.apache.activemq.transport.tcp.TcpTransport.run(TcpTransport.java:215)
	at java.lang.Thread.run(Thread.java:748)
 INFO | ===>System.exit
 INFO | Expiring connection ActiveMQConnection {id=ID:DESKTOP-HCAROEL-56035-1530758554572-1:1,clientId=ID:DESKTOP-HCAROEL-56035-1530758554572-0:1,started=false} on IOException: Force close due to SecurityException on connect

The broker reports that the username or password is invalid, so the credential check is in place. The stack trace shows the rejection happening in SimpleAuthenticationBroker.addConnection, i.e. when the connection is established, before any message is sent, which is why the pooled connection is force-closed.

Run the consumer test class:


No message is found, confirming that the send really failed.
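The same check can be repeated without the Spring client. The script below is an added example, not code from the original post: it opens a raw STOMP connection to the broker, sends a CONNECT frame carrying a login and passcode, and reports whether the broker answered CONNECTED or ERROR (or just dropped the socket). It assumes the stomp transportConnector that the stock activemq.xml enables on port 61613 is still present; the broker address and the sts/123456 pair come from this post, while the "wrong" password is a constructed bad value.

```python
"""Probe whether an ActiveMQ broker actually checks credentials, over STOMP.

Added example, not code from the original post.  Assumes the stomp
transportConnector from the stock activemq.xml (port 61613) is enabled.
"""
import socket

NULL = b"\x00"  # STOMP frame terminator


def build_connect(login: str, passcode: str, vhost: str = "localhost") -> bytes:
    """Build a STOMP 1.2 CONNECT frame carrying the credentials to be checked.

    The spec sends CONNECT/CONNECTED header values unescaped, so a password
    containing ':' or a newline cannot be transported this way.
    """
    headers = [("accept-version", "1.2"), ("host", vhost),
               ("login", login), ("passcode", passcode)]
    head = "".join(f"{k}:{v}\n" for k, v in headers)
    return b"CONNECT\n" + head.encode("utf-8") + b"\n" + NULL


def parse_frame(raw: bytes):
    """Split the first STOMP frame in raw into (command, headers, body)."""
    frame = raw.split(NULL, 1)[0].replace(b"\r\n", b"\n").lstrip(b"\n")
    head, _, body = frame.partition(b"\n\n")
    lines = head.decode("utf-8", "replace").split("\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers.setdefault(key, value)  # spec: first occurrence of a repeated header wins
    return lines[0], headers, body.decode("utf-8", "replace")


def classify(command: str, headers: dict) -> str:
    """Turn the broker's reply frame into a verdict on the credentials."""
    if command == "CONNECTED":
        return "accepted"
    if command == "ERROR":
        # ActiveMQ puts the SecurityException text in the 'message' header,
        # e.g. "User name [sts] or password is invalid."
        return "rejected: " + headers.get("message", "<no message>")
    return "unexpected reply: " + command


def probe(host: str, port: int, login: str, passcode: str, timeout: float = 5.0) -> str:
    """Connect, send CONNECT, read one reply frame and return the verdict.

    A broker that rejects the connection may close the socket right after the
    ERROR frame, or without sending one; both cases are reported, not raised.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect(login, passcode))
        buf = b""
        while NULL not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                return "rejected: broker closed the connection without a reply"
            buf += chunk
        command, headers, _ = parse_frame(buf)
        if command == "CONNECTED":
            sock.sendall(b"DISCONNECT\n\n" + NULL)  # close the session cleanly
        return classify(command, headers)


if __name__ == "__main__":
    # Broker address and sts/123456 from the post; "wrong" is a constructed bad password.
    for user, pw in (("sts", "123456"), ("sts", "wrong"), ("system", "manager")):
        print(f"{user}/{pw}: {probe('127.0.0.1', 61613, user, pw)}")
```

Run it once with the plugin section removed from activemq.xml and once with it in place: without the plugin every pair, including the system/manager default, comes back "accepted", which is the state the first half of this post describes.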

Besides hard-coding the client username and password in activemq.xml, they can be pulled in from a properties file:

In activemq.xml, inside <broker>, configure:

<plugins>
    <simpleAuthenticationPlugin>
        <users>
            <authenticationUser username="${activemq.name}" password="${activemq.pass}" groups="musers"/>
        </users>
    </simpleAuthenticationPlugin>
</plugins>

Further up in activemq.xml you will find a properties file being loaded:

<bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
    <property name="locations">
        <value>file:${activemq.conf}/credentials.properties</value>
    </property>
</bean>

credentials.properties is where ${activemq.name} and ${activemq.pass} are defined; open it with vim:

## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements.  See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License.  You may obtain a copy of the License at
## 
## http://www.apache.org/licenses/LICENSE-2.0
## 
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------

# Defines credentials that will be used by components (like web console) to access the broker

activemq.username=system
activemq.password=manager
guest.password=password

activemq.name=sts
activemq.pass=123456

Note that with either of the two methods the broker has to be restarted after the configuration change before it takes effect! (one more thing) Two further points for anything beyond a test box: credentials.properties holds the passwords in cleartext, readable by anyone who can read conf/ (the credentials-enc.properties in the listing is the encrypted variant ActiveMQ supports, filled with values produced by bin/activemq encrypt); the shipped system/manager and guest/password entries are well-known defaults and should be changed along with the console's admin/admin; and a plain tcp:// connector carries the username and password unencrypted, so a broker reachable over an untrusted network should use an ssl:// transport.
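Pulling the checks from both halves of this post together (the plugin, groups and default-credential steps above, and the ${...} placeholder method just described), the script below is an added example rather than any tooling of ActiveMQ's own. It reads activemq.xml, credentials.properties and jetty-realm.properties as text, resolves ${key} placeholders the way PropertyPlaceholderConfigurer does, and reports the gaps a reviewer would look for: no authentication plugin inside <broker>, anonymousAccessAllowed, an authenticationUser without a groups attribute, factory-default passwords on the broker or the console, and no authorizationPlugin. The file contents embedded at the bottom are constructed samples modelled on the files shown in this post; the functions take strings so they can be pointed at a real conf/ directory with Path.read_text().

```python
"""Audit ActiveMQ conf/ files for the authentication gaps described in this post.

Added example, not part of ActiveMQ or of the original post; standard library only.
"""
import re
import xml.etree.ElementTree as ET

# Factory-default credentials shipped in conf/ (credentials.properties, jetty-realm.properties).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("user", "user"),
                       ("system", "manager"), ("guest", "password")}
# Broker plugins that authenticate connections.
AUTH_PLUGINS = {"simpleAuthenticationPlugin", "jaasAuthenticationPlugin",
                "jaasCertificateAuthenticationPlugin", "jaasDualAuthenticationPlugin"}

def load_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value or key: value, '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props

def resolve(value: str, props: dict) -> str:
    """Expand ${key} like Spring's PropertyPlaceholderConfigurer; unknown keys stay as written."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def local(tag: str) -> str:
    """Strip the namespace: '{http://activemq.apache.org/schema/core}broker' -> 'broker'."""
    return tag.rsplit("}", 1)[-1]

def audit_broker(activemq_xml: str, props: dict) -> list:
    """Findings for activemq.xml: missing or weak authentication, missing authorization."""
    findings = []
    root = ET.fromstring(activemq_xml)
    tags = {local(el.tag) for el in root.iter()}
    if not tags & AUTH_PLUGINS:
        findings.append("no authentication plugin inside <broker>: any username/password is accepted")
    if "authorizationPlugin" not in tags:
        findings.append("no authorizationPlugin: every connected user can read/write/admin every destination")
    for el in root.iter():
        name = local(el.tag)
        if name == "simpleAuthenticationPlugin" and el.get("anonymousAccessAllowed", "false").lower() == "true":
            findings.append("simpleAuthenticationPlugin has anonymousAccessAllowed=true")
        if name == "authenticationUser":
            user = resolve(el.get("username", ""), props)
            password = resolve(el.get("password", ""), props)
            if el.get("groups") is None:
                findings.append(f"authenticationUser {user!r}: groups attribute missing (broker will not start)")
            if "${" in user or "${" in password:
                findings.append(f"authenticationUser {user!r}: unresolved placeholder")
            elif (user, password) in DEFAULT_CREDENTIALS:
                findings.append(f"authenticationUser {user!r}: factory-default password")
    return findings

def audit_jetty_realm(realm_text: str) -> list:
    """Findings for jetty-realm.properties (format: username: password[, role ...])."""
    findings = []
    for line in realm_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, rest = line.partition(":")
        password = rest.split(",")[0].strip()
        if password.startswith(("OBF:", "MD5:", "CRYPT:")):
            continue  # Jetty's non-cleartext credential forms
        if (user.strip(), password) in DEFAULT_CREDENTIALS:
            findings.append(f"web console user {user.strip()!r}: factory-default password")
    return findings

# Constructed sample input, modelled on the files shown in this post (not copied from a real install).
SAMPLE_ACTIVEMQ_XML = """<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">
    <plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="${activemq.name}" password="${activemq.pass}" groups="musers"/>
          <authenticationUser username="${activemq.username}" password="${activemq.password}"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
  </broker>
</beans>"""
SAMPLE_CREDENTIALS = ("activemq.username=system\nactivemq.password=manager\n"
                      "guest.password=password\nactivemq.name=sts\nactivemq.pass=123456\n")
SAMPLE_JETTY_REALM = "admin: admin, admin\nuser: user, user\n"

def run_sample() -> list:
    """Audit the constructed samples and return the combined findings."""
    props = load_properties(SAMPLE_CREDENTIALS)
    return audit_broker(SAMPLE_ACTIVEMQ_XML, props) + audit_jetty_realm(SAMPLE_JETTY_REALM)

if __name__ == "__main__":
    for finding in run_sample():
        print("-", finding)
```

On the sample the second authenticationUser is reported twice: once because it has no groups attribute, and once because the placeholders resolve to the shipped system/manager pair. Resolving placeholders before comparing is the point; grepping activemq.xml for "manager" would miss it.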



Reposted from blog.csdn.net/TS_10908/article/details/80922454