6.1 Authentication

All security concepts in ActiveMQ are implemented as plug-ins. This allows for easy configuration and customization via the <plugin> element of the ActiveMQ XML configuration file. Two plug-ins are available in ActiveMQ to authenticate users:

- Simple authentication plug-in: handles credentials directly in the XML configuration file or in a properties file
- JAAS authentication plug-in: implements the JAAS API and provides a more powerful and customizable authentication solution

Let's review these two authentication plug-ins.

6.1.1 Configuring the simple authentication plug-in

The easiest way to secure the broker is through the use of authentication credentials placed directly in the broker's XML configuration file. Such functionality is provided by the simple authentication plug-in that's part of ActiveMQ. The following listing provides an example of using this plug-in.

Listing 6.1 Configuring the simple authentication plug-in

<broker ...>
  <plugins>
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
        <authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
        <authenticationUser username="consumer" password="password" groups="consumers"/>
        <authenticationUser username="guest" password="password" groups="guests"/>
      </users>
    </simpleAuthenticationPlugin>
  </plugins>
</broker>

By using this simple configuration snippet, four users can now access ActiveMQ. Obviously, for authentication purposes, each user must have a username and a password. Additionally, the groups attribute provides a comma-separated list of groups to which the user belongs. This information is used for authorization purposes, as will be seen shortly.

The best way to understand this configuration is to use it with the stock portfolio example. First, the broker must be started using the configuration file defined earlier:

${ACTIVEMQ_HOME}/bin/activemq console xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-simple.xml

(On Windows XP the command is: %ACTIVEMQ_HOME%/bin/activemq xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-simple.xml)

Now run the stock publisher with the following command; you should see the exception shown below:

$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch3.portfolio.Publisher -Dexec.args="CSCO ORCL"
...
Exception in thread "main" javax.jms.JMSException: User name or password is invalid.
...

The preceding exception is expected because a security plug-in is activated but the authentication credentials haven't yet been defined in the publisher client. To fix this exception, modify the publisher to add a username and password. The following snippet provides an example of this:

  // factory, connection, session, producer and brokerURL are fields of the book's Publisher class
  private String username = "publisher";
  private String password = "password";

  public Publisher() throws JMSException {
    factory = new ActiveMQConnectionFactory(brokerURL);
    // the credentials are passed to createConnection() instead of using the no-argument form
    connection = factory.createConnection(username, password);
    connection.start();
    session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
    producer = session.createProducer(null);
  }

  

As the preceding snippet shows, the only necessary change is to define a username and a password that are then used as parameters to the call to the createConnection() method. Compiling and running the modified publisher with the following command will now yield the proper behavior, as shown in the output:

$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Publisher -Dexec.args="CSCO ORCL"
...
Sending: {price=35.25020234334, stock=ORCL, offer=35.28545254568, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=35.018408299624, stock=ORCL, offer=35.053426707924, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=34.722966908601, stock=ORCL, offer=34.75768987551, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=1.651542629939308, stock=CSCO, offer=1.653194172569, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=34.598719623046, stock=ORCL, offer=34.63331834266, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=34.43900856142, stock=ORCL, offer=34.47344756998, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=1.6580787335090, stock=CSCO, offer=1.659736812242, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=34.458768559093, stock=ORCL, offer=34.49322732765, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=1.6547727745488, stock=CSCO, offer=1.6564275473233, up=false} on destination: topic://STOCKS.CSCO
Sending: {price=1.665375738897, stock=CSCO, offer=1.6670411146368, up=true} on destination: topic://STOCKS.CSCO
Published '10' of '10' price messages
...

Note in the output that our producer successfully connects to the broker and sends messages.

Unfortunately, with the simple authentication plug-in, passwords are stored (and transferred) as clear text, which impacts the security of the broker. But even plain-text passwords prevent unauthorized clients from interacting with the broker, and in some environments this is all that's needed. Additionally, you can consider using the simple authentication plug-in in combination with the SSL transport, which will at least solve the problem of sending plain passwords over the network.

For environments that need a more secure installation and/or for environments that already have an existing security infrastructure with which ActiveMQ will need to integrate, the JAAS plug-in may be more appropriate.

6.1.2 Configuring the JAAS plug-in

A detailed explanation of JAAS is beyond the scope of this book. Instead, this section will briefly introduce JAAS basic concepts and demonstrate how to create a PropertiesLoginModule that can be used to achieve the same functionality as the simple security plug-in using JAAS. For more detailed information about JAAS, please refer to the JAAS documentation (http://mng.bz/BvvB).

JAAS provides pluggable authentication, which means ActiveMQ will use the same authentication API regardless of the technique used to verify user credentials (a text file, a relational database, LDAP, and so on). All that's required is an implementation of the javax.security.auth.spi.LoginModule interface (http://mng.bz/8zLV) and a configuration change to ActiveMQ. Fortunately, ActiveMQ comes with implementations of some modules that can authenticate users using properties files, LDAP, and SSL certificates, which will be enough for many use cases. Because JAAS login modules follow a specification, one advantage of them is that they're relatively straightforward to configure. The best way to understand a login module is by walking through a configuration. For this task, the login module that works with properties files will be used.

The first step in this task is to identify the PropertiesLoginModule so that ActiveMQ is made aware of it. To do so, you must create a file named login.config that contains a standardized format for configuring JAAS users and groups (http://mng.bz/IIEB). Here are the contents of the file:

activemq-domain {
  org.apache.activemq.jaas.PropertiesLoginModule required debug=true
  org.apache.activemq.jaas.properties.user="users.properties"
  org.apache.activemq.jaas.properties.group="groups.properties";
};

The login.config file shown here contains a few different items for configuring a JAAS module. The activemq-domain is the predominant item in this file and it contains all the configuration for the login module. First is the fully qualified name of the PropertiesLoginModule and the trailing notation identifying it as required. This means that the authentication can't continue without this login module. Second is a line to enable debug logging for the login module; this is optional. Third is the org.apache.activemq.jaas.properties.user property, which points to the users.properties file. Fourth is the org.apache.activemq.jaas.properties.group property, which points to the groups.properties file. Once this is all defined, the two properties files must be created.

NOTE The PropertiesLoginModule used in this section is an implementation of a JAAS login module, and it comes with ActiveMQ.
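As an added example (not code from the book or from ActiveMQ), the following hypothetical MapLoginModule implements the javax.security.auth.spi.LoginModule contract described above, backed by a constructed in-memory credential table instead of users.properties, and drives it through a LoginContext with a programmatic Configuration that is the equivalent of the activemq-domain entry in login.config, including the required control flag. The class name, the authenticate() helper and the table contents are assumptions made for illustration. The module also keeps two details a real module should not drop: the password comparison runs in constant time, and an unknown user and a wrong password produce the same generic failure, so a failed attempt does not reveal which usernames exist.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.Principal;
import java.util.HashMap;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.AppConfigurationEntry.LoginModuleControlFlag;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical module: the same LoginModule contract that ActiveMQ's PropertiesLoginModule fulfils,
// backed by a constructed in-memory table instead of users.properties.
public class MapLoginModule implements LoginModule {
    static final Map<String, String> USERS = new HashMap<>();
    static { USERS.put("publisher", "password"); USERS.put("consumer", "password"); }

    private Subject subject;
    private CallbackHandler handler;
    private String user;        // set by login(), turned into a Principal by commit()
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject; // options carries the key=value pairs written after the module name in login.config
        this.handler = handler;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user: ");
        PasswordCallback pass = new PasswordCallback("password: ", false);
        try {
            handler.handle(new Callback[] { name, pass }); // the caller supplies the client's credentials here
        } catch (Exception e) {
            throw new LoginException("cannot obtain credentials: " + e.getMessage());
        }
        String expected = USERS.get(name.getName());
        char[] supplied = pass.getPassword();
        pass.clearPassword();
        // Constant-time comparison; unknown user and wrong password fail with the same message.
        boolean ok = expected != null && supplied != null && MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                new String(supplied).getBytes(StandardCharsets.UTF_8));
        if (supplied != null) java.util.Arrays.fill(supplied, '\0');
        if (!ok) throw new FailedLoginException("User name or password is invalid.");
        user = name.getName();
        succeeded = true;
        return true;
    }

    @Override
    public boolean commit() {
        if (!succeeded) return false;
        final String authenticated = user;
        subject.getPrincipals().add(new Principal() { public String getName() { return authenticated; } });
        return true;
    }

    @Override public boolean abort() { user = null; succeeded = false; return true; }
    @Override public boolean logout() { subject.getPrincipals().clear(); return true; }

    // Programmatic equivalent of the login.config entry:  activemq-domain { MapLoginModule required; };
    static final Configuration CONFIG = new Configuration() {
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String domain) {
            return new AppConfigurationEntry[] { new AppConfigurationEntry(
                    MapLoginModule.class.getName(), LoginModuleControlFlag.REQUIRED,
                    new HashMap<String, Object>()) };
        }
    };

    // One login through LoginContext, the path a broker-side JAAS plug-in takes for each connection.
    public static boolean authenticate(String username, char[] password) {
        CallbackHandler supplier = callbacks -> {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(username);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else throw new UnsupportedCallbackException(c);
            }
        };
        try {
            new LoginContext("activemq-domain", new Subject(), supplier, CONFIG).login();
            return true;
        } catch (LoginException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        System.out.println("publisher/password: " + authenticate("publisher", "password".toCharArray()));
        System.out.println("publisher/wrong:    " + authenticate("publisher", "wrong".toCharArray()));
        System.out.println("nobody/password:    " + authenticate("nobody", "password".toCharArray()));
    }
}
```

The class needs nothing beyond the JDK to compile and run. A custom module is wired into a JAAS domain the same way PropertiesLoginModule is: its fully qualified class name goes in the login.config entry, and the class must be on the classpath of the process that performs the login.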

Defining user credentials in the properties files is simple. The users.properties file defines each user on its own line in the form username=password, as shown:

admin=password
publisher=password
consumer=password
guest=password

The groups.properties file defines group names in a line-delimited manner as well. But each group contains a comma-separated list of its users, as shown:

admins=admin
publishers=admin,publisher
consumers=admin,publisher,consumer
guests=guest
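Nothing in either file checks that a name listed in groups.properties is actually a user defined in users.properties, and a misspelled member simply drops that user from the group. As an added example (not the book's or ActiveMQ's code), the hypothetical PropertiesAuthCheck below loads copies of both files with the same java.util.Properties parser the login module uses, inverts the group-to-members mapping into the per-user view that the simple plug-in's groups attribute expresses directly, and reports what neither file can flag on its own: a member that is not a defined user, a user in no group, and an empty password. The file contents are constructed inline, and the consumers line deliberately carries a typo so the check has something to find.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

// Hypothetical consistency check over the two files a properties-based JAAS login module reads.
public class PropertiesAuthCheck {
    // Constructed copies of users.properties and groups.properties; "consmer" is a deliberate typo.
    static final String USERS =
            "admin=password\npublisher=password\nconsumer=password\nguest=password\n";
    static final String GROUPS =
            "admins=admin\npublishers=admin,publisher\nconsumers=admin,publisher,consmer\nguests=guest\n";

    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));   // same parser and format as the login module's files
        return p;
    }

    // Inverts group -> members into user -> groups, the view the simple plug-in's groups attribute gives.
    public static Map<String, Set<String>> groupsPerUser(String usersText, String groupsText) throws IOException {
        Properties users = load(usersText), groups = load(groupsText);
        Map<String, Set<String>> result = new TreeMap<>();
        for (String u : users.stringPropertyNames()) result.put(u, new TreeSet<>());
        for (String g : groups.stringPropertyNames()) {
            for (String member : groups.getProperty(g).split(",")) {
                Set<String> memberGroups = result.get(member.trim());
                if (memberGroups != null) memberGroups.add(g);   // unknown members are reported by findProblems
            }
        }
        return result;
    }

    // Reports the mismatches that neither file format flags by itself.
    public static List<String> findProblems(String usersText, String groupsText) throws IOException {
        Properties users = load(usersText), groups = load(groupsText);
        List<String> problems = new ArrayList<>();
        for (String u : users.stringPropertyNames())
            if (users.getProperty(u).isEmpty()) problems.add("user '" + u + "' has an empty password");
        for (String g : groups.stringPropertyNames())
            for (String member : groups.getProperty(g).split(","))
                if (!users.containsKey(member.trim()))
                    problems.add("group '" + g + "' lists unknown user '" + member.trim() + "'");
        for (Map.Entry<String, Set<String>> e : groupsPerUser(usersText, groupsText).entrySet())
            if (e.getValue().isEmpty())
                problems.add("user '" + e.getKey() + "' belongs to no group, so group-based authorization cannot grant it anything");
        return problems;
    }

    public static void main(String[] args) throws IOException {
        groupsPerUser(USERS, GROUPS).forEach((u, g) -> System.out.println(u + " -> " + g));
        findProblems(USERS, GROUPS).forEach(p -> System.out.println("PROBLEM: " + p));
    }
}
```

With the constructed input the check reports both symptoms of the single typo: the unknown member consmer in the consumers group, and the real user consumer left with no group at all. Run it against the real files before restarting the broker, since a properties file that parses cleanly is not evidence that it says what was intended.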

Once these files are created, the JAAS plug-in must be defined in the ActiveMQ XML configuration file. The following is an example of this necessary change:

...
<plugins>
  <jaasAuthenticationPlugin configuration="activemq-domain" />
</plugins>
...

The example is shortened for readability and only shows the necessary change to enable the JAAS login module. As you can see, the JAAS plug-in only needs the name of the JAAS domain in the login.config file. ActiveMQ will locate the login.config file on the classpath (an alternative to this is to use the java.security.auth.login.config system property for the location of the login.config file). To test out the JAAS login module that was just created, start up ActiveMQ using these changes. Here's the command to use:

${ACTIVEMQ_HOME}/bin/activemq console -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml

(On Windows XP the command is: %ACTIVEMQ_HOME%/bin/activemq -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml)

...
Loading message broker from: xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml
INFO | PListStore: Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/tmp_storage started
INFO | Using Persistence Adapter: KahaDBPersistenceAdapter [/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/KahaDB]
INFO | JMX consoles can connect to service: jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
INFO | ActiveMQ 5.4.1 JMS Message Broker (localhost) is starting
INFO | For help or more information please see: http://activemq.apache.org/
INFO | Scheduler using directory: /Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler
INFO | JobSchedulerStore: /Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler started
INFO | Listening for connections at: tcp://localhost:61616
INFO | Connector openwire Started
INFO | ActiveMQ JMS Message Broker (localhost, ID:mongoose.local-61955-1289966951514-0:0) started

The broker has been secured just like the previous section where simple authentication was used, only now the JAAS standard was used. Now we can start our stock portfolio publisher that uses proper credentials and expect it to be able to access the broker. Run it with the following command:

mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Publisher -Dexec.args="CSCO ORCL"

...
Sending: {price=44.84266119470, stock=ORCL, offer=44.88750385590, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.5575471806, stock=ORCL, offer=44.60210472778, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.49794307251, stock=ORCL, offer=44.54244101559, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.48574009628, stock=ORCL, offer=44.530225836380, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=55.89763705357, stock=CSCO, offer=55.953534690630, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=44.09643970531, stock=ORCL, offer=44.140536145020, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.20879151845, stock=ORCL, offer=44.25300030997, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.38257378288, stock=ORCL, offer=44.426956356664, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.660334580924, stock=ORCL, offer=44.704994915505, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.77852477644, stock=ORCL, offer=44.8233033012, up=true} on destination: topic://STOCKS.ORCL
Published '10' of '10' price messages
...

As we can see, the JAAS plug-in provides exactly the same functionality as the simple authentication plug-in. But it does so using the standardized Java mechanism, meaning you can use it to plug in any existing security policies you use inside your organization. In addition to the ability to authenticate access to the broker services, ActiveMQ also provides the ability to authorize specific operations at a fine-grained level. The next section explores this topic thoroughly.


Reposted from jackyin5918.iteye.com/blog/1964675