6 Securing ActiveMQ

This chapter covers

How to use authentication in ActiveMQ
How to use authorization in ActiveMQ
How to create a custom security plug-in for ActiveMQ
Using certificate-based security with ActiveMQ

Securing access to the message broker and its destinations is a common concern. For this reason, ActiveMQ provides a flexible and customizable security model that can be adapted to the security mechanisms already used in your environment. Before we begin our discussion of security with ActiveMQ, a brief review of some basic security terms, and of how they fit into the ActiveMQ security model, is in order.

Authentication is the process used to verify the identity of an entity or a user that is requesting access to a secured resource. Some common forms of authentication include plain-text passwords, one-time password devices, smart cards, and Kerberos, to name a few. ActiveMQ provides simple authentication and JAAS (Java Authentication and Authorization Service) authentication, as well as an API for writing custom authentication plug-ins. Upon successful authentication, access to the system is granted, but performing operations on the system's resources may require specific authorization.

Authorization is the process used to determine the access rights of a user or an entity to a secured resource. Authorization depends on authentication to keep unauthenticated users out of the system, but it is authorization that determines whether a user has the privileges to perform a particular action. For example, does user X have the necessary permissions to execute program Y on system Z? Such privileges are often expressed as access control lists (ACLs), which determine who or what can access a given resource to perform a given operation. In ActiveMQ, authorization involves restricting access to various operations, including the ability to publish to a destination, to consume from a destination, to create a destination, and to delete a destination.
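As an added example, not code from the book or from the post this page is reposted from, the activemq.xml fragment below shows how the two concepts just defined map onto broker plug-ins: the simple authentication plug-in answers "who is this client?", and the authorization plug-in answers "what may this client do?", with the read, write and admin attributes corresponding to the consume, publish and create/delete operations named above. The user names, passwords, group names (admins, publishers, consumers) and the ORDERS destination prefix are constructed placeholders.

```xml
<!-- Added example (not from the book or the post): fragment of activemq.xml
     wiring the simple authentication plug-in to the authorization plug-in.
     All user names, passwords, groups and destination names are constructed. -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <plugins>
    <!-- Authentication: the simple plug-in keeps users, passwords and group
         membership in this file, so the file itself is a credential store
         and must be protected like one. Anonymous access is off by default. -->
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="admin"     password="CHANGE_ME_admin"
                            groups="admins,publishers,consumers"/>
        <authenticationUser username="publisher" password="CHANGE_ME_pub"
                            groups="publishers"/>
        <authenticationUser username="consumer"  password="CHANGE_ME_con"
                            groups="consumers"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- Authorization: each entry is an ACL for one destination pattern.
         read = consume from it, write = publish to it, admin = create or delete it.
         '>' is the ActiveMQ wildcard for "any remaining name segments". -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- Catch-all: only administrators may touch destinations not listed below. -->
            <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>

            <!-- Application destinations: publishers may only send, consumers may only receive,
                 and neither group may create or delete destinations. -->
            <authorizationEntry queue="ORDERS.>" read="consumers" write="publishers" admin="admins"/>
            <authorizationEntry topic="ORDERS.>" read="consumers" write="publishers" admin="admins"/>

            <!-- Advisory topics are used by clients internally (temporary destinations,
                 connection events); every authenticated group needs them or clients
                 fail with confusing errors. -->
            <authorizationEntry topic="ActiveMQ.Advisory.>"
                                read="admins,publishers,consumers"
                                write="admins,publishers,consumers"
                                admin="admins,publishers,consumers"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>

  <transportConnectors>
    <transportConnector name="openwire" uri="tcp://0.0.0.0:61616"/>
  </transportConnectors>
</broker>
```

Two points worth checking when adapting this: the plug-ins are applied in the order listed, so authentication must precede authorization, and the ACLs of every entry that matches a destination are combined, which means a permissive catch-all (`>` granted to everyone) cannot later be narrowed by a more specific entry. Keep the catch-all restrictive and grant broader rights only on explicit prefixes. Verification is straightforward: a client authenticated as `consumer` should be able to receive from `ORDERS.new` but be rejected when it tries to send to it, and a client with no credentials should be rejected at connection time.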

We'll start this chapter by describing the authentication plug-ins. We'll see how to set up authentication directly in XML configuration using the simple authentication plug-in, or by using the JAAS API. Next, we deal with authorization. We'll cover the authorization plug-in, which, in conjunction with the authentication plug-ins, lets us define fine-grained access control for broker clients. Besides this standard per-client authorization, ActiveMQ also allows authorization at the message level, as we'll see next. If none of these built-in security mechanisms works for you, you can always build your own. We'll demonstrate this process by building a custom security plug-in that authenticates clients based on their IP address. The final section of this chapter deals with certificate-based security. We'll expand on the SSL example used in chapter 4 and see how you can authenticate and authorize clients based on their SSL certificates.

So, after reading this chapter, you'll be able to secure the broker and integrate it fully with your existing security infrastructure. Now let's look at some practical examples of ActiveMQ security configurations.


Reposted from jackyin5918.iteye.com/blog/1963851