ActiveMQ Security Authentication
Chapter Guide
- How to use secure authentication
- How to use authorization
- How to create a custom security plugin
- Use certificate-based security authentication
Authentication is the process of verifying the identity of a user or entity requesting a protected resource. Common forms of authentication include plain text passwords, one-time password devices, smart cards, etc. ActiveMQ provides simple authentication, JAAS (Java Authentication and Authorization Service) authentication, and an API for custom security plugins. Once authenticated, the user or entity is then authorized to access system resources.
1.1 Authentication
All security features in ActiveMQ are implemented as plugins.
- Simple authentication plugin - defines authentication credentials directly in the XML or a properties file.
- JAAS authentication plugin - implements the JAAS API and provides a more powerful and customizable authentication solution.
1.1.1 Configuring the Simple Authentication Plugin
The easiest way to configure authentication is to put the credentials directly in the broker's XML configuration. The configured XML is as follows:
    <broker ...>
      <plugins>
        <simpleAuthenticationPlugin>
          <users>
            <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
            <authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
            <authenticationUser username="consumer" password="password" groups="consumers"/>
            <authenticationUser username="guest" password="password" groups="guests"/>
          </users>
        </simpleAuthenticationPlugin>
      </plugins>
    </broker>
The only change in the client code is to pass a username and password when creating the connection:
connection = factory.createConnection(username, password);
Plain text password authentication cannot be considered secure unless SSL is added. The JAAS plugin is the better choice where security matters.
1.1.2 Configuring the JAAS plugin
JAAS provides pluggable authentication, which means that ActiveMQ uses the same authentication API whichever authentication technique is used. This requires implementing the javax.security.auth.spi.LoginModule interface and changing the ActiveMQ configuration file.
1. Modify the conf/login.config configuration file
    activemq-domain {
        org.apache.activemq.jaas.PropertiesLoginModule required
            debug=true
            org.apache.activemq.jaas.properties.user="users.properties"
            org.apache.activemq.jaas.properties.group="groups.properties";
    };

PropertiesLoginModule is used as the JAAS login module; the users are defined in users.properties and the groups are defined in groups.properties.
users.properties

    admin = admin
    publisher=password
    consumer=password
    guest=password

groups.properties

    admins=admin
    publishers=admin,publisher
    consumers=admin,publisher,consumer
    guests=guest
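The two files above are the whole credential store for PropertiesLoginModule, so they are worth checking before a broker goes live. The following is an added example, not part of the original page or of ActiveMQ: a small audit that cross-checks users.properties against groups.properties. The deny-list of weak passwords, the finding names and the stale group member "olduser" are assumptions made for the illustration.

```python
# Added example: audit PropertiesLoginModule credential files (not ActiveMQ code).
WEAK = {"password", "admin", "guest", "changeme", "123456"}  # assumed deny-list

def parse_properties(text):
    """Parse simple key=value lines, skipping blanks and #/! comments.
    Simplified: no line continuations or escapes from the full .properties syntax."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries

def audit(users_text, groups_text):
    """Return a sorted list of (kind, subject) findings for the two files."""
    users = parse_properties(users_text)
    groups = {g: [m.strip() for m in v.split(",") if m.strip()]
              for g, v in parse_properties(groups_text).items()}
    findings = []
    for name, pw in users.items():
        if pw == name:
            findings.append(("password-equals-username", name))
        elif pw.lower() in WEAK:
            findings.append(("weak-password", name))
    members = {m for ms in groups.values() for m in ms}
    # A group member with no user entry gains that group's rights as soon as
    # someone creates an account with that name.
    for m in members - set(users):
        findings.append(("group-member-without-user", m))
    for name in set(users) - members:
        findings.append(("user-without-group", name))
    return sorted(findings)

# Constructed sample: the page's two files plus one stale group member ("olduser").
USERS = "admin = admin\npublisher=password\nconsumer=password\nguest=password\n"
GROUPS = ("admins=admin\npublishers=admin,publisher\n"
          "consumers=admin,publisher,consumer,olduser\nguests=guest\n")

if __name__ == "__main__":
    for kind, subject in audit(USERS, GROUPS):
        print(f"{kind}: {subject}")
```

Run against the sample files as written on this page, every account is flagged, which is the expected result for tutorial credentials.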