Chapter 7 ActiveMQ Security Authentication


 

Chapter Guide
  •    How to use secure authentication
  •    How to use authorization
  •    How to create a custom security plugin
  •    Use certificate-based security authentication

             Authentication is the process of verifying the identity of a user or entity requesting a protected resource. Common forms of authentication include plain-text passwords, one-time password devices, smart cards, etc. ActiveMQ provides simple authentication and JAAS (Java Authentication and Authorization Service) authentication, plus an API for custom security plugins. After successful authentication, the user is authorized to access system resources.

 

1.1 Authentication

       All security concepts in ActiveMQ are implemented as plugins.

  • Simple authentication plugin - credentials are defined directly in the XML configuration or in a properties file.
  • JAAS authentication plugin - implements the JAAS API and provides a more powerful and customizable authentication solution.

   1.1.1 Configuring the Simple Authentication Plugin

         The easiest way to configure authentication is to define the credentials directly in the broker's XML configuration. The configured XML is as follows:

                  

<broker ...>
	<plugins>
		<simpleAuthenticationPlugin>
			<users>
				<authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
				<authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
				<authenticationUser username="consumer" password="password" groups="consumers"/>
				<authenticationUser username="guest" password="password" groups="guests"/>
			</users>
		</simpleAuthenticationPlugin>
	</plugins>
</broker>

   The only change in the client code is to pass a username and password when creating the connection.

   

  connection = factory.createConnection(username, password);
 

 

     Plain-text password authentication cannot be considered secure unless SSL is added. The JAAS plugin is better suited to secure deployments.

   1.1.2 Configuring the JAAS plugin

         JAAS provides pluggable authentication, which means that ActiveMQ uses the same authentication API regardless of the mechanism behind it. This requires implementing the javax.security.auth.spi.LoginModule interface and changing the ActiveMQ configuration file.

         1. Modify the conf/login.config configuration file

          

activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        debug=true
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};

    PropertiesLoginModule is the JAAS login module used here; the users are defined in users.properties and the groups are defined in groups.properties.

 

  users.properties

admin = admin
publisher=password
consumer=password
guest=password

  groups.properties

admins=admin
publishers=admin,publisher
consumers=admin,publisher,consumer
guests=guest
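
An added example (not from the original article): a small audit of the two credential stores configured above, flagging passwords that equal the username, appear on a short deny-list, or are shared between accounts. The sample inputs are constructed from the listings above, and the WEAK deny-list and the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample input mirroring the two credential stores shown above.
BROKER_XML = """<broker><plugins><simpleAuthenticationPlugin><users>
  <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
  <authenticationUser username="guest" password="password" groups="guests"/>
</users></simpleAuthenticationPlugin></plugins></broker>"""
USERS_PROPERTIES = "admin = admin\npublisher=password\nconsumer=password\nguest=password\n"

WEAK = {"password", "admin", "guest", "activemq", "changeme", "123456"}  # assumed deny-list


def users_from_xml(text):
    """Return {username: password} from simpleAuthenticationPlugin entries."""
    root = ET.fromstring(text)
    # Match on the local tag name so a namespaced activemq.xml also works.
    return {e.get("username"): e.get("password", "")
            for e in root.iter() if e.tag.rsplit("}", 1)[-1] == "authenticationUser"}


def users_from_properties(text):
    """Return {username: password} from a users.properties body."""
    creds = {}
    for line in text.splitlines():
        line = line.lstrip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            user, _, pw = line.partition("=")
            creds[user.strip()] = pw.lstrip()  # leading whitespace is not part of the value
    return creds


def audit(creds):
    """Return sorted (username, finding) pairs for weak credential entries."""
    reuse = Counter(creds.values())
    findings = []
    for user, pw in creds.items():
        if pw.lower() == user.lower():
            findings.append((user, "password equals username"))
        elif pw.lower() in WEAK:
            findings.append((user, "password on deny-list"))
        if reuse[pw] > 1:
            findings.append((user, "password shared with another account"))
    return sorted(findings)
```

Running audit(users_from_properties(...)) on the real conf/users.properties, or audit(users_from_xml(...)) on the broker XML, returns an empty list when none of the three conditions is met.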
 

 
