一、认证
认证(authentication):验证某个实体或者用户是否有权限访问受保护资源。
MQ提供两种插件用于权限认证:
(一)、Simple authentication plug-in:直接把相关的权限认证信息配置到XML文件中。
配置 conf/activemq.xml 的 broke元素添加插件:
<plugins><simpleAuthenticationPlugin><users><authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/><authenticationUser username="publisher" password="password" groups="publishers,consumers"/><authenticationUser username="consumer" password="password" groups="consumers"/><authenticationUser username="guest" password="password" groups="guests"/></users></simpleAuthenticationPlugin></plugins>
代码中的认证方式两种:
1、在创建Connection的时候认证
//用户认证Connection conn = connFactory.createConnection("admin","password");2、也可以在创建ConnectionFactory工厂的时候认证
ConnectionFactory connFactory = new ActiveMQConnectionFactory("admin","password",url);
(二)、JAAS authentication plug-in:实现了JAAS API,提供了一个更强大的和可定制的权限方案。
配置方式:
1、在conf目录中创建 login.config 文件 用户 配置 PropertiesLoginModule:
activemq-domain {
org.apache.activemq.jaas.PropertiesLoginModule required debug=trueorg.apache.activemq.jaas.properties.user="users.properties"org.apache.activemq.jaas.properties.group="groups.properties";
};2、在conf目录中创建users.properties 文件用户配置用户:
# 创建四个用户 admin=password publisher=password consumer=password guest=password
3、在conf目录中创建groups.properties 文件用户配置用户组:
#创建四个组并分配用户 admins=admin publishers=admin,publisher consumers=admin,publisher,consumer guests=guest
4、将该配置插入到activemq.xml中:
<!-- JAAS authentication plug-in --><plugins><jaasAuthenticationPlugin configuration="activemq-domain" /></plugins>
5、配置MQ的启动参数:
使用dos命令启动:
D:\tools\apache-activemq-5.6.0-bin\apache-activemq-5.6.0\bin\win64>activemq.bat -Djava.security.auth.login.config=D:/tools/apache-activemq-5.6.0-bin/apache-activemq-5.6.0/conf/login.config
6、在代码中的认证方式与Simple authentication plug-in 相同。
二、授权
基于认证的基础上,可以根据实际用户角色来授予相应的权限,如有些用户有队列写的权限,有些则只能读等等。
两种授权方式
(一)、目的地级别授权
JMS目的地的三种操作级别:
Read :读取目的地消息权限
Write:发送消息到目的地权限
Admin:管理目的地的权限
配置方式 conf/activemq.xml :
<plugins><jaasAuthenticationPlugin configuration="activemq-domain" /><authorizationPlugin><map><authorizationMap><authorizationEntries><authorizationEntry topic="topic.ch09" read="consumers" write="publishers" admin="publishers" /></authorizationEntries></authorizationMap></map></authorizationPlugin></plugins>
(二)、消息级别授权
授权特定的消息。
开发步骤:
1、实现消息授权插件,需要实现MessageAuthorizationPolicy接口
public class AuthorizationPolicy implements MessageAuthorizationPolicy {private static final Log LOG = LogFactory.
getLog(AuthorizationPolicy.class);public boolean isAllowedToConsume(ConnectionContext context,
Message message) {
LOG.info(context.getConnection().getRemoteAddress());
String remoteAddress = context.getConnection().getRemoteAddress();if (remoteAddress.startsWith("/127.0.0.1")) {
LOG.info("Permission to consume granted");return true;
} else {
LOG.info("Permission to consume denied");return false;
}
}
}2、把插件实现类打成JAR包,放入到activeMq 的 lib目录中
3、在activemq.xml中设置
<messageAuthorizationPolicy><bean class="org.apache.activemq.book.ch6.AuthorizationPolicy" xmlns="http://www.springframework.org/schema/beans" /></messageAuthorizationPolicy>
三、自定义安全插件
插件逻辑需要实现BrokerFilter类,并且通过BrokerPlugin实现类来安装,用于拦截,Broker级别的操作:
接入消费者和生产者
提交事务
添加和删除broker的连接
demo:基于IP地址,限制Broker连接。
package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerFilter;import org.apache.activemq.broker.ConnectionContext;import org.apache.activemq.command.ConnectionInfo;public class IPAuthenticationBroker extends BrokerFilter {
List<String> allowedIPAddresses;public IPAuthenticationBroker(Broker next, List<String>allowedIPAddresses) {super(next);this.allowedIPAddresses = allowedIPAddresses;
}public void addConnection(ConnectionContext context, ConnectionInfo info) throws Exception {
String remoteAddress = context.getConnection().getRemoteAddress();if (!allowedIPAddresses.contains(remoteAddress)) {throw new SecurityException("Connecting from IP address "
+ remoteAddress+ " is not allowed" );
}super.addConnection(context, info);
}
}安装插件:
package ch02.ptp;import java.util.List;import org.apache.activemq.broker.Broker;import org.apache.activemq.broker.BrokerPlugin;public class IPAuthenticationPlugin implements BrokerPlugin {
List<String> allowedIPAddresses;public Broker installPlugin(Broker broker) throws Exception {return new IPAuthenticationBroker(broker, allowedIPAddresses);
}public List<String> getAllowedIPAddresses() {return allowedIPAddresses;
}public void setAllowedIPAddresses(List<String> allowedIPAddresses) {this.allowedIPAddresses = allowedIPAddresses;
}
}ps:将这连个类打成jar包放到activemq的lib目录下
配置自定义插件:
<plugins><bean xmlns="http://www.springframework.org/schema/beans" id="ipAuthenticationPlugin" class="org.apache.activemq.book.ch6.IPAuthenticationPlugin"><property name="allowedIPAddresses"><list> <value>127.0.0.1</value></list></property></bean></plugins>
