Monday, October 30, 2017

Security for ACTIVEMQ

Configuration file: ACTIVEMQ_HOME/conf/activemq.xml
Here’s a sample snippet to show you how authentication / authorization can be handled in ActiveMQ.

. . .
<plugins>
  <simpleAuthenticationPlugin>
    <users>
      <authenticationUser username="sa" password="manager" groups="producers,consumers,admins" />
      <authenticationUser username="frontend" password="manager" groups="producers,consumers" />
      <authenticationUser username="backend" password="manager" groups="consumers" />
    </users>
  </simpleAuthenticationPlugin>
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue=">" write="producers" read="consumers" admin="admins" />
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
. . .
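
An added example, not from the original post or the ActiveMQ project: a Python audit of the snippet above that resolves each user's groups against the authorizationEntry and flags what a reviewer would question in it (one password shared by all three accounts, one wildcard rule for every queue). The names audit and SAMPLE are hypothetical, and the input is this page's plugins block embedded as a constructed sample.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: the <plugins> block from the activemq.xml snippet on this page.
SAMPLE = """<plugins>
  <simpleAuthenticationPlugin><users>
    <authenticationUser username="sa" password="manager" groups="producers,consumers,admins"/>
    <authenticationUser username="frontend" password="manager" groups="producers,consumers"/>
    <authenticationUser username="backend" password="manager" groups="consumers"/>
  </users></simpleAuthenticationPlugin>
  <authorizationPlugin><map><authorizationMap><authorizationEntries>
    <authorizationEntry queue=">" write="producers" read="consumers" admin="admins"/>
  </authorizationEntries></authorizationMap></map></authorizationPlugin>
</plugins>"""

def _local(tag):
    # A complete activemq.xml declares XML namespaces; compare local names only.
    return tag.rsplit("}", 1)[-1]

def _csv(value):
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def audit(xml_text):
    """Return (effective rights per user and destination, list of findings)."""
    users, entries, by_password = {}, [], defaultdict(list)
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) == "authenticationUser":
            users[el.get("username")] = _csv(el.get("groups"))
            by_password[el.get("password")].append(el.get("username"))
        elif _local(el.tag) == "authorizationEntry":
            entries.append(el)
    rights, findings = {}, []
    for e in entries:
        kind = "queue" if e.get("queue") is not None else "topic"
        for user, groups in users.items():
            # A user holds an operation when one of their groups is listed for it.
            rights[(user, kind, e.get(kind))] = {
                op for op in ("read", "write", "admin") if groups & _csv(e.get(op))}
        if e.get(kind) == ">":
            findings.append(f"one '>' entry governs every {kind}")
    for names in by_password.values():
        if len(names) > 1:  # never echo the password itself into the report
            findings.append("shared password: " + ", ".join(sorted(names)))
    return rights, findings

if __name__ == "__main__":
    rights, findings = audit(SAMPLE)
    print(*(f"{k}: {sorted(v)}" for k, v in sorted(rights.items())), *findings, sep="\n")
```

Run against a real activemq.xml by passing the file's text to audit(); the report names accounts and destinations only.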

For advanced users: ActiveMQ 4.x and later provide pluggable security through a number of providers; see http://activemq.apache.org/security.html for details.
The most common providers are:
  • JAAS for authentication
  • a default authorization mechanism using a simple XML configuration file.

Authentication

The default JAAS plugin relies on the standard JAAS mechanism for authentication. Refer to the documentation for more detail.
Typically you configure JAAS using a config file like this one and set the java.security.auth.login.config system property to point to it. If no system property is specified then by default the ActiveMQ JAAS plugin will look for login.config on the classpath and use that.

Authentication Example

Here is an example login.config which then points to these files.
Note: Until version 5.11.1, these property files were reloaded on every authentication request by default, so updates to users, passwords and groups took effect immediately. From 5.12 onward they are only reloaded if reload=true is set in your LoginModule configuration, e.g.
activemq {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties"
        reload=true;
};
If reload=true is not set, these property files are loaded at broker startup only, so a changed password or a removed user does not take effect until the broker is restarted. See AMQ-5876 for details.

Simple Authentication Plugin

If you have modest authentication requirements (or just want to quickly set up your testing environment) you can use SimpleAuthenticationPlugin. With this plugin you can define users and groups directly in the broker's XML configuration. Take a look at the following snippet for example:
Users and groups defined in this way can be later used with the appropriate authorization plugin.