
6.1 Authentication

 

All security concepts in ActiveMQ are implemented as plug-ins. This allows for easy configuration and customization via the <plugin> element of the ActiveMQ XML configuration file. Two plug-ins are available in ActiveMQ to authenticate users:

- Simple authentication plug-in—Handles credentials directly in the XML configuration file or in a properties file
- JAAS authentication plug-in—Implements the JAAS API and provides a more powerful and customizable authentication solution

Let’s review these two authentication plug-ins.

 


 

6.1.1 Configuring the simple authentication plug-in


 

The easiest way to secure the broker is through the use of authentication credentials placed directly in the broker’s XML configuration file. Such functionality is provided by the simple authentication plug-in that’s part of ActiveMQ. The following listing provides an example of using this plug-in.

 


 

Listing 6.1 Configuring the simple authentication plug-in


 

<broker ...>
  <plugins>
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
        <authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
        <authenticationUser username="consumer" password="password" groups="consumers"/>
        <authenticationUser username="guest" password="password" groups="guests"/>
      </users>
    </simpleAuthenticationPlugin>
  </plugins>
</broker>

 

By using this simple configuration snippet, four users can now access ActiveMQ. Obviously, for authentication purposes, each user must have a username and a password. Additionally, the groups attribute provides a comma-separated list of groups to which the user belongs. This information is used for authorization purposes, as will be seen shortly.

 


 

The best way to understand this configuration is to use it with the stock portfolio example. First, the broker must be started using the configuration file defined earlier:

 


 

${ACTIVEMQ_HOME}/bin/activemq console xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-simple.xml

(On Windows XP the command is: %ACTIVEMQ_HOME%/bin/activemq xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-simple.xml)

 

Now run the stock publisher and you should see the following exception:


 

$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch3.portfolio.Publisher -Dexec.args="CSCO ORCL"

...
Exception in thread "main" javax.jms.JMSException: User name or password is invalid.
...

 

The preceding exception is expected because a security plug-in is activated but the authentication credentials haven’t yet been defined in the publisher client. To fix this exception, modify the publisher to add a username and password. The following snippet provides an example of this:

 


 

  // Changed part of the ch6 Publisher class: the credentials are now supplied to the broker.
  private String username = "publisher";
  private String password = "password";

  public Publisher() throws JMSException {
    factory = new ActiveMQConnectionFactory(brokerURL);
    // createConnection(username, password) sends the credentials the authentication
    // plug-in checks; the no-argument form uses the factory defaults, which are empty here.
    connection = factory.createConnection(username, password);
    connection.start();
    session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
    producer = session.createProducer(null);
  }

  

As the preceding snippet shows, the only necessary change is to define a username and a password that are then used as parameters to the call to the createConnection() method. Compiling and running the modified publisher will now yield the proper behavior, as shown in the following output:

 


 

$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Publisher -Dexec.args="CSCO ORCL"

...
Sending: {price=35.25020234334, stock=ORCL, offer=35.28545254568, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=35.018408299624, stock=ORCL, offer=35.053426707924, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=34.722966908601, stock=ORCL, offer=34.75768987551, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=1.651542629939308, stock=CSCO, offer=1.653194172569, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=34.598719623046, stock=ORCL, offer=34.63331834266, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=34.43900856142, stock=ORCL, offer=34.47344756998, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=1.6580787335090, stock=CSCO, offer=1.659736812242, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=34.458768559093, stock=ORCL, offer=34.49322732765, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=1.6547727745488, stock=CSCO, offer=1.6564275473233, up=false} on destination: topic://STOCKS.CSCO
Sending: {price=1.665375738897, stock=CSCO, offer=1.6670411146368, up=true} on destination: topic://STOCKS.CSCO
Published '10' of '10' price messages
...

 

Note in the output that our producer successfully connects to the broker and sends messages.

 


 

Unfortunately, with the simple authentication plug-in, passwords are stored (and transferred) as clear text, which impacts the security of the broker. But even plain-text passwords prevent unauthorized clients from interacting with the broker, and in some environments this is all that’s needed. Additionally, you can consider using the simple authentication plug-in in combination with the SSL transport, which will at least solve the problem of sending plain passwords over the network.

 


 

For environments that need a more secure installation and/or for environments that already have an existing security infrastructure with which ActiveMQ will need to integrate, the JAAS plug-in may be more appropriate.

 


 

6.1.2 Configuring the JAAS plug-in


 

A detailed explanation of JAAS is beyond the scope of this book. Instead, this section will briefly introduce JAAS basic concepts and demonstrate how to create a PropertiesLoginModule that can be used to achieve the same functionality as the simple security plug-in using JAAS. For more detailed information about JAAS, please refer to the JAAS documentation (http://mng.bz/BvvB).

 


 

JAAS provides pluggable authentication, which means ActiveMQ will use the same authentication API regardless of the technique used to verify user credentials (a text file, a relational database, LDAP, and so on). All that’s required is an implementation of the javax.security.auth.spi.LoginModule interface (http://mng.bz/8zLV) and a configuration change to ActiveMQ. Fortunately, ActiveMQ comes with implementations of some modules that can authenticate users using properties files, LDAP, and SSL certificates, which will be enough for many use cases. Because JAAS login modules follow a specification, one advantage of them is that they’re relatively straightforward to configure. The best way to understand a login module is by walking through a configuration. For this task, the login module that works with properties files will be used.

 


 

The first step in this task is to identify the PropertiesLoginModule so that ActiveMQ is made aware of it. To do so, you must create a file named login.config that contains a standardized format for configuring JAAS users and groups (http://mng.bz/IIEB). Here are the contents of the file:

 


 

activemq-domain
{
  org.apache.activemq.jaas.PropertiesLoginModule required debug=true
  org.apache.activemq.jaas.properties.user="users.properties"
  org.apache.activemq.jaas.properties.group="groups.properties";
};

 

 

The login.config file shown here contains a few different items for configuring a JAAS module. The activemq-domain is the predominant item in this file and it contains all the configuration for the login module. First is the fully qualified name of the PropertiesLoginModule and the trailing notation identifying it as required. This means that the authentication can’t continue without this login module. Second is a line to enable debug logging for the login module; this is optional. Third is the org.apache.activemq.jaas.properties.user property, which points to the users.properties file. Fourth is the org.apache.activemq.jaas.properties.group property, which points to the groups.properties file. Once this is all defined, the two properties files must be created.

 


 

NOTE The PropertiesLoginModule used in this section is an implementation of a JAAS login module, and it comes with ActiveMQ.

 


 

Defining user credentials in the properties files is simple. The users.properties file defines each user in a line-delimited manner along with its password, as shown:


 

admin=password
publisher=password
consumer=password
guest=password

 

The groups.properties file defines group names in a line-delimited manner as well. But each group contains a comma-separated list of its users as shown:


 

admins=admin
publishers=admin,publisher
consumers=admin,publisher,consumer
guests=guest
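Listing 6.1 and the two properties files above describe the same four users and groups in two formats. The following Python script is an added example, not code from the book or from ActiveMQ: it parses the <simpleAuthenticationPlugin> XML and the users.properties/groups.properties pair into one username → (password, groups) mapping, checks that the two agree, mimics the broker's plain username/password match, and reports what a reviewer would want to know before deploying this configuration (default or shared passwords, users with no group, group members missing from users.properties). The sample inputs are the page's own listing and properties files, embedded inline as constructed strings; parse_properties reads only the key=value subset of java.util.Properties syntax.

```python
"""Cross-check the two ActiveMQ authentication configurations shown on this page."""
import xml.etree.ElementTree as ET

# Constructed sample input: listing 6.1 from the page, reproduced inline.
SIMPLE_XML = """<broker>
  <plugins>
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/>
        <authenticationUser username="publisher" password="password" groups="publishers,consumers"/>
        <authenticationUser username="consumer" password="password" groups="consumers"/>
        <authenticationUser username="guest" password="password" groups="guests"/>
      </users>
    </simpleAuthenticationPlugin>
  </plugins>
</broker>"""

# Constructed sample input: the users.properties and groups.properties files from the page.
USERS_PROPERTIES = "admin=password\npublisher=password\nconsumer=password\nguest=password\n"
GROUPS_PROPERTIES = "admins=admin\npublishers=admin,publisher\nconsumers=admin,publisher,consumer\nguests=guest\n"


def split_csv(value):
    """Split a comma-separated attribute or property value, dropping blanks."""
    return [item.strip() for item in value.split(",") if item.strip()]


def parse_simple_plugin(xml_text):
    """Return {username: (password, frozenset(groups))} from a simpleAuthenticationPlugin block."""
    root = ET.fromstring(xml_text)
    users = {}
    for elem in root.iter("authenticationUser"):
        users[elem.get("username")] = (elem.get("password"), frozenset(split_csv(elem.get("groups", ""))))
    return users


def parse_properties(text):
    """Simplified java.util.Properties reader: key=value per line; '#'/'!' comments and blanks ignored."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            result[key.strip()] = value.strip()
    return result


def parse_jaas_properties(users_text, groups_text):
    """Combine users.properties and groups.properties into the shape parse_simple_plugin returns."""
    passwords = parse_properties(users_text)
    membership = {name: set() for name in passwords}
    for group, members in parse_properties(groups_text).items():
        for member in split_csv(members):
            # A member with no users.properties entry still shows up, with password None.
            membership.setdefault(member, set()).add(group)
    return {name: (passwords.get(name), frozenset(groups)) for name, groups in membership.items()}


def authenticate(users, username, password):
    """Mimic the broker's check: exact username and clear-text password match; return groups or None."""
    entry = users.get(username)
    if entry is None or entry[0] is None or entry[0] != password:
        return None
    return entry[1]


def audit(users):
    """Findings a defender wants before deploying: default/shared passwords, orphans, groupless users."""
    findings = []
    by_password = {}
    for name, (password, groups) in users.items():
        if password is None:
            findings.append(f"{name}: listed in groups.properties but missing from users.properties")
        else:
            by_password.setdefault(password, []).append(name)
            if password in ("password", name):
                findings.append(f"{name}: default or username-equal password")
        if not groups:
            findings.append(f"{name}: belongs to no group, so no authorization entry can grant it access")
    for password, names in by_password.items():
        if len(names) > 1:
            findings.append(f"password shared by {len(names)} accounts: {', '.join(sorted(names))}")
    return findings


if __name__ == "__main__":
    simple = parse_simple_plugin(SIMPLE_XML)
    jaas = parse_jaas_properties(USERS_PROPERTIES, GROUPS_PROPERTIES)
    print("configurations agree:", simple == jaas)
    print("publisher groups:", sorted(authenticate(jaas, "publisher", "password")))
    for finding in audit(jaas):
        print("finding:", finding)
```

Run against the page's sample data the two parsers produce identical mappings, which is the equivalence the text claims, and the audit reports the obvious weakness of the sample: every account uses the literal password "password", so one shared secret unlocks all four roles.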

 

Once these files are created, the JAAS plug-in must be defined in the ActiveMQ XML configuration file. The following is an example of this necessary change:

 


 

...
<plugins>
  <jaasAuthenticationPlugin configuration="activemq-domain" />
</plugins>
...
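The plug-in element works only if its configuration attribute names an entry that login.config actually defines, and the entry only works if the files it points at can be found. The following Python helper is an added example, not code from the book or from ActiveMQ: it parses login.config entries in the form explained above (domain, module class, control flag, options), rejects any control flag outside the four JAAS defines, and checks the <jaasAuthenticationPlugin> element against the parsed entry. The available_files set stands in for what the broker's classpath can see; the sample inputs are the page's own login.config and plug-in snippet, embedded inline as constructed strings, and a ';' inside a quoted option value is not supported by this small parser.

```python
"""Validate a JAAS login.config entry against the ActiveMQ jaasAuthenticationPlugin element."""
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the login.config from the page.
LOGIN_CONFIG = """activemq-domain
{
  org.apache.activemq.jaas.PropertiesLoginModule required debug=true
  org.apache.activemq.jaas.properties.user="users.properties"
  org.apache.activemq.jaas.properties.group="groups.properties";
};
"""

# Constructed sample input: the <plugins> fragment from the page, made well-formed on its own.
PLUGIN_XML = """<plugins>
  <jaasAuthenticationPlugin configuration="activemq-domain" />
</plugins>"""

# The control flags JAAS defines; anything else in that position is a configuration error.
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}
USER_KEY = "org.apache.activemq.jaas.properties.user"
GROUP_KEY = "org.apache.activemq.jaas.properties.group"

ENTRY_RE = re.compile(r"([\w.\-]+)\s*\{(.*?)\}\s*;", re.S)  # name { ... };
OPTION_RE = re.compile(r'([\w.\-]+)=("[^"]*"|\S+)')          # key=value or key="value"


def parse_login_config(text):
    """Return {domain: [(module_class, control_flag, {option: value})]}; raise ValueError on bad input."""
    config = {}
    for entry in ENTRY_RE.finditer(text):
        domain, body = entry.group(1), entry.group(2)
        modules = []
        # Each module stanza ends with ';'.
        for stanza in body.split(";"):
            parts = stanza.split(None, 2)
            if not parts:
                continue
            if len(parts) < 2 or parts[1].lower() not in CONTROL_FLAGS:
                raise ValueError(f"{domain}: module {parts[0]} needs one of {sorted(CONTROL_FLAGS)}")
            rest = parts[2] if len(parts) == 3 else ""
            options = {}
            for key, value in OPTION_RE.findall(rest):
                options[key] = value[1:-1] if value.startswith('"') else value
            modules.append((parts[0], parts[1].lower(), options))
        config[domain] = modules
    return config


def check_plugin(plugin_xml, login_config, available_files):
    """Return a list of problems; available_files stands in for what the broker's classpath can see."""
    problems = []
    root = ET.fromstring(plugin_xml)
    plugin = root if root.tag == "jaasAuthenticationPlugin" else root.find(".//jaasAuthenticationPlugin")
    if plugin is None:
        return ["no <jaasAuthenticationPlugin> element found"]
    domain = plugin.get("configuration")
    if domain not in login_config:
        return [f'configuration="{domain}" names no entry in login.config']
    for module, flag, options in login_config[domain]:
        if not module.endswith("PropertiesLoginModule"):
            continue
        for key in (USER_KEY, GROUP_KEY):
            if key not in options:
                problems.append(f"{module}: option {key} is missing")
            elif options[key] not in available_files:
                problems.append(f"{module}: {options[key]} is not on the classpath")
    return problems


if __name__ == "__main__":
    config = parse_login_config(LOGIN_CONFIG)
    print(config)
    print(check_plugin(PLUGIN_XML, config, {"users.properties", "groups.properties"}))
```

With both properties files present the check returns an empty list; dropping groups.properties from available_files, or pointing the plug-in at a domain name that login.config does not define, each produces one problem, which is the kind of mismatch that otherwise only shows up as a failed login at broker start.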

 

The example is shortened for readability and only shows the necessary change to enable the JAAS login module. As you can see, the JAAS plug-in only needs the name of the JAAS domain in the login.config file. ActiveMQ will locate the login.config file on the classpath (an alternative to this is to use the java.security.auth.login.config system property for the location of the login.config file). To test out the JAAS login module that was just created, start up ActiveMQ using these changes. Here’s the command to use:

 


 

${ACTIVEMQ_HOME}/bin/activemq console -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml

(On Windows XP the command is:
%ACTIVEMQ_HOME%/bin/activemq -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml
)

...
Loading message broker from: xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-jaas.xml
INFO | PListStore: Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/tmp_storage started
INFO | Using Persistence Adapter: KahaDBPersistenceAdapter [/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/KahaDB]
INFO | JMX consoles can connect to service: jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
INFO | ActiveMQ 5.4.1 JMS Message Broker (localhost) is starting
INFO | For help or more information please see: http://activemq.apache.org/
INFO | Scheduler using directory: /Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler
INFO | JobSchedulerStore: /Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler started
INFO | Listening for connections at: tcp://localhost:61616
INFO | Connector openwire Started
INFO | ActiveMQ JMS Message Broker (localhost, ID:mongoose.local-61955-1289966951514-0:0) started

 

The broker has been secured just like the previous section where simple authentication was used, only now the JAAS standard was used. Now we can start our stock portfolio publisher that uses proper credentials and expect it to be able to access the broker:

 


 

mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Publisher -Dexec.args="CSCO ORCL"

...
Sending: {price=44.84266119470, stock=ORCL, offer=44.88750385590, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.5575471806, stock=ORCL, offer=44.60210472778, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.49794307251, stock=ORCL, offer=44.54244101559, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.48574009628, stock=ORCL, offer=44.530225836380, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=55.89763705357, stock=CSCO, offer=55.953534690630, up=true} on destination: topic://STOCKS.CSCO
Sending: {price=44.09643970531, stock=ORCL, offer=44.140536145020, up=false} on destination: topic://STOCKS.ORCL
Sending: {price=44.20879151845, stock=ORCL, offer=44.25300030997, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.38257378288, stock=ORCL, offer=44.426956356664, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.660334580924, stock=ORCL, offer=44.704994915505, up=true} on destination: topic://STOCKS.ORCL
Sending: {price=44.77852477644, stock=ORCL, offer=44.8233033012, up=true} on destination: topic://STOCKS.ORCL
Published '10' of '10' price messages
...

 

 

As we can see, the JAAS plug-in provides exactly the same functionality as the simple authentication plug-in. But it does so using the standardized Java mechanism, meaning you can use it to plug in any existing security policies you use inside your organization. In addition to the ability to authenticate access to the broker services, ActiveMQ also provides the ability to authorize specific operations at a fine-grained level. The next section explores this topic thoroughly.

 

