6.2 Authorization
6.2 授权
To build upon authentication, consider a use case requiring more fine-grained control
over clients to authorize certain tasks. In most stock trading applications, only specific
applications can write to a given destination. After all, you wouldn’t want any old
application publishing stock prices to the STOCKS.* destinations. Only an authenticated
and authorized application should have this ability.
For this reason, ActiveMQ provides two levels of authorization: operation-level
authorization and message-level authorization. These two types of authorization provide
a more detailed level of control than simple authentication. This section discusses
these two types of authorization and walks through some examples to
demonstrate each.
6.2.1 Destination-level authorization
6.2.1 目的地级别的授权
There are three types of user-level operations with JMS destinations:
Read—The ability to receive messages from the destination
Write—The ability to send messages to the destination
Admin—The ability to administer the destination
读 -- 具有从特定目的地接收消息的权限
写 -- 具有发送消息到特定目的地的权限
管理 -- 具有管理消息目的地的权限
Through these well-known operations, you can control the ability to perform the
operations. Using the ActiveMQ XML configuration file, such authorization can be
easily defined. Take a look at the following listing to add some operation-specific
authorization to some destinations.
Listing 6.2 Configuring destination-level authorization
<jaasAuthenticationPlugin configuration="activemq-domain" />
<authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
<authorizationEntry topic="STOCKS.>" read="consumers" write="publishers" admin="publishers" />
<authorizationEntry topic="STOCKS.ORCL" read="guests" />
<authorizationEntry topic="ActiveMQ.Advisory.>"
admin="admins,publishers,consumers,guests" />
In the listing, the JAAS authorization plug-in has been defined and pointed at the
activemq-domain configuration in the login.config file. It has also been provided with
a map of authorization entries. When configuring the map of authorization entries,
the first task is to define the destination to be secured. This is achieved through the
use of either a topic or a queue attribute on the entry. The next task is to declare
which users and/or groups have privileges for operations on that destination.
A handy feature is the ability to define the destination value using wildcards. For
example, STOCKS.> means the entry applies to all destinations in the STOCKS path
recursively. You can find more information on wildcards in chapter 11. Also, the
authorization operations will accept either a single group or a comma-separated list of
groups as a value.
在配置消息目的地时,可以使用通配符来简化配置.例如,"STOCKS.>" 表示该授权实体可以递归地应用到
Considering this explanation, the configuration used in the previous example can
be translated as follows:
Users from the admins group have full access to all topics
Consumers can consume and publishers can publish to the destinations in the STOCKS path
Guests can only consume from the STOCKS.ORCL topic
The previous example uses an additive model, where all operations on a topic have
been restricted to administrators only. Beyond this, specific operations on specific destinations
are added as needed.
In order to start the broker to test out both the JAAS authentication plug-in as well
as the authorization entries, use the following command to start the broker:
${ACTIVEMQ_HOME}/bin/activemq console -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-authorization.xml
(window启动命令:%ACTIVEMQ_HOME%/bin/activemq -Djava.security.auth.login.config=src/main/resources/org/apache/activemq/book/ch6/login.config xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-authorization.xml)
INFO | PListStore:/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/tmp_storage started
INFO | Using Persistence Adapter: KahaDBPersistenceAdapter[/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/KahaDB]
INFO | JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
INFO | ActiveMQ 5.4.1 JMS Message Broker (localhost) is starting
INFO | For help or more information please see:http://activemq.apache.org/
INFO | Scheduler using directory:/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler
INFO | JobSchedulerStore:/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/schedulerstarted
INFO | Listening for connections at: tcp://localhost:61616
INFO | Connector openwire Started
INFO | ActiveMQ JMS Message Broker
(localhost, ID:mongoose.local-62861-1289968271876-0:0) started
Note the use of the java.security.auth.login.config system property to point to
the login.config file. This ensures that ActiveMQ can locate the file for its use.
Now let’s see how introduction of authorization affects JMS clients. We’ll demonstrate
our authorization setup by trying to consume from the stock topics. As we were
doing for the publisher example in the previous section, we’ll modify our original
stock portfolio consumer and make it pass an appropriate connection username and
password. For example, in order to try consuming from the STOCKS.ORCL topic as
guest, we should add the following to the consumer (marked as bold):
原先的stock portfolio实例中consumer的代码以便能够传入适当的用户名和密码然后建立连接.
private String username = "guest";
private String password = "password";
public Consumer() throws JMSException
factory = new ActiveMQConnectionFactory(brokerURL);
connection = factory.createConnection(username, password);
session = connection.createSession(false,Session.AUTO_ACKNOWLEDGE);
Credentials have been added so that the consumer can create a connection to the broker
using an appropriate username and password. The modified consumer can be
found in the org.apache.activemq.book.ch6.Consumer class. Now we can run our
example and see how authorization configuration at the broker affects the client. First
start the publisher using the following command:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Publisher -Dexec.args="CSCO ORCL"
Sending: {price=24.07337784180, stock=ORCL, offer=24.0974512196,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=73.49647952723, stock=CSCO, offer=73.5699760067,up=false} on destination: topic://STOCKS.CSCO
Sending: {price=24.282731805343, stock=ORCL, offer=24.307014537149,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=74.1916498091, stock=CSCO, offer=74.265841458,up=true} on destination: topic://STOCKS.CSCO
Sending: {price=24.350683304888, stock=ORCL, offer=24.375033988192,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=24.46113711010, stock=ORCL, offer=24.485598247216,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=24.219079287873, stock=ORCL, offer=24.243298367160,up=false} on destination: topic://STOCKS.ORCL
Sending: {price=24.282977831328, stock=ORCL, offer=24.307260809160,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=24.33344653108, stock=ORCL, offer=24.35777997761,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=73.86498266780, stock=CSCO, offer=73.93884765047,up=false} on destination: topic://STOCKS.CSCO
Published '10' of '10' price messages
Now let’s see what happens when we try to access different destinations with guest user
credentials. For example, if you instruct it to consume messages from STOCKS.CSCO
topic, you’ll see the following exception:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Consumer -Dexec.args="STOCKS.CSCO"
Exception in thread "main"
javax.jms.JMSException: User guest is not authorized to read from: topic://STOCKS.CSCO ...
This is exactly what we expected to happen. Consuming from the STOCKS.CSCO topic
is restricted due to the authorization settings in listing 6.2. But the authorization configuration
does allow guests to consume from the STOCKS.ORCL topic as shown in the
following example:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Consumer -Dexec.args="STOCKS.ORCL"
(译注: 貌似-Dexec.args参数值应该为 -Dexec.args="ORCL" 否则出错,因为配置有权限的topic为STOCKS.ORCL,
代码中使用这个参数语句为:createTopic("STOCKS." + stock);
修改后的命令为: mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch6.Consumer -Dexec.args="ORCL")
ORCL 9.66 9.67 down
ORCL 9.70 9.71 up
ORCL 9.80 9.81 up
ORCL 9.83 9.84 up
ORCL 9.80 9.81 down
ORCL 9.75 9.76 down
ORCL 9.81 9.82 up
ORCL 9.88 9.89 up
ORCL 9.80 9.81 down
ORCL 9.84 9.85 up
ORCL 9.84 9.85 up
ORCL 9.86 9.87 up
ORCL 9.95 9.96 up
ORCL 10.03 10.04 up
ORCL 10.03 10.04 down
As you can see, the authorization settings allowed only read access to the STOCKS.ORCL
topic for users that belong to the guests group.
These simple examples demonstrate how easy it is to secure ActiveMQ destinations
and assign different security levels to various users and groups. But what if defining
the access levels per destination isn’t enough for your application’s needs? Luckily,
ActiveMQ allows you to do a message-based authorization as well.
但是,假如在消息目的地级别进行访问控制已不能完全符合应用需求时,改如何操作? 很幸运的是,ActiveMQ
6.2.2 Message-level authorization
6.2.2 消息级别的授权
So far in this chapter, we’ve covered broker-level authentication and authorization.
But as you can see, authorization was granted or denied in the process of creating a
connection to the broker. In some situations you might want to authorize access to
only particular messages in a destination. In this section, we’ll examine such message
level authorization.
We’ll implement a simple authorization plug-in that allows only applications running
on the same host as the broker (the localhost) to consume messages. The first
thing we need to do is to create an implementation of the org.apache.activemq.
security.MessageAuthorizationPolicy interface, as shown in the following listing.
Listing 6.3 Implementation of MessageAuthorizationPolicy interface
代码清单6.3 实现MessageAuthorizationPolicy接口
public class AuthorizationPolicy implements MessageAuthorizationPolicy
private static final Log LOG = LogFactory.getLog(AuthorizationPolicy.class);
public boolean isAllowedToConsume(ConnectionContext context,Message message)
String remoteAddress = context.getConnection().getRemoteAddress();
if (remoteAddress.startsWith("/"))
LOG.info("Permission to consume granted");
return true;
LOG.info("Permission to consume denied");
return false;
As you can see, the MessageAuthorizationPolicy interface is simple and defines only
one method named isAllowedToConsume(). This method has access to the message
in question and the context of the connection in which the message will be consumed.
In this example, the remote address property for a connection is used (via the
call to the Connection.getRemoteAddress() method) to distinguish a remote consumer
from a local consumer. The isAllowedToConsume() method then determines
whether the read operation is allowed for the given consumer. Of course, this implementation
is arbitrary. You can use any message property or even some message content
to make the determination. The implementation of this method is meant to be a
simple example.
Now this policy must be installed and configured in the ActiveMQ broker. The first
and most obvious step is to compile this class and package it in an appropriate JAR.
Place this JAR into the lib/ directory of the ActiveMQ distribution and the policy is
ready to be used. You can do that by building and copying the book examples JAR:
$ mvn clean install
$ cp target/activemq-in-action-examples.jar ${ACTIVEMQ_HOME}/lib/
Second, the policy must be configured to create an instance of the Authorization-
Policy class in the ActiveMQ XML configuration file. Using the Spring beans–style
XML inside the <messageAuthorizationPolicy> element, the AuthorizationPolicy
class is instantiated when the broker starts up. Here’s an example of this configuration:
<bean class="org.apache.activemq.book.ch6.AuthorizationPolicy" xmlns="http://www.springframework.org/schema/beans" />
The only step left is to start up ActiveMQ and test out the new policy. Here’s the command
to start up the broker using the appropriate configuration file:
${ACTIVEMQ_HOME}/bin/activemq console xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-policy.xml
(window下命令:%ACTIVEMQ_HOME%/bin/activemq xbean:src/main/resources/org/apache/activemq/book/ch6/activemq-policy.xml)
Loading message broker from:
22:19:23,532 | INFO | PListStore:/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/tmp_storage started
22:19:23,692 | INFO | JMX consoles can connect to service:jmx:rmi:///jndi/rmi://localhost:1099/jmxrmi
22:19:23,717 | INFO | Using Persistence Adapter: KahaDBPersistenceAdapter[/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/KahaDB]
22:19:23,815 | DEBUG | loading
22:19:23,847 | INFO | ActiveMQ 5.4.1 JMS Message Broker (localhost) is starting
22:19:23,848 | INFO | For help or more information please see: http://activemq.apache.org/
22:19:23,990 | INFO | Scheduler using directory:/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler
22:19:24,037 | DEBUG | loading
22:19:24,039 | DEBUG | loading
22:19:24,041 | INFO | JobSchedulerStore:/Users/bsnyder/amq/apache-activemq-5.4.1/data/localhost/scheduler started
22:19:24,081 | INFO | Listening for connections at: tcp://localhost:61616
22:19:24,081 | INFO | Connector openwire Started
22:19:24,083 | INFO | ActiveMQ JMS Message Broker(localhost, ID:mongoose.local-64256-1289971163870-0:0) started
If you run the examples from chapter 3 now on the host on which your broker is running,
you’ll see that everything works in the same manner as it did with the original
configuration. The producer produces messages:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch3.portfolio.Publisher -Dexec.args="CSCO ORCL"
Sending: {price=94.51516220513759, stock=ORCL, offer=94.60967736734271,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=94.12582896629408, stock=ORCL, offer=94.21995479526036,up=false} on destination: topic://STOCKS.ORCL
Sending: {price=52.82279394171494, stock=CSCO, offer=52.87561673565665,up=false} on destination: topic://STOCKS.CSCO
Sending: {price=93.30370880341836, stock=ORCL, offer=93.39701251222176,up=false} on destination: topic://STOCKS.ORCL
Sending: {price=94.0890269658999, stock=ORCL, offer=94.1831159928658,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=52.50790406130471, stock=CSCO, offer=52.56041196536601,up=false} on destination: topic://STOCKS.CSCO
Sending: {price=94.11072880595002, stock=ORCL, offer=94.20483953475596,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=52.947263764976896, stock=CSCO, offer=53.000211028741866,up=true} on destination: topic://STOCKS.CSCO
Sending: {price=94.40912590172766, stock=ORCL, offer=94.50353502762938,up=true} on destination: topic://STOCKS.ORCL
Sending: {price=95.0802935408136, stock=ORCL, offer=95.1753738343544,up=true} on destination: topic://STOCKS.ORCL
Published '10' of '10' price messages
And the consumer receives these stock messages:
$ mvn exec:java -Dexec.mainClass=org.apache.activemq.book.ch3.portfolio.Consumer -Dexec.args="CSCO ORCL"
ORCL 94.52 94.61 up
ORCL 94.13 94.22 down
CSCO 52.82 52.88 down
ORCL 93.30 93.40 down
ORCL 94.09 94.18 up
CSCO 52.51 52.56 down
ORCL 94.11 94.20 up
CSCO 52.95 53.00 up
ORCL 94.41 94.50 up
ORCL 95.08 95.18 up
CSCO 52.90 52.96 down
ORCL 95.62 95.71 up
CSCO 53.32 53.37 up
ORCL 95.45 95.55 down
CSCO 53.59 53.64 up
You can also notice log messages from the policy in the broker’s console:
INFO | /
INFO | Permission to consume granted
INFO | /
INFO | Permission to consume granted
INFO | /
INFO | Permission to consume granted
INFO | /
INFO | Permission to consume granted
INFO | /
INFO | Permission to consume granted
INFO | /
INFO | Permission to consume granted
But, when run from another host (for example,, the consumer won’t
be able to consume messages, as our policy will deny the access. And you’ll notice log
messages similar to these in the broker’s console:
INFO | /
INFO | Permission to consume denied
INFO | /
INFO | Permission to consume denied
INFO | /
INFO | Permission to consume denied
INFO | /
INFO | Permission to consume denied
INFO | /
INFO | Permission to consume denied
INFO | /
INFO | Permission to consume denied
In this way, we verified that our message-based policy works and enables message consumption
only from the local host.
Message-level authorization provides some powerful functionality with endless possibilities.
Although a simple example was used here, you can adapt it to any security
mechanism used in your project. Just bear in mind that a message authorization policy
is executed for every message that flows through the broker. So be careful not to
add functionality that could possibly slow down the flow of messages.
In addition to authorization, ActiveMQ provides a special class for tighter control
over broker-level operations that’s even more powerful. The next section examines
and demonstrates just such an example.
《prodave 6.2 授权文件详解及应用指南》 在数字音频工作站(DAW)的世界里,prodave 6.2是一款备受推崇的专业级软件,它为音乐制作人和音频工程师提供了丰富的功能和出色的音质。然而,为了能够完全解锁其全部潜能...
授权方法如下: 1、先安装PrvDisk2.10软件 2、将VJD6.2(pa*ss 12345678)文件添加后缀.dpd ...4、打开VJD6.2软件开始注册,选择授权转让选项,会自动找到生成的VJD[X]驱动盘(未找到手动改一下就好),同意,注册完成!
施耐德触摸屏Vijeo Designer V6.2 Page 13-39 IA&DT; Service & Support Page 13-39 动系统,再次解压或者安装即可 IA&DT; Service & Support Page 13-39 图14 安装组态包时的错误信息 此时需要在控制面板中...
WinCC v6.2 U盘版授权工具下载.rar
《PRODAVE MPI/IE V6.2 接口指南》是针对Prodave V6.2这一专业软件的详细教程,主要关注如何使用该软件进行工业自动化设备的通信与编程。Prodave是一款由西门子(Siemens)开发的专业工具,主要用于与其PLC(可编程...
根据提供的文件信息,“VJD6.2参考号和序列号”,我们可以推断出这与某个软件版本或硬件设备有关,具体来说是VJD6.2的相关编号信息。下面将详细介绍这些概念及其在IT领域的应用。 ### VJD6.2概述 VJD6.2可能指的是...
在本文中,我们将深入探讨Vijeo Designer 6.1的安装过程以及授权方法。 首先,安装Vijeo Designer 6.1的过程需要遵循以下步骤: 1. **下载安装包**:确保你已经获取到Vijeo Designer 6.1的安装文件,这通常是一个....
施耐德Vijeo Designer 6.0 KEY 授权
《彩虹发卡6.2去授权源码解析与应用探讨》 在IT行业中,源码是软件开发的基础,它揭示了程序内部的工作机制。本文将深入探讨“彩虹发卡6.2去授权源码”,这一主题涉及到的是一个用于在线销售虚拟商品如游戏点卡、...
MongoDB是一款分布式文档型数据库,以其灵活性、高性能和高可扩展性在现代数据存储解决方案中占据了重要地位。而"NoSQL Manager for MongoDB"则是一个专为MongoDB设计的强大管理工具,旨在帮助用户更有效地操作和...
2. **合格人员定义**:指那些按照既定的安全规范和标准被授权对设备、系统及其电路进行安装、接地和标记的人员。 #### 五、规定用途 1. **! Warning**:该设备及其组件只能用于产品目录或技术说明书中所描述的应用...