ActiveMQ authorization


Solution 1

Whenever I have set up ActiveMQ security, I have found it best to use the plain AuthorizationPlugin with wildcards that denote the destinations covered (which is why it's really handy to use naming conventions for your queues and topics). The idea is that you define a handful of user groups and grant them access to those destinations.

The role of assigning a group from a username is handled by one of the authentication plugins - the JAAS plugin is particularly useful for externalising this information outside the ActiveMQ config in an LDAP directory.

Check out the ActiveMQ Security Guide from FuseSource (registration required) for further information.

Update 2018-07-02: the ActiveMQ Security Guide is now located on the Red Hat site.

Solution 2

I found some code snippets that ended up being tremendously helpful in getting started on this subject:

http://activemq.2283324.n4.nabble.com/Fully-programmatic-authorization-map-tp2344815.html

Here's how I ended up using it (may not be the best way):

import java.util.ArrayList;
import java.util.List;
import org.apache.activemq.broker.Broker;
import org.apache.activemq.filter.DestinationMapEntry;
import org.apache.activemq.security.AuthorizationBroker;
import org.apache.activemq.security.AuthorizationMap;
import org.apache.activemq.security.AuthorizationPlugin;
import org.apache.activemq.security.DefaultAuthorizationMap;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class TestAuthorizationPlugin extends AuthorizationPlugin {
    private static final Logger LOGGER = LoggerFactory.getLogger(TestAuthorizationPlugin.class);

    // makeTopicAuthorization/makeQueueAuthorization are the helpers from the linked thread:
    // (destination name, read groups, write groups, admin groups) -> AuthorizationEntry
    @Override
    public Broker installPlugin(Broker broker) {
        List<DestinationMapEntry> entries = new ArrayList<DestinationMapEntry>();
        try {
            entries.add(makeTopicAuthorization("groupA.topic", "groupA", "groupA", "groupA"));
            entries.add(makeQueueAuthorization("groupA.queue", "groupA", "groupA", "groupA"));
            entries.add(makeQueueAuthorization("groupB.queue", "groupB", "groupB", "groupB"));
            entries.add(makeTopicAuthorization("ActiveMQ.Advisory.>", "all", "all", "all"));
            AuthorizationMap authMap = new DefaultAuthorizationMap(entries);
            return new AuthorizationBroker(broker, authMap);
        } catch (Exception e) {
            LOGGER.error("Failed to build authorization map", e);
        }
        // Fallback with no map, as in the original snippet
        return new AuthorizationBroker(broker, null);
    }
}

jar this and stick it in <activemq_home>/lib/.

Modify the activemq.xml:

<plugins>
    <!--  use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
    <jaasAuthenticationPlugin configuration="activemq" />

    <!-- Authorization control -->
    <bean xmlns="http://www.springframework.org/schema/beans" class="com.blackstrype.activemq.security.TestAuthorizationPlugin"/>
</plugins>

Another helpful link for more info on auth plugin dev:

http://mariuszprzydatek.com/2014/01/04/token-based-authentication-plugin-for-activemq/

Author: Cacheing

Updated on June 04, 2022

Comments

  • Cacheing almost 2 years

    If I want to implement JAAS authorization on Apache ActiveMQ, do I have to use the plug-in in the activemq.xml configuration file?

    This way is really NOT good because if I want to change authorization, I have to change the activemq.xml file and restart the server in order to work.

    Is there any way I can use something like JAAS authentication by changing another properties file rather than the activemq.xml file? Or can I write a custom authorization plugin of my own?

    Thanks.

  • Cacheing almost 12 years
    I am using the JAAS plugin for the authentication. But for my application, there will be new topics created all the time with different names, thus I don't think using wildcards is enough for my application. But is the authorization plugin the only way to implement authorization for ActiveMQ?
  • Jakub Korab almost 12 years
    It's pretty straightforward to define a naming convention for newly created queues and topics. If you cannot define one because you don't know how your broker will be used, you are likely to run into deeper problems later on. There are two authorization plugins, but both work on the basis of granting access to resources by wildcards - the LDAP one may be a better fit for your needs if you can wire together the code that creates those destinations with an LDAP entry to grant access. Though the requirement comes across as an architectural smell.
  • Cacheing almost 12 years
    All right, I got what you said. But for me, the topic name is really unpredictable. I think I may need to meet my requirement in another way. And ummm, ActiveMQ really needs improvement, doesn't it? :D
  • realMarkusSchmidt almost 9 years
    How about multi-tenancy, requiring to regularly set up new users and groups? Is there any way to use placeholders in authorization rules like "{group}.>" except using a custom plugin? Wildcards alone won't help in this case.
  • Manish Kumar about 8 years
    Can you give an example of how to add a username and password dynamically using Java?
  • Jakub Korab about 8 years
    Please outline your problem as another question.
  • DKG about 6 years
    I tried to do a similar implementation, but the connections I tried to make all go through ActiveMQ.Advisory.>, because of which the auth map is always mapped to 'all'.
  • blackstrype about 4 years
    Yes, I haven't really found a clever way around this. Three theoretical options: 1) disable advisories; 2) put all users in a group that has full auth on the advisories; 3) create an accompanying rule for the advisory topic for each messaging authorization (don't know if this is really possible).
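The comments above ask for per-tenant rules like "{group}.>" that do not require editing activemq.xml and restarting for every new tenant. The following is an added example, not code from either answer or from ActiveMQ itself: a hypothetical AuthorizationMap that resolves the allowed JAAS group from the destination's first dotted segment at check time, denies anything without a tenant prefix, and grants the advisory topics to one group (assumed here to be a group such as "all" that every user belongs to, which is option 2 in the last comment). It assumes an ActiveMQ 5.x classic broker with the JAAS authentication plugin supplying GroupPrincipals.

```java
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.activemq.advisory.AdvisorySupport;
import org.apache.activemq.command.ActiveMQDestination;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.security.AuthorizationMap;

// Hypothetical map: a destination named "<tenant>.<anything>" may be read, written and
// created only by members of the JAAS group "<tenant>". There is no entry list, so a new
// tenant needs no activemq.xml change and no restart; the JAAS side supplies the group.
public class TenantPrefixAuthorizationMap implements AuthorizationMap {
    private static final Pattern TENANT = Pattern.compile("^([A-Za-z0-9_-]+)\\..+");
    private final Set<Object> advisoryAcl; // group allowed on ActiveMQ.Advisory.> (assumed: "all")
    private final Set<Object> tempAcl;     // group allowed on temporary destinations

    public TenantPrefixAuthorizationMap(String advisoryGroup, String tempGroup) {
        this.advisoryAcl = acl(advisoryGroup);
        this.tempAcl = acl(tempGroup);
    }

    private static Set<Object> acl(String group) {
        Set<Object> s = new HashSet<Object>();
        s.add(new GroupPrincipal(group)); // matched against the authenticated user's principals
        return s;
    }

    // One resolver for read, write and admin. An empty set denies everyone; never return null.
    Set<Object> aclFor(ActiveMQDestination destination) {
        if (AdvisorySupport.isAdvisoryTopic(destination)) return advisoryAcl;
        String name = destination.getPhysicalName();
        if (name.startsWith("ActiveMQ.")) return Collections.emptySet(); // reserved prefix, not a tenant
        Matcher m = TENANT.matcher(name);
        if (!m.matches()) return Collections.emptySet(); // no tenant prefix: deny rather than fall open
        return acl(m.group(1));
    }

    @Override public Set<Object> getReadACLs(ActiveMQDestination d)  { return aclFor(d); }
    @Override public Set<Object> getWriteACLs(ActiveMQDestination d) { return aclFor(d); }
    @Override public Set<Object> getAdminACLs(ActiveMQDestination d) { return aclFor(d); }
    @Override public Set<Object> getTempDestinationReadACLs()  { return tempAcl; }
    @Override public Set<Object> getTempDestinationWriteACLs() { return tempAcl; }
    @Override public Set<Object> getTempDestinationAdminACLs() { return tempAcl; }
}
```

Install it the same way Solution 2 installs its DefaultAuthorizationMap, by returning new AuthorizationBroker(broker, new TenantPrefixAuthorizationMap("all", "all")) from installPlugin.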