第六章, ActiveMQ安全 【笔记,慎重浏览】
来源:互联网 发布:淘宝客采集软件多少钱 编辑:程序博客网 时间:2024/05/16 05:41
概述:涉及消息传输,都会涉及安全问题
本章涉及:
- 基础安全概念
- 通过XML或JAAS授权
- 授权技术
- 消息级别授权
- 构建一个自定义安全插件
6.1、介绍基础安全概念
介绍目前安全有,直接用户名密码、JAAS进行授权,ACL(权限控制列表)
6.2、授权
分为两种,一种为Xml配置,一种JAAS授权插件
6.2.1、配置简单授权插件(xml格式)
<?xml version="1.0" encoding="utf-8"?><broker xmlns="http://activemq.org/config/1.0" brokerName="localhost" dataDirectory="${activemq.base}/data"> <transportConnectors> <transportConnector name="openwire" uri="tcp://localhost:61616"/> </transportConnectors> <plugins> <simpleAuthenticationPlugin> <users> <authenticationUser username="admin" password="password" groups="admins,publishers,consumers"/> <authenticationUser username="publisher" password="password" groups="publishers,consumers"/> <authenticationUser username="consumer" password="password" groups="consumers"/> <authenticationUser username="guest" password="password" groups="guests"/> </users>¶ </simpleAuthenticationPlugin> </plugins> </broker>
6.2.2.配置JAAS插件
JAAS官方文档:http://www.oracle.com/technetwork/java/javase/jaas/index.html
它验证文件可以简单的文本文件、关系型数据库,LDAP等等,它必须要实现javax.security.auth.spi.LoginModule接口
创建一个login.config
activemq-domain {org.apache.activemq.jaas.PropertiesLoginModule requireddebug=trueorg.apache.activemq.jaas.properties.user="users.properties"org.apache.activemq.jaas.properties.group="groups.properties";};users.properties
admin=passwordpublisher=passwordconsumer=passwordguest=password
groups.properties
admins=adminpublishers=admin,publisherconsumers=admin,publisher,consumerguests=guest
最后配置
...<plugins><jaasAuthenticationPlugin configuration="activemq-domain" /></plugins>...
6.3、授权
分为两种级别:一种操作级别和消息级别
6.3.1. 操作级别授权
有三种,读、写、Admin(读/写)
<plugins> <jaasAuthenticationPlugin configuration="activemq-domain"/> <authorizationPlugin> <map> <authorizationMap> <authorizationEntries> <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/> <authorizationEntry topic="STOCKS.>" read="consumers" write="publishers" admin="publishers"/># <authorizationEntry topic="STOCKS.ORCL" read="guests"/> <authorizationEntry topic="ActiveMQ.Advisory.>" read="admins,publishers,consumers,guests" write="admins,publishers,consumers,guests" admin="admins,publishers,consumers,guests"/> </authorizationEntries> </authorizationMap> </map> </authorizationPlugin> </plugins>
6.3.2.消息级别授权
需要实现org.apache.activemq.security.MessageAuthorizationPolicy接口
public class AuthorizationPolicy implements MessageAuthorizationPolicy {private static final Log LOG = LogFactory.getLog(AuthorizationPolicy.class);public boolean isAllowedToConsume (ConnectionContext context, Message message) {LOG.info(context.getConnection().getRemoteAddress());if (context.getConnection().getRemoteAddress().startsWith("/127.0.0.1")) {return true;} else {return false;}}}
然后配置:
<messageAuthorizationPolicy><bean class="org.apache.activemq.book.ch5.AuthorizationPolicy" xmlns="" /></messageAuthorizationPolicy>
6.4、代理商级别操作
BrokerFilter类提供很多有用的操作
一种实现JAAS登录模块
一种实现自定义插件去处理安全问题
6.4.1 构建自定义安全插件
基于IP地址限制,IPAuthenticationBroker类,重写它BrokerFilter.addConnection();方法
public class IPAuthenticationBroker extends BrokerFilter {List<String> allowedIPAddresses;Pattern pattern = Pattern.compile("^/([0-9\\.]*):(.*)");public IPAuthenticationBroker(Broker next, List<String> allowedIPAddresses) {super(next);this.allowedIPAddresses = allowedIPAddresses;}public void addConnection(ConnectionContext context, ConnectionInfo info)throws Exception { String remoteAddress = context.getConnection().getRemoteAddress();Matcher matcher = pattern.matcher(remoteAddress);if (matcher.matches()) {String ip = matcher.group(1);if (!allowedIPAddresses.contains(ip)) {throw new SecurityException("Connecting from IP address " + ip + " is not allowed");}} else {throw new SecurityException("Invalid remote address " + remoteAddress);}super.addConnection(context, info);}}
实现自己的插件
public class IPAuthenticationPlugin implements BrokerPlugin {List<String> allowedIPAddresses;public Broker installPlugin(Broker broker) throws Exception {¶return new IPAuthenticationBroker(broker, allowedIPAddresses);}public List<String> getAllowedIPAddresses() {return allowedIPAddresses;}public void setAllowedIPAddresses(List<String> allowedIPAddresses) {this.allowedIPAddresses = allowedIPAddresses;}}
然后配置这个插件
<broker xmlns="http://activemq.org/config/1.0" brokerName="localhost" dataDirectory="${activemq.base}/data"plugins="#ipAuthenticationPlugin"><transportConnectors><transportConnector name="openwire" uri="tcp://localhost:61616" /></transportConnectors></broker><bean id="ipAuthenticationPlugin" class="org.apache.activemq.book.ch5.IPAuthenticationPlugin"><property name="allowedIPAddresses"><list><value>127.0.0.1</value></list></property></bean>
阅读全文
0 0
- 第六章, ActiveMQ安全 【笔记,慎重浏览】
- 慎重
- 第六章笔记
- 第六章笔记
- 学习笔记 第六章
- SQL笔记 第六章
- 第六章循环笔记
- 第六章 学习笔记
- WebView启动安全浏览
- WebView安全浏览
- 浏览笔记
- 浏览笔记
- ActiveMQ 安全配置
- activeMQ的安全机制
- ActiveMQ的安全配置
- activemq安全设置
- activemq安全设置
- 【笔记】第一条:慎重选择容器类型
- 用 Go 构建一个区块链 -- Part 4: 交易(1)
- 求1~10的阶乘的和
- helm的使用
- hdu5492Find a path dp
- 如何更新os系统的java
- 第六章, ActiveMQ安全 【笔记,慎重浏览】
- 注解注入
- Java 整数溢出
- shadowsocksdaji搭建教程
- [洛谷P1197]星球大战
- Rhyme/Linux ACL权限的查看与设定命令getfacl与setfacl
- HBase中-ROOT-和.META.表
- lingo基本操作
- socket客户端与服务端的通信