ActiveMQ Security: Implementing Login Authentication

Source: Internet   Editor: 程序博客网   Time: 2024/05/22 10:26

I. Security

ActiveMQ supports pluggable security mechanisms so you can switch between providers, for example the JAAS Authentication Plugin, a custom authentication implementation, or the Authorization Plugin.
The JAAS Authentication Plugin is used as the example below.

The JAAS Authentication Plugin relies on the standard JAAS mechanism for authentication. Normally you point it at the login-module configuration file by setting the java.security.auth.login.config system property. If that system property is not set, the JAAS Authentication Plugin falls back to the file name login.config by default.

Download an ActiveMQ release from the official site http://activemq.apache.org/. ActiveMQ 5.11 currently requires JDK 7; the example below uses ActiveMQ 5.9 with JDK 6. Open the conf folder and go through the following files.

1. Open the file login.config:

activemq-domain {
    org.apache.activemq.jaas.PropertiesLoginModule required
        org.apache.activemq.jaas.properties.user="users.properties"
        org.apache.activemq.jaas.properties.group="groups.properties";
};

This login.config file sets two properties, org.apache.activemq.jaas.properties.user and org.apache.activemq.jaas.properties.group, which point to users.properties and groups.properties respectively.

2. Open the file groups.properties:

# Format: group=user1,user2,...
admins=system
users=system,client,user
guests=guest

3. Open the file users.properties:

# Format: user=password
system=pass0
user=pass1
guest=pass2


4. Open the file activemq.xml:

<plugins>
    <!-- use JAAS to authenticate using the login.config file on the classpath to configure JAAS -->
    <jaasAuthenticationPlugin configuration="activemq-domain" />
    <!-- lets configure a destination based authorization mechanism -->
    <authorizationPlugin>
        <map>
            <authorizationMap>
                <authorizationEntries>
                    <authorizationEntry queue=">" read="admins" write="admins" admin="admins" />
                    <authorizationEntry queue="USERS.>" read="users" write="users" admin="users" />
                    <authorizationEntry queue="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
                    <authorizationEntry topic=">" read="admins" write="admins" admin="admins" />
                    <authorizationEntry topic="USERS.>" read="users" write="users" admin="users" />
                    <authorizationEntry topic="GUEST.>" read="guests" write="guests,users" admin="guests,users" />
                    <authorizationEntry queue="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
                    <authorizationEntry topic="ActiveMQ.Advisory.>" read="guests,users" write="guests,users" admin="guests,users"/>
                </authorizationEntries>
            </authorizationMap>
        </map>
    </authorizationPlugin>
</plugins>

In ActiveMQ we use a number of operations which you can associate with user roles and either individual queues or topics or you can use wildcards to attach to hierarchies of topics and queues.

Operation   Description
read        You can browse and consume from the destination
write       You can send messages to the destination
admin       You can lazily create the destination if it does not yet exist. This allows you fine grained control over which new destinations can be dynamically created in what part of the queue/topic hierarchy
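As an added example (not part of the original post), the following Python models how the groups.properties file and the authorizationEntry rows above combine to decide whether a user may read, write or admin a destination; ActiveMQ's map unions the groups of every matching entry, and the wildcard matcher here is a simplified version of ActiveMQ's. The data is copied from this page and embedded inline.

```python
# Constructed from this page: groups.properties and the authorizationEntry rows (type, pattern, read, write, admin).
GROUPS_PROPERTIES = """# format: group=user1,user2,...
admins=system
users=system,client,user
guests=guest
"""
ENTRIES = [
    ("queue", ">", "admins", "admins", "admins"),
    ("queue", "USERS.>", "users", "users", "users"),
    ("queue", "GUEST.>", "guests", "guests,users", "guests,users"),
    ("topic", ">", "admins", "admins", "admins"),
    ("topic", "USERS.>", "users", "users", "users"),
    ("topic", "GUEST.>", "guests", "guests,users", "guests,users"),
    ("queue", "ActiveMQ.Advisory.>", "guests,users", "guests,users", "guests,users"),
    ("topic", "ActiveMQ.Advisory.>", "guests,users", "guests,users", "guests,users"),
]

def parse_groups(text):
    """Map each user to the set of groups naming it (groups.properties format)."""
    groups = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            group, _, members = line.partition("=")
            for user in members.split(","):
                groups.setdefault(user.strip(), set()).add(group.strip())
    return groups

def pattern_matches(pattern, name):
    """Simplified ActiveMQ wildcards: '*' is one segment, '>' is one or more trailing segments."""
    pat, segs = pattern.split("."), name.split(".")
    for i, seg in enumerate(pat):
        if seg == ">":
            return len(segs) > i
        if i >= len(segs) or (seg != "*" and seg != segs[i]):
            return False
    return len(pat) == len(segs)

def allowed_groups(kind, name, op):
    """Union of the groups granted `op` by every entry matching the destination."""
    col = {"read": 2, "write": 3, "admin": 4}[op]
    allowed = set()
    for entry in ENTRIES:
        if entry[0] == kind and pattern_matches(entry[1], name):
            allowed.update(g.strip() for g in entry[col].split(","))
    return allowed

def is_authorized(user, kind, name, op):
    # True when the user is in at least one group allowed to perform `op`
    user_groups = parse_groups(GROUPS_PROPERTIES).get(user, set())
    return bool(user_groups & allowed_groups(kind, name, op))
```

Run against the settings of the ClientListener code later on this page (user "user" consuming queue test.subject), the model shows that test.subject matches only the ">" entry, whose read ACL is admins alone, so that consumer would be refused unless the queue is named under USERS.> or the map is changed.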



Add the ActiveMQ jar dependency to the project:

<!-- groupId corrected to the Maven coordinate actually published for activemq-all -->
<dependency>
    <groupId>org.apache.activemq</groupId>
    <artifactId>activemq-all</artifactId>
    <version>5.9.0</version>
</dependency>


Implementation code

import org.apache.activemq.ActiveMQConnection;
import org.apache.activemq.ActiveMQConnectionFactory;
import org.apache.activemq.transport.TransportListener;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.jms.*;
import java.io.IOException;

/**
 * Created by IntelliJ IDEA.
 * Author: ndong
 * Date: 2015-2-13
 * Time: 16:50
 */
public class ClientListener implements MessageListener {

    private static final Logger logger = LoggerFactory.getLogger(ClientListener.class);

    // In the point-to-point (PTP) messaging domain the destination is called a queue
    private Destination destination = null;
    // The connection from this JMS client to the JMS provider
    private Connection connection = null;
    // The session that receives messages
    private Session session = null;
    // The message consumer
    private MessageConsumer consumer = null;

    public ClientListener() throws Exception {
        initialize();
    }

    private void initialize() throws Exception {
        // Credentials must match an entry in users.properties; "user" belongs to the "users" group
        String userName = "user";
        String password = "pass1";
        String url = "failover://tcp://localhost:61616";
        if (url == null || url.isEmpty()) {
            logger.error("can't read BROKER.URL in property file");
            throw new Exception("请在配置文件中,添加服务地址。");
        }
        ActiveMQConnectionFactory connectionFactory = new ActiveMQConnectionFactory(
                userName, password, url);
        connection = connectionFactory.createConnection();
        // The original used a ClientTransportListener class that is not shown on this page;
        // a minimal logging TransportListener stands in for it here
        ((ActiveMQConnection) connection).addTransportListener(new TransportListener() {
            public void onCommand(Object command) { }
            public void onException(IOException error) { logger.error("transport error", error); }
            public void transportInterupted() { logger.warn("transport interrupted"); }
            public void transportResumed() { logger.info("transport resumed"); }
        });
        // false means a non-transacted session; the second argument is the acknowledgement mode
        // (see 4. Acknowledgement modes after a message is sent)
        session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE);
        String subject = "test.subject";
        destination = session.createQueue(subject);
        consumer = session.createConsumer(destination);
    }

    public void start() throws Exception {
        logger.info("begin listening...");
        consumer.setMessageListener(this);
        connection.start();
    }

    /**
     * Message handler
     *
     * @param message the received message
     */
    public void onMessage(Message message) {
        try {
            if (message instanceof TextMessage) {
                TextMessage txtMsg = (TextMessage) message;
                String msg = txtMsg.getText();
                logger.info("received msg:" + msg);
            } else {
                logger.info("consumer received: " + message);
            }
        } catch (Exception e) {
            logger.error(e.getMessage(), e);
        }
    }

    public static void main(String[] args) throws Exception {
        new ClientListener().start();
    }
}


II. ActiveMQ Web Console Security

ActiveMQ uses an embedded Jetty server. Messages can be monitored through the web console, which listens on port 8161 by default and can be viewed in a browser at http://localhost:8161/admin/index.jsp.

The default login is admin/admin. To change the default account, open conf/jetty.xml and find:


<bean id="securityConstraint" class="org.eclipse.jetty.http.security.Constraint">
    <property name="name" value="BASIC" />
    <property name="roles" value="admin" />
    <property name="authenticate" value="false" />
</bean>


Change the value of the property named authenticate from "false" to "true".
The console login user names and passwords are stored in conf/jetty-realm.properties, whose contents are:


## ---------------------------------------------------------------------------
## Licensed to the Apache Software Foundation (ASF) under one or more
## contributor license agreements.  See the NOTICE file distributed with
## this work for additional information regarding copyright ownership.
## The ASF licenses this file to You under the Apache License, Version 2.0
## (the "License"); you may not use this file except in compliance with
## the License.  You may obtain a copy of the License at
## 
## http://www.apache.org/licenses/LICENSE-2.0
## 
## Unless required by applicable law or agreed to in writing, software
## distributed under the License is distributed on an "AS IS" BASIS,
## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
## See the License for the specific language governing permissions and
## limitations under the License.
## ---------------------------------------------------------------------------


# Defines users that can access the web (console, demo, etc.)
# username: password [,rolename ...]
admin: admin, admin


Note that the user name and password entry format is:

username: password, rolename
