http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/docs/user-manual/en/security.md ---------------------------------------------------------------------- diff --git a/docs/user-manual/en/security.md b/docs/user-manual/en/security.md index eeb36c1..34e1a49 100644 --- a/docs/user-manual/en/security.md +++ b/docs/user-manual/en/security.md @@ -129,17 +129,21 @@ Sockets Layer (SSL) transport. For more information on configuring the SSL transport, please see [Configuring the Transport](configuring-transports.md). -## Basic user credentials +## User credentials -Apache ActiveMQ Artemis ships with a security manager implementation that reads user -credentials, i.e. user names, passwords and role information from properties -files on the classpath called `artemis-users.properties` and `artemis-roles.properties`. This is the default security manager. +Apache ActiveMQ Artemis ships with two security manager implementations: + +- The legacy, deprecated `ActiveMQSecurityManager` that reads user credentials, i.e. user names, passwords and role +information from properties files on the classpath called `artemis-users.properties` and `artemis-roles.properties`. +This is the default security manager. -If you wish to use this security manager, then users, passwords and -roles can easily be added into these files. +- The flexible, pluggable `ActiveMQJAASSecurityManager` which supports any standard JAAS login module. Artemis ships +with several login modules which will be discussed further down. -To configure this manager then it needs to be added to the `bootstrap.xml` configuration. -Lets take a look at what this might look like: +### Non-JAAS Security Manager + +If you wish to use the legacy, deprecated `ActiveMQSecurityManager`, then it needs to be added to the `bootstrap.xml` +configuration. Lets take a look at what this might look like: <basic-security> <users>file:${activemq.home}/config/non-clustered/artemis-users.properties</users> @@ -149,28 +153,276 @@ Lets take a look at what this might look like: The first 2 elements `users` and `roles` define what properties files should be used to load in the users and passwords. -The next thing to note is the element `defaultuser`. This defines what -user will be assumed when the client does not specify a -username/password when creating a session. In this case they will be the -user `guest`. Multiple roles can be specified for a default user in the -`artemis-roles.properties`. +The next thing to note is the element `defaultuser`. This defines what user will be assumed when the client does not +specify a username/password when creating a session. In this case they will be the user `guest`. Multiple roles can be +specified for a default user in the `artemis-roles.properties`. -Lets now take alook at the `artemis-users.properties` file, this is basically -just a set of key value pairs that define the users and their password, like so: +Lets now take a look at the `artemis-users.properties` file, this is basically just a set of key value pairs that define +the users and their password, like so: bill=activemq andrew=activemq1 frank=activemq2 sam=activemq3 -The `artemis-roles.properties` defines what groups these users belong too -where the key is the user and the value is a comma separated list of the groups -the user belongs to, like so: +The `artemis-roles.properties` defines what groups these users belong too where the key is the user and the value is a +comma separated list of the groups the user belongs to, like so: bill=user andrew=europe-user,user frank=us-user,news-user,user sam=news-user,user + +### JAAS Security Manager + +When using JAAS much of the configuration depends on which login module is used. However, there are a few commonalities +for every case. Just like in the non-JAAS use-case, the first place to look is in `bootstrap.xml`. Here is an example +using the `PropertiesLogin` JAAS login module which reads user, password, and role information from properties files +much like the non-JAAS security manager implementation: + + <jaas-security login-module="PropertiesLogin"/> + +No matter what login module you're using, you'll need to specify it here in `bootstrap.xml`. The `login-module` attribute +here refers to the relevant login module entry in `login.config`. For example: + + PropertiesLogin { + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required + debug=true + org.apache.activemq.jaas.properties.user="artemis-users.properties" + org.apache.activemq.jaas.properties.role="artemis-roles.properties"; + }; + +The `login.config` file is a standard JAAS configuration file. You can read more about this file on +[Oracle's website](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html). +In short, the file defines: + +- an alias for a configuration (e.g. `PropertiesLogin`) + +- the implementation class (e.g. `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`) + +- a flag which indicates whether the success of the LoginModule is `required`, `requisite`, `sufficient`, or `optional` + +- a list of configuration options specific to the login module implementation + +By default, the location and name of `login.config` is specified on the Artemis command-line which is set by +`etc/artemis.profile` on linux and `etc\artemis.profile.cmd` on Windows. + +### JAAS Login Modules + +#### GuestLoginModule +Allows users without credentials (and, depending on how it is configured, possibly also users with invalid credentials) +to access the broker. Normally, the guest login module is chained with another login module, such as a properties login +module. It is implemented by `org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule`. + +- `org.apache.activemq.jaas.guest.user` - the user name to assign; default is "guest" + +- `org.apache.activemq.jaas.guest.role` - the role name to assign; default is "guests" + +- `credentialsInvalidate` - boolean flag; if `true`, reject login requests that include a password (i.e. guest login +succeeds only when the user does not provide a password); default is `false` + +- `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it +should be set to `false`, or omitted; default is `false` + +There are two basic use cases for the guest login module, as follows: + +- Guests with no credentials or invalid credentials. + +- Guests with no credentials only. + +The following snippet shows how to configure a JAAS login entry for the use case where users with no credentials or +invalid credentials are logged in as guests. In this example, the guest login module is used in combination with the +properties login module. + + activemq-domain { + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule sufficient + debug=true + org.apache.activemq.jaas.properties.user="artemis-users.properties" + org.apache.activemq.jaas.properties.role="artemis-roles.properties"; + + org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient + debug=true + org.apache.activemq.jaas.guest.user="anyone" + org.apache.activemq.jaas.guest.role="restricted"; + }; + +Depending on the user login data, authentication proceeds as follows: + +- User logs in with a valid password â the properties login module successfully authenticates the user and returns + immediately. The guest login module is not invoked. + +- User logs in with an invalid password â the properties login module fails to authenticate the user, and authentication + proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal. + +- User logs in with a blank password â the properties login module fails to authenticate the user, and authentication + proceeds to the guest login module. The guest login module successfully authenticates the user and returns the guest principal. + +The following snipped shows how to configure a JAAS login entry for the use case where only those users with no +credentials are logged in as guests. To support this use case, you must set the credentialsInvalidate option to true in +the configuration of the guest login module. You should also note that, compared with the preceding example, the order +of the login modules is reversed and the flag attached to the properties login module is changed to requisite. + + activemq-guest-when-no-creds-only-domain { + org.apache.activemq.artemis.spi.core.security.jaas.GuestLoginModule sufficient + debug=true + credentialsInvalidate=true + org.apache.activemq.jaas.guest.user="guest" + org.apache.activemq.jaas.guest.role="guests"; + + org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule requisite + debug=true + org.apache.activemq.jaas.properties.user="artemis-users.properties" + org.apache.activemq.jaas.properties.role="artemis-roles.properties"; + }; + +Depending on the user login data, authentication proceeds as follows: + +- User logs in with a valid password â the guest login module fails to authenticate the user (because the user has + presented a password while the credentialsInvalidate option is enabled) and authentication proceeds to the properties + login module. The properties login module sucessfully authenticates the user and returns. + +- User logs in with an invalid password â the guest login module fails to authenticate the user and authentication proceeds + to the properties login module. The properties login module also fails to authenticate the user. The nett result is + authentication failure. + +- User logs in with a blank password â the guest login module successfully authenticates the user and returns immediately. + The properties login module is not invoked. + +#### PropertiesLoginModule +The JAAS properties login module provides a simple store of authentication data, where the relevant user data is stored +in a pair of flat files. This is convenient for demonstrations and testing, but for an enterprise system, the integration +with LDAP is preferable. It is implemented by `org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule`. + +- `org.apache.activemq.jaas.properties.user` - the path to the file which contains user and password properties + +- `org.apache.activemq.jaas.properties.role` - the path to the file which contains user and role properties + +- `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it +should be set to `false`, or omitted; default is `false` + +In the context of the properties login module, the `artemis-users.properties` file consists of a list of properties of the +form, `UserName=Password`. For example, to define the users `system`, `user`, and `guest`, you could create a file like +the following: + + system=manager + user=password + guest=password + +The `artemis-roles.properties` file consists of a list of properties of the form, `Role=UserList`, where UserList is a +comma-separated list of users. For example, to define the roles `admins`, `users`, and `guests`, you could create a file +like the following: + + admins=system + users=system,user + guests=guest + +#### LDAPLoginModule +The LDAP login module enables you to perform authentication and authorization by checking the incoming credentials against +user data stored in a central X.500 directory server. For systems that already have an X.500 directory server in place, +this means that you can rapidly integrate ActiveMQ Artemis with the existing security database and user accounts can be +managed using the X.500 system. It is implemented by `org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule`. + +- `initialContextFactory` - must always be set to `com.sun.jndi.ldap.LdapCtxFactory` + +- `connectionURL` - specify the location of the directory server using an ldap URL, ldap://Host:Port. You can + optionally qualify this URL, by adding a forward slash, `/`, followed by the DN of a particular node in the directory + tree. For example, ldap://ldapserver:10389/ou=system. + +- `authentication` - specifies the authentication method used when binding to the LDAP server. Can take either of + the values, `simple` (username and password) or `none` (anonymous). + +- `connectionUsername` - the DN of the user that opens the connection to the directory server. For example, + `uid=admin,ou=system`. Directory servers generally require clients to present username/password credentials in order + to open a connection. + +- `connectionPassword` - the password that matches the DN from `connectionUsername`. In the directory server, + in the DIT, the password is normally stored as a `userPassword` attribute in the corresponding directory entry. + +- `connectionProtocol` - currently, the only supported value is a blank string. In future, this option will allow + you to select the Secure Socket Layer (SSL) for the connection to the directory server. This option must be set + explicitly to an empty string, because it has no default value. + +- `userBase` - selects a particular subtree of the DIT to search for user entries. The subtree is specified by a + DN, which specifes the base node of the subtree. For example, by setting this option to `ou=User,ou=ActiveMQ,ou=system`, + the search for user entries is restricted to the subtree beneath the `ou=User,ou=ActiveMQ,ou=system` node. + +- `userSearchMatching` - specifies an LDAP search filter, which is applied to the subtree selected by `userBase`. + Before passing to the LDAP search operation, the string value you provide here is subjected to string substitution, + as implemented by the `java.text.MessageFormat` class. Essentially, this means that the special string, `{0}`, is + substituted by the username, as extracted from the incoming client credentials. + + After substitution, the string is interpreted as an LDAP search filter, where the LDAP search filter syntax is + defined by the IETF standard, RFC 2254. A short introduction to the search filter syntax is available from Oracle's + JNDI tutorial, [Search Filters](http://download.oracle.com/javase/jndi/tutorial/basics/directory/filter.html). + + For example, if this option is set to `(uid={0})` and the received username is `jdoe`, the search filter becomes + `(uid=jdoe)` after string substitution. If the resulting search filter is applied to the subtree selected by the + user base, `ou=User,ou=ActiveMQ,ou=system`, it would match the entry, `uid=jdoe,ou=User,ou=ActiveMQ,ou=system` + (and possibly more deeply nested entries, depending on the specified search depthâsee the `userSearchSubtree` option). + +- `userSearchSubtree` - specify the search depth for user entries, relative to the node specified by `userBase`. + This option is a boolean. `false` indicates it will try to match one of the child entries of the `userBase` node + (maps to `javax.naming.directory.SearchControls.ONELEVEL_SCOPE`). `true` indicates it will try to match any entry + belonging to the subtree of the `userBase` node (maps to `javax.naming.directory.SearchControls.SUBTREE_SCOPE`). + +- `userRoleName` - specifies the name of the multi-valued attribute of the user entry that contains a list of + role names for the user (where the role names are interpreted as group names by the broker's authorization plug-in). + If you omit this option, no role names are extracted from the user entry. + +- `roleBase` - if you want to store role data directly in the directory server, you can use a combination of role + options (`roleBase`, `roleSearchMatching`, `roleSearchSubtree`, and `roleName`) as an alternative to (or in addition + to) specifying the `userRoleName` option. This option selects a particular subtree of the DIT to search for role/group + entries. The subtree is specified by a DN, which specifes the base node of the subtree. For example, by setting this + option to `ou=Group,ou=ActiveMQ,ou=system`, the search for role/group entries is restricted to the subtree beneath + the `ou=Group,ou=ActiveMQ,ou=system` node. + +- `roleName` - specifies the attribute type of the role entry that contains the name of the role/group (e.g. C, O, + OU, etc.). If you omit this option, the role search feature is effectively disabled. + +- `roleSearchMatching` - specifies an LDAP search filter, which is applied to the subtree selected by `roleBase`. + This works in a similar manner to the `userSearchMatching` option, except that it supports two substitution strings, + as follows: + + - `{0}` - substitutes the full DN of the matched user entry (that is, the result of the user search). For + example, for the user, `jdoe`, the substituted string could be `uid=jdoe,ou=User,ou=ActiveMQ,ou=system`. + + - `{1}` - substitutes the received username. For example, `jdoe`. + + For example, if this option is set to `(member=uid={1})` and the received username is `jdoe`, the search filter + becomes `(member=uid=jdoe)` after string substitution (assuming ApacheDS search filter syntax). If the resulting + search filter is applied to the subtree selected by the role base, `ou=Group,ou=ActiveMQ,ou=system`, it matches all + role entries that have a `member` attribute equal to `uid=jdoe` (the value of a `member` attribute is a DN). + + This option must always be set, even if role searching is disabled, because it has no default value. + + If you use OpenLDAP, the syntax of the search filter is `(member:=uid=jdoe)`. + +- `roleSearchSubtree` - specify the search depth for role entries, relative to the node specified by `roleBase`. + This option can take boolean values, as follows: + + - `false` (default) - try to match one of the child entries of the roleBase node (maps to + `javax.naming.directory.SearchControls.ONELEVEL_SCOPE`). + + - `true` â try to match any entry belonging to the subtree of the roleBase node (maps to + `javax.naming.directory.SearchControls.SUBTREE_SCOPE`). + +- `debug` - boolean flag; if `true`, enable debugging; this is used only for testing or debugging; normally, it +should be set to `false`, or omitted; default is `false` + +Add user entries under the node specified by the `userBase` option. When creating a new user entry in the directory, +choose an object class that supports the `userPassword` attribute (for example, the `person` or `inetOrgPerson` object +classes are typically suitable). After creating the user entry, add the `userPassword` attribute, to hold the user's +password. + +If you want to store role data in dedicated role entries (where each node represents a particular role), create a role +entry as follows. Create a new child of the `roleBase` node, where the `objectClass` of the child is `groupOfNames`. Set +the `cn` (or whatever attribute type is specified by `roleName`) of the new child node equal to the name of the +role/group. Define a `member` attribute for each member of the role/group, setting the `member` value to the DN of the +corresponding user (where the DN is specified either fully, `uid=jdoe,ou=User,ou=ActiveMQ,ou=system`, or partially, +`uid=jdoe`). + +If you want to add roles to user entries, you would need to customize the directory schema, by adding a suitable +attribute type to the user entry's object class. The chosen attribute type must be capable of handling multiple values. ## Changing the username/password for clustering
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/pom.xml ---------------------------------------------------------------------- diff --git a/examples/features/standard/pom.xml b/examples/features/standard/pom.xml index fe56e87..eaf9b38 100644 --- a/examples/features/standard/pom.xml +++ b/examples/features/standard/pom.xml @@ -82,6 +82,7 @@ under the License. <module>request-reply</module> <module>scheduled-message</module> <module>security</module> + <module>security-jaas</module> <module>send-acknowledgements</module> <module>spring-integration</module> <module>ssl-enabled</module> @@ -142,6 +143,7 @@ under the License. <module>rest</module> <module>scheduled-message</module> <module>security</module> + <module>security-jaas</module> <module>send-acknowledgements</module> <module>spring-integration</module> http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/pom.xml ---------------------------------------------------------------------- diff --git a/examples/features/standard/security-jaas/pom.xml b/examples/features/standard/security-jaas/pom.xml new file mode 100644 index 0000000..ff975a3 --- /dev/null +++ b/examples/features/standard/security-jaas/pom.xml @@ -0,0 +1,111 @@ +<?xml version='1.0'?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + +<project xmlns="http://maven.apache.org/POM/4.0.0"; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd";> + <modelVersion>4.0.0</modelVersion> + + <parent> + <groupId>org.apache.activemq.examples.broker</groupId> + <artifactId>jms-examples</artifactId> + <version>1.1.1-SNAPSHOT</version> + </parent> + + <artifactId>security-jaas</artifactId> + <packaging>jar</packaging> + <name>ActiveMQ Artemis JMS JAAS Security Example</name> + + <properties> + <activemq.basedir>${project.basedir}/../../../..</activemq.basedir> + </properties> + + <dependencies> + <dependency> + <groupId>org.apache.activemq</groupId> + <artifactId>artemis-jms-client</artifactId> + <version>${project.version}</version> + </dependency> + </dependencies> + + <build> + <plugins> + <plugin> + <groupId>org.apache.activemq</groupId> + <artifactId>artemis-maven-plugin</artifactId> + <executions> + <execution> + <id>create</id> + <goals> + <goal>create</goal> + </goals> + <configuration> + <ignore>${noServer}</ignore> + <brokerSecurity>jaas</brokerSecurity> + </configuration> + </execution> + <execution> + <id>start</id> + <goals> + <goal>cli</goal> + </goals> + <configuration> + <ignore>${noServer}</ignore> + <spawn>true</spawn> + <testURI>tcp://localhost:61616</testURI> + <testUser>bill</testUser> + <testPassword>activemq</testPassword> + <args> + <param>run</param> + </args> + </configuration> + </execution> + <execution> + <id>runClient</id> + <goals> + <goal>runClient</goal> + </goals> + <configuration> + <clientClass>org.apache.activemq.artemis.jms.example.JaasSecurityExample</clientClass> + </configuration> + </execution> + <execution> + <id>stop</id> + <goals> + <goal>cli</goal> + </goals> + <configuration> + <ignore>${noServer}</ignore> + <args> + <param>stop</param> + </args> + </configuration> + </execution> + </executions> + <dependencies> + <dependency> + <groupId>org.apache.activemq.examples.broker</groupId> + <artifactId>security-jaas</artifactId> + <version>${project.version}</version> + </dependency> + </dependencies> + </plugin> + </plugins> + </build> + +</project> http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/readme.html ---------------------------------------------------------------------- diff --git a/examples/features/standard/security-jaas/readme.html b/examples/features/standard/security-jaas/readme.html new file mode 100644 index 0000000..9a678f6 --- /dev/null +++ b/examples/features/standard/security-jaas/readme.html @@ -0,0 +1,324 @@ +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + +<html> + <head> + <title>ActiveMQ Artemis JMS Security Example</title> + <link rel="stylesheet" type="text/css" href="../../../common/common.css" /> + <link rel="stylesheet" type="text/css" href="../../../common/prettify.css" /> + <script type="text/javascript" src="../../../common/prettify.js"></script> + </head> + <body onload="prettyPrint()"> + <h1>JMS JAAS Security Example</h1> + + <pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre> + + + <p>This example shows how to configure and use JAAS security using ActiveMQ Artemis.</p> + + <p>With security properly configured, ActiveMQ Artemis can restrict client access to its resources, including + connection creation, message sending/receiving, etc. This is done by configuring users and roles as well as permissions in + the configuration files.</p> + + <p>ActiveMQ Artemis supports wild-card security configuration. This feature makes security configuration very + flexible and enables fine-grained control over permissions in an efficient way.</p> + + <p>For a full description of how to configure security with ActiveMQ Artemis, please consult the user + manual.</p> + + <p>This example demonstrates how to configure users/roles using a JAAS login module, how to configure topics with + proper permissions using wild-card expressions, and how they take effects in a simple program. </p> + + <p>First we need to configure users with roles. Since this example is using the <code>PropertiesLogin</code> JAAS + login module the users and roles are configured in <code>artemis-users.properties</code> and + <code>artemis-roles.properties</code> which are referenced from the login module's configuration in <code>login.config</code>. + This example has four users configured as below:</p> + + <pre class="prettyprint"> + <code> + bill=activemq + andrew=activemq1 + frank=activemq2 + sam=activemq3 + </code> + </pre> + + <p>And various roles for those users:</p> + + <pre class="prettyprint"> + <code> + user=bill,andrew,frank,sam + europe-user=andrew + us-user=frank + news-user=frank,sam + </code> + </pre> + + <p> + Each user has three properties available: user name, password, and roles it belongs to. It should be noted that + a user can belong to more than one role. In the above configuration, all users belong to role 'user'. User 'andrew' also + belongs to role 'europe-user', user 'frank' also belongs to 'us-user' and 'news-user' and user 'sam' also belongs to 'news-user'. + </p> + <p> + User name and password consists of a valid account that can be used to establish connections to a ActiveMQ Artemis server, while + roles are used in controlling the access privileges against ActiveMQ Artemis topics and queues. You can achieve this control by + configuring proper permissions in <code>broker.xml</code>, like the following + </p> + <pre class="prettyprint"><code> + <security-settings> + <!-- any user can have full control of generic topics --> + <security-setting match="jms.topic.#"> + <permission type="createDurableQueue" roles="user"/> + <permission type="deleteDurableQueue" roles="user"/> + <permission type="createNonDurableQueue" roles="user"/> + <permission type="deleteNonDurableQueue" roles="user"/> + <permission type="send" roles="user"/> + <permission type="consume" roles="user"/> + </security-setting> + + <security-setting match="jms.topic.news.europe.#"> + <permission type="createDurableQueue" roles="user"/> + <permission type="deleteDurableQueue" roles="user"/> + <permission type="createNonDurableQueue" roles="user"/> + <permission type="deleteNonDurableQueue" roles="user"/> + <permission type="send" roles="europe-user"/> + <permission type="consume" roles="news-user"/> + </security-setting> + + <security-setting match="jms.topic.news.us.#"> + <permission type="createDurableQueue" roles="user"/> + <permission type="deleteDurableQueue" roles="user"/> + <permission type="createNonDurableQueue" roles="user"/> + <permission type="deleteNonDurableQueue" roles="user"/> + <permission type="send" roles="us-user"/> + <permission type="consume" roles="news-user"/> + </security-setting> + </security-settings> + </code></pre> + + <p>Permissions can be defined on any group of queues, by using a wildcard. You can easily specify + wildcards to apply certain permissions to a set of matching queues and topics. In the above configuration + we have created four sets of permissions, each set matches against a special group of targets, indicated by wild-card match attributes.</p> + + <p>You can provide a very broad permission control as a default and then add more strict control + over specific addresses. By the above we define the following access rules:</p> + + <li>Only role 'us-user' can create/delete and pulish messages to topics whose names match wild-card pattern 'news.us.#'.</li> + <li>Only role 'europe-user' can create/delete and publish messages to topics whose names match wild-card pattern 'news.europe.#'.</li> + <li>Only role 'news-user' can subscribe messages to topics whose names match wild-card pattern 'news.us.#' and 'news.europe.#'.</li> + <li>For any other topics that don't match any of the above wild-card patterns, permissions are granted to users of role 'user'.</li> + + <p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches + jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.us.#'.</p> + + <p>With ActiveMQ Artemis, the security manager is also configurable. You can use JAASSecurityManager or JBossASSecurityManager based on you need. Please + check out the activemq-beans.xml for how to do. In this example we just use the basic ActiveMQSecurityManagerImpl which reads users/roles/passwords from the xml + file <code>activemq-users.xml</code>. + + + <h2>Example step-by-step</h2> + <p><i>To run the example, simply type <code>mvn verify -Pexample</code> from this directory</i></p> + + <ol> + <li>First we need to get an initial context so we can look-up the JMS connection factory and destination objects from JNDI. This initial context will get it's properties from the <code>client-jndi.properties</code> file in the directory <code>../common/config</code></li> + <pre class="prettyprint"> + <code> + InitialContext initialContext = getContext(0); + </code> + </pre> + + <li>We perform lookup on the topics</li> + <pre class="prettyprint"> + <code> + Topic genericTopic = (Topic) initialContext.lookup("/topic/genericTopic"); + Topic europeTopic = (Topic) initialContext.lookup("/topic/europeTopic"); + Topic usTopic = (Topic) initialContext.lookup("/topic/usTopic"); + </code> + </pre> + + <li>We perform a lookup on the Connection Factory</li> + <pre class="prettyprint"> + <code> + ConnectionFactory cf = (ConnectionFactory) initialContext.lookup("/ConnectionFactory"); + </code> + </pre> + + <li>We try to create a JMS Connection without user/password. It will fail.</li> + <pre class="prettyprint"> + <code> + try + { + cf.createConnection(); + result = false; + } + catch (JMSSecurityException e) + { + System.out.println("Default user cannot get a connection. Details: " + e.getMessage()); + } + </code> + </pre> + + <li>Bill tries to make a connection using wrong password</li> + <pre class="prettyprint"> + <code> + billConnection = null; + try + { + billConnection = createConnection("bill", "activemq1", cf); + result = false; + } + catch (JMSException e) + { + System.out.println("User bill failed to connect. Details: " + e.getMessage()); + } + </code> + </pre> + + <li>Bill makes a good connection.</li> + <pre class="prettyprint"> + <code> + billConnection = createConnection("bill", "activemq", cf); + billConnection.start(); + </code> + </pre> + + <li>Andrew makes a good connection</li> + <pre class="prettyprint"> + <code> + andrewConnection = createConnection("andrew", "activemq1", cf); + andrewConnection.start(); + </code> + </pre> + + <li>Frank makes a good connection</li> + <pre class="prettyprint"> + <code> + frankConnection = createConnection("frank", "activemq2", cf); + frankConnection.start(); + </code> + </pre> + + <li>Sam makes a good connection</li> + <pre class="prettyprint"> + <code> + samConnection = createConnection("sam", "activemq3", cf); + samConnection.start(); + </code> + </pre> + + <li>We check every user can publish/subscribe genericTopics</li> + <pre class="prettyprint"> + <code> + checkUserSendAndReceive(genericTopic, billConnection, "bill"); + checkUserSendAndReceive(genericTopic, andrewConnection, "andrew"); + checkUserSendAndReceive(genericTopic, frankConnection, "frank"); + checkUserSendAndReceive(genericTopic, samConnection, "sam"); + </code> + </pre> + + <li>We check permissions on news.europe.europeTopic for bill: can't send and can't receive</li> + <pre class="prettyprint"> + <code> + checkUserNoSendNoReceive(europeTopic, billConnection, "bill", andrewConnection, frankConnection); + </code> + </pre> + + <li>We check permissions on news.europe.europeTopic for andrew: can send but can't receive</li> + <pre class="prettyprint"> + <code> + checkUserSendNoReceive(europeTopic, andrewConnection, "andrew", frankConnection); + </code> + </pre> + + <li>We check permissions on news.europe.europeTopic for frank: can't send but can receive</li> + <pre class="prettyprint"> + <code> + checkUserReceiveNoSend(europeTopic, frankConnection, "frank", andrewConnection); + </code> + </pre> + + <li>We check permissions on news.europe.europeTopic for sam: can't send but can receive</li> + <pre class="prettyprint"> + <code> + checkUserReceiveNoSend(europeTopic, samConnection, "sam", andrewConnection); + </code> + </pre> + + <li>We check permissions on news.us.usTopic for bill: can't send and can't receive</li> + <pre class="prettyprint"> + <code> + checkUserNoSendNoReceive(usTopic, billConnection, "bill"); + </code> + </pre> + + <li>We check permissions on news.us.usTopic for andrew: can't send and can't receive</li> + <pre class="prettyprint"> + <code> + checkUserNoSendNoReceive(usTopic, andrewConnection, "andrew"); + </code> + </pre> + + <li>We check permissions on news.us.usTopic for frank: can both send and receive</li> + <pre class="prettyprint"> + <code> + checkUserSendAndReceive(usTopic, frankConnection, "frank"); + </code> + </pre> + + <li>We check permissions on news.us.usTopic for sam: can't send but can receive</li> + <pre class="prettyprint"> + <code> + checkUserReceiveNoSend(usTopic, samConnection, "sam", frankConnection); + </code> + </pre> + + <li>And finally, <b>always</b> remember to close your JMS connections and resources after use, in a <code>finally</code> block. Closing a JMS connection will automatically close all of its sessions, consumers, producer and browser objects</li> + + <pre class="prettyprint"> + <code> + finally + { + if (billConnection != null) + { + billConnection.close(); + } + if (andrewConnection != null) + { + andrewConnection.close(); + } + if (frankConnection != null) + { + frankConnection.close(); + } + if (samConnection != null) + { + samConnection.close(); + } + + // Also the initialContext + if (initialContext != null) + { + initialContext.close(); + } + } + </code> + </pre> + </ol> + </body> +</html> http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java ---------------------------------------------------------------------- diff --git a/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java b/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java new file mode 100644 index 0000000..eae3fdd --- /dev/null +++ b/examples/features/standard/security-jaas/src/main/java/org/apache/activemq/artemis/jms/example/JaasSecurityExample.java @@ -0,0 +1,282 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.artemis.jms.example; + +import javax.jms.Connection; +import javax.jms.ConnectionFactory; +import javax.jms.JMSException; +import javax.jms.JMSSecurityException; +import javax.jms.MessageConsumer; +import javax.jms.MessageProducer; +import javax.jms.Session; +import javax.jms.TextMessage; +import javax.jms.Topic; +import javax.naming.InitialContext; + +public class JaasSecurityExample { + + public static void main(final String[] args) throws Exception { + boolean result = true; + Connection failConnection = null; + Connection billConnection = null; + Connection andrewConnection = null; + Connection frankConnection = null; + Connection samConnection = null; + + InitialContext initialContext = null; + try { + // /Step 1. Create an initial context to perform the JNDI lookup. + initialContext = new InitialContext(); + + // Step 2. perform lookup on the topics + Topic genericTopic = (Topic) initialContext.lookup("topic/genericTopic"); + Topic europeTopic = (Topic) initialContext.lookup("topic/europeTopic"); + Topic usTopic = (Topic) initialContext.lookup("topic/usTopic"); + + // Step 3. perform a lookup on the Connection Factory + ConnectionFactory cf = (ConnectionFactory) initialContext.lookup("ConnectionFactory"); + + // Step 4. Try to create a JMS Connection without user/password. It will fail. + try { + failConnection = cf.createConnection(); + result = false; + } + catch (JMSSecurityException e) { + System.out.println("Default user cannot get a connection. Details: " + e.getMessage()); + } + + // Step 5. bill tries to make a connection using wrong password + billConnection = null; + try { + billConnection = createConnection("bill", "activemq1", cf); + result = false; + } + catch (JMSException e) { + System.out.println("User bill failed to connect. Details: " + e.getMessage()); + } + + // Step 6. bill makes a good connection. + billConnection = createConnection("bill", "activemq", cf); + billConnection.start(); + + // Step 7. andrew makes a good connection. + andrewConnection = createConnection("andrew", "activemq1", cf); + andrewConnection.start(); + + // Step 8. frank makes a good connection. + frankConnection = createConnection("frank", "activemq2", cf); + frankConnection.start(); + + // Step 9. sam makes a good connection. + samConnection = createConnection("sam", "activemq3", cf); + samConnection.start(); + + // Step 10. Check every user can publish/subscribe genericTopics. + System.out.println("------------------------Checking permissions on " + genericTopic + "----------------"); + checkUserSendAndReceive(genericTopic, billConnection, "bill"); + checkUserSendAndReceive(genericTopic, andrewConnection, "andrew"); + checkUserSendAndReceive(genericTopic, frankConnection, "frank"); + checkUserSendAndReceive(genericTopic, samConnection, "sam"); + System.out.println("-------------------------------------------------------------------------------------"); + + System.out.println("------------------------Checking permissions on " + europeTopic + "----------------"); + + // Step 11. Check permissions on news.europe.europeTopic for bill: can't send and can't receive + checkUserNoSendNoReceive(europeTopic, billConnection, "bill"); + + // Step 12. Check permissions on news.europe.europeTopic for andrew: can send but can't receive + checkUserSendNoReceive(europeTopic, andrewConnection, "andrew", frankConnection); + + // Step 13. Check permissions on news.europe.europeTopic for frank: can't send but can receive + checkUserReceiveNoSend(europeTopic, frankConnection, "frank", andrewConnection); + + // Step 14. Check permissions on news.europe.europeTopic for sam: can't send but can receive + checkUserReceiveNoSend(europeTopic, samConnection, "sam", andrewConnection); + System.out.println("-------------------------------------------------------------------------------------"); + + System.out.println("------------------------Checking permissions on " + usTopic + "----------------"); + + // Step 15. Check permissions on news.us.usTopic for bill: can't send and can't receive + checkUserNoSendNoReceive(usTopic, billConnection, "bill"); + + // Step 16. Check permissions on news.us.usTopic for andrew: can't send and can't receive + checkUserNoSendNoReceive(usTopic, andrewConnection, "andrew"); + + // Step 17. Check permissions on news.us.usTopic for frank: can both send and receive + checkUserSendAndReceive(usTopic, frankConnection, "frank"); + + // Step 18. Check permissions on news.us.usTopic for sam: can't send but can receive + checkUserReceiveNoSend(usTopic, samConnection, "sam", frankConnection); + System.out.println("-------------------------------------------------------------------------------------"); + } + finally { + // Step 19. Be sure to close our JMS resources! + if (failConnection != null) { + failConnection.close(); + } + if (billConnection != null) { + billConnection.close(); + } + if (andrewConnection != null) { + andrewConnection.close(); + } + if (frankConnection != null) { + frankConnection.close(); + } + if (samConnection != null) { + samConnection.close(); + } + + // Also the initialContext + if (initialContext != null) { + initialContext.close(); + } + } + } + + // Check the user can receive message but cannot send message. + private static void checkUserReceiveNoSend(final Topic topic, + final Connection connection, + final String user, + final Connection sendingConn) throws JMSException { + Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + MessageProducer producer = session.createProducer(topic); + MessageConsumer consumer = session.createConsumer(topic); + TextMessage msg = session.createTextMessage("hello-world-1"); + + try { + producer.send(msg); + throw new IllegalStateException("Security setting is broken! User " + user + + " can send message [" + + msg.getText() + + "] to topic " + + topic); + } + catch (JMSException e) { + System.out.println("User " + user + " cannot send message [" + msg.getText() + "] to topic: " + topic); + } + + // Now send a good message + Session session1 = sendingConn.createSession(false, Session.AUTO_ACKNOWLEDGE); + producer = session1.createProducer(topic); + producer.send(msg); + + TextMessage receivedMsg = (TextMessage) consumer.receive(2000); + + if (receivedMsg != null) { + System.out.println("User " + user + " can receive message [" + receivedMsg.getText() + "] from topic " + topic); + } + else { + throw new IllegalStateException("Security setting is broken! User " + user + " cannot receive message from topic " + topic); + } + + session1.close(); + session.close(); + } + + // Check the user can send message but cannot receive message + private static void checkUserSendNoReceive(final Topic topic, + final Connection connection, + final String user, + final Connection receivingConn) throws JMSException { + Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + MessageProducer producer = session.createProducer(topic); + try { + session.createConsumer(topic); + } + catch (JMSException e) { + System.out.println("User " + user + " cannot receive any message from topic " + topic); + } + + Session session1 = receivingConn.createSession(false, Session.AUTO_ACKNOWLEDGE); + MessageConsumer goodConsumer = session1.createConsumer(topic); + + TextMessage msg = session.createTextMessage("hello-world-2"); + producer.send(msg); + + TextMessage receivedMsg = (TextMessage) goodConsumer.receive(2000); + if (receivedMsg != null) { + System.out.println("User " + user + " can send message [" + receivedMsg.getText() + "] to topic " + topic); + } + else { + throw new IllegalStateException("Security setting is broken! User " + user + + " cannot send message [" + + msg.getText() + + "] to topic " + + topic); + } + + session.close(); + session1.close(); + } + + // Check the user has neither send nor receive permission on topic + private static void checkUserNoSendNoReceive(final Topic topic, + final Connection connection, + final String user) throws JMSException { + Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + MessageProducer producer = session.createProducer(topic); + + try { + session.createConsumer(topic); + } + catch (JMSException e) { + System.out.println("User " + user + " cannot create consumer on topic " + topic); + } + + TextMessage msg = session.createTextMessage("hello-world-3"); + try { + producer.send(msg); + throw new IllegalStateException("Security setting is broken! User " + user + + " can send message [" + + msg.getText() + + "] to topic " + + topic); + } + catch (JMSException e) { + System.out.println("User " + user + " cannot send message [" + msg.getText() + "] to topic: " + topic); + } + + session.close(); + } + + // Check the user connection has both send and receive permissions on the topic + private static void checkUserSendAndReceive(final Topic topic, + final Connection connection, + final String user) throws JMSException { + Session session = connection.createSession(false, Session.AUTO_ACKNOWLEDGE); + TextMessage msg = session.createTextMessage("hello-world-4"); + MessageProducer producer = session.createProducer(topic); + MessageConsumer consumer = session.createConsumer(topic); + producer.send(msg); + TextMessage receivedMsg = (TextMessage) consumer.receive(5000); + if (receivedMsg != null) { + System.out.println("User " + user + " can send message: [" + msg.getText() + "] to topic: " + topic); + System.out.println("User " + user + " can receive message: [" + msg.getText() + "] from topic: " + topic); + } + else { + throw new IllegalStateException("Error! User " + user + " cannot receive the message! "); + } + session.close(); + } + + private static Connection createConnection(final String username, + final String password, + final ConnectionFactory cf) throws JMSException { + return cf.createConnection(username, password); + } +} http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties ---------------------------------------------------------------------- diff --git a/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties new file mode 100644 index 0000000..243b341 --- /dev/null +++ b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-roles.properties @@ -0,0 +1,20 @@ +## --------------------------------------------------------------------------- +## Licensed to the Apache Software Foundation (ASF) under one or more +## contributor license agreements. See the NOTICE file distributed with +## this work for additional information regarding copyright ownership. +## The ASF licenses this file to You under the Apache License, Version 2.0 +## (the "License"); you may not use this file except in compliance with +## the License. You may obtain a copy of the License at +## +## http://www.apache.org/licenses/LICENSE-2.0 +## +## Unless required by applicable law or agreed to in writing, software +## distributed under the License is distributed on an "AS IS" BASIS, +## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +## See the License for the specific language governing permissions and +## limitations under the License. +## --------------------------------------------------------------------------- +user=bill,andrew,frank,sam +europe-user=andrew +us-user=frank +news-user=frank,sam \ No newline at end of file http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties ---------------------------------------------------------------------- diff --git a/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties new file mode 100644 index 0000000..0a206c6 --- /dev/null +++ b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/artemis-users.properties @@ -0,0 +1,20 @@ +## --------------------------------------------------------------------------- +## Licensed to the Apache Software Foundation (ASF) under one or more +## contributor license agreements. See the NOTICE file distributed with +## this work for additional information regarding copyright ownership. +## The ASF licenses this file to You under the Apache License, Version 2.0 +## (the "License"); you may not use this file except in compliance with +## the License. You may obtain a copy of the License at +## +## http://www.apache.org/licenses/LICENSE-2.0 +## +## Unless required by applicable law or agreed to in writing, software +## distributed under the License is distributed on an "AS IS" BASIS, +## WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +## See the License for the specific language governing permissions and +## limitations under the License. +## --------------------------------------------------------------------------- +bill=activemq +andrew=activemq1 +frank=activemq2 +sam=activemq3 \ No newline at end of file http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml ---------------------------------------------------------------------- diff --git a/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml new file mode 100644 index 0000000..e2dc187 --- /dev/null +++ b/examples/features/standard/security-jaas/src/main/resources/activemq/server0/broker.xml @@ -0,0 +1,81 @@ +<?xml version='1.0'?> +<!-- +Licensed to the Apache Software Foundation (ASF) under one +or more contributor license agreements. See the NOTICE file +distributed with this work for additional information +regarding copyright ownership. The ASF licenses this file +to you under the Apache License, Version 2.0 (the +"License"); you may not use this file except in compliance +with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, +software distributed under the License is distributed on an +"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +KIND, either express or implied. See the License for the +specific language governing permissions and limitations +under the License. +--> + +<configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"; + xmlns="urn:activemq" + xsi:schemaLocation="urn:activemq /schema/artemis-server.xsd"> + + <jms xmlns="urn:activemq:jms"> + <topic name="genericTopic"/> + + <topic name="news.europe.europeTopic"/> + + <topic name="news.us.usTopic"/> + </jms> + + <core xmlns="urn:activemq:core"> + + <bindings-directory>./data/messaging/bindings</bindings-directory> + + <journal-directory>./data/messaging/journal</journal-directory> + + <large-messages-directory>./data/messaging/largemessages</large-messages-directory> + + <paging-directory>./data/messaging/paging</paging-directory> + + <!-- Acceptors --> + <acceptors> + <acceptor name="netty-acceptor">tcp://localhost:61616</acceptor> + </acceptors> + + <!-- Other config --> + + <security-settings> + <!-- any user can have full control of generic topics --> + <security-setting match="jms.topic.#"> + <permission type="createDurableQueue" roles="user"/> + <permission type="deleteDurableQueue" roles="user"/> + <permission type="createNonDurableQueue" roles="user"/> + <permission type="deleteNonDurableQueue" roles="user"/> + <permission type="send" roles="user"/> + <permission type="consume" roles="user"/> + </security-setting> + + <security-setting match="jms.topic.news.europe.#"> + <permission type="createDurableQueue" roles="user"/> + <permission type="deleteDurableQueue" roles="user"/> + <permission type="createNonDurableQueue" roles="user"/> + <permission type="deleteNonDurableQueue" roles="user"/> + <permission type="send" roles="europe-user"/> + <permission type="consume" roles="news-user"/> + </security-setting> + + <security-setting match="jms.topic.news.us.#"> + <permission type="createDurableQueue" roles="user"/> + <permission type="deleteDurableQueue" roles="user"/> + <permission type="createNonDurableQueue" roles="user"/> + <permission type="deleteNonDurableQueue" roles="user"/> + <permission type="send" roles="us-user"/> + <permission type="consume" roles="news-user"/> + </security-setting> + </security-settings> + + </core> +</configuration> http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/examples/features/standard/security-jaas/src/main/resources/jndi.properties ---------------------------------------------------------------------- diff --git a/examples/features/standard/security-jaas/src/main/resources/jndi.properties b/examples/features/standard/security-jaas/src/main/resources/jndi.properties new file mode 100644 index 0000000..0a3b640 --- /dev/null +++ b/examples/features/standard/security-jaas/src/main/resources/jndi.properties @@ -0,0 +1,22 @@ +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + +java.naming.factory.initial=org.apache.activemq.artemis.jndi.ActiveMQInitialContextFactory +connectionFactory.ConnectionFactory=tcp://localhost:61616 +topic.topic/genericTopic=genericTopic +topic.topic/europeTopic=news.europe.europeTopic +topic.topic/usTopic=news.us.usTopic http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/pom.xml ---------------------------------------------------------------------- diff --git a/pom.xml b/pom.xml index def5ea2..f1fd068 100644 --- a/pom.xml +++ b/pom.xml @@ -123,6 +123,8 @@ <geronimo.jms.2.spec.version>1.0-alpha-2</geronimo.jms.2.spec.version> <javac-compiler-id>javac-with-errorprone</javac-compiler-id> + + <directory-version>1.5.7</directory-version> </properties> <scm> http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/pom.xml ---------------------------------------------------------------------- diff --git a/tests/integration-tests/pom.xml b/tests/integration-tests/pom.xml index de8ca77..bb4ec15 100644 --- a/tests/integration-tests/pom.xml +++ b/tests/integration-tests/pom.xml @@ -261,6 +261,24 @@ <version>1.0.1</version> <scope>test</scope> </dependency> + <dependency> + <groupId>org.apache.directory.server</groupId> + <artifactId>apacheds-server-integ</artifactId> + <version>${directory-version}</version> + <scope>test</scope> + </dependency> + <dependency> + <groupId>org.apache.directory.server</groupId> + <artifactId>apacheds-core-integ</artifactId> + <version>${directory-version}</version> + <scope>test</scope> + <exclusions> + <exclusion> + <groupId>bouncycastle</groupId> + <artifactId>bcprov-jdk15</artifactId> + </exclusion> + </exclusions> + </dependency> </dependencies> <build> http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/6ed9c5ae/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java ---------------------------------------------------------------------- diff --git a/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java new file mode 100644 index 0000000..f5aeec5 --- /dev/null +++ b/tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/security/LDAPSecurityTest.java @@ -0,0 +1,347 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.activemq.artemis.tests.integration.security; + +import javax.naming.Context; +import javax.naming.NameClassPair; +import javax.naming.NamingEnumeration; +import javax.naming.directory.DirContext; +import javax.naming.directory.InitialDirContext; +import java.io.File; +import java.lang.management.ManagementFactory; +import java.net.URL; +import java.util.HashSet; +import java.util.Hashtable; +import java.util.Set; + +import org.apache.activemq.artemis.api.core.ActiveMQException; +import org.apache.activemq.artemis.api.core.SimpleString; +import org.apache.activemq.artemis.api.core.TransportConfiguration; +import org.apache.activemq.artemis.api.core.client.ActiveMQClient; +import org.apache.activemq.artemis.api.core.client.ClientConsumer; +import org.apache.activemq.artemis.api.core.client.ClientProducer; +import org.apache.activemq.artemis.api.core.client.ClientSession; +import org.apache.activemq.artemis.api.core.client.ClientSessionFactory; +import org.apache.activemq.artemis.api.core.client.ServerLocator; +import org.apache.activemq.artemis.core.config.Configuration; +import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl; +import org.apache.activemq.artemis.core.remoting.impl.invm.InVMAcceptorFactory; +import org.apache.activemq.artemis.core.remoting.impl.invm.InVMConnectorFactory; +import org.apache.activemq.artemis.core.security.Role; +import org.apache.activemq.artemis.core.server.ActiveMQServer; +import org.apache.activemq.artemis.core.server.ActiveMQServers; +import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager; +import org.apache.activemq.artemis.tests.util.ActiveMQTestBase; +import org.apache.directory.server.annotations.CreateLdapServer; +import org.apache.directory.server.annotations.CreateTransport; +import org.apache.directory.server.core.annotations.ApplyLdifFiles; +import org.apache.directory.server.core.integ.AbstractLdapTestUnit; +import org.apache.directory.server.core.integ.FrameworkRunner; +import org.junit.Assert; +import org.junit.Before; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; +import org.junit.runner.RunWith; + +@RunWith(FrameworkRunner.class) +@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)}) +@ApplyLdifFiles("test.ldif") +public class LDAPSecurityTest extends AbstractLdapTestUnit { + + static { + String path = System.getProperty("java.security.auth.login.config"); + if (path == null) { + URL resource = LDAPSecurityTest.class.getClassLoader().getResource("login.config"); + if (resource != null) { + path = resource.getFile(); + System.setProperty("java.security.auth.login.config", path); + } + } + } + + private ServerLocator locator; + + public static final String TARGET_TMP = "./target/tmp"; + private static final String PRINCIPAL = "uid=admin,ou=system"; + private static final String CREDENTIALS = "secret"; + + + public LDAPSecurityTest() { + File parent = new File(TARGET_TMP); + parent.mkdirs(); + temporaryFolder = new TemporaryFolder(parent); + } + + @Rule + public TemporaryFolder temporaryFolder; + private String testDir; + + @Before + public void setUp() throws Exception { + locator = ActiveMQClient.createServerLocatorWithHA(new TransportConfiguration(InVMConnectorFactory.class.getCanonicalName())); + testDir = temporaryFolder.getRoot().getAbsolutePath(); + } + + @SuppressWarnings("unchecked") + @Test + public void testRunning() throws Exception { + Hashtable env = new Hashtable(); + env.put(Context.PROVIDER_URL, "ldap://localhost:1024";); + env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); + env.put(Context.SECURITY_AUTHENTICATION, "simple"); + env.put(Context.SECURITY_PRINCIPAL, PRINCIPAL); + env.put(Context.SECURITY_CREDENTIALS, CREDENTIALS); + DirContext ctx = new InitialDirContext(env); + + HashSet set = new HashSet(); + + NamingEnumeration list = ctx.list("ou=system"); + + while (list.hasMore()) { + NameClassPair ncp = (NameClassPair) list.next(); + set.add(ncp.getName()); + } + + Assert.assertTrue(set.contains("uid=admin")); + Assert.assertTrue(set.contains("ou=users")); + Assert.assertTrue(set.contains("ou=groups")); + Assert.assertTrue(set.contains("ou=configuration")); + Assert.assertTrue(set.contains("prefNodeName=sysPrefRoot")); + } + + @Test + public void testJAASSecurityManagerAuthentication() throws Exception { + ActiveMQServer server = getActiveMQServer(); + server.start(); + ClientSessionFactory cf = locator.createSessionFactory(); + + try { + ClientSession session = cf.createSession("first", "secret", false, true, true, false, 0); + session.close(); + } + catch (ActiveMQException e) { + e.printStackTrace(); + Assert.fail("should not throw exception"); + } + + cf.close(); + locator.close(); + server.stop(); + } + + @Test + public void testJAASSecurityManagerAuthenticationBadPassword() throws Exception { + ActiveMQServer server = getActiveMQServer(); + server.start(); + ClientSessionFactory cf = locator.createSessionFactory(); + + try { + cf.createSession("first", "badpassword", false, true, true, false, 0); + Assert.fail("should throw exception here"); + } + catch (Exception e) { + // ignore + } + + cf.close(); + locator.close(); + server.stop(); + } + + @Test + public void testJAASSecurityManagerAuthorizationNegative() throws Exception { + final SimpleString ADDRESS = new SimpleString("address"); + final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue"); + final SimpleString NON_DURABLE_QUEUE = new SimpleString("nonDurableQueue"); + + ActiveMQServer server = getActiveMQServer(); + Set<Role> roles = new HashSet<>(); + roles.add(new Role("programmers", false, false, false, false, false, false, false)); + server.getConfiguration().getSecurityRoles().put("#", roles); + server.start(); + server.createQueue(ADDRESS, DURABLE_QUEUE, null, true, false); + server.createQueue(ADDRESS, NON_DURABLE_QUEUE, null, false, false); + + ClientSessionFactory cf = locator.createSessionFactory(); + ClientSession session = cf.createSession("first", "secret", false, true, true, false, 0); + + // CREATE_DURABLE_QUEUE + try { + session.createQueue(ADDRESS, DURABLE_QUEUE, true); + Assert.fail("should throw exception here"); + } + catch (ActiveMQException e) { + // ignore + } + + // DELETE_DURABLE_QUEUE + try { + session.deleteQueue(DURABLE_QUEUE); + Assert.fail("should throw exception here"); + } + catch (ActiveMQException e) { + // ignore + } + + // CREATE_NON_DURABLE_QUEUE + try { + session.createQueue(ADDRESS, NON_DURABLE_QUEUE, false); + Assert.fail("should throw exception here"); + } + catch (ActiveMQException e) { + // ignore + } + + // DELETE_NON_DURABLE_QUEUE + try { + session.deleteQueue(NON_DURABLE_QUEUE); + Assert.fail("should throw exception here"); + } + catch (ActiveMQException e) { + // ignore + } + + // PRODUCE + try { + ClientProducer producer = session.createProducer(ADDRESS); + producer.send(session.createMessage(true)); + Assert.fail("should throw exception here"); + } + catch (ActiveMQException e) { + // ignore + } + + // CONSUME + try { + ClientConsumer consumer = session.createConsumer(DURABLE_QUEUE); + Assert.fail("should throw exception here"); + } + catch (ActiveMQException e) { + // ignore + } + + // MANAGE + try { + ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress()); + producer.send(session.createMessage(true)); + Assert.fail("should throw exception here"); + } + catch (ActiveMQException e) { + // ignore + } + + session.close(); + cf.close(); + locator.close(); + server.stop(); + } + + @Test + public void testJAASSecurityManagerAuthorizationPositive() throws Exception { + final SimpleString ADDRESS = new SimpleString("address"); + final SimpleString DURABLE_QUEUE = new SimpleString("durableQueue"); + final SimpleString NON_DURABLE_QUEUE = new SimpleString("nonDurableQueue"); + + ActiveMQServer server = getActiveMQServer(); + Set<Role> roles = new HashSet<>(); + roles.add(new Role("admins", true, true, true, true, true, true, true)); + server.getConfiguration().getSecurityRoles().put("#", roles); + server.start(); + + ClientSessionFactory cf = locator.createSessionFactory(); + ClientSession session = cf.createSession("first", "secret", false, true, true, false, 0); + + // CREATE_DURABLE_QUEUE + try { + session.createQueue(ADDRESS, DURABLE_QUEUE, true); + } + catch (ActiveMQException e) { + e.printStackTrace(); + Assert.fail("should not throw exception here"); + } + + // DELETE_DURABLE_QUEUE + try { + session.deleteQueue(DURABLE_QUEUE); + } + catch (ActiveMQException e) { + e.printStackTrace(); + Assert.fail("should not throw exception here"); + } + + // CREATE_NON_DURABLE_QUEUE + try { + session.createQueue(ADDRESS, NON_DURABLE_QUEUE, false); + } + catch (ActiveMQException e) { + Assert.fail("should not throw exception here"); + } + + // DELETE_NON_DURABLE_QUEUE + try { + session.deleteQueue(NON_DURABLE_QUEUE); + } + catch (ActiveMQException e) { + Assert.fail("should not throw exception here"); + } + + session.createQueue(ADDRESS, DURABLE_QUEUE, true); + + // PRODUCE + try { + ClientProducer producer = session.createProducer(ADDRESS); + producer.send(session.createMessage(true)); + } + catch (ActiveMQException e) { + Assert.fail("should not throw exception here"); + } + + // CONSUME + try { + session.createConsumer(DURABLE_QUEUE); + } + catch (ActiveMQException e) { + Assert.fail("should not throw exception here"); + } + + // MANAGE + try { + ClientProducer producer = session.createProducer(server.getConfiguration().getManagementAddress()); + producer.send(session.createMessage(true)); + } + catch (ActiveMQException e) { + Assert.fail("should not throw exception here"); + } + + session.close(); + cf.close(); + locator.close(); + server.stop(); + } + + private ActiveMQServer getActiveMQServer() { + ActiveMQJAASSecurityManager securityManager = new ActiveMQJAASSecurityManager(); + securityManager.setConfigurationName("LDAPLogin"); + Configuration configuration = new ConfigurationImpl().setSecurityEnabled(true).addAcceptorConfiguration(new TransportConfiguration(InVMAcceptorFactory.class.getCanonicalName())) + .setJournalDirectory(ActiveMQTestBase.getJournalDir(testDir, 0, false)) + .setBindingsDirectory(ActiveMQTestBase.getBindingsDir(testDir, 0, false)) + .setPagingDirectory(ActiveMQTestBase.getPageDir(testDir, 0, false)) + .setLargeMessagesDirectory(ActiveMQTestBase.getLargeMessagesDir(testDir, 0, false)); + return ActiveMQServers.newActiveMQServer(configuration, ManagementFactory.getPlatformMBeanServer(), securityManager, false); + } +}
