Modified: qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security.html URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security.html?rev=1632181&r1=1632180&r2=1632181&view=diff ============================================================================== --- qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security.html (original) +++ qpid/site/docs/releases/qpid-trunk/java-broker/book/Java-Broker-Security.html Wed Oct 15 21:29:55 2014 @@ -21,7 +21,7 @@ --> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> <head> - <title>Chapter 11. Security - Apache Qpid™</title> + <title>Chapter 8. Security - Apache Qpid™</title> <meta http-equiv="X-UA-Compatible" content="IE=edge"/> <meta name="viewport" content="width=device-width, initial-scale=1.0"/> <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> 
@@ -106,68 +106,48 @@ </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-trunk/index.html">Qpid Trunk</a></li><li><a href="/releases/qpid-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>Chapter 11. Security</li></ul> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 11. Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter 11. Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">11.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">11.1.1. Simple LDAP Authentication P rovider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">11.1.2. Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">11.1.3. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">11.1.4. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">11.1.5. 
Plain Password File</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">11.1.6. Base64MD5 Password File</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html">11.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">11. 2.1. GroupFile Provider</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">11.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">11.3.1. + <ul id="-path-navigation"><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-trunk/index.html">Qpid Trunk</a></li><li><a href="/releases/qpid-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>Chapter 8. Security</li></ul> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 8. Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugins-JMX.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter 8. Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">8.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">8.1.1. 
Simple LDAP Authenti cation Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">8.1.2. Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">8.1.3. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">8.1.4. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-ScramSha-Providers">8.1.5. SCRAM SHA Providers</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">8.1.6. Plain Password File</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">8.1.7. Base64MD5 Password File</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html ">8.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">8.2.1. GroupFile Provider</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">8.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">8.3.1. Writing .acl files - </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-Syntax">11.3.2. + </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-Syntax">8.3.2. Syntax - </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WorkedExamples">11.3.3. + </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WorkedExamples">8.3.3. 
Worked Examples - </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-SSL.html">11.4. SSL</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-SSL.html#Java-Broker-SSL-Keystore">11.4.1. Keystore Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate">11.4.2. Truststore / Client Certificate Authentication</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Authentication-Providers"></a>11.1. Authentication Providers</h2></div></div></div><p> - In order to successfully establish a connection to the Java Broker, the connection must be - authenticated. The Java Broker supports a number of different authentication schemes, each - with its own "authentication provider". Any number of Authentication Providers can be configured - on the Broker at the same time. - </p><p> - The Authentication Providers can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">REST Management interfaces</a> - and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>. - </p><p>The following Authentication Provider managing operations are available from Web Management Console: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Authentication Provider can be added by clicking onto "Add Provider" on the Broker tab.</p></li><li class="listitem"><p>An Authentication Provider details can be viewed on the Authentication Provider tab. 
- The tab is displayed after clicking onto Authentication Provider name in the Broker object tree or after clicking - onto Authentication Provider row in Authentication Providers grid on the Broker tab.</p></li><li class="listitem"><p>Editing of Authentication Provider can be performed by clicking on "Edit" button - on Authentication Provider tab.</p></li><li class="listitem"><p>An existing Authentication Provider can be deleted by clicking on "Delete Provider" button - on Broker tab or "Delete" button on the Authentication Provider tab.</p></li></ul></div><p> - The Authentication Provider type and name cannot be changed for existing providers as editing of name and type - is unsupported at the moment. Only provider specific attributes can be modified in the editing dialog - and stored in the broker configuration store. - </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3> - Only unused Authentication Provider can be deleted. For delete requests attempting to delete Authentication Provider - associated with the Ports, the errors will be returned and delete operations will be aborted. It is possible to change - the Authentication Provider on Port at runtime. However, the Broker restart is required for changes on Port to take effect. - </div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-LDAP-Provider"></a>11.1.1. Simple LDAP Authentication Provider</h3></div></div></div><p> - SimpleLDAPAuthenticationProvider authenticates connections against a Directory (LDAP). 
- </p><p> - To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP server URL</em></span> is the URL of the server, for example, <code class="literal">ldaps://example.com:636</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search context</em></span> is the distinguished name of the search base object. It defines the location from which - the search for users begins, for example, <code class="literal">dc=users,dc=example,dc=com</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search filter</em></span> is a DN template to find an LDAP user entry by provided user name, for example, <code class="literal">(uid={0})</code></p></li></ul></div><p> - Additionally, the following optional fields can be specified: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP context factory</em></span> is a fully qualified class name for the JNDI LDAP context factory. - This class must implement the <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/spi/InitialContextFactory.html" target="_top">InitialContextFactory</a> - interface and produce instances of <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/directory/DirContext.html" target="_top">DirContext</a>. - If not specified a default value of <code class="literal">com.sun.jndi.ldap.LdapCtxFactory</code> is used.</p></li><li class="listitem"><p><span class="emphasis"><em>LDAP authentication URL</em></span> is the URL of LDAP server for performing "ldap bind". 
If not - specified, the <span class="emphasis"><em>LDAP server URL</em></span> will be used for both searches and authentications.</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a name of <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication">configured truststore</a>. - Use this if connecting to a Directory over SSL (i.e. ldaps://) which is protected by a certificate signed by a private CA (or - utilising a self-signed certificate).</p></li></ul></div><p> - </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3> - In order to protect the security of the user's password, when using LDAP authentication, you must: - <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Use SSL on the broker's AMQP, JMX, and HTTP ports to protect the password during - transmission to the Broker.</p></li><li class="listitem"><p>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password - during transmission from the Broker to the Directory.</p></li></ul></div></div><p> - The LDAP Authentication Provider works in the following manner. It first connects to the Directory anonymously - and searches for the ldap entity which is identified by the username. The search begins at the distinguished name - identified by <code class="literal">Search Context</code> and uses the username as a filter. The search scope is sub-tree - meaning the search will include the base object and the subtree extending beneath it. - </p><p> - If the search returns a match, the Authentication Provider then attempts to bind to the LDAP server with the given - name and the password. 
Note that - <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION" target="_top">simple security authentication</a> - is used so the Directory receives the password in the clear. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Kerberos-Provider"></a>11.1.2. Kerberos</h3></div></div></div><p> - Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the connections. - </p><p> - Configuration of kerberos is done through system properties (there doesn't seem to be a way - around this unfortunately). - </p><pre class="programlisting"> + </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html">8.4. Configuration Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Configuration">8.4.1. Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Alternate-Implementations">8.4.2. Alternate Implementations</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Authentication-Providers"></a>8.1. Authentication Providers</h2></div></div></div><p> In order to successfully establish a connection to the Java Broker, the connection must be + authenticated. The Java Broker supports a number of different authentication schemes, each with + its own "authentication provider". Any number of Authentication Providers can be configured on + the Broker at the same time. </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> Only unused Authentication Provider can be deleted. 
For delete requests attempting to + delete Authentication Provider associated with the Ports, the errors will be returned and + delete operations will be aborted. It is possible to change the Authentication Provider on + Port at runtime. However, the Broker restart is required for changes on Port to take effect. + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-LDAP-Provider"></a>8.1.1. Simple LDAP Authentication Provider</h3></div></div></div><p> SimpleLDAPAuthenticationProvider authenticates connections against a Directory (LDAP). </p><p> To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP server URL</em></span> is the URL of the server, for example, + <code class="literal">ldaps://example.com:636</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search context</em></span> is the distinguished name of the search base + object. It defines the location from which the search for users begins, for example, + <code class="literal">dc=users,dc=example,dc=com</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search filter</em></span> is a DN template to find an LDAP user entry by + provided user name, for example, <code class="literal">(uid={0})</code></p></li></ul></div><p> Additionally, the following optional fields can be specified: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP context factory</em></span> is a fully qualified class name for the + JNDI LDAP context factory. 
This class must implement the <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/spi/InitialContextFactory.html" target="_top">InitialContextFactory</a> interface and produce instances of <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/directory/DirContext.html" target="_top">DirContext</a>. If + not specified a default value of <code class="literal">com.sun.jndi.ldap.LdapCtxFactory</code> is + used.</p></li><li class="listitem"><p><span class="emphasis"><em>LDAP authentication URL</em></span> is the URL of LDAP server for + performing "ldap bind". If not specified, the <span class="emphasis"><em>LDAP server URL</em></span> will + be used for both searches and authentications.</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a name of <a class="link" href="Java-Broker-Management-Managing-Truststores.html#Java-Broker-Management-Managing-Truststores-Attributes" title="7.12.1. Attributes">configured + truststore</a>. Use this if connecting to a Directory over SSL (i.e. ldaps://) + which is protected by a certificate signed by a private CA (or utilising a self-signed + certificate).</p></li></ul></div><p> + </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>In order to protect the security of the user's password, when using LDAP authentication, + you must: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Use SSL on the broker's AMQP, HTTP and JMX ports to protect the password during + transmission to the Broker. The Broker enforces this restriction automatically on AMQP + and HTTP ports.</p></li><li class="listitem"><p>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password + during transmission from the Broker to the Directory.</p></li></ul></div></div><p> The LDAP Authentication Provider works in the following manner. 
If not in <code class="literal">bind + without search</code> mode, it first connects to the Directory and searches for the ldap + entity which is identified by the username. The search begins at the distinguished name + identified by <code class="literal">Search Context</code> and uses the username as a filter. The search + scope is sub-tree meaning the search will include the base object and the subtree extending + beneath it. </p><p> If the search returns a match, or is configured in <code class="literal">bind without search</code> + mode, the Authentication Provider then attempts to bind to the LDAP server with the given name + and the password. Note that <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION" target="_top">simple security + authentication</a> is used so the Directory receives the password in the clear. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Kerberos-Provider"></a>8.1.2. Kerberos</h3></div></div></div><p> Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the + connections. </p><p> Configuration of kerberos is done through system properties (there doesn't seem to be a + way around this unfortunately). </p><pre class="programlisting"> export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf ${QPID_HOME}/bin/qpid-server </pre><p>Where qpid.conf would look something like this:</p><pre class="programlisting"> 
@@ -181,69 +161,52 @@ com.sun.security.jgss.accept { kdc="kerberos.example.com" keyTab="/path/to/keytab-file" principal="<name>/<host>"; -};</pre><p> - Where realm, kdc, keyTab and principal should obviously be set correctly for the environment - where you are running (see the existing documentation for the C++ broker about creating a keytab - file). - </p><p> - Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength - Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. - </p><p> - Since Kerberos support only works where SASL authentication is available (e.g. not for JMX - authentication) you may wish to also include an alternative Authentication Provider - configuration, and use this for JMX and HTTP ports. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>11.1.3. External (SSL Client Certificates)</h3></div></div></div><p> - When <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication"> requiring SSL Client Certificates</a> be - presented the External Authentication Provider can be used, such that the user is authenticated based on - trust of their certificate alone, and the X500Principal from the SSL session is then used as the username - for the connection, instead of also requiring the user to present a valid username and password. - </p><p> - <span class="bold"><strong>Note:</strong></span> The External Authentication Provider should typically only be used on the - AMQP ports, in conjunction with <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication">SSL client certificate - authentication</a>. 
It is not intended for other uses such as the JMX management port and will treat any - non-sasl authentication processes on these ports as successful with the given username. As such you should - configure another Authentication Provider for use on non-AMQP ports. Perhaps the only exception to this - would be where the broker is embedded in a container that is itself externally protecting the HTTP interface - and then providing the remote users name. - </p><p>On creation of External Provider the use of full DN or username CN as a principal name can be configured. - If field "Use the full DN as the Username" is set to "true" the full DN is used as an authenticated principal name. - If field "Use the full DN as the Username" is set to "false" the user name CN part is used as the authenticated principal name. - Setting the field to "false" is particular useful when <a class="link" href="Java-Broker-Security-ACLs.html" title="11.3. Access Control Lists">ACL</a> is required, - as at the moment, ACL does not support commas in the user name. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Anonymous-Provider"></a>11.1.4. Anonymous</h3></div></div></div><p> - The Anonymous Authentication Provider will allow users to connect with or without credentials and result - in their identification on the broker as the user ANONYMOUS. This Provider does not require specification - of any additional fields on creation. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-PlainPasswordFile-Provider"></a>11.1.5. Plain Password File</h3></div></div></div><p> - The PlainPasswordFile Provider uses local file to store and manage user credentials. - When creating an authentication provider the path to the file needs to be specified. - If specified file does not exist an empty file is created automatically on Authentication Provider creation. 
- On Provider deletion the password file is deleted as well. For this Provider - user credentials can be added, removed or changed using REST management interfaces and web management console. - </p><p> - On navigating to the Plain Password File Provider tab (by clicking onto provider name from Broker tree or provider - row in providers grid on Broker tab) the list of existing credentials is displayed on the tab with the buttons "Add User" - and "Delete Users" to add new user credentials and delete the existing user credentials respectively. - On clicking into user name on Users grid the pop-up dialog to change the password is displayed. - </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idm233114546208"></a>11.1.5.1. Plain Password File Format</h4></div></div></div><p> - The user credentials are stored on the single file line as user name and user password pairs separated by colon character. - </p><pre class="programlisting"> +};</pre><p> Where realm, kdc, keyTab and principal should obviously be set correctly for the + environment where you are running (see the existing documentation for the C++ broker about + creating a keytab file). </p><p> Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength + Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </p><p> Since Kerberos support only works where SASL authentication is available (e.g. not for + JMX authentication) you may wish to also include an alternative Authentication Provider + configuration, and use this for JMX and HTTP ports. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>8.1.3. External (SSL Client Certificates)</h3></div></div></div><p> When <a class="link" href="Java-Broker-Management-Managing-Truststores.html" title="7.12. 
Truststores"> requiring SSL Client + Certificates</a> be presented the External Authentication Provider can be used, such that + the user is authenticated based on trust of their certificate alone, and the X500Principal + from the SSL session is then used as the username for the connection, instead of also + requiring the user to present a valid username and password. </p><p> + <span class="bold"><strong>Note:</strong></span> The External Authentication Provider should typically + only be used on the AMQP/HTTP ports, in conjunction with <a class="link" href="Java-Broker-Management-Managing-Ports.html" title="7.9. Ports">SSL client certificate + authentication</a>. It is not intended for other uses such as the JMX management port and + will treat any non-sasl authentication processes on these ports as successful with the given + username. As such you should configure another Authentication Provider for use on JMX + ports.</p><p>On creation of External Provider the use of full DN or username CN as a principal name can + be configured. If attribute "Use the full DN as the Username" is set to "true" the full DN is + used as an authenticated principal name. If attribute "Use the full DN as the Username" is set + to "false" the user name CN part is used as the authenticated principal name. Setting the + field to "false" is particular useful when <a class="link" href="Java-Broker-Security-ACLs.html" title="8.3. Access Control Lists">ACL</a> is required, as at the moment, ACL does not support commas in the user name. + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Anonymous-Provider"></a>8.1.4. Anonymous</h3></div></div></div><p> The Anonymous Authentication Provider will allow users to connect with or without + credentials and result in their identification on the broker as the user ANONYMOUS. This + Provider does not require specification of any additional attributes on creation. 
</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ScramSha-Providers"></a>8.1.5. SCRAM SHA Providers</h3></div></div></div><p>The SCRAM SHA Providers uses the Broker configuration itself to store the database of + users. (Unlike the <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider" title="8.1.6. Plain Password File">Plain</a> and <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider" title="8.1.7. Base64MD5 Password File">Base64MD5</a> providers that follow, there is no separate password file). The users' + passwords are stored as salted SHA digested password. This can be further encrypted using the + facilities described in <a class="xref" href="Java-Broker-Security-Configuration-Encryption.html" title="8.4. Configuration Encryption">Section 8.4, “Configuration Encryption”</a>.</p><p>There are two variants of this provider, SHA1 and SHA256. SHA256 is recommended whenever + possible. SHA1 is provided with compatibility with clients utilising JDK 1.6 (which does not + support SHA256).</p><p>For these providers user credentials can be added, removed or changed using + Management.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-PlainPasswordFile-Provider"></a>8.1.6. Plain Password File</h3></div></div></div><p> The PlainPasswordFile Provider uses local file to store and manage user credentials. When + creating an authentication provider the path to the file needs to be specified. If specified + file does not exist an empty file is created automatically on Authentication Provider + creation. On Provider deletion the password file is deleted as well.</p><p>For these providers user credentials can be added, removed or changed using + Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp1059824"></a>8.1.6.1. 
Plain Password File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user password + pairs separated by colon character. This file must not be modified externally whilst the + Broker is running.</p><pre class="programlisting"> # password file format # <user name>: <user password> guest:guest - </pre></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Base64MD5PasswordFile-Provider"></a>11.1.6. Base64MD5 Password File</h3></div></div></div><p> - Base64MD5PasswordFile Provider uses local file to store and manage user credentials similar to Similar to PlainPasswordFile - but instead of storing a password the MD5 password digest encoded with Base64 encoding is stored in the file. - When creating an authentication provider the path to the file needs to be specified. - If specified file does not exist an empty file is created automatically on Authentication Provider creation. - On Base64MD5PasswordFile Provider deletion the password file is deleted as well. For this Provider - user credentials can be added, removed or changed using REST management interfaces and web management console. - </p><p> - On navigating to the Base64MD5PasswordFile Provider tab (by clicking onto provider name from Broker tree or provider - row in providers grid on Broker tab) the list of existing credentials is displayed on the tab with the buttons "Add User" - and "Delete Users" to add new user credentials and delete the existing user credentials respectively. - On clicking into user name on Users grid the pop-up dialog to change the password is displayed. 
- </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">10.5. High Availability BDB Message Store </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.2. Group Providers</td></tr></table></div></div> + </pre></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Base64MD5PasswordFile-Provider"></a>8.1.7. Base64MD5 Password File</h3></div></div></div><p> Base64MD5PasswordFile Provider uses local file to store and manage user credentials + similar to PlainPasswordFile but instead of storing a password the MD5 password digest encoded + with Base64 encoding is stored in the file. When creating an authentication provider the path + to the file needs to be specified. If specified file does not exist an empty file is created + automatically on Authentication Provider creation. On Base64MD5PasswordFile Provider deletion + the password file is deleted as well.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idp1063952"></a>8.1.7.1. Base64MD5 File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user password + pairs separated by colon character. The password is stored MD5 digest/Base64 encoded. 
This + file must not be modified externally whilst the Broker is running.</p></div></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugins-JMX.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">7.16. JMX Plugin </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 8.2. Group Providers</td></tr></table></div></div> <hr/>
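Review bot: the Plain Password File section shows credentials in cleartext (`# <user name>: <user password>` / `guest:guest`) but only warns against editing the file while the Broker runs; add a sentence saying the file must be readable only by the Broker's own account (restrictive filesystem permissions), since anyone who can read it holds every user's password. In the same hunk the Base64MD5 section loses both the "user credentials can be added, removed or changed" sentence and the management-UI paragraph, while the Plain section keeps "For these providers user credentials can be added, removed or changed using Management."; restore an equivalent sentence under 8.1.7 so readers of that provider still learn how credentials are managed. The new 8.1.7.1 "Base64MD5 File Format" sub-section describes the layout in prose only; a `programlisting` example like the one in 8.1.6.1 would make the one-line-per-user, colon-separated, Base64-of-MD5 format unambiguous. Since the SCRAM section explains salting and recommends SHA256, a cross-reference from the MD5 file format to the SCRAM providers would tell readers which store to prefer for new deployments. Minor wording: "The SCRAM SHA Providers uses" should read "use", "SHA1 is provided with compatibility with clients" should read "for compatibility with clients", and "uses local file" needs "a local file". Finally, the two new sub-section anchors `idp1059824` and `idp1063952` are generator-assigned ids that change on every DocBook build; give them stable ids in the style of the other anchors (e.g. `Java-Broker-Security-PlainPasswordFile-Format`) so links to them survive the next regeneration.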
Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-MessageFlow.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-MessageFlow.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-MessageFlow.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Modified: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-Model.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-Model.png?rev=1632181&r1=1632180&r2=1632181&view=diff ============================================================================== Binary files - no diff available. Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-PortAuthFlow.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-PortAuthFlow.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Broker-PortAuthFlow.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-1.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-1.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. 
Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-1.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-2.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-2.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-2.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-3.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-3.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Create-3.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Overview.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Overview.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. 
Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/HA-Overview.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Add-Dialogue.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Add-Dialogue.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Add-Dialogue.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Auth.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Auth.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Auth.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Modified: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Console.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Console.png?rev=1632181&r1=1632180&r2=1632181&view=diff ============================================================================== Binary files - no diff available. 
Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-ContextVar.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-ContextVar.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-ContextVar.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Edit-Dialogue.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Edit-Dialogue.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Edit-Dialogue.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Added: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Tab.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Tab.png?rev=1632181&view=auto ============================================================================== Binary file - no diff available. 
Propchange: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/Management-Web-Tab.png ------------------------------------------------------------------------------ svn:mime-type = application/octet-stream Modified: qpid/site/docs/releases/qpid-trunk/java-broker/book/images/VirtualHost-Model.png URL: http://svn.apache.org/viewvc/qpid/site/docs/releases/qpid-trunk/java-broker/book/images/VirtualHost-Model.png?rev=1632181&r1=1632180&r2=1632181&view=diff ============================================================================== Binary files - no diff available.
