http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a1891eca/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html
----------------------------------------------------------------------
diff --git 
a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html 
b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html
new file mode 100644
index 0000000..040280f
--- /dev/null
+++ b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html
@@ -0,0 +1,411 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en">
+  <head>
+    <title>11.3.&#160;Access Control Lists - Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git 
https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" 
alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache 
Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid 
Messaging API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/java-broker/index.html">Java 
broker</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ 
broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch 
router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a 
href="https://cwiki.apache.org/confluence/display/qpid/Index";>Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search"; method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" 
tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a 
href="/index.html">Home</a></li><li><a 
href="/releases/index.html">Releases</a></li><li><a 
href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a 
href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker 
(Java)</a></li><li>11.3.&#160;Access Control Lists</li></ul>
+
+        <div id="-middle-content">
+          <div class="docbook"><div class="navheader"><table 
summary="Navigation header" width="100%"><tr><th align="center" 
colspan="3">11.3.&#160;Access Control Lists</th></tr><tr><td align="left" 
width="20%"><a accesskey="p" 
href="Java-Broker-Security-Group-Providers.html">Prev</a>&#160;</td><th 
align="center" width="60%">Chapter&#160;11.&#160;Security</th><td align="right" 
width="20%">&#160;<a accesskey="n" 
href="Java-Broker-Security-SSL.html">Next</a></td></tr></table><hr /></div><div 
class="section"><div class="titlepage"><div><div><h2 class="title"><a 
id="Java-Broker-Security-ACLs"></a>11.3.&#160;Access Control 
Lists</h2></div></div></div><p>
+    In Qpid, Access Control Lists (ACLs) specify which actions can be 
performed by each authenticated user.
+    To enable, an <span class="emphasis"><em>Access Control 
Provider</em></span> needs to be configured on the <span 
class="emphasis"><em>Broker</em></span>
+    level or/and ACL configuration should be provided on a <span 
class="emphasis"><em>Virtual Host</em></span> level.
+    The first imposes the ACL broker wide, and the second is applied to 
individual virtual hosts.
+    The <span class="emphasis"><em>Access Control Provider</em></span> of type 
"AclFile" uses local file to specify the ACL rules.
+    By convention, this file should have a .acl extension.
+  </p><p>
+    A Group Provider can be configured with ACL to define the user groups 
which can be used in ACL
+    to determine the ACL rules applicable to the entire group. The 
configuration details for the Group Providers are described in
+    <a class="xref" href="Java-Broker-Security-Group-Providers.html" 
title="11.2.&#160;Group Providers">Section&#160;11.2, &#8220;Group 
Providers&#8221;</a>. On creation of ACL Provider with group rules,
+    the Group Provider should be added first. Otherwise, if the individual ACL 
rules are not defined for the logged principal
+    the following invocation of management operations could be denied due to 
absence of the required groups.</p><p>Only one <span 
class="emphasis"><em>Access Control Provider</em></span> can be used by the 
Broker.
+    If several <span class="emphasis"><em>Access Control Providers</em></span> 
are configured on Broker level
+    only one of them will be used (the latest one). <a class="xref" 
href="Java-Broker-Virtual-Hosts-Configuration-File-ACL.html" 
title="14.2.&#160;Configuring ACL">Section&#160;14.2, &#8220;Configuring 
ACL&#8221;</a>
+    shows how to configure ACL on <span class="emphasis"><em>Virtual 
Host</em></span> using virtual host configuration xml.
+    If both Broker <span class="emphasis"><em>Access Control 
Provider</em></span> and <span class="emphasis"><em>Virtual Host</em></span> 
ACL are configured,
+    the <span class="emphasis"><em>Virtual Host</em></span> ACL is used for 
authorization of operations on <span class="emphasis"><em>Virtual 
Host</em></span> and
+    Virtual Host objects and Broker level ACL is used to authorization of 
operations on Broker and Broker children
+    (excluding Virtual Hosts having ACL configured).
+  </p><p>
+    The ACL Providers can be configured using <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API"
 title="5.2.4.&#160;REST API">REST Management interfaces</a>
+    and <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console"
 title="5.2.2.&#160;Web Management Console">Web Management Console</a>.
+  </p><p>The following ACL Provider managing operations are available from Web 
Management Console:
+    </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p>A new ACL Provider can be added by clicking onto "Add 
Access Control Provider" on the Broker tab.</p></li><li class="listitem"><p>An 
ACL Provider details can be viewed on the Access Control Provider tab.
+        The tab is shown after clicking onto ACL Provider name in the Broker 
object tree or after clicking
+        onto ACL Provider row in ACL Providers grid on the Broker 
tab.</p></li><li class="listitem"><p>An existing ACL Provider can be deleted by 
clicking onto buttons "Delete Access Control Provider"
+        on the Broker tab or Access Control Provider 
tab.</p></li></ul></div><p>
+  </p><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a id="Java-Broker-Security-ACLs-WriteACL"></a>11.3.1.&#160;
+       Writing .acl files
+    </h3></div></div></div><p>
+      The ACL file consists of a series of rules associating behaviour for a 
user or group. Use of groups can serve to make the ACL file more concise. See 
<a class="link" href="Java-Broker-Security-Group-Providers.html" 
title="11.2.&#160;Group Providers">Configuring Group Providers</a> for more 
information on defining groups.
+    </p><p>
+      Each ACL rule grants or denies a particular action on an object to a 
user/group.  The rule may be augmented with one or more properties, restricting
+      the rule's applicability.
+    </p><pre class="programlisting">
+      ACL ALLOW alice CREATE QUEUE              # Grants alice permission to 
create all queues.
+      ACL DENY bob CREATE QUEUE name="myqueue"  # Denies bob permission to 
create a queue called "myqueue"
+    </pre><p>
+      The ACL is considered in strict line order with the first matching rule 
taking precedence over all those that follow. In the following
+      example, if the user bob tries to create an exchange "myexch", the 
operation will be allowed by the first rule.  The second rule will
+      never be considered.
+    </p><pre class="programlisting">
+      ACL ALLOW bob ALL EXCHANGE
+      ACL DENY bob CREATE EXCHANGE name="myexch"  # Dead rule
+    </pre><p>
+      If the desire is to allow bob to create all exchanges except "myexch", 
order of the rules must be reversed:
+    </p><pre class="programlisting">
+      ACL DENY bob CREATE EXCHANGE name="myexch"
+      ACL ALLOW bob ALL EXCHANGE
+    </pre><p>
+      All ACL files end with an implict rule denying all operations to all 
users.  It is as if each file ends with
+      </p><pre class="programlisting">ACL DENY ALL ALL </pre><p>
+      If instead you wish to <span class="emphasis"><em>allow</em></span> all 
operations other than those controlled by earlier rules,
+      add </p><pre class="programlisting">ACL ALLOW ALL ALL</pre><p> to the 
bottom of the ACL file.
+    </p><p>
+      When writing a new ACL, a good approach is to begin with an .acl file 
containing only </p><pre class="programlisting">ACL DENY-LOG ALL ALL</pre><p>
+      which will cause the Broker to deny all operations with details of the 
denial logged to the Qpid log file. Build up the ACL rule by rule,
+      gradually working through the use-cases of your system.  Once the ACL is 
complete, consider switching the DENY-LOG actions to DENY
+      to improve performamce and reduce log noise.
+    </p><p>
+      ACL rules are very powerful: it is possible to write very granular rules 
specifying many broker objects and their
+      properties.  Most projects probably won't need this degree of 
flexibility.  A reasonable approach is to choose to apply permissions
+      at a certain level of abstraction (e.g. QUEUE) and apply them 
consistently across the whole system.
+    </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a id="Java-Broker-Security-ACLs-Syntax"></a>11.3.2.&#160;
+       Syntax
+    </h3></div></div></div><p>
+       ACL rules follow this syntax:
+    </p><pre class="programlisting">
+     ACL {permission} {&lt;group-name&gt;|&lt;user-name&gt;&gt;|ALL} 
{action|ALL} [object|ALL] [property="&lt;property-value&gt;"]
+    </pre><p>
+       Comments may be introduced with the hash (#) character and are ignored. 
 Long lines can be broken with the slash (\) character.
+    </p><pre class="programlisting">
+      # A comment
+      ACL ALLOW admin CREATE ALL # Also a comment
+      ACL DENY guest \
+      ALL ALL   # A broken line
+    </pre></div><div class="table"><a 
id="table-Java-Broker-Security-ACLs-Syntax_permissions"></a><p 
class="title"><strong>Table&#160;11.1.&#160;List of ACL 
permission</strong></p><div class="table-contents"><table border="1" 
summary="List of ACL permission"><colgroup><col /><col 
/></colgroup><tbody><tr><td><span 
class="command"><strong>ALLOW</strong></span></td><td><p>Allow the 
action</p></td></tr><tr><td><span 
class="command"><strong>ALLOW-LOG</strong></span></td><td><p> Allow the action 
and log the action in the log </p></td></tr><tr><td><span 
class="command"><strong>DENY</strong></span></td><td><p> Deny the 
action</p></td></tr><tr><td><span 
class="command"><strong>DENY-LOG</strong></span></td><td><p> Deny the action 
and log the action in the log</p></td></tr></tbody></table></div></div><br 
class="table-break" /><div class="table"><a 
id="table-Java-Broker-Security-ACLs-Syntax_actions"></a><p 
class="title"><strong>Table&#160;11.2.&#160;List of ACL 
actions</strong></p><div class="t
 able-contents"><table border="1" summary="List of ACL actions"><colgroup><col 
/><col /></colgroup><tbody><tr><td> <span 
class="command"><strong>CONSUME</strong></span> </td><td> <p> Applied when 
subscriptions are created </p> </td></tr><tr><td> <span 
class="command"><strong>PUBLISH</strong></span> </td><td> <p> Applied on a per 
message basis on publish message transfers</p> </td></tr><tr><td> <span 
class="command"><strong>CREATE</strong></span> </td><td> <p> Applied when an 
object is created, such as bindings, queues, exchanges</p> </td></tr><tr><td> 
<span class="command"><strong>ACCESS</strong></span> </td><td> <p> Applied when 
an object is read or accessed</p> </td></tr><tr><td> <span 
class="command"><strong>BIND</strong></span> </td><td> <p> Applied when queues 
are bound to exchanges</p> </td></tr><tr><td> <span 
class="command"><strong>UNBIND</strong></span> </td><td> <p> Applied when 
queues are unbound from exchanges</p> </td></tr><tr><td> <span 
class="command"><strong>DELETE</s
 trong></span> </td><td> <p> Applied when objects are deleted </p> 
</td></tr><tr><td> <span class="command"><strong>PURGE</strong></span> </td><td>
+          <p>Applied when purge the contents of a queue</p> </td></tr><tr><td> 
<span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when 
an object is updated </p> </td></tr><tr><td> <span 
class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when an 
object is configured via REST management interfaces(Java Broker only).</p> 
</td></tr></tbody></table></div></div><br class="table-break" /><div 
class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_objects"></a><p 
class="title"><strong>Table&#160;11.3.&#160;List of ACL 
objects</strong></p><div class="table-contents"><table border="1" summary="List 
of ACL objects"><colgroup><col /><col /></colgroup><tbody><tr><td> <span 
class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A virtualhost 
(Java Broker only)</p> </td></tr><tr><td> <span 
class="command"><strong>MANAGEMENT </strong></span> </td><td> <p>Management - 
for web and JMX (Java Broker only)</p> </td></tr><tr><td> <span class="co
 mmand"><strong>QUEUE</strong></span> </td><td> <p>A queue </p> 
</td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> 
</td><td> <p>An exchange </p> </td></tr><tr><td> <span 
class="command"><strong>USER</strong></span> </td><td> <p>A user (Java Broker 
only)</p> </td></tr><tr><td> <span 
class="command"><strong>GROUP</strong></span> </td><td> <p>A group (Java Broker 
only)</p> </td></tr><tr><td> <span 
class="command"><strong>METHOD</strong></span> </td><td> <p>Management or agent 
or broker method (Java Broker only)</p> </td></tr><tr><td> <span 
class="command"><strong>LINK</strong></span> </td><td> <p>A federation or 
inter-broker link (not currently used in Java Broker)</p> </td></tr><tr><td> 
<span class="command"><strong>BROKER</strong></span> </td><td> <p>The 
broker</p> </td></tr></tbody></table></div></div><br class="table-break" /><div 
class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_properties"></a><p 
class="title"><strong>Table&#160;11.4.&#160;List of 
 ACL properties</strong></p><div class="table-contents"><table border="1" 
summary="List of ACL properties"><colgroup><col /><col 
/></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> 
</td><td> <p> String. Object name, such as a queue name, exchange name or JMX 
method name.  </p> </td></tr><tr><td> <span 
class="command"><strong>durable</strong></span> </td><td> <p> Boolean. 
Indicates the object is durable </p> </td></tr><tr><td> <span 
class="command"><strong>routingkey</strong></span> </td><td> <p> String. 
Specifies routing key </p> </td></tr><tr><td> <span 
class="command"><strong>passive</strong></span> </td><td> <p> Boolean. 
Indicates the presence of a <em class="parameter"><code>passive</code></em> 
flag </p> </td></tr><tr><td> <span 
class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. 
Indicates whether or not the object gets deleted when the connection is closed 
</p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></s
 pan> </td><td> <p> Boolean. Indicates the presence of an <em 
class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td> 
<span class="command"><strong>temporary</strong></span> </td><td> <p> Boolean. 
Indicates the presence of an <em class="parameter"><code>temporary</code></em> 
flag </p> </td></tr><tr><td> <span class="command"><strong>type</strong></span> 
</td><td> <p> String. Type of object, such as topic, fanout, or xml </p> 
</td></tr><tr><td> <span class="command"><strong>alternate</strong></span> 
</td><td> <p> String. Name of the alternate exchange </p> </td></tr><tr><td> 
<span class="command"><strong>queuename</strong></span> </td><td> <p> String. 
Name of the queue (used only when the object is something other than <em 
class="parameter"><code>queue</code></em> </p> </td></tr><tr><td> <span 
class="command"><strong>component</strong></span> </td><td> <p> String. JMX 
component name (Java Broker only)</p> </td></tr><tr><td> <span 
class="command"><strong>schemapackag
 e</strong></span> </td><td> <p> String. QMF schema package name (Not used in 
Java Broker)</p> </td></tr><tr><td> <span 
class="command"><strong>schemaclass</strong></span> </td><td> <p> String. QMF 
schema class name (Not used in Java Broker)</p> </td></tr><tr><td> <span 
class="command"><strong>from_network</strong></span> </td><td>
+            <p>
+              Comma-separated strings representing IPv4 address ranges.
+            </p>
+            <p>
+              Intended for use in ACCESS VIRTUALHOST rules to apply 
firewall-like restrictions.
+            </p>
+            <p>
+              The rule matches if any of the address ranges match the IPv4 
address of the messaging client.
+              The address ranges are specified using either Classless 
Inter-Domain Routing notation
+              (e.g. 192.168.1.0/24; see <a class="ulink" 
href="http://tools.ietf.org/html/rfc4632"; target="_top">RFC 4632</a>)
+              or wildcards (e.g. 192.169.1.*).
+            </p>
+            <p>
+              Java Broker only.
+            </p>
+          </td></tr><tr><td> <span 
class="command"><strong>from_hostname</strong></span> </td><td>
+            <p>
+              Comma-separated strings representing hostnames, specified using 
Perl-style regular
+              expressions, e.g. .*\.example\.company\.com
+            </p>
+            <p>
+              Intended for use in ACCESS VIRTUALHOST rules to apply 
firewall-like restrictions.
+            </p>
+            <p>
+              The rule matches if any of the patterns match the hostname of 
the messaging client.
+            </p>
+            <p>
+              To look up the client's hostname, Qpid uses Java's DNS support, 
which internally caches its results.
+            </p>
+            <p>
+              You can modify the time-to-live of cached results using the 
*.ttl properties described on the
+              Java <a class="ulink" 
href="http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html";
 target="_top">Networking
+              Properties</a> page.
+            </p>
+            <p>
+              For example, you can either set system property 
sun.net.inetaddr.ttl from the command line
+              (e.g. export QPID_OPTS="-Dsun.net.inetaddr.ttl=0") or 
networkaddress.cache.ttl in
+              $JAVA_HOME/lib/security/java.security. The latter is preferred 
because it is JVM
+              vendor-independent.
+            </p>
+            <p>
+              Java Broker only.
+            </p>
+          </td></tr></tbody></table></div></div><br class="table-break" /><div 
class="table"><a 
id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"></a><p 
class="title"><strong>Table&#160;11.5.&#160;List of ACL rules</strong></p><div 
class="table-contents"><table border="1" summary="List of ACL 
rules"><colgroup><col /><col /><col /></colgroup><tbody><tr><td> <span 
class="command"><strong>UserManagement</strong></span> </td><td> <p>User 
maintainance; create/delete/view users, change passwords etc</p> </td><td> 
<p>permissionable at broker level only</p> </td></tr><tr><td> <span 
class="command"><strong>ConfigurationManagement</strong></span> </td><td> 
<p>Dynammically reload configuration from disk.</p> </td><td> <p>permissionable 
at broker level only</p> </td></tr><tr><td> <span 
class="command"><strong>LoggingManagement</strong></span> </td><td> 
<p>Dynammically control Qpid logging level</p> </td><td> <p>permissionable at 
broker level only</p> </td></tr><tr><td> <span class="com
 mand"><strong>ServerInformation</strong></span> </td><td> <p>Read-only 
information regarding the Qpid: version number etc</p> </td><td> 
<p>permissionable at broker level only</p> </td></tr><tr><td> <span 
class="command"><strong>VirtualHost.Queue</strong></span> </td><td> <p>Queue 
maintainance; copy/move/purge/view etc</p> </td><td 
class="auto-generated">&#160;</td></tr><tr><td> <span 
class="command"><strong>VirtualHost.Exchange</strong></span> </td><td> 
<p>Exchange maintenance; bind/unbind queues to exchanges</p> </td><td 
class="auto-generated">&#160;</td></tr><tr><td> <span 
class="command"><strong>VirtualHost.VirtualHost</strong></span> </td><td> 
<p>Virtual host maintainace; create/delete exchanges, queues etc</p> </td><td 
class="auto-generated">&#160;</td></tr></tbody></table></div></div><br 
class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a id="Java-Broker-Security-ACLs-WorkedExamples"></a>11.3.3.&#160;
+      Worked Examples
+    </h3></div></div></div><p>
+      Here are some example ACLs illustrating common use cases.
+      In addition, note that the Java broker provides a complete example ACL 
file, located at etc/broker_example.acl.
+    </p><div class="section"><div class="titlepage"><div><div><h4 
class="title"><a 
id="Java-Broker-Security-ACLs-WorkedExample1"></a>11.3.3.1.&#160;
+        Worked example 1 - Management rights
+      </h4></div></div></div><p>
+        Suppose you wish to permission two users: a user 'operator' must be 
able to perform all Management operations, and
+        a user 'readonly' must be enable to perform only read-only functions.  
Neither 'operator' nor 'readonly'
+        should be allowed to connect clients for messaging.
+      </p><pre class="programlisting">
+# Deny (loggged) operator/readonly permission to connect messaging clients.
+ACL DENY-LOG operator ACCESS VIRTUALHOST
+ACL DENY-LOG readonly ACCESS VIRTUALHOST
+# Give operator permission to perfom all other actions
+ACL ALLOW operator ALL ALL
+# Give readonly permission to execute only read-only actions
+ACL ALLOW readonly ACCESS ALL
+...
+... rules for other users
+...
+# Explicitly deny all (log) to eveyone
+ACL DENY-LOG ALL ALL
+      </pre></div><div class="section"><div class="titlepage"><div><div><h4 
class="title"><a 
id="Java-Broker-Security-ACLs-WorkedExample2"></a>11.3.3.2.&#160;
+        Worked example 2 - User maintainer group
+      </h4></div></div></div><p>
+        Suppose you wish to restrict User Management operations to users 
belonging to a
+        <a class="link" href="Java-Broker-Security-Group-Providers.html" 
title="11.2.&#160;Group Providers">group</a> 'usermaint'.  No other user
+        is allowed to perform user maintainence  This example illustrates the 
permissioning of an individual component.
+      </p><pre class="programlisting">
+# Give usermaint access to management and permission to execute all JMX 
Methods on the
+# UserManagement MBean and perform all actions for USER objects
+ACL ALLOW usermaint ACCESS MANAGEMENT
+ACL ALLOW usermaint ALL METHOD component="UserManagement"
+ACL ALLOW usermaint ALL USER
+ACL DENY ALL ALL METHOD component="UserManagement"
+ACL DENY ALL ALL USER
+...
+... rules for other users
+...
+ACL DENY-LOG ALL ALL
+      </pre></div><div class="section"><div class="titlepage"><div><div><h4 
class="title"><a 
id="Java-Broker-Security-ACLs-WorkedExample3"></a>11.3.3.3.&#160;
+        Worked example 3 - Request/Response messaging
+      </h4></div></div></div><p>
+        Suppose you wish to permission a system using a request/response 
paradigm. Two users: 'client' publishes requests;
+        'server' consumes the requests and generates a response.  This example 
illustrates the permissioning of AMQP exchanges
+        and queues.
+      </p><pre class="programlisting">
+# Allow client and server to connect to the virtual host.
+ACL ALLOW client ACCESS VIRTUALHOST
+ACL ALLOW server ACCESS VIRTUALHOST
+
+# Client side
+# Allow the 'client' user to publish requests to the request queue. As is the 
norm for the request/response paradigm, the client
+# is required to create a temporary queue on which the server will respond.  
Consequently, there are rules to allow the creation
+# of the temporary queues and consumption of messages from it.
+ACL ALLOW client CREATE QUEUE temporary="true"
+ACL ALLOW client CONSUME QUEUE temporary="true"
+ACL ALLOW client DELETE QUEUE temporary="true"
+ACL ALLOW client BIND EXCHANGE name="amq.direct" temporary="true"
+ACL ALLOW client UNBIND EXCHANGE name="amq.direct" temporary="true"
+ACL ALLOW client PUBLISH EXCHANGE name="amq.direct" 
routingKey="example.RequestQueue"
+
+# Server side
+# Allow the 'server' user to consume from the request queue and publish a 
response to the temporary response queue created by
+# client.  We also allow the server to create the request queue.
+ACL ALLOW server CREATE QUEUE name="example.RequestQueue"
+ACL ALLOW server CONSUME QUEUE name="example.RequestQueue"
+ACL ALLOW server BIND EXCHANGE
+ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*"
+
+ACL DENY-LOG all all
+      </pre></div><div class="section"><div class="titlepage"><div><div><h4 
class="title"><a 
id="Java-Broker-Security-ACLs-WorkedExample4"></a>11.3.3.4.&#160;
+        Worked example 4 - firewall-like access control
+      </h4></div></div></div><p>
+        This example illustrates how to set up an ACL that restricts the IP 
addresses and hostnames
+        of messaging clients that can access a virtual host.
+      </p><pre class="programlisting">
+################
+# Hostname rules
+################
+
+# Allow messaging clients from company1.com and company1.co.uk to connect
+ACL ALLOW all ACCESS VIRTUALHOST 
from_hostname=".*\.company1\.com,.*\.company1\.co\.uk"
+
+# Deny messaging clients from hosts within the dev subdomain
+ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.dev\.company1\.com"
+
+##################
+# IP address rules
+##################
+
+# Deny access to all users in the IP ranges 192.168.1.0-192.168.1.255 and 
192.168.2.0-192.168.2.255,
+# using the notation specified in RFC 4632, "Classless Inter-domain Routing 
(CIDR)"
+ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \
+  from_network="192.168.1.0/24,192.168.2.0/24"
+
+# Deny access to all users in the IP ranges 192.169.1.0-192.169.1.255 and 
192.169.2.0-192.169.2.255,
+# using wildcard notation.
+ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \
+  from_network="192.169.1.*,192.169.2.*"
+
+ACL DENY-LOG all all
+      </pre></div><div class="section"><div class="titlepage"><div><div><h4 
class="title"><a 
id="Java-Broker-Security-ACLs-WorkedExample5"></a>11.3.3.5.&#160;
+        Worked example 5 - REST management ACL example
+      </h4></div></div></div><p>
+        This example illustrates how to set up an ACL that restricts usage of 
REST management interfaces.
+      </p><pre class="programlisting">
+# allow to the users from webadmins group to change broker model
+# this rule allows adding/removing/editing of Broker level objects:
+# Broker, Virtual Host, Group Provider, Authentication Provider, Port, Access 
Control Provider etc
+ACL ALLOW-LOG webadmins CONFIGURE BROKER
+
+# allow to the users from webadmins group to perform
+# create/update/delete on Virtual Host children
+ACL ALLOW-LOG webadmins CREATE QUEUE
+ACL ALLOW-LOG webadmins UPDATE QUEUE
+ACL ALLOW-LOG webadmins DELETE QUEUE
+ACL ALLOW-LOG webadmins PURGE  QUEUE
+ACL ALLOW-LOG webadmins CREATE EXCHANGE
+ACL ALLOW-LOG webadmins DELETE EXCHANGE
+ACL ALLOW-LOG webadmins BIND   EXCHANGE
+ACL ALLOW-LOG webadmins UNBIND EXCHANGE
+
+# allow to the users from webadmins group to create/update/delete groups on 
Group Providers
+ACL ALLOW-LOG webadmins CREATE GROUP
+ACL ALLOW-LOG webadmins DELETE GROUP
+ACL ALLOW-LOG webadmins UPDATE GROUP
+
+# allow to the users from webadmins group to create/update/delete users for 
Authentication Providers
+ACL ALLOW-LOG webadmins CREATE USER
+ACL ALLOW-LOG webadmins DELETE USER
+ACL ALLOW-LOG webadmins UPDATE USER
+
+# allow to the users from webadmins group to move, copy and delete messagaes
+# using REST management interfaces
+ACL ALLOW-LOG webadmins UPDATE METHOD
+
+# at the moment only the following UPDATE METHOD rules are supported by web 
management console
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" 
name="moveMessages"
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" 
name="copyMessages"
+#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" 
name="deleteMessages"
+
+ACL DENY-LOG all all
+      </pre></div></div></div><div class="navfooter"><hr /><table 
summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a 
accesskey="p" 
href="Java-Broker-Security-Group-Providers.html">Prev</a>&#160;</td><td 
align="center" width="20%"><a accesskey="u" 
href="Java-Broker-Security.html">Up</a></td><td align="right" 
width="40%">&#160;<a accesskey="n" 
href="Java-Broker-Security-SSL.html">Next</a></td></tr><tr><td align="left" 
valign="top" width="40%">11.2.&#160;Group Providers&#160;</td><td 
align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td 
align="right" valign="top" 
width="40%">&#160;11.4.&#160;SSL</td></tr></table></div></div>
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/";>Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/";>License</a></li>
+            <li><a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
+            <li><a 
href="http://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
+            <li><a href="http://www.apache.org/security/";>Security</a></li>
+            <li><a href="http://www.apache.org/";><img id="-apache-feather" 
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0";>Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>
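Review bot: In worked example 4 the rule `ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.dev\.company1\.com"` is listed after the ALLOW for `.*\.company1\.com`, so under the first-match ordering described in section 11.3.1 a host in the dev subdomain already matches the ALLOW and the deny is a dead rule. The DENY-LOG line should be moved above the ALLOW line, the same reordering the page applies in its `myexch` example. The from_hostname description says the client's hostname is obtained through a DNS lookup, which suggests the match is only as trustworthy as that DNS answer; a sentence advising readers not to rely on a from_hostname ALLOW as the only restriction, and to combine it with from_network, would be a useful caveat. Separately, the syntax line in 11.3.2 has a stray `&gt;` after `&lt;user-name&gt;`.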

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a1891eca/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html
----------------------------------------------------------------------
diff --git 
a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html
 
b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html
new file mode 100644
index 0000000..b4fead0
--- /dev/null
+++ 
b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html
@@ -0,0 +1,174 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en">
+  <head>
+    <title>11.2.&#160;Group Providers - Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git 
https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" 
alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache 
Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid 
Messaging API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/java-broker/index.html">Java 
broker</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ 
broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch 
router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a 
href="https://cwiki.apache.org/confluence/display/qpid/Index";>Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search"; method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" 
tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a 
href="/index.html">Home</a></li><li><a 
href="/releases/index.html">Releases</a></li><li><a 
href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a 
href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker 
(Java)</a></li><li>11.2.&#160;Group Providers</li></ul>
+
+        <div id="-middle-content">
+          <div class="docbook"><div class="navheader"><table 
summary="Navigation header" width="100%"><tr><th align="center" 
colspan="3">11.2.&#160;Group Providers</th></tr><tr><td align="left" 
width="20%"><a accesskey="p" 
href="Java-Broker-Security.html">Prev</a>&#160;</td><th align="center" 
width="60%">Chapter&#160;11.&#160;Security</th><td align="right" 
width="20%">&#160;<a accesskey="n" 
href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr 
/></div><div class="section"><div class="titlepage"><div><div><h2 
class="title"><a id="Java-Broker-Security-Group-Providers"></a>11.2.&#160;Group 
Providers</h2></div></div></div><p>
+    The Java broker utilises GroupProviders to allow assigning users to groups 
for use in <a class="link" href="Java-Broker-Security-ACLs.html" 
title="11.3.&#160;Access Control Lists">ACLs</a>.
+    Following authentication by a given <a class="link" 
href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" 
title="11.1.&#160;Authentication Providers">Authentication Provider</a>,
+    the configured Group Providers are consulted allowing the assignment of 
GroupPrincipals for a given authenticated user. Any number of
+    Group Providers can be added into the Broker. All of them will be checked 
for the presence of the groups for a given authenticated user.
+  </p><p>The <span class="emphasis"><em>Group Provider</em></span> can be 
configured using <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API"
 title="5.2.4.&#160;REST API">
+  REST Management interfaces</a> and <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console"
 title="5.2.2.&#160;Web Management Console">Web Management 
Console</a>.</p><p>The following <span class="emphasis"><em>Group 
Provider</em></span> managing operations are available from Web Management 
Console:
+    </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p>A new Group Provider can be added by clicking onto "Add 
Group Provider" button on a Broker tab.</p></li><li class="listitem"><p>An 
existing providers can be removed by pressing "Delete Group Provider" button
+         on Broker tab or Group Provider tab.</p></li><li 
class="listitem"><p>On clicking onto provider name in the Group Providers grid 
or Broker object tree,
+         the tab for the Group Provider is displayed.</p></li><li 
class="listitem"><p>A new group can be added into the Group Provider by 
clicking onto "Add Group" button on provider tab.</p></li><li 
class="listitem"><p>An existing group can be deleted from the Group Provider by 
clicking onto "Delete Group" button on provider tab.</p></li><li 
class="listitem"><p>On clicking onto group name in the groups grid, the tab 
with the list of existing
+        group members is displayed for the Group.</p></li><li 
class="listitem"><p>From the Group tab a new member can be added into a group 
or existing members can be deleted
+        from a group by clicking on "Add Group Member" or "Remove Group 
Members" accordingly.</p></li></ul></div><p>
+   </p><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a id="File-Group-Manager"></a>11.2.1.&#160;GroupFile 
Provider</h3></div></div></div><p>
+      The <span class="emphasis"><em>GroupFile</em></span> Provider allows 
specifying group membership in a flat file on disk.
+      On adding a new GroupFile Provider the path to the groups file is 
required to be specified.
+      If file does not exist an empty file is created automatically. On 
deletion of GroupFile Provider
+      the groups file is deleted as well. Only one instance of "GroupFile" 
Provider per groups file location can be created.
+      On attempt to create another GroupFile Provider pointing to the same 
location the error will be displayed and
+      the creation will be aborted.
+    </p><div class="section"><div class="titlepage"><div><div><h4 
class="title"><a id="File-Group-Manager-FileFormat"></a>11.2.1.1.&#160;File 
Format</h4></div></div></div><p>
+            The groups file has the following format:
+          </p><pre class="programlisting">
+    # &lt;GroupName&gt;.users = &lt;comma deliminated user list&gt;
+    # For example:
+
+    administrators.users = admin,manager
+</pre><p>
+            Only users can be added to a group currently, not other groups. 
Usernames can't contain commas.
+          </p><p>
+            Lines starting with a '#' are treated as comments when opening the 
file, but these are not preserved when the broker updates the file due to 
changes made through the management interface.
+          </p></div></div></div><div class="navfooter"><hr /><table 
summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a 
accesskey="p" href="Java-Broker-Security.html">Prev</a>&#160;</td><td 
align="center" width="20%"><a accesskey="u" 
href="Java-Broker-Security.html">Up</a></td><td align="right" 
width="40%">&#160;<a accesskey="n" 
href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" 
valign="top" width="40%">Chapter&#160;11.&#160;Security&#160;</td><td 
align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td 
align="right" valign="top" width="40%">&#160;11.3.&#160;Access Control 
Lists</td></tr></table></div></div>
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/";>Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/";>License</a></li>
+            <li><a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
+            <li><a 
href="http://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
+            <li><a href="http://www.apache.org/security/";>Security</a></li>
+            <li><a href="http://www.apache.org/";><img id="-apache-feather" 
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0";>Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>
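Review bot: The site search form in the `-search` panel submits to `http://www.google.com/search`, so the first request carrying the reader's query goes out over plain HTTP; the action should be `<form action="https://www.google.com/search" method="get">`. The same form is added in the Java-Broker-Security-SSL.html and Java-Broker-Security.html hunks, and the footer links to www.apache.org are plain HTTP as well. The markup looks like shared template output, so the change probably belongs in the site template rather than in each generated page. The positive `tabindex="1"` on the query input also overrides the natural focus order and could be dropped at the same time.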

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a1891eca/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html
----------------------------------------------------------------------
diff --git 
a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html 
b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html
new file mode 100644
index 0000000..bbd9981
--- /dev/null
+++ b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html
@@ -0,0 +1,190 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en">
+  <head>
+    <title>11.4.&#160;SSL - Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git 
https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" 
alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache 
Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid 
Messaging API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/java-broker/index.html">Java 
broker</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ 
broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch 
router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a 
href="https://cwiki.apache.org/confluence/display/qpid/Index";>Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search"; method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" 
tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a 
href="/index.html">Home</a></li><li><a 
href="/releases/index.html">Releases</a></li><li><a 
href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a 
href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker 
(Java)</a></li><li>11.4.&#160;SSL</li></ul>
+
+        <div id="-middle-content">
+          <div class="docbook"><div class="navheader"><table 
summary="Navigation header" width="100%"><tr><th align="center" 
colspan="3">11.4.&#160;SSL</th></tr><tr><td align="left" width="20%"><a 
accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a>&#160;</td><th 
align="center" width="60%">Chapter&#160;11.&#160;Security</th><td align="right" 
width="20%">&#160;<a accesskey="n" 
href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div 
class="section"><div class="titlepage"><div><div><h2 class="title"><a 
id="Java-Broker-Security-SSL"></a>11.4.&#160;SSL</h2></div></div></div><p>
+        This section guides through the details of configuration of Keystores 
and Trsustores
+        required for enabling of SSL transport and Client Certificate 
Authentication on Broker ports.
+        The details how to configure SSL on Broker ports are provided in <a 
class="xref" href="Java-Broker-Ports.html" title="Chapter&#160;6.&#160;Broker 
Ports">Chapter&#160;6, <em>Broker Ports</em></a>.
+    </p><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a id="Java-Broker-SSL-Keystore"></a>11.4.1.&#160;Keystore 
Configuration</h3></div></div></div><p>
+            A Keystore can be added/deleted/edited using <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API"
 title="5.2.4.&#160;REST API">
+            REST Management interfaces</a> and <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console"
 title="5.2.2.&#160;Web Management Console">
+            Web Management Console</a>. Any number of Keystores can be 
configured on the Broker.
+            SSL ports can be configured with different Keystores.
+        </p><p>The following Keystore managing operations are available from
+        <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console"
 title="5.2.2.&#160;Web Management Console">Web Management Console</a>:
+        </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p>A new Keystore can be added by clicking on "Add Key Store" 
button on the Broker tab.</p></li><li class="listitem"><p>Keystore details can 
be viewed on the Keystore tab which is displayed after clicking
+            on Keystore name in the Broker object tree or after clicking on 
Keystore row in Keystores grid on the Broker tab.</p></li><li 
class="listitem"><p>Editing of Keystore can be performed by clicking on "Edit" 
button on the Keystore tab.
+            Changing of Keystore name is unsupported at the moment. If changed 
Keystore is used by the Port
+            the changes on Port object will take effect after Broker 
restart.</p></li><li class="listitem"><p>An existing Keystore can be deleted by 
clicking on "Delete Key Store" button on Broker tab
+            or hitting "Delete" button on the Keystore tab. Only unused 
Keystores can be deleted.
+            The deletion of the Keystore configured on any Broker Port is not 
allowed.</p></li></ul></div><p>
+        </p><p>
+            The "Keystore certificate alias" field is an optional way of 
specifying which certificate the broker should use
+            if the keystore contains multiple entries. Optionally "Key manager 
factory algorithm" and "Key store type" can
+            be specified on Keystore creation.
+        </p><div class="important" style="margin-left: 0.5in; margin-right: 
0.5in;"><h3 class="title">Important</h3><p>
+                The password of the certificate used by the Broker <span 
class="bold"><strong>must</strong></span>
+                match the password of the keystore itself. This is a 
restriction of the Qpid Broker
+                implementation.  If using the <a class="ulink" 
href="http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html";
 target="_top">keytool</a> utility,
+                note that this means the argument to the <code 
class="option">-keypass</code> option must match
+                the <code class="option">-storepass</code> option.
+            </p></div></div><div class="section"><div 
class="titlepage"><div><div><h3 class="title"><a 
id="SSL-Truststore-ClientCertificate"></a>11.4.2.&#160;Truststore / Client 
Certificate Authentication</h3></div></div></div><p>
+            The SSL trustore and related Client Certificate Authentication 
behaviour can be configured
+            by adding a Trustore configured object and associating it with the 
SSL port.
+            A Truststore can be added/deleted/edited using <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API"
 title="5.2.4.&#160;REST API">
+            REST Management interfaces</a> and <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console"
 title="5.2.2.&#160;Web Management Console">
+            Web Management Console</a>. Any number of Trustores can be 
configured on the Broker.
+            Multiple Trustores can be configured on Broker SSL Ports.
+        </p><p>The following Truststore managing operations are available from
+        <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console"
 title="5.2.2.&#160;Web Management Console">Web Management Console</a>:
+        </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p>A new Truststore can be added by clicking on "Add Trust 
Store" button on the Broker tab.</p></li><li class="listitem"><p>Truststore 
details can be viewed on the Truststore tab which is displayed after clicking
+            onto Truststore name in the Broker object tree or after clicking 
onto Truststore row in Truststores grid on the Broker tab.</p></li><li 
class="listitem"><p>Trustore can be edited by clicking onto "Edit" button on 
the Trustore tab.
+            Changing of Trustore name is unsupported at the 
moment.</p></li><li class="listitem"><p>An existing Trustore can be deleted by 
clicking onto "Delete Trust Store" button
+            on Broker tab or "Delete" button on the Truststore tab. Only 
unused Truststores can be deleted.
+            The deletion of the Truststore configured on any Broker Port is 
not allowed.</p></li></ul></div><p>
+        </p><p>When "Peers Only" option is selected for the Truststore it will 
allow logging in for the clients
+        with the certificate exactly matching the certificate loaded in the 
Truststore database,
+        thus, authenticating the connections with self signed certificates not 
nessesary signed by CA.
+        </p><p>"Trust manager factory algorithm" and "Trust store type" can
+            be optionally specified for the Trustore.
+        </p></div></div><div class="navfooter"><hr /><table 
summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a 
accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a>&#160;</td><td 
align="center" width="20%"><a accesskey="u" 
href="Java-Broker-Security.html">Up</a></td><td align="right" 
width="40%">&#160;<a accesskey="n" 
href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" 
valign="top" width="40%">11.3.&#160;Access Control Lists&#160;</td><td 
align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td 
align="right" valign="top" 
width="40%">&#160;Chapter&#160;12.&#160;Runtime</td></tr></table></div></div>
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/";>Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/";>License</a></li>
+            <li><a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
+            <li><a 
href="http://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
+            <li><a href="http://www.apache.org/security/";>Security</a></li>
+            <li><a href="http://www.apache.org/";><img id="-apache-feather" 
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0";>Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>
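Review bot: The "Peers Only" paragraph in section 11.4.2 is hard to parse exactly where it describes a trust decision, and the term is spelled four ways on this page ("Trsustores", "trustore", "Trustore", "Truststore"). I would reword it as `When the "Peers Only" option is selected, the Truststore only admits clients whose certificate exactly matches a certificate loaded in the Truststore; this allows self-signed certificates that are not signed by a CA.` and use "Truststore" throughout, which also removes "nessesary". The page appears to be generated from DocBook (the `class="docbook"` wrapper), so the wording should be corrected in the book source rather than in this file. The keytool link in the Important box also points at the Java SE 6 documentation over `http://`.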

http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a1891eca/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html
----------------------------------------------------------------------
diff --git 
a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html 
b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html
new file mode 100644
index 0000000..7b88bf7
--- /dev/null
+++ b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html
@@ -0,0 +1,280 @@
+<!DOCTYPE html>
+<!--
+ -
+ - Licensed to the Apache Software Foundation (ASF) under one
+ - or more contributor license agreements.  See the NOTICE file
+ - distributed with this work for additional information
+ - regarding copyright ownership.  The ASF licenses this file
+ - to you under the Apache License, Version 2.0 (the
+ - "License"); you may not use this file except in compliance
+ - with the License.  You may obtain a copy of the License at
+ -
+ -   http://www.apache.org/licenses/LICENSE-2.0
+ -
+ - Unless required by applicable law or agreed to in writing,
+ - software distributed under the License is distributed on an
+ - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ - KIND, either express or implied.  See the License for the
+ - specific language governing permissions and limitations
+ - under the License.
+ -
+-->
+<html xmlns="http://www.w3.org/1999/xhtml"; xml:lang="en">
+  <head>
+    <title>Chapter&#160;11.&#160;Security - Apache Qpid&#8482;</title>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
+    <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
+    <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
+    <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
+    <script type="text/javascript">var _deferredFunctions = [];</script>
+    <script type="text/javascript" src="/deferred.js" defer="defer"></script>
+    <!--[if lte IE 8]>
+      <link rel="stylesheet" href="/ie.css" type="text/css"/>
+      <script type="text/javascript" src="/html5shiv.js"></script>
+    <![endif]-->
+
+    <!-- Redirects for `go get` and godoc.org -->
+    <meta name="go-import"
+          content="qpid.apache.org git 
https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
+    <meta name="go-source"
+          content="qpid.apache.org
+https://github.com/apache/qpid-proton/blob/go1/README.md
+https://github.com/apache/qpid-proton/tree/go1{/dir}
+https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
+  </head>
+  <body>
+    <div id="-content">
+      <div id="-top" class="panel">
+        <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
+
+        <a id="-search-link"><img width="22" height="16" src="" 
alt="Search"/></a>
+
+        <ul id="-global-navigation">
+          <li><a id="-logotype" href="/index.html">Apache 
Qpid<sup>&#8482;</sup></a></li>
+          <li><a href="/documentation.html">Documentation</a></li>
+          <li><a href="/download.html">Download</a></li>
+          <li><a href="/discussion.html">Discussion</a></li>
+        </ul>
+      </div>
+
+      <div id="-menu" class="panel" style="display: none;">
+        <div class="flex">
+          <section>
+            <h3>Project</h3>
+
+            <ul>
+              <li><a href="/overview.html">Overview</a></li>
+              <li><a href="/components/index.html">Components</a></li>
+              <li><a href="/releases/index.html">Releases</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Messaging APIs</h3>
+
+            <ul>
+              <li><a href="/proton/index.html">Qpid Proton</a></li>
+              <li><a href="/components/jms/index.html">Qpid JMS</a></li>
+              <li><a href="/components/messaging-api/index.html">Qpid 
Messaging API</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Servers and tools</h3>
+
+            <ul>
+              <li><a href="/components/java-broker/index.html">Java 
broker</a></li>
+              <li><a href="/components/cpp-broker/index.html">C++ 
broker</a></li>
+              <li><a href="/components/dispatch-router/index.html">Dispatch 
router</a></li>
+            </ul>
+          </section>
+
+          <section>
+            <h3>Resources</h3>
+
+            <ul>
+              <li><a href="/dashboard.html">Dashboard</a></li>
+              <li><a 
href="https://cwiki.apache.org/confluence/display/qpid/Index";>Wiki</a></li>
+              <li><a href="/resources.html">More resources</a></li>
+            </ul>
+          </section>
+        </div>
+      </div>
+
+      <div id="-search" class="panel" style="display: none;">
+        <form action="http://www.google.com/search"; method="get">
+          <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
+          <input type="text" name="q" maxlength="255" autofocus="autofocus" 
tabindex="1"/>
+          <button type="submit">Search</button>
+          <a href="/search.html">More ways to search</a>
+        </form>
+      </div>
+
+      <div id="-middle" class="panel">
+        <ul id="-path-navigation"><li><a 
href="/index.html">Home</a></li><li><a 
href="/releases/index.html">Releases</a></li><li><a 
href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a 
href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker 
(Java)</a></li><li>Chapter&#160;11.&#160;Security</li></ul>
+
+        <div id="-middle-content">
+          <div class="docbook"><div class="navheader"><table 
summary="Navigation header" width="100%"><tr><th align="center" 
colspan="3">Chapter&#160;11.&#160;Security</th></tr><tr><td align="left" 
width="20%"><a accesskey="p" 
href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a>&#160;</td><th 
align="center" width="60%">&#160;</th><td align="right" width="20%">&#160;<a 
accesskey="n" 
href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr 
/></div><div class="chapter"><div class="titlepage"><div><div><h1 
class="title"><a 
id="Java-Broker-Security"></a>Chapter&#160;11.&#160;Security</h1></div></div></div><div
 class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span 
class="section"><a 
href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">11.1.
 Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a 
href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">11.1.1. 
Simple LDAP Authentication
  Provider</a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">11.1.2. 
Kerberos</a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">11.1.3. 
External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">11.1.4.
 Anonymous</a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">11.1.5.
 Plain Password File</a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">11.1.6.
 Base64MD5 Password File</a></span></dt></dl></dd><dt><span class="section"><a 
href="Java-Broker-Security-Group-Providers.html">11.2. Group 
Providers</a></span></dt><dd><dl><dt><span class="section"><a 
href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">1
 1.2.1. GroupFile Provider</a></span></dt></dl></dd><dt><span 
class="section"><a href="Java-Broker-Security-ACLs.html">11.3. Access Control 
Lists</a></span></dt><dd><dl><dt><span class="section"><a 
href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">11.3.1.
 
+       Writing .acl files
+    </a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-Syntax">11.3.2. 
+       Syntax
+    </a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WorkedExamples">11.3.3.
 
+      Worked Examples
+    </a></span></dt></dl></dd><dt><span class="section"><a 
href="Java-Broker-Security-SSL.html">11.4. SSL</a></span></dt><dd><dl><dt><span 
class="section"><a 
href="Java-Broker-Security-SSL.html#Java-Broker-SSL-Keystore">11.4.1. Keystore 
Configuration</a></span></dt><dt><span class="section"><a 
href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate">11.4.2. 
Truststore / Client Certificate 
Authentication</a></span></dt></dl></dd></dl></div><div class="section"><div 
class="titlepage"><div><div><h2 class="title"><a 
id="Java-Broker-Security-Authentication-Providers"></a>11.1.&#160;Authentication
 Providers</h2></div></div></div><p>
+    In order to successfully establish a connection to the Java Broker, the 
connection must be
+    authenticated. The Java Broker supports a number of different 
authentication schemes, each
+    with its own "authentication provider". Any number of Authentication 
Providers can be configured
+    on the Broker at the same time.
+  </p><p>
+    The Authentication Providers can be configured using <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API"
 title="5.2.4.&#160;REST API">REST Management interfaces</a>
+             and <a class="link" 
href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console"
 title="5.2.2.&#160;Web Management Console">Web Management Console</a>.
+  </p><p>The following Authentication Provider managing operations are 
available from Web Management Console:
+    </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p>A new Authentication Provider can be added by clicking onto 
"Add Provider" on the Broker tab.</p></li><li class="listitem"><p>An 
Authentication Provider details can be viewed on the Authentication Provider 
tab.
+        The tab is displayed after clicking onto Authentication Provider name 
in the Broker object tree or after clicking
+        onto Authentication Provider row in Authentication Providers grid on 
the Broker tab.</p></li><li class="listitem"><p>Editing of Authentication 
Provider can be performed by clicking on "Edit" button
+        on Authentication Provider tab.</p></li><li class="listitem"><p>An 
existing  Authentication Provider can be deleted by clicking on "Delete 
Provider" button
+        on Broker tab or "Delete" button on the Authentication Provider 
tab.</p></li></ul></div><p>
+    The Authentication Provider type and name cannot be changed for existing 
providers as editing of name and type
+    is unsupported at the moment. Only provider specific attributes can be 
modified in the editing dialog
+    and stored in the broker configuration store.
+  </p><div class="important" style="margin-left: 0.5in; margin-right: 
0.5in;"><h3 class="title">Important</h3>
+  Only unused Authentication Provider can be deleted. For delete requests 
attempting to delete Authentication Provider
+  associated with the Ports, the errors will be returned and delete operations 
will be aborted. It is possible to change
+  the Authentication Provider on Port at runtime. However, the Broker restart 
is required for changes on Port to take effect.
+  </div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a 
id="Java-Broker-Security-LDAP-Provider"></a>11.1.1.&#160;Simple LDAP 
Authentication Provider</h3></div></div></div><p>
+    SimpleLDAPAuthenticationProvider authenticates connections against a 
Directory (LDAP).
+  </p><p>
+    To create a SimpleLDAPAuthenticationProvider the following mandatory 
fields are required:
+    </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p><span class="emphasis"><em>LDAP server URL</em></span> is 
the URL of the server, for example, <code 
class="literal">ldaps://example.com:636</code></p></li><li 
class="listitem"><p><span class="emphasis"><em>Search context</em></span> is 
the distinguished name of the search base object. It defines the location from 
which
+        the search for users begins, for example, <code 
class="literal">dc=users,dc=example,dc=com</code></p></li><li 
class="listitem"><p><span class="emphasis"><em>Search filter</em></span> is a 
DN template to find an LDAP user entry by provided user name, for example, 
<code class="literal">(uid={0})</code></p></li></ul></div><p>
+    Additionally, the following optional fields can be specified:
+    </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p><span class="emphasis"><em>LDAP context factory</em></span> 
is a fully qualified class name for the JNDI LDAP context factory.
+        This class must implement the <a class="ulink" 
href="http://docs.oracle.com/javase/6/docs/api/javax/naming/spi/InitialContextFactory.html";
 target="_top">InitialContextFactory</a>
+        interface and produce instances of <a class="ulink" 
href="http://docs.oracle.com/javase/6/docs/api/javax/naming/directory/DirContext.html";
 target="_top">DirContext</a>.
+        If not specified a default value of <code 
class="literal">com.sun.jndi.ldap.LdapCtxFactory</code> is used.</p></li><li 
class="listitem"><p><span class="emphasis"><em>LDAP authentication 
URL</em></span> is the URL of LDAP server for performing "ldap bind". If not
+        specified, the <span class="emphasis"><em>LDAP server URL</em></span> 
will be used for both searches and authentications.</p></li><li 
class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a 
name of <a class="link" 
href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" 
title="11.4.2.&#160;Truststore / Client Certificate Authentication">configured 
truststore</a>.
+        Use this if connecting to a Directory over SSL (i.e. ldaps://) which 
is protected by a certificate signed by a private CA (or
+        utilising a self-signed certificate).</p></li></ul></div><p>
+  </p><div class="important" style="margin-left: 0.5in; margin-right: 
0.5in;"><h3 class="title">Important</h3>
+    In order to protect the security of the user's password, when using LDAP 
authentication, you must:
+    <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li 
class="listitem"><p>Use SSL on the broker's AMQP, JMX, and HTTP ports to 
protect the password during
+        transmission to the Broker.</p></li><li 
class="listitem"><p>Authenticate to the Directory using SSL (i.e. ldaps://) to 
protect the password
+        during transmission from the Broker to the 
Directory.</p></li></ul></div></div><p>
+    The LDAP Authentication Provider works in the following manner.  It first 
connects to the Directory anonymously
+    and searches for the ldap entity which is identified by the username. The 
search begins at the distinguished name
+    identified by <code class="literal">Search Context</code> and uses the 
username as a filter.  The search scope is sub-tree
+    meaning the search will include the base object and the subtree extending 
beneath it.
+  </p><p>
+    If the search returns a match, the Authentication Provider then attempts 
to bind to the LDAP server with the given
+    name and the password.  Note that
+    <a class="ulink" 
href="http://docs.oracle.com/javase/6/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION";
 target="_top">simple security authentication</a>
+    is used so the Directory receives the password in the clear.
+  </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a 
id="Java-Broker-Security-Kerberos-Provider"></a>11.1.2.&#160;Kerberos</h3></div></div></div><p>
+    Kereberos Authentication Provider uses java GSS-API SASL mechanism to 
authenticate the connections.
+  </p><p>
+    Configuration of kerberos is done through system properties (there doesn't 
seem to be a way
+    around this unfortunately).
+  </p><pre class="programlisting">
+    export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false 
-Djava.security.auth.login.config=qpid.conf
+    ${QPID_HOME}/bin/qpid-server
+  </pre><p>Where qpid.conf would look something like this:</p><pre 
class="programlisting">
+com.sun.security.jgss.accept {
+    com.sun.security.auth.module.Krb5LoginModule required
+    useKeyTab=true
+    storeKey=true
+    doNotPrompt=true
+    realm="EXAMPLE.COM"
+    useSubjectCredsOnly=false
+    kdc="kerberos.example.com"
+    keyTab="/path/to/keytab-file"
+    principal="&lt;name&gt;/&lt;host&gt;";
+};</pre><p>
+    Where realm, kdc, keyTab and principal should obviously be set correctly 
for the environment
+    where you are running (see the existing documentation for the C++ broker 
about creating a keytab
+    file).
+  </p><p>
+    Note: You may need to install the "Java Cryptography Extension (JCE) 
Unlimited Strength
+    Jurisdiction Policy Files" appropriate for your JDK in order to get 
Kerberos support working.
+  </p><p>
+    Since Kerberos support only works where SASL authentication is available 
(e.g. not for JMX
+    authentication) you may wish to also include an alternative Authentication 
Provider
+    configuration, and use this for JMX and HTTP ports.
+  </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a 
id="Java-Broker-Security-External-Provider"></a>11.1.3.&#160;External (SSL 
Client Certificates)</h3></div></div></div><p>
+      When <a class="link" 
href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" 
title="11.4.2.&#160;Truststore / Client Certificate Authentication"> requiring 
SSL Client Certificates</a> be
+      presented the External Authentication Provider can be used, such that 
the user is authenticated based on
+      trust of their certificate alone, and the X500Principal from the SSL 
session is then used as the username
+      for the connection, instead of also requiring the user to present a 
valid username and password.
+    </p><p>
+      <span class="bold"><strong>Note:</strong></span> The External 
Authentication Provider should typically only be used on the
+      AMQP ports, in conjunction with <a class="link" 
href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" 
title="11.4.2.&#160;Truststore / Client Certificate Authentication">SSL client 
certificate
+      authentication</a>. It is not intended for other uses such as the JMX 
management port and will treat any
+      non-sasl authentication processes on these ports as successful with the 
given username. As such you should
+      configure another Authentication Provider for use on non-AMQP ports. 
Perhaps the only exception to this
+      would be where the broker is embedded in a container that is itself 
externally protecting the HTTP interface
+      and then providing the remote users name.
+    </p><p>On creation of External Provider the use of full DN or username CN 
as a principal name can be configured.
+    If field "Use the full DN as the Username" is set to "true" the full DN is 
used as an authenticated principal name.
+    If field "Use the full DN as the Username" is set to "false" the user name 
CN part is used as the authenticated principal name.
+    Setting the field to "false" is particular useful when <a class="link" 
href="Java-Broker-Security-ACLs.html" title="11.3.&#160;Access Control 
Lists">ACL</a> is required,
+    as at the moment, ACL does not support commas in the user name.
+    </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a 
id="Java-Broker-Security-Anonymous-Provider"></a>11.1.4.&#160;Anonymous</h3></div></div></div><p>
+      The Anonymous Authentication Provider will allow users to connect with 
or without credentials and result
+      in their identification on the broker as the user ANONYMOUS. This 
Provider does not require specification
+      of any additional fields on creation.
+    </p></div><div class="section"><div class="titlepage"><div><div><h3 
class="title"><a 
id="Java-Broker-Security-PlainPasswordFile-Provider"></a>11.1.5.&#160;Plain 
Password File</h3></div></div></div><p>
+      The PlainPasswordFile Provider uses local file to store and manage user 
credentials.
+      When creating an authentication provider the path to the file needs to 
be specified.
+      If specified file does not exist an empty file is created automatically 
on Authentication Provider creation.
+      On  Provider deletion the password file is deleted as well. For this 
Provider
+      user credentials can be added, removed or changed using REST management 
interfaces and web management console.
+    </p><p>
+    On navigating to the Plain Password File Provider tab (by clicking onto 
provider name from Broker tree or provider
+    row in providers grid on Broker tab) the list of existing credentials is 
displayed on the tab with the buttons "Add User"
+    and "Delete Users" to add new user credentials and delete the existing 
user credentials respectively.
+    On clicking into user name on Users grid the pop-up dialog to change the 
password is displayed.
+    </p><div class="section"><div class="titlepage"><div><div><h4 
class="title"><a id="idm140218886937008"></a>11.1.5.1.&#160;Plain Password File 
Format</h4></div></div></div><p>
+            The user credentials are stored on the single file line as user 
name and user password pairs separated by colon character.
+        </p><pre class="programlisting">
+# password file format
+# &lt;user name&gt;: &lt;user password&gt;
+guest:guest
+        </pre></div></div><div class="section"><div 
class="titlepage"><div><div><h3 class="title"><a 
id="Java-Broker-Security-Base64MD5PasswordFile-Provider"></a>11.1.6.&#160;Base64MD5
 Password File</h3></div></div></div><p>
+      Base64MD5PasswordFile Provider uses local file to store and manage user 
credentials similar to Similar to PlainPasswordFile
+      but instead of storing a password the MD5 password digest encoded with 
Base64 encoding is stored in the file.
+      When creating an authentication provider the path to the file needs to 
be specified.
+      If specified file does not exist an empty file is created automatically 
on Authentication Provider creation.
+      On Base64MD5PasswordFile Provider deletion the password file is deleted 
as well. For this Provider
+      user credentials can be added, removed or changed using REST management 
interfaces and web management console.
+    </p><p>
+    On navigating to the Base64MD5PasswordFile Provider tab (by clicking onto 
provider name from Broker tree or provider
+    row in providers grid on Broker tab) the list of existing credentials is 
displayed on the tab with the buttons "Add User"
+    and "Delete Users" to add new user credentials and delete the existing 
user credentials respectively.
+    On clicking into user name on Users grid the pop-up dialog to change the 
password is displayed.
+    </p></div></div></div><div class="navfooter"><hr /><table 
summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a 
accesskey="p" 
href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a>&#160;</td><td 
align="center" width="20%">&#160;</td><td align="right" width="40%">&#160;<a 
accesskey="n" 
href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td 
align="left" valign="top" width="40%">10.5.&#160;High Availability BDB Message 
Store&#160;</td><td align="center" width="20%"><a accesskey="h" 
href="index.html">Home</a></td><td align="right" valign="top" 
width="40%">&#160;11.2.&#160;Group Providers</td></tr></table></div></div>
+
+          <hr/>
+
+          <ul id="-apache-navigation">
+            <li><a href="http://www.apache.org/";>Apache</a></li>
+            <li><a href="http://www.apache.org/licenses/";>License</a></li>
+            <li><a 
href="http://www.apache.org/foundation/sponsorship.html";>Sponsorship</a></li>
+            <li><a 
href="http://www.apache.org/foundation/thanks.html";>Thanks!</a></li>
+            <li><a href="http://www.apache.org/security/";>Security</a></li>
+            <li><a href="http://www.apache.org/";><img id="-apache-feather" 
width="48" height="14" src="" alt="Apache"/></a></li>
+          </ul>
+
+          <p id="-legal">
+            Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
+            The Apache Software Foundation; Licensed under
+            the <a href="http://www.apache.org/licenses/LICENSE-2.0";>Apache
+            License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
+            Proton, Apache, the Apache feather logo, and the Apache Qpid
+            project logo are trademarks of The Apache Software
+            Foundation; All other marks mentioned may be trademarks or
+            registered trademarks of their respective owners
+          </p>
+        </div>
+      </div>
+    </div>
+  </body>
+</html>

