http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Memory.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Memory.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Memory.html index 7c84244..c4f69e1 100644 --- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Memory.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Memory.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
@@ -111,7 +111,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>9.10. Memory</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>9.10. Memory</li></ul> <div id="-middle-content"> <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">9.10. Memory</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Runtime-Connection-Limit.html">Prev</a> </td><th align="center" width="60%">Chapter 9. Runtime</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-High-Availability.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Memory"></a>9.10. Memory</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Memory-Introduction"></a>9.10.1. Introduction</h3></div></div></div><p> 
@@ -128,13 +128,13 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Memory-Types"></a>9.10.2. Types of Memory</h3></div></div></div><p> While Java has a couple of different internal memory types we will focus on the two types that are relevant to the Qpid broker. Both of these memory types are taken from the same physical memory (RAM). - </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5806"></a>9.10.2.1. Heap</h4></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5952"></a>9.10.2.1. Heap</h4></div></div></div><p> Normally, all objects are allocated from Java's heap memory. Once, nothing references an object it is cleaned up by the Java Garbage Collector and it's memory returned to the heap. This works fine for most use cases. However, when interacting with other parts of the operating system using Java's heap is not ideal. This is where the so called direct memory comes into play. - </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5811"></a>9.10.2.2. Direct</h4></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5957"></a>9.10.2.2. Direct</h4></div></div></div><p> The world ouside of the JVM, in particular the operating system (OS), does not know about Java heap memory and uses other structures like C arrays. In order to interact with these systems Java needs to copy data between its own heap memory and these native structures. This can become a bottle neck when there is a lot of exchange between Java and the OS like in I/O (both disk and network) heavy applications. 
@@ -145,16 +145,16 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> This section lists some note worthy users of memory within the broker and where possible lists their usage of heap and direct memory. Note that to ensure smooth performance some heap memory should remain unused by the application and be reserved for the JVM to do house keeping and garbage collection. <a class="link" href="https://docs.oracle.com/cd/E17277_02/html/java/com/sleepycat/je/util/DbCacheSize.html" target="_top">Some guides</a> advise to reserve up to 30% of heap memory for the JVM. - </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5830"></a>9.10.3.1. Broker</h4></div></div></div><p> + </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5976"></a>9.10.3.1. Broker</h4></div></div></div><p> The broker itself uses a moderate amount of heap memory (≈15 MB). However, each connection and session comes with a heap overhead of about 17 kB and 15 kB respectively. In addition, each connection reserves 512 kB direct memory for network I/O. - </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5835"></a>9.10.3.2. Virtual Hosts</h4></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5981"></a>9.10.3.2. Virtual Hosts</h4></div></div></div><p> The amount of memory a Virtual Host uses depends on its type. For a JSON Virtual Host Node with a BDB Virtual Host the heap memory usage is approximately 2 MB. However, each BDB Virtual Hosts has a mandatory cache in heap memory which has an impact on performance. See <a class="link" href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Usage-BDB" title="9.10.3.4. Message Store">below</a> for more information. - </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5843"></a>9.10.3.3. 
Messages</h4></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5989"></a>9.10.3.3. Messages</h4></div></div></div><p> Messages and their headers are kept in direct memory and have an additional overhead of approximately 1 kB heap memory each. This means that most brokers will want to have more direct memory than heap memory. When many small messages accumulate on the broker the 1 kB heap memory overhead can become a <a class="link" href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Low-Memory-Heap" title="9.10.4.1. Low on Heap Memory">limiting factor</a>. @@ -164,7 +164,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> For persistent messages this only means freeing the direct memory representation because they always have an on-disk representation to guard against unexpected failure (e.g., a power cut). For transient messages this implies additional disk I/O. After being flown to disk messages need to be re-read from disk before delivery. - </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Memory-Usage-BDB"></a>9.10.3.4. Message Store</h4></div></div></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e5862"></a>Berkeley DB (BDB)</h5></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Memory-Usage-BDB"></a>9.10.3.4. Message Store</h4></div></div></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e6008"></a>Berkeley DB (BDB)</h5></div></div></div><p> The broker can use Oracle's BDB JE (BDB) as a message store to persist messages by writing them to a database. BDB uses a mandatory cache for navigating and organising its database structure. Sizing and tuning this cache is a topic of its own and would go beyond the scope of this guide. 
@@ -173,9 +173,9 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> For those interested, Qpid uses <a class="link" href="http://docs.oracle.com/cd/E17277_02/html/java/com/sleepycat/je/CacheMode.html#EVICT_LN" target="_top">EVICT_LN</a> as its default JE cacheMode. </p><p> Note that due to licensing concerns Qpid does not ship the BDB JE jar files. - </p></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e5878"></a>Derby</h5></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e6024"></a>Derby</h5></div></div></div><p> TODO - </p></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5883"></a>9.10.3.5. HTTP Management</h4></div></div></div><p> + </p></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e6029"></a>9.10.3.5. HTTP Management</h4></div></div></div><p> Qpid uses Jetty for the HTTP Management (both REST and Web Management Console). When the management plugin is loaded it will allocate the memory it needs and should not require more memory during operation and can thus be largely ignored. </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Memory-Low-Memory"></a>9.10.4. Low Memory Conditions</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Memory-Low-Memory-Heap"></a>9.10.4.1. Low on Heap Memory</h4></div></div></div><p> 
@@ -199,18 +199,18 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </li></ul></div><p> As an example, this would accomodate a broker with 50 connections, each serving 5 sessions, and each session having 1000 messages of 1 kB on queues in the broker. This means a total of 250 concurrent sessions and a total of 250000 messages without flowing messages to disk. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Memory-Tuning"></a>9.10.6. Memory Tuning the Broker</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5919"></a>9.10.6.1. Java Tuning</h4></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Memory-Tuning"></a>9.10.6. Memory Tuning the Broker</h3></div></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e6065"></a>9.10.6.1. Java Tuning</h4></div></div></div><p> Most of these options are implementation specific. It is assumed you are using Oracle Java 1.7 and Qpid v6. </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"> Heap and direct memory can be configured through the <a class="link" href="Java-Broker-Appendix-Environment-Variables.html#Java-Broker-Appendix-Environment-Variables-Qpid-Java-Mem"><code class="literal">QPID_JAVA_MEM</code> environment variable</a>. </li></ul></div><p> - </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5933"></a>9.10.6.2. Qpid Tuning</h4></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"> + </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e6079"></a>9.10.6.2. 
Qpid Tuning</h4></div></div></div><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"> The system property <code class="literal">qpid.broker.bdbTotalCacheSize</code> sets the total amount of heap memory (in bytes) allocated to BDB caches. </li><li class="listitem"> The system property <code class="literal">broker.flowToDiskThreshold</code> sets the threshold (in bytes) for flowing transient messages to disk. Should the broker use more than direct memory it will flow incoming messages to disk. Should utilisation fall beneath the threshold it will stop flowing messages to disk. - </li></ul></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5947"></a>9.10.6.3. Formulas</h4></div></div></div><p> + </li></ul></div></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e6093"></a>9.10.6.3. Formulas</h4></div></div></div><p> We developed a simple formula which estimates the <span class="emphasis"><em>minimum</em></span> memory usage of the broker under certain usage. These are rough estimate so we strongly recommend testing your configuration extensively. Also, if your machine has more memory available by all means use more memory as it can only improve the performance and stability of your broker. 
@@ -223,12 +223,12 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> memory<sub>direct</sub> = 2 MB + (200 B + averageSize<sub>msg</sub> *2)* N<sub>messages</sub> + 512 kB * N<sub>connections</sub> </span> Where <span class="mathphrase">N</span> denotes the total number of connections/sessions/messages on the broker. Furthermore, for direct memory only the messages that have not been flown to disk are relevant. - </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e5990"></a>9.10.6.4. Things to Consider</h4></div></div></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e5993"></a>Performance</h5></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e6136"></a>9.10.6.4. Things to Consider</h4></div></div></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e6139"></a>Performance</h5></div></div></div><p> Choosing a smaller direct memory size will lower the threshold for flowing transient messages to disk when messages accumulate on a queue. This can have impact on performance in the transient case where otherwise no disk I/O would be involved. </p><p> Having to little heap memory will result in poor performance due to frequent garbage collection events. See <a class="xref" href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Low-Memory" title="9.10.4. Low Memory Conditions">Section 9.10.4, “Low Memory Conditions”</a> for more details. - </p></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e6002"></a>OutOfMemoryError</h5></div></div></div><p> + </p></div><div class="section"><div class="titlepage"><div><div><h5 class="title"><a id="d0e6148"></a>OutOfMemoryError</h5></div></div></div><p> Choosing too low heap memory can cause an OutOfMemoryError which will force the broker to shut down. 
In this sense the available heap memory puts a hard limit on the number of messages you can have in the broker at the same time. </p><p>
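Review bot: the Derby subsection in the @@ -173,9 hunk of Java-Broker-Runtime-Memory.html has "TODO" as its whole body, and this regeneration republishes it under a new anchor (d0e5878 to d0e6024) without filling it in. Either document Derby's memory use alongside the BDB text or drop the heading from the DocBook source until there is content, so that readers sizing a Derby-backed broker are not pointed at an empty section.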
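Review bot: in the @@ -199,18 hunk the unchanged broker.flowToDiskThreshold item says "Should the broker use more than direct memory it will flow incoming messages to disk", which is missing the quantity being compared; the next sentence shows it is meant to be the threshold. This setting decides when transient messages start going to disk, so reword it in the source, for example "more than this amount of direct memory". The example paragraph at the top of the same hunk also has "accomodate" for "accommodate".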
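Review bot: the only changes in the @@ -223,12 hunk are renumbered generated anchors (d0e5990 to d0e6136, d0e5993 to d0e6139, d0e6002 to d0e6148), and the same renumbering accounts for every other id change in this file, so a deep link to "Things to Consider", "Performance" or "OutOfMemoryError" breaks each time the book is rebuilt. Give these sections explicit ids in the DocBook source, as is already done for Java-Broker-Runtime-Memory-Low-Memory and Java-Broker-Runtime-Memory-Tuning. The context line "Having to little heap memory" should also read "too little".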
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Message-Compression.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Message-Compression.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Message-Compression.html index d2b1788..de72d56 100644 --- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Message-Compression.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Message-Compression.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
@@ -111,10 +111,10 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>9.8. Message Compression</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>9.8. Message Compression</li></ul> <div id="-middle-content"> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">9.8. Message Compression</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Runtime-Background-Recovery.html">Prev</a> </td><th align="center" width="60%">Chapter 9. Runtime</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Connection-Limit.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Message-Compression"></a>9.8. Message Compression</h2></div></div></div><p>The Java Broker supports<a class="footnote" href="#ftn.d0e5714" id="d0e5714"><sup class="footnote">[13]</sup></a> message compression. This feature works in co-operation with Qpid + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">9.8. 
Message Compression</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Runtime-Background-Recovery.html">Prev</a> </td><th align="center" width="60%">Chapter 9. Runtime</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Connection-Limit.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Message-Compression"></a>9.8. Message Compression</h2></div></div></div><p>The Apache Qpid Broker for Java supports<a class="footnote" href="#ftn.d0e5860" id="d0e5860"><sup class="footnote">[13]</sup></a> message compression. This feature works in co-operation with Qpid Clients implementing the same feature.</p><p>Once the feature is enabled (using Broker context variable <span class="emphasis"><em>broker.messageCompressionEnabled</em></span>), the Broker will advertise support for the message compression feature to the client at connection time. This allows clients to opt to turn 
@@ -127,7 +127,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> memory.</p></li></ul></div><p>Of course, compression and decompression is computationally expensive. Turning on the feature may have a negative impact on CPU utilization on Broker and/or Client. Also for small messages payloads, message compression may increase the message size. It is recommended to test the feature - with representative data.</p><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e5714"><p><a class="para" href="#d0e5714"><sup class="para">[13] </sup></a>Message compression is not yet supported for the 1.0 + with representative data.</p><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e5860"><p><a class="para" href="#d0e5860"><sup class="para">[13] </sup></a>Message compression is not yet supported for the 1.0 protocol.</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Runtime-Background-Recovery.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Runtime.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime-Connection-Limit.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">9.7. Background Recovery </td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 9.9. Connection Limits</td></tr></table></div></div> <hr/> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html ---------------------------------------------------------------------- 
diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html index d0c4f81..d631e59 100644 --- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime-Producer-Transaction-Timeout.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
@@ -111,7 +111,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>9.3. Producer Transaction Timeout</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>9.3. Producer Transaction Timeout</li></ul> <div id="-middle-content"> <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">9.3. Producer Transaction Timeout</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Runtime-Disk-Space-Management.html">Prev</a> </td><th align="center" width="60%">Chapter 9. Runtime</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout"></a>9.3. Producer Transaction Timeout</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Producer-Transaction-Timeout-GeneralInformation"></a>9.3.1. 
General Information</h3></div></div></div><p> The transaction timeout mechanism is used to c ontrol broker resources when clients http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html index 6f87d64..2bc402b 100644 --- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
@@ -111,10 +111,10 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>Chapter 9. Runtime</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>Chapter 9. Runtime</li></ul> <div id="-middle-content"> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 9. Runtime</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Runtime"></a>Chapter 9. Runtime</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging">9.1. Logging</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Concepts">9.1.1. Concepts</a></span></dt><dt><span class="section" ><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Default-Configuration">9.1.2. 
> Default Configuration</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Loggers">9.1.3. >Loggers</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-InclusionRules">9.1.4. > Inclusion Rules</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Management">9.1.5. >Logging Management</a></span></dt></dl></dd><dt><span class="section"><a >href="Java-Broker-Runtime-Disk-Space-Management.html">9.2. Disk Space >Management</a></span></dt><dd><dl><dt><span class="section"><a >href="Java-Broker-Runtime-Disk-Space-Management.html#Qpid-Producer-Flow-Control">9.2.1. > Producer Flow Control</a></span></dt></dl></dd><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html">9.3. Producer >Transaction Timeout</a></span></dt><dd><dl><dt ><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-GeneralInformation">9.3.1. > General Information</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Purpose">9.3.2. > Purpose</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Scope">9.3.3. > Scope</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Effect">9.3.4. > Effect</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Configuration">9.3.5. > Configuration</a></span></dt></dl></dd><dt><span class="section"><a >href="Java-Broker-Runtime-Handling-Undeliverabl e-Messages.html">9.4. 
Handing Undeliverable Messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Maximum-Delivery-Count">9.4.2. Maximum Delivery Count</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Dead-Letter-Queues">9.4.3. Dead Letter Queues (DLQ)</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html">9.5. Closing client connections on unroutable mandatory messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html#Java-Broker-Runtime-Clo se-Connection-When-No-Route-Summary">9.5.1. Summary</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html#Java-Broker-Runtime-Close-Connection-When-No-Route-Configuration">9.5.2. Configuring <span class="emphasis"><em>closeWhenNoRoute</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Flow-To-Disk.html">9.6. Flow to Disk</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Background-Recovery.html">9.7. Background Recovery</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Message-Compression.html">9.8. Message Compression</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Connection-Limit.html">9.9. Connection Limits</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html">9.10. Memory</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Introducti on">9.10.1. 
Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Types">9.10.2. Types of Memory</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Usage">9.10.3. Memory Usage in the Broker</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Low-Memory">9.10.4. Low Memory Conditions</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Defaults">9.10.5. Defaults</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Tuning">9.10.6. Memory Tuning the Broker</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Logging"></a>9.1. Logging</h2></div></div></div><p>This section describes the flexib le logging capabilities of the Java Broker.</p><p> + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 9. Runtime</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Runtime"></a>Chapter 9. Runtime</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging">9.1. Logging</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Concepts">9.1.1. 
Concepts</a></span></dt><dt><span class="section" ><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Default-Configuration">9.1.2. > Default Configuration</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Loggers">9.1.3. >Loggers</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-InclusionRules">9.1.4. > Inclusion Rules</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Management">9.1.5. >Logging Management</a></span></dt></dl></dd><dt><span class="section"><a >href="Java-Broker-Runtime-Disk-Space-Management.html">9.2. Disk Space >Management</a></span></dt><dd><dl><dt><span class="section"><a >href="Java-Broker-Runtime-Disk-Space-Management.html#Qpid-Producer-Flow-Control">9.2.1. > Producer Flow Control</a></span></dt></dl></dd><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html">9.3. Producer >Transaction Timeout</a></span></dt><dd><dl><dt ><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-GeneralInformation">9.3.1. > General Information</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Purpose">9.3.2. > Purpose</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Scope">9.3.3. > Scope</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Effect">9.3.4. > Effect</a></span></dt><dt><span class="section"><a >href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Configuration">9.3.5. 
> Configuration</a></span></dt></dl></dd><dt><span class="section"><a >href="Java-Broker-Runtime-Handling-Undeliverabl e-Messages.html">9.4. Handing Undeliverable Messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Maximum-Delivery-Count">9.4.2. Maximum Delivery Count</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Dead-Letter-Queues">9.4.3. Dead Letter Queues (DLQ)</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html">9.5. Closing client connections on unroutable mandatory messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html#Java-Broker-Runtime-Clo se-Connection-When-No-Route-Summary">9.5.1. Summary</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html#Java-Broker-Runtime-Close-Connection-When-No-Route-Configuration">9.5.2. Configuring <span class="emphasis"><em>closeWhenNoRoute</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Flow-To-Disk.html">9.6. Flow to Disk</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Background-Recovery.html">9.7. Background Recovery</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Message-Compression.html">9.8. Message Compression</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Connection-Limit.html">9.9. Connection Limits</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html">9.10. 
Memory</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Introducti on">9.10.1. Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Types">9.10.2. Types of Memory</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Usage">9.10.3. Memory Usage in the Broker</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Low-Memory">9.10.4. Low Memory Conditions</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Defaults">9.10.5. Defaults</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Tuning">9.10.6. Memory Tuning the Broker</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Logging"></a>9.1. Logging</h2></div></div></div><p>This section describes the flexib le logging capabilities of the Apache Qpid Broker for Java.</p><p> </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The Broker is capable of sending logging events to a variety of destinations including plain files, remote syslog daemons, and an in-memory buffer (viewable from Management). The system is also open for extension meaning it is possible to produce a plugin to log to http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html index df370c4..37cfe0f 100644 
--- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
@@ -111,7 +111,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>8.3. Access Control Lists</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>8.3. Access Control Lists</li></ul> <div id="-middle-content"> <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.3. Access Control Lists</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-ACLs"></a>8.3. Access Control Lists</h2></div></div></div><p> 
@@ -173,7 +173,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> at a certain level of abstraction (e.g. QUEUE) and apply them consistently across the whole system. </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p> Some rules can be restricted to the virtual host if property virtualhost_name is specified. - </p><div class="example"><a id="d0e4235"></a><p class="title"><strong>Example 8.1. Restrict rules to specific virtual hosts</strong></p><div class="example-contents"><pre class="programlisting"> + </p><div class="example"><a id="d0e4381"></a><p class="title"><strong>Example 8.1. Restrict rules to specific virtual hosts</strong></p><div class="example-contents"><pre class="programlisting"> ACL ALLOW bob CREATE QUEUE virtualhost_name="test" ACL ALLOW bob ALL EXCHANGE virtualhost_name="prod" </pre></div></div><p><br class="example-break" /> @@ -243,7 +243,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> Worked Examples </h3></div></div></div><p> Here are some example ACLs illustrating common use cases. - In addition, note that the Java broker provides a complete example ACL file, located at etc/broker_example.acl. + In addition, note that the Broker provides a complete example ACL file, located at etc/broker_example.acl. </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample1"></a>8.3.3.1.  Worked example 1 - Management rights </h4></div></div></div><p> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html ---------------------------------------------------------------------- 
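Review bot: in the @@ -173,7 hunk of Java-Broker-Security-ACLs.html the only change is the anchor on Example 8.1 moving from id="d0e4235" to id="d0e4381". This looks like a generated id that shifts whenever content is added earlier in the book, so any deep link to the example breaks on each regeneration. Consider giving the example an explicit id in the DocBook source, as the surrounding sections already have (for instance Java-Broker-Security-ACLs-WorkedExample1), so the rendered anchor stays stable across site updates.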
diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html index d1739ff..9eae5d7 100644 --- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
@@ -111,20 +111,20 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>8.4. Configuration Encryption</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>8.4. Configuration Encryption</li></ul> <div id="-middle-content"> <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.4. Configuration Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Configuration-Encryption"></a>8.4. Configuration Encryption</h2></div></div></div><p> The Broker is capable of encrypting passwords and other security items stored in the Broker's configuration. This is means that items such as keystore/truststore passwords, JDBC passwords, and LDAP passwords can be stored in the configure in a form that is difficult to read.</p><p>The Broker ships with an encryptor implementation called <code class="literal">AESKeyFile</code>. 
This - uses a securely generated random key of 256bit<a class="footnote" href="#ftn.d0e4993" id="d0e4993"><sup class="footnote">[12]</sup></a> to encrypt the secrets stored within a key + uses a securely generated random key of 256bit<a class="footnote" href="#ftn.d0e5139" id="d0e5139"><sup class="footnote">[12]</sup></a> to encrypt the secrets stored within a key file. Of course, the key itself must be guarded carefully, otherwise the passwords encrypted with it may be compromised. For this reason, the Broker ensures that the file's permissions allow the file to be read exclusively by the user account used for running the Broker.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>If the keyfile is lost or corrupted, the secrets will be irrecoverable.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Configuration"></a>8.4.1. Configuration</h3></div></div></div><p>The <code class="literal">AESKeyFile</code> encyptor provider is enabled/disabled via the <a class="link" href="Java-Broker-Management-Managing-Broker.html" title="7.3. Broker">Broker attributes</a> within the Web Management Console. On enabling the provider, any existing passwords within the - configuration will be automatically rewritten in the encrypted form.</p><p>Note that passwords stored by the Authentication Providers <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider" title="8.1.7. Plain Password File (Deprecated)">PlainPasswordFile</a> and. - <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider" title="8.1.9. 
Base64MD5 Password File (Deprecated)">PlainPasswordFile</a> + configuration will be automatically rewritten in the encrypted form.</p><p>Note that passwords stored by the Authentication Providers <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider" title="8.1.8. Plain Password File (Deprecated)">PlainPasswordFile</a> and. + <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider" title="8.1.10. Base64MD5 Password File (Deprecated)">PlainPasswordFile</a> with the external password files are <span class="emphasis"><em>not</em></span> encrypted by the key. Use the Scram Authentication Managers instead; these make use of the Configuration Encryption when storing the users' passwords. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Alternate-Implementations"></a>8.4.2. Alternate Implementations</h3></div></div></div><p>If the <code class="literal">AESKeyFile</code> encryptor implementation does not meet the needs of 
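Review bot: the added lines in this @@ -111,20 hunk update the title attributes to 8.1.8 and 8.1.10 but keep the link text "PlainPasswordFile" on the second link, whose href is Java-Broker-Security-Base64MD5PasswordFile-Provider, and keep the stray full stop in "PlainPasswordFile and.". As rendered, the sentence names PlainPasswordFile twice and never names the Base64MD5 provider, which is the second provider whose external password file is not encrypted by the key. Suggest fixing the source so the second link reads Base64MD5PasswordFile and the "and." becomes "and". The unchanged context in the same hunk also carries "This is means that", "stored in the configure" and "encyptor", which could be corrected in the same pass.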
@@ -132,7 +132,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <code class="literal">ConfigurationSecretEncrypter</code> interface is designed as an extension point. Users may implement their own implementation of ConfigurationSecretEncrypter perhaps to employ stronger encryption or delegating the storage of the key to an Enterprise Password - Safe.</p></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e4993"><p><a class="para" href="#d0e4993"><sup class="para">[12] </sup></a>Java Cryptography Extension (JCE) + Safe.</p></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e5139"><p><a class="para" href="#d0e5139"><sup class="para">[12] </sup></a>Java Cryptography Extension (JCE) Unlimited Strength required</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.3. Access Control Lists </td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%"> Chapter 9. Runtime</td></tr></table></div></div> <hr/> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html ---------------------------------------------------------------------- 
diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html index 2e2f16b..55036bb 100644 --- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
@@ -111,11 +111,11 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>8.2. Group Providers</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>8.2. Group Providers</li></ul> <div id="-middle-content"> <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.2. Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Group-Providers"></a>8.2. Group Providers</h2></div></div></div><p> - The Java broker utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-ACLs.html" title="8.3. Access Control Lists">ACLs</a>. + The Apache Qpid Broker for Java utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-ACLs.html" title="8.3. Access Control Lists">ACLs</a>. Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1. 
Authentication Providers">Authentication Provider</a>, the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user. 
@@ -140,6 +140,15 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-ManagedGroupProvider"></a>8.2.2. ManagedGroupProvider</h3></div></div></div><p> The <span class="emphasis"><em>ManagedGroupProvider</em></span> allows specifying group membership as part of broker configuration. In future version of Brokers GroupFile Provider will be replaced by this one. + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-CloudFoundry"></a>8.2.3. CloudFoundryDashboardManagementGroupProvider</h3></div></div></div><p> + The <span class="emphasis"><em>CloudFoundryDashboardManagementGroupProvider</em></span> + allows mapping of service instance ids to qpid management groups. + </p><p> + One use case is restricting management capabilities of a OAuth2 authenticated user to certain virtual + hosts. For this, one would associate a cloudfoundry service id with each virtual host and have an ACL with a + separate management group for each virtual host. Given the correct service instance id to + management group mapping the GroupProvider will then associate the user with each management group the user + is provisioned to manage the associated service instance in the <a class="link" href="http://docs.cloudfoundry.org/services/dashboard-sso.html#checking-user-permissions" target="_top">CloudFoundry dashboard</a>. </p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 8. 
Security </td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 8.3. Access Control Lists</td></tr></table></div></div> <hr/> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/18ab1b17/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html index 1ff715e..f30f36e 100644 --- a/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html +++ b/content/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html @@ -83,7 +83,7 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> <h3>Servers and tools</h3> <ul> - <li><a href="/components/java-broker/index.html">Java broker</a></li> + <li><a href="/components/java-broker/index.html">Broker for Java</a></li> <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> </ul> 
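Review bot: the new section 8.2.3 added in the @@ -140,6 +140,15 hunk of Java-Broker-Security-Group-Providers.html says a "correct service instance id to management group mapping" is required but never shows how that mapping is configured: no attribute name, no example, and no statement of what the provider does for a user whose service instance id has no mapping. Because this provider decides which management groups an OAuth2 user receives, and the ACL then grants per-virtual-host management rights on that basis, the page should spell out the mapping format and the default when no mapping matches. Smaller points in the same added lines: "a OAuth2" should be "an OAuth2", the final sentence ("will then associate the user with each management group the user is provisioned to manage ...") needs rewording to parse, and the CloudFoundry documentation link uses http rather than https.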
@@ -111,17 +111,17 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> </div> <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>Chapter 8. Security</li></ul> + <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-java-trunk/index.html">Qpid for Java Trunk</a></li><li><a href="/releases/qpid-java-trunk/java-broker/book/index.html">Apache Qpid Broker for Java</a></li><li>Chapter 8. Security</li></ul> <div id="-middle-content"> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 8. Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugin-HTTP.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter 8. Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">8.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">8.1.1. Simple LDAP</a></s pan></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">8.1.2. 
Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">8.1.3. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">8.1.4. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-ScramSha-Providers">8.1.5. SCRAM SHA</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Plain-Provider">8.1.6. Plain</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">8.1.7. Plain Password File <span class="emphasis"><em>(Deprecated)</em></span></a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-MD5-Provider">8.1. 8. MD5 Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">8.1.9. Base64MD5 Password File <span class="emphasis"><em>(Deprecated)</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html">8.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">8.2.1. GroupFile Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#Java-Broker-Security-Group-Providers-ManagedGroupProvider">8.2.2. ManagedGroupProvider</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">8.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">8.3.1. + <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 8. 
Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugin-HTTP.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter 8. Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">8.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">8.1.1. Simple LDAP</a></s pan></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">8.1.2. Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-OAuth2-Provider">8.1.3. OAuth2</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">8.1.4. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">8.1.5. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-ScramSha-Providers">8.1.6. SCRAM SHA</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Plain-Provider">8.1.7. Plain</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">8.1.8. Plain Password File <span class="emphasis"><em>(Deprecated) </em></span></a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-MD5-Provider">8.1.9. 
MD5 Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">8.1.10. Base64MD5 Password File <span class="emphasis"><em>(Deprecated)</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html">8.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">8.2.1. GroupFile Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#Java-Broker-Security-Group-Providers-ManagedGroupProvider">8.2.2. ManagedGroupProvider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#Java-Broker-Security-Group-Providers-CloudFoundry">8.2.3. CloudFoundryDashboardManagementGroupProvi der</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">8.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">8.3.1. Writing .acl files </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-Syntax">8.3.2. Syntax </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WorkedExamples">8.3.3. Worked Examples - </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html">8.4. Configuration Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Configuration">8.4.1. Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Alternate-Implementations">8.4.2. 
Alternate Implementations</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Authentication-Providers"></a>8.1. Authentication Providers</h2></div></div></div><p> In order to successfully establish a connection to the Java Broker, the connection must be - authenticated. The Java Broker supports a number of different authentication schemes, each with + </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html">8.4. Configuration Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Configuration">8.4.1. Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Alternate-Implementations">8.4.2. Alternate Implementations</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Authentication-Providers"></a>8.1. Authentication Providers</h2></div></div></div><p> In order to successfully establish a connection to the Broker, the connection must be + authenticated. The Broker supports a number of different authentication schemes, each with its own "authentication provider". Any number of Authentication Providers can be configured on the Broker at the same time. </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> Only unused Authentication Provider can be deleted. For delete requests attempting to delete Authentication Provider associated with the Ports, the errors will be returned and 
@@ -150,7 +150,18 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> be used for both searches and authentications.</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a name of <a class="link" href="Java-Broker-Management-Managing-Truststores.html#Java-Broker-Management-Managing-Truststores-Attributes" title="7.13.2. Attributes">configured truststore</a>. Use this if connecting to a Directory over SSL (i.e. ldaps://) which is protected by a certificate signed by a private CA (or utilising a self-signed - certificate).</p></li></ul></div><p> + certificate).</p></li><li class="listitem"><p>Additional group information can be obtained from LDAP. + There are two common ways of representing group membership in LDAP. + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"> + User entries can hold membership information as attribute. + To use this the <span class="emphasis"><em>attribute name</em></span> that holds the group information must be specified. + </li><li class="listitem"> + Group entries can hold a list of their members as attribute. + This can be used by specifying a <span class="emphasis"><em>search context</em></span> and <span class="emphasis"><em>search filter</em></span> to find all groups that the user should be considered a member of. + Typically this involves filtering groups by looking for the user's DN on a group attribute. + The <span class="emphasis"><em>subtree search scope</em></span> determines whether the search should include the subtree extending from the <span class="emphasis"><em>search context</em></span>. 
+ </li></ul></div><p> + </p></li></ul></div><p> </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>In order to protect the security of the user's password, when using LDAP authentication, you must: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Use SSL on the broker's AMQP and HTTP ports to protect the password during transmission to the Broker. The Broker enforces this restriction automatically on AMQP 
@@ -163,7 +174,14 @@ https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> beneath it. </p><p> If the search returns a match, or is configured in <code class="literal">bind without search</code> mode, the Authentication Provider then attempts to bind to the LDAP server with the given name and the password. Note that <a class="link" href="http://docs.oracle.com/javase/7/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION" target="_top">simple security - authentication</a> is used so the Directory receives the password in the clear. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Kerberos-Provider"></a>8.1.2. Kerberos</h3></div></div></div><p> Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the + authentication</a> is used so the Directory receives the password in the clear. + </p><p> + By default, this authentication provider caches the result of an authentication for a short period of time. This + reduces the load on the Directory service if the same credentials are presented frequently within a short + period of time. The length of time a result will be cached is defined by context variable + <code class="literal">qpid.auth.cache.expiration_time</code> (default to 600 seconds). The cache can be disabled by + setting the context variable <code class="literal">qpid.auth.cache.size</code> to 0. + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Kerberos-Provider"></a>8.1.2. Kerberos</h3></div></div></div><p> Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the connections. </p><p> Configuration of kerberos is done through system properties (there doesn't seem to be a way around this unfortunately). </p><pre class="programlisting"> export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf 
@@ -182,7 +200,19 @@ com.sun.security.jgss.accept { };</pre><p> Where realm, kdc, keyTab and principal should obviously be set correctly for the environment where you are running (see the existing documentation for the C++ broker about creating a keytab file). </p><p> Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength - Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>8.1.3. External (SSL Client Certificates)</h3></div></div></div><p> When <a class="link" href="Java-Broker-Management-Managing-Truststores.html" title="7.13. Truststores"> requiring SSL Client + Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-OAuth2-Provider"></a>8.1.3. OAuth2</h3></div></div></div><p> This authentication provider allows users to login to the broker using credentials from a different service supporting OAuth2. + Unfortunately, the <a class="link" href="https://www.rfc-editor.org/rfc/rfc6749.txt" target="_top">OAuth2 specification</a> does not define a standard why to get the identity of a subject from an access token. + However, most OAuth2 implementations provide such functionality, although in different ways. Qpid handles this by providing so called IdentityResolvers. 
+ Currently the following services are supported: + </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>CloudFoundry</p></li><li class="listitem"><p>Facebook</p></li><li class="listitem"><p>GitHub</p></li><li class="listitem"><p>Google</p></li><li class="listitem"><p>Microsoft Live</p></li></ul></div><p> + Since all of these, with the exception of CloudFoundry, are tied to a specific service they come with defaults for the Scope, Authorization-, Token-, and IdentityResolverEndpoint. + </p><p> + By default, this authentication provider caches the result of an authentication for a short period of time. This + reduces the load on the OAuth2 service if the same token is presented frequently within a short + period of time. The length of time a result will be cached is defined by context variable + <code class="literal">qpid.auth.cache.expiration_time</code> (default to 600 seconds). The cache can be disabled by + setting the context variable <code class="literal">qpid.auth.cache.size</code> to 0. + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>8.1.4. External (SSL Client Certificates)</h3></div></div></div><p> When <a class="link" href="Java-Broker-Management-Managing-Truststores.html" title="7.13. Truststores"> requiring SSL Client Certificates</a> be presented the External Authentication Provider can be used, such that the user is authenticated based on trust of their certificate alone, and the X500Principal from the SSL session is then used as the username for the connection, instead of also 
@@ -196,44 +226,44 @@ com.sun.security.jgss.accept { used as an authenticated principal name. If attribute "Use the full DN as the Username" is set to "false" the user name CN part is used as the authenticated principal name. Setting the field to "false" is particular useful when <a class="link" href="Java-Broker-Security-ACLs.html" title="8.3. Access Control Lists">ACL</a> is required, as at the moment, ACL does not support commas in the user name. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Anonymous-Provider"></a>8.1.4. Anonymous</h3></div></div></div><p> The Anonymous Authentication Provider will allow users to connect with or without + </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Anonymous-Provider"></a>8.1.5. Anonymous</h3></div></div></div><p> The Anonymous Authentication Provider will allow users to connect with or without credentials and result in their identification on the broker as the user ANONYMOUS. This - Provider does not require specification of any additional attributes on creation. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ScramSha-Providers"></a>8.1.5. SCRAM SHA</h3></div></div></div><p>The SCRAM SHA Providers uses the Broker configuration itself to store the database of + Provider does not require specification of any additional attributes on creation. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ScramSha-Providers"></a>8.1.6. SCRAM SHA</h3></div></div></div><p>The SCRAM SHA Providers uses the Broker configuration itself to store the database of users. The users' passwords are stored as salted SHA digested password. This can be further encrypted using the facilities described in <a class="xref" href="Java-Broker-Security-Configuration-Encryption.html" title="8.4. 
Configuration Encryption">Section 8.4, “Configuration Encryption”</a>.</p><p>There are two variants of this provider, SHA1 and SHA256. SHA256 is recommended whenever possible. SHA1 is provided with compatibility with clients utilising JDK 1.6 (which does not support SHA256).</p><p>For these providers user credentials can be added, removed or changed using - Management.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Plain-Provider"></a>8.1.6. Plain</h3></div></div></div><p>The Plain Provider uses the Broker configuration itself to store the database of users - (unlike the <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider" title="8.1.7. Plain Password File (Deprecated)">PlainPasswordFile</a>, there is no separate password file). As the name suggests, + Management.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Plain-Provider"></a>8.1.7. Plain</h3></div></div></div><p>The Plain Provider uses the Broker configuration itself to store the database of users + (unlike the <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider" title="8.1.8. Plain Password File (Deprecated)">PlainPasswordFile</a>, there is no separate password file). As the name suggests, the user data (including password) is not hashed in any way. In order to provide encryption, the facilities described in <a class="xref" href="Java-Broker-Security-Configuration-Encryption.html" title="8.4. Configuration Encryption">Section 8.4, “Configuration Encryption”</a> must be used.</p><p>For this provider user credentials can be added, removed or changed using - Management.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-PlainPasswordFile-Provider"></a>8.1.7. 
Plain Password File <span class="emphasis"><em>(Deprecated)</em></span></h3></div></div></div><p><span class="emphasis"><em>This provider is deprecated and will be removed in a future release. The <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Plain-Provider" title="8.1.6. Plain">Plain</a> provider should be used + Management.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-PlainPasswordFile-Provider"></a>8.1.8. Plain Password File <span class="emphasis"><em>(Deprecated)</em></span></h3></div></div></div><p><span class="emphasis"><em>This provider is deprecated and will be removed in a future release. The <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Plain-Provider" title="8.1.7. Plain">Plain</a> provider should be used instead.</em></span></p><p> The PlainPasswordFile Provider uses local file to store and manage user credentials. When creating an authentication provider the path to the file needs to be specified. If specified file does not exist an empty file is created automatically on Authentication Provider creation. On Provider deletion the password file is deleted as well.</p><p>For this provider user credentials can be added, removed or changed using - Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e4066"></a>8.1.7.1. Plain Password File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user + Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e4199"></a>8.1.8.1. Plain Password File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user password pairs separated by colon character. 
This file must not be modified externally whilst the Broker is running.</p><pre class="programlisting"> # password file format # <user name>: <user password> guest:guest - </pre></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-MD5-Provider"></a>8.1.8. MD5 Provider</h3></div></div></div><p> MD5 Provider uses the Broker configuration itself to store the database of - users (unlike the <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider" title="8.1.9. Base64MD5 Password File (Deprecated)">Base64MD5 Password File</a>, there is no separate password file). Rather than store the + </pre></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-MD5-Provider"></a>8.1.9. MD5 Provider</h3></div></div></div><p> MD5 Provider uses the Broker configuration itself to store the database of + users (unlike the <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider" title="8.1.10. Base64MD5 Password File (Deprecated)">Base64MD5 Password File</a>, there is no separate password file). Rather than store the unencrypted user password (as the Plain provider does) it instead stores the MD5 password digest. This can be further encrypted using the facilities described in <a class="xref" href="Java-Broker-Security-Configuration-Encryption.html" title="8.4. Configuration Encryption">Section 8.4, “Configuration Encryption”</a>.</p><p>For this provider user credentials can be added, removed or changed using - Management.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Base64MD5PasswordFile-Provider"></a>8.1.9. Base64MD5 Password File <span class="emphasis"><em>(Deprecated)</em></span></h3></div></div></div><p><span class="emphasis"><em>This provider is deprecated and will be removed in a future release. 
The - <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-MD5-Provider" title="8.1.8. MD5 Provider">MD5</a> provider should be used + Management.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Base64MD5PasswordFile-Provider"></a>8.1.10. Base64MD5 Password File <span class="emphasis"><em>(Deprecated)</em></span></h3></div></div></div><p><span class="emphasis"><em>This provider is deprecated and will be removed in a future release. The + <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-MD5-Provider" title="8.1.9. MD5 Provider">MD5</a> provider should be used instead.</em></span></p><p> Base64MD5PasswordFile Provider uses local file to store and manage user credentials similar to PlainPasswordFile but instead of storing a password the MD5 password digest encoded with Base64 encoding is stored in the file. When creating an authentication provider the path to the file needs to be specified. If specified file does not exist an empty file is created automatically on Authentication Provider creation. On Base64MD5PasswordFile Provider deletion the password file is deleted as well.</p><p>For this provider user credentials can be added, removed or changed using - Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e4102"></a>8.1.9.1. Base64MD5 File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user password + Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e4235"></a>8.1.10.1. Base64MD5 File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user password pairs separated by colon character. The password is stored MD5 digest/Base64 encoded. 
This file must not be modified externally whilst the Broker is running.</p></div></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugin-HTTP.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">7.16. HTTP Plugin </td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%"> 8.2. Group Providers</td></tr></table></div></div>
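Review bot: the new group-membership item in the @@ -150,7 +150,18 @@ hunk says groups are found "by looking for the user's DN on a group attribute" but never shows a search filter or says how the user's DN is substituted into it. Add a sample filter with the placeholder the provider expects, and state whether the DN is escaped before substitution, since a name containing filter metacharacters would otherwise change the query. The nested list also leaves an empty paragraph before the closing list item, and "as attribute" should read "as an attribute" in both sub-items.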
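Review bot: the caching paragraph added after "the Directory receives the password in the clear" in the @@ -163,7 +174,14 @@ hunk should say whether a password change or a disabled account in the Directory takes effect before a cached entry expires, because with the 600-second default that is the first thing an operator will ask. Say what is kept in the cache (the text only says "the result of an authentication") and give the default of qpid.auth.cache.size alongside the value 0 that disables it. "default to 600 seconds" should be "defaults to 600 seconds", and the re-added Kerberos heading line still carries the typo "Kereberos".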
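Review bot: the OAuth2 caching paragraph in the @@ -182,7 +200,19 @@ hunk should say how the 600-second qpid.auth.cache.expiration_time default interacts with token lifetime, that is, whether a token that has been revoked or has expired at the OAuth2 service is still accepted from the cache until the entry expires. The paragraph repeats the LDAP one with "Directory" swapped for "OAuth2 service", so also say whether the two context variables are set per provider or broker-wide. In the opening sentences, "a standard why to get the identity" should be "a standard way", and since CloudFoundry is the one service without defaults for the Scope and the Authorization, Token and IdentityResolver endpoints, a line on what has to be configured for it would help.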
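Review bot: the generated anchors on the two file-format headings change in the @@ -196,44 +226,44 @@ hunk (d0e4066 becomes d0e4199, d0e4102 becomes d0e4235), so existing deep links to "Plain Password File Format" and "Base64MD5 File Format" break whenever a section is inserted earlier in the chapter. Give those two sections explicit ids in the source, as the surrounding h3 sections already have (for example Java-Broker-Security-PlainPasswordFile-Provider). While these lines are being renumbered, note that the deprecation notices still send readers to the Plain and MD5 providers; since the SCRAM SHA section says its passwords are stored as salted digests, consider naming it as the preferred choice. In the context lines, "SHA1 is provided with compatibility" should read "for compatibility".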
