http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html deleted file mode 100644 index 3848721..0000000 --- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html +++ /dev/null 
@@ -1,411 +0,0 @@ -<!DOCTYPE html> -<!-- - - - - Licensed to the Apache Software Foundation (ASF) under one - - or more contributor license agreements. See the NOTICE file - - distributed with this work for additional information - - regarding copyright ownership. The ASF licenses this file - - to you under the Apache License, Version 2.0 (the - - "License"); you may not use this file except in compliance - - with the License. You may obtain a copy of the License at - - - - http://www.apache.org/licenses/LICENSE-2.0 - - - - Unless required by applicable law or agreed to in writing, - - software distributed under the License is distributed on an - - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - - KIND, either express or implied. See the License for the - - specific language governing permissions and limitations - - under the License. - - ---> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - <head> - <title>11.3. Access Control Lists - Apache Qpid™</title> - <meta http-equiv="X-UA-Compatible" content="IE=edge"/> - <meta name="viewport" content="width=device-width, initial-scale=1.0"/> - <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> - <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> - <script type="text/javascript">var _deferredFunctions = [];</script> - <script type="text/javascript" src="/deferred.js" defer="defer"></script> - <!--[if lte IE 8]> - <link rel="stylesheet" href="/ie.css" type="text/css"/> - <script type="text/javascript" src="/html5shiv.js"></script> - <![endif]--> - - <!-- Redirects for `go get` and godoc.org --> - <meta name="go-import" - content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> - <meta name="go-source" - content="qpid.apache.org -https://github.com/apache/qpid-proton/blob/go1/README.md -https://github.com/apache/qpid-proton/tree/go1{/dir} -https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> - </head> - <body> 
- <div id="-content"> - <div id="-top" class="panel"> - <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> - - <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> - - <ul id="-global-navigation"> - <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> - <li><a href="/documentation.html">Documentation</a></li> - <li><a href="/download.html">Download</a></li> - <li><a href="/discussion.html">Discussion</a></li> - </ul> - </div> - - <div id="-menu" class="panel" style="display: none;"> - <div class="flex"> - <section> - <h3>Project</h3> - - <ul> - <li><a href="/overview.html">Overview</a></li> - <li><a href="/components/index.html">Components</a></li> - <li><a href="/releases/index.html">Releases</a></li> - </ul> - </section> - - <section> - <h3>Messaging APIs</h3> - - <ul> - <li><a href="/proton/index.html">Qpid Proton</a></li> - <li><a href="/components/jms/index.html">Qpid JMS</a></li> - <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> - </ul> - </section> - - <section> - <h3>Servers and tools</h3> - - <ul> - <li><a href="/components/java-broker/index.html">Broker for Java</a></li> - <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> - <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> - </ul> - </section> - - <section> - <h3>Resources</h3> - - <ul> - <li><a href="/dashboard.html">Dashboard</a></li> - <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> - <li><a href="/resources.html">More resources</a></li> - </ul> - </section> - </div> - </div> - - <div id="-search" class="panel" style="display: none;"> - <form action="http://www.google.com/search" method="get"> - <input type="hidden" name="sitesearch" value="qpid.apache.org"/> - <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> - <button type="submit">Search</button> - <a href="/search.html">More ways to search</a> - 
</form> - </div> - - <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.3. Access Control Lists</li></ul> - - <div id="-middle-content"> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.3. Access Control Lists</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-SSL.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-ACLs"></a>11.3. Access Control Lists</h2></div></div></div><p> - In Qpid, Access Control Lists (ACLs) specify which actions can be performed by each authenticated user. - To enable, an <span class="emphasis"><em>Access Control Provider</em></span> needs to be configured on the <span class="emphasis"><em>Broker</em></span> - level or/and ACL configuration should be provided on a <span class="emphasis"><em>Virtual Host</em></span> level. - The first imposes the ACL broker wide, and the second is applied to individual virtual hosts. - The <span class="emphasis"><em>Access Control Provider</em></span> of type "AclFile" uses local file to specify the ACL rules. - By convention, this file should have a .acl extension. - </p><p> - A Group Provider can be configured with ACL to define the user groups which can be used in ACL - to determine the ACL rules applicable to the entire group. 
The configuration details for the Group Providers are described in - <a class="xref" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">Section 11.2, “Group Providers”</a>. On creation of ACL Provider with group rules, - the Group Provider should be added first. Otherwise, if the individual ACL rules are not defined for the logged principal - the following invocation of management operations could be denied due to absence of the required groups.</p><p>Only one <span class="emphasis"><em>Access Control Provider</em></span> can be used by the Broker. - If several <span class="emphasis"><em>Access Control Providers</em></span> are configured on Broker level - only one of them will be used (the latest one). <a class="xref" href="Java-Broker-Virtual-Hosts-Configuration-File-ACL.html" title="14.2. Configuring ACL">Section 14.2, “Configuring ACL”</a> - shows how to configure ACL on <span class="emphasis"><em>Virtual Host</em></span> using virtual host configuration xml. - If both Broker <span class="emphasis"><em>Access Control Provider</em></span> and <span class="emphasis"><em>Virtual Host</em></span> ACL are configured, - the <span class="emphasis"><em>Virtual Host</em></span> ACL is used for authorization of operations on <span class="emphasis"><em>Virtual Host</em></span> and - Virtual Host objects and Broker level ACL is used to authorization of operations on Broker and Broker children - (excluding Virtual Hosts having ACL configured). - </p><p> - The ACL Providers can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">REST Management interfaces</a> - and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>. 
- </p><p>The following ACL Provider managing operations are available from Web Management Console: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new ACL Provider can be added by clicking onto "Add Access Control Provider" on the Broker tab.</p></li><li class="listitem"><p>An ACL Provider details can be viewed on the Access Control Provider tab. - The tab is shown after clicking onto ACL Provider name in the Broker object tree or after clicking - onto ACL Provider row in ACL Providers grid on the Broker tab.</p></li><li class="listitem"><p>An existing ACL Provider can be deleted by clicking onto buttons "Delete Access Control Provider" - on the Broker tab or Access Control Provider tab.</p></li></ul></div><p> - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WriteACL"></a>11.3.1.  - Writing .acl files - </h3></div></div></div><p> - The ACL file consists of a series of rules associating behaviour for a user or group. Use of groups can serve to make the ACL file more concise. See <a class="link" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">Configuring Group Providers</a> for more information on defining groups. - </p><p> - Each ACL rule grants or denies a particular action on an object to a user/group. The rule may be augmented with one or more properties, restricting - the rule's applicability. - </p><pre class="programlisting"> - ACL ALLOW alice CREATE QUEUE # Grants alice permission to create all queues. - ACL DENY bob CREATE QUEUE name="myqueue" # Denies bob permission to create a queue called "myqueue" - </pre><p> - The ACL is considered in strict line order with the first matching rule taking precedence over all those that follow. In the following - example, if the user bob tries to create an exchange "myexch", the operation will be allowed by the first rule. The second rule will - never be considered. 
- </p><pre class="programlisting"> - ACL ALLOW bob ALL EXCHANGE - ACL DENY bob CREATE EXCHANGE name="myexch" # Dead rule - </pre><p> - If the desire is to allow bob to create all exchanges except "myexch", order of the rules must be reversed: - </p><pre class="programlisting"> - ACL DENY bob CREATE EXCHANGE name="myexch" - ACL ALLOW bob ALL EXCHANGE - </pre><p> - All ACL files end with an implict rule denying all operations to all users. It is as if each file ends with - </p><pre class="programlisting">ACL DENY ALL ALL </pre><p> - If instead you wish to <span class="emphasis"><em>allow</em></span> all operations other than those controlled by earlier rules, - add </p><pre class="programlisting">ACL ALLOW ALL ALL</pre><p> to the bottom of the ACL file. - </p><p> - When writing a new ACL, a good approach is to begin with an .acl file containing only </p><pre class="programlisting">ACL DENY-LOG ALL ALL</pre><p> - which will cause the Broker to deny all operations with details of the denial logged to the Qpid log file. Build up the ACL rule by rule, - gradually working through the use-cases of your system. Once the ACL is complete, consider switching the DENY-LOG actions to DENY - to improve performamce and reduce log noise. - </p><p> - ACL rules are very powerful: it is possible to write very granular rules specifying many broker objects and their - properties. Most projects probably won't need this degree of flexibility. A reasonable approach is to choose to apply permissions - at a certain level of abstraction (e.g. QUEUE) and apply them consistently across the whole system. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-Syntax"></a>11.3.2.  
- Syntax - </h3></div></div></div><p> - ACL rules follow this syntax: - </p><pre class="programlisting"> - ACL {permission} {<group-name>|<user-name>>|ALL} {action|ALL} [object|ALL] [property="<property-value>"] - </pre><p> - Comments may be introduced with the hash (#) character and are ignored. Long lines can be broken with the slash (\) character. - </p><pre class="programlisting"> - # A comment - ACL ALLOW admin CREATE ALL # Also a comment - ACL DENY guest \ - ALL ALL # A broken line - </pre></div><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_permissions"></a><p class="title"><strong>Table 11.1. List of ACL permission</strong></p><div class="table-contents"><table border="1" summary="List of ACL permission"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>ALLOW</strong></span></td><td><p>Allow the action</p></td></tr><tr><td><span class="command"><strong>ALLOW-LOG</strong></span></td><td><p> Allow the action and log the action in the log </p></td></tr><tr><td><span class="command"><strong>DENY</strong></span></td><td><p> Deny the action</p></td></tr><tr><td><span class="command"><strong>DENY-LOG</strong></span></td><td><p> Deny the action and log the action in the log</p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_actions"></a><p class="title"><strong>Table 11.2. 
List of ACL actions</strong></p><div class="t able-contents"><table border="1" summary="List of ACL actions"><colgroup><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>CONSUME</strong></span> </td><td> <p> Applied when subscriptions are created </p> </td></tr><tr><td> <span class="command"><strong>PUBLISH</strong></span> </td><td> <p> Applied on a per message basis on publish message transfers</p> </td></tr><tr><td> <span class="command"><strong>CREATE</strong></span> </td><td> <p> Applied when an object is created, such as bindings, queues, exchanges</p> </td></tr><tr><td> <span class="command"><strong>ACCESS</strong></span> </td><td> <p> Applied when an object is read or accessed</p> </td></tr><tr><td> <span class="command"><strong>BIND</strong></span> </td><td> <p> Applied when queues are bound to exchanges</p> </td></tr><tr><td> <span class="command"><strong>UNBIND</strong></span> </td><td> <p> Applied when queues are unbound from exchanges</p> </td></tr><tr><td> <span class="command"><strong>DELETE</s trong></span> </td><td> <p> Applied when objects are deleted </p> </td></tr><tr><td> <span class="command"><strong>PURGE</strong></span> </td><td> - <p>Applied when purge the contents of a queue</p> </td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when an object is updated </p> </td></tr><tr><td> <span class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when an object is configured via REST management interfaces(Java Broker only).</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_objects"></a><p class="title"><strong>Table 11.3. 
List of ACL objects</strong></p><div class="table-contents"><table border="1" summary="List of ACL objects"><colgroup><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A virtualhost (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>MANAGEMENT </strong></span> </td><td> <p>Management - for web and JMX (Java Broker only)</p> </td></tr><tr><td> <span class="co mmand"><strong>QUEUE</strong></span> </td><td> <p>A queue </p> </td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> </td><td> <p>An exchange </p> </td></tr><tr><td> <span class="command"><strong>USER</strong></span> </td><td> <p>A user (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>GROUP</strong></span> </td><td> <p>A group (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>METHOD</strong></span> </td><td> <p>Management or agent or broker method (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>LINK</strong></span> </td><td> <p>A federation or inter-broker link (not currently used in Java Broker)</p> </td></tr><tr><td> <span class="command"><strong>BROKER</strong></span> </td><td> <p>The broker</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_properties"></a><p class="title"><strong>Table 11.4. List of ACL properties</strong></p><div class="table-contents"><table border="1" summary="List of ACL properties"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> </td><td> <p> String. Object name, such as a queue name, exchange name or JMX method name. </p> </td></tr><tr><td> <span class="command"><strong>durable</strong></span> </td><td> <p> Boolean. Indicates the object is durable </p> </td></tr><tr><td> <span class="command"><strong>routingkey</strong></span> </td><td> <p> String. 
Specifies routing key </p> </td></tr><tr><td> <span class="command"><strong>passive</strong></span> </td><td> <p> Boolean. Indicates the presence of a <em class="parameter"><code>passive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. Indicates whether or not the object gets deleted when the connection is closed </p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></s pan> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>temporary</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>temporary</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>type</strong></span> </td><td> <p> String. Type of object, such as topic, fanout, or xml </p> </td></tr><tr><td> <span class="command"><strong>alternate</strong></span> </td><td> <p> String. Name of the alternate exchange </p> </td></tr><tr><td> <span class="command"><strong>queuename</strong></span> </td><td> <p> String. Name of the queue (used only when the object is something other than <em class="parameter"><code>queue</code></em> </p> </td></tr><tr><td> <span class="command"><strong>component</strong></span> </td><td> <p> String. JMX component name (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>schemapackag e</strong></span> </td><td> <p> String. QMF schema package name (Not used in Java Broker)</p> </td></tr><tr><td> <span class="command"><strong>schemaclass</strong></span> </td><td> <p> String. QMF schema class name (Not used in Java Broker)</p> </td></tr><tr><td> <span class="command"><strong>from_network</strong></span> </td><td> - <p> - Comma-separated strings representing IPv4 address ranges. - </p> - <p> - Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. 
- </p> - <p> - The rule matches if any of the address ranges match the IPv4 address of the messaging client. - The address ranges are specified using either Classless Inter-Domain Routing notation - (e.g. 192.168.1.0/24; see <a class="ulink" href="http://tools.ietf.org/html/rfc4632" target="_top">RFC 4632</a>) - or wildcards (e.g. 192.169.1.*). - </p> - <p> - Java Broker only. - </p> - </td></tr><tr><td> <span class="command"><strong>from_hostname</strong></span> </td><td> - <p> - Comma-separated strings representing hostnames, specified using Perl-style regular - expressions, e.g. .*\.example\.company\.com - </p> - <p> - Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions. - </p> - <p> - The rule matches if any of the patterns match the hostname of the messaging client. - </p> - <p> - To look up the client's hostname, Qpid uses Java's DNS support, which internally caches its results. - </p> - <p> - You can modify the time-to-live of cached results using the *.ttl properties described on the - Java <a class="ulink" href="http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html" target="_top">Networking - Properties</a> page. - </p> - <p> - For example, you can either set system property sun.net.inetaddr.ttl from the command line - (e.g. export QPID_OPTS="-Dsun.net.inetaddr.ttl=0") or networkaddress.cache.ttl in - $JAVA_HOME/lib/security/java.security. The latter is preferred because it is JVM - vendor-independent. - </p> - <p> - Java Broker only. - </p> - </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"></a><p class="title"><strong>Table 11.5. 
List of ACL rules</strong></p><div class="table-contents"><table border="1" summary="List of ACL rules"><colgroup><col /><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>UserManagement</strong></span> </td><td> <p>User maintainance; create/delete/view users, change passwords etc</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="command"><strong>ConfigurationManagement</strong></span> </td><td> <p>Dynammically reload configuration from disk.</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="command"><strong>LoggingManagement</strong></span> </td><td> <p>Dynammically control Qpid logging level</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="com mand"><strong>ServerInformation</strong></span> </td><td> <p>Read-only information regarding the Qpid: version number etc</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.Queue</strong></span> </td><td> <p>Queue maintainance; copy/move/purge/view etc</p> </td><td class="auto-generated"> </td></tr><tr><td> <span class="command"><strong>VirtualHost.Exchange</strong></span> </td><td> <p>Exchange maintenance; bind/unbind queues to exchanges</p> </td><td class="auto-generated"> </td></tr><tr><td> <span class="command"><strong>VirtualHost.VirtualHost</strong></span> </td><td> <p>Virtual host maintainace; create/delete exchanges, queues etc</p> </td><td class="auto-generated"> </td></tr></tbody></table></div></div><br class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WorkedExamples"></a>11.3.3.  - Worked Examples - </h3></div></div></div><p> - Here are some example ACLs illustrating common use cases. - In addition, note that the Java broker provides a complete example ACL file, located at etc/broker_example.acl. 
- </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample1"></a>11.3.3.1.  - Worked example 1 - Management rights - </h4></div></div></div><p> - Suppose you wish to permission two users: a user 'operator' must be able to perform all Management operations, and - a user 'readonly' must be enable to perform only read-only functions. Neither 'operator' nor 'readonly' - should be allowed to connect clients for messaging. - </p><pre class="programlisting"> -# Deny (loggged) operator/readonly permission to connect messaging clients. -ACL DENY-LOG operator ACCESS VIRTUALHOST -ACL DENY-LOG readonly ACCESS VIRTUALHOST -# Give operator permission to perfom all other actions -ACL ALLOW operator ALL ALL -# Give readonly permission to execute only read-only actions -ACL ALLOW readonly ACCESS ALL -... -... rules for other users -... -# Explicitly deny all (log) to eveyone -ACL DENY-LOG ALL ALL - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample2"></a>11.3.3.2.  - Worked example 2 - User maintainer group - </h4></div></div></div><p> - Suppose you wish to restrict User Management operations to users belonging to a - <a class="link" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">group</a> 'usermaint'. No other user - is allowed to perform user maintainence This example illustrates the permissioning of an individual component. - </p><pre class="programlisting"> -# Give usermaint access to management and permission to execute all JMX Methods on the -# UserManagement MBean and perform all actions for USER objects -ACL ALLOW usermaint ACCESS MANAGEMENT -ACL ALLOW usermaint ALL METHOD component="UserManagement" -ACL ALLOW usermaint ALL USER -ACL DENY ALL ALL METHOD component="UserManagement" -ACL DENY ALL ALL USER -... -... rules for other users -... 
-ACL DENY-LOG ALL ALL - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample3"></a>11.3.3.3.  - Worked example 3 - Request/Response messaging - </h4></div></div></div><p> - Suppose you wish to permission a system using a request/response paradigm. Two users: 'client' publishes requests; - 'server' consumes the requests and generates a response. This example illustrates the permissioning of AMQP exchanges - and queues. - </p><pre class="programlisting"> -# Allow client and server to connect to the virtual host. -ACL ALLOW client ACCESS VIRTUALHOST -ACL ALLOW server ACCESS VIRTUALHOST - -# Client side -# Allow the 'client' user to publish requests to the request queue. As is the norm for the request/response paradigm, the client -# is required to create a temporary queue on which the server will respond. Consequently, there are rules to allow the creation -# of the temporary queues and consumption of messages from it. -ACL ALLOW client CREATE QUEUE temporary="true" -ACL ALLOW client CONSUME QUEUE temporary="true" -ACL ALLOW client DELETE QUEUE temporary="true" -ACL ALLOW client BIND EXCHANGE name="amq.direct" temporary="true" -ACL ALLOW client UNBIND EXCHANGE name="amq.direct" temporary="true" -ACL ALLOW client PUBLISH EXCHANGE name="amq.direct" routingKey="example.RequestQueue" - -# Server side -# Allow the 'server' user to consume from the request queue and publish a response to the temporary response queue created by -# client. We also allow the server to create the request queue. -ACL ALLOW server CREATE QUEUE name="example.RequestQueue" -ACL ALLOW server CONSUME QUEUE name="example.RequestQueue" -ACL ALLOW server BIND EXCHANGE -ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*" - -ACL DENY-LOG all all - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample4"></a>11.3.3.4.  
- Worked example 4 - firewall-like access control - </h4></div></div></div><p> - This example illustrates how to set up an ACL that restricts the IP addresses and hostnames - of messaging clients that can access a virtual host. - </p><pre class="programlisting"> -################ -# Hostname rules -################ - -# Allow messaging clients from company1.com and company1.co.uk to connect -ACL ALLOW all ACCESS VIRTUALHOST from_hostname=".*\.company1\.com,.*\.company1\.co\.uk" - -# Deny messaging clients from hosts within the dev subdomain -ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.dev\.company1\.com" - -################## -# IP address rules -################## - -# Deny access to all users in the IP ranges 192.168.1.0-192.168.1.255 and 192.168.2.0-192.168.2.255, -# using the notation specified in RFC 4632, "Classless Inter-domain Routing (CIDR)" -ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ - from_network="192.168.1.0/24,192.168.2.0/24" - -# Deny access to all users in the IP ranges 192.169.1.0-192.169.1.255 and 192.169.2.0-192.169.2.255, -# using wildcard notation. -ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \ - from_network="192.169.1.*,192.169.2.*" - -ACL DENY-LOG all all - </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample5"></a>11.3.3.5.  - Worked example 5 - REST management ACL example - </h4></div></div></div><p> - This example illustrates how to set up an ACL that restricts usage of REST management interfaces. 
- </p><pre class="programlisting"> -# allow to the users from webadmins group to change broker model -# this rule allows adding/removing/editing of Broker level objects: -# Broker, Virtual Host, Group Provider, Authentication Provider, Port, Access Control Provider etc -ACL ALLOW-LOG webadmins CONFIGURE BROKER - -# allow to the users from webadmins group to perform -# create/update/delete on Virtual Host children -ACL ALLOW-LOG webadmins CREATE QUEUE -ACL ALLOW-LOG webadmins UPDATE QUEUE -ACL ALLOW-LOG webadmins DELETE QUEUE -ACL ALLOW-LOG webadmins PURGE QUEUE -ACL ALLOW-LOG webadmins CREATE EXCHANGE -ACL ALLOW-LOG webadmins DELETE EXCHANGE -ACL ALLOW-LOG webadmins BIND EXCHANGE -ACL ALLOW-LOG webadmins UNBIND EXCHANGE - -# allow to the users from webadmins group to create/update/delete groups on Group Providers -ACL ALLOW-LOG webadmins CREATE GROUP -ACL ALLOW-LOG webadmins DELETE GROUP -ACL ALLOW-LOG webadmins UPDATE GROUP - -# allow to the users from webadmins group to create/update/delete users for Authentication Providers -ACL ALLOW-LOG webadmins CREATE USER -ACL ALLOW-LOG webadmins DELETE USER -ACL ALLOW-LOG webadmins UPDATE USER - -# allow to the users from webadmins group to move, copy and delete messagaes -# using REST management interfaces -ACL ALLOW-LOG webadmins UPDATE METHOD - -# at the moment only the following UPDATE METHOD rules are supported by web management console -#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages" -#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages" -#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages" - -ACL DENY-LOG all all - </pre></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" 
href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-SSL.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">11.2. Group Providers </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.4. SSL</td></tr></table></div></div> - - <hr/> - - <ul id="-apache-navigation"> - <li><a href="http://www.apache.org/">Apache</a></li> - <li><a href="http://www.apache.org/licenses/">License</a></li> - <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> - <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> - <li><a href="/security.html">Security</a></li> - <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> - </ul> - - <p id="-legal"> - Apache Qpid, Messaging built on AMQP; Copyright © 2015 - The Apache Software Foundation; Licensed under - the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache - License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, - Proton, Apache, the Apache feather logo, and the Apache Qpid - project logo are trademarks of The Apache Software - Foundation; All other marks mentioned may be trademarks or - registered trademarks of their respective owners - </p> - </div> - </div> - </div> - </body> -</html>
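Review bot: Deleting this page removes the only place in the 0.26 book that states the ACL evaluation rules (strict line order with first match winning, the implicit trailing `ACL DENY ALL ALL`, and Virtual Host ACL taking precedence over the Broker-level Access Control Provider for virtual host objects), so the commit should either add a redirect for `/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html` to the current release's ACL page or state in the commit message that the 0.26 release documentation is being retired as a whole. If the content is being moved rather than dropped, two inconsistencies visible in the removed text are worth carrying over as fixes: worked example 3 uses the property `routingKey="example.RequestQueue"` while Table 11.4 lists the property as `routingkey`, and the worked examples close with `ACL DENY-LOG all all` while the syntax section and Table 11.1 spell the wildcard `ALL`; the copy that replaces this page should use one spelling so the documented syntax matches its own examples.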
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html deleted file mode 100644 index 3cb6d67..0000000 --- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html +++ /dev/null 
@@ -1,174 +0,0 @@ -<!DOCTYPE html> -<!-- - - - - Licensed to the Apache Software Foundation (ASF) under one - - or more contributor license agreements. See the NOTICE file - - distributed with this work for additional information - - regarding copyright ownership. The ASF licenses this file - - to you under the Apache License, Version 2.0 (the - - "License"); you may not use this file except in compliance - - with the License. You may obtain a copy of the License at - - - - http://www.apache.org/licenses/LICENSE-2.0 - - - - Unless required by applicable law or agreed to in writing, - - software distributed under the License is distributed on an - - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - - KIND, either express or implied. See the License for the - - specific language governing permissions and limitations - - under the License. - - ---> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - <head> - <title>11.2. Group Providers - Apache Qpid™</title> - <meta http-equiv="X-UA-Compatible" content="IE=edge"/> - <meta name="viewport" content="width=device-width, initial-scale=1.0"/> - <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> - <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> - <script type="text/javascript">var _deferredFunctions = [];</script> - <script type="text/javascript" src="/deferred.js" defer="defer"></script> - <!--[if lte IE 8]> - <link rel="stylesheet" href="/ie.css" type="text/css"/> - <script type="text/javascript" src="/html5shiv.js"></script> - <![endif]--> - - <!-- Redirects for `go get` and godoc.org --> - <meta name="go-import" - content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> - <meta name="go-source" - content="qpid.apache.org -https://github.com/apache/qpid-proton/blob/go1/README.md -https://github.com/apache/qpid-proton/tree/go1{/dir} -https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> - </head> - <body> - 
<div id="-content"> - <div id="-top" class="panel"> - <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> - - <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> - - <ul id="-global-navigation"> - <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> - <li><a href="/documentation.html">Documentation</a></li> - <li><a href="/download.html">Download</a></li> - <li><a href="/discussion.html">Discussion</a></li> - </ul> - </div> - - <div id="-menu" class="panel" style="display: none;"> - <div class="flex"> - <section> - <h3>Project</h3> - - <ul> - <li><a href="/overview.html">Overview</a></li> - <li><a href="/components/index.html">Components</a></li> - <li><a href="/releases/index.html">Releases</a></li> - </ul> - </section> - - <section> - <h3>Messaging APIs</h3> - - <ul> - <li><a href="/proton/index.html">Qpid Proton</a></li> - <li><a href="/components/jms/index.html">Qpid JMS</a></li> - <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> - </ul> - </section> - - <section> - <h3>Servers and tools</h3> - - <ul> - <li><a href="/components/java-broker/index.html">Broker for Java</a></li> - <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> - <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> - </ul> - </section> - - <section> - <h3>Resources</h3> - - <ul> - <li><a href="/dashboard.html">Dashboard</a></li> - <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> - <li><a href="/resources.html">More resources</a></li> - </ul> - </section> - </div> - </div> - - <div id="-search" class="panel" style="display: none;"> - <form action="http://www.google.com/search" method="get"> - <input type="hidden" name="sitesearch" value="qpid.apache.org"/> - <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> - <button type="submit">Search</button> - <a href="/search.html">More ways to search</a> - 
</form> - </div> - - <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.2. Group Providers</li></ul> - - <div id="-middle-content"> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.2. Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Group-Providers"></a>11.2. Group Providers</h2></div></div></div><p> - The Java broker utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-ACLs.html" title="11.3. Access Control Lists">ACLs</a>. - Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="11.1. Authentication Providers">Authentication Provider</a>, - the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of - Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user. - </p><p>The <span class="emphasis"><em>Group Provider</em></span> can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. 
REST API"> - REST Management interfaces</a> and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>.</p><p>The following <span class="emphasis"><em>Group Provider</em></span> managing operations are available from Web Management Console: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Group Provider can be added by clicking onto "Add Group Provider" button on a Broker tab.</p></li><li class="listitem"><p>An existing providers can be removed by pressing "Delete Group Provider" button - on Broker tab or Group Provider tab.</p></li><li class="listitem"><p>On clicking onto provider name in the Group Providers grid or Broker object tree, - the tab for the Group Provider is displayed.</p></li><li class="listitem"><p>A new group can be added into the Group Provider by clicking onto "Add Group" button on provider tab.</p></li><li class="listitem"><p>An existing group can be deleted from the Group Provider by clicking onto "Delete Group" button on provider tab.</p></li><li class="listitem"><p>On clicking onto group name in the groups grid, the tab with the list of existing - group members is displayed for the Group.</p></li><li class="listitem"><p>From the Group tab a new member can be added into a group or existing members can be deleted - from a group by clicking on "Add Group Member" or "Remove Group Members" accordingly.</p></li></ul></div><p> - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="File-Group-Manager"></a>11.2.1. GroupFile Provider</h3></div></div></div><p> - The <span class="emphasis"><em>GroupFile</em></span> Provider allows specifying group membership in a flat file on disk. - On adding a new GroupFile Provider the path to the groups file is required to be specified. - If file does not exist an empty file is created automatically. 
On deletion of GroupFile Provider - the groups file is deleted as well. Only one instance of "GroupFile" Provider per groups file location can be created. - On attempt to create another GroupFile Provider pointing to the same location the error will be displayed and - the creation will be aborted. - </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="File-Group-Manager-FileFormat"></a>11.2.1.1. File Format</h4></div></div></div><p> - The groups file has the following format: - </p><pre class="programlisting"> - # <GroupName>.users = <comma deliminated user list> - # For example: - - administrators.users = admin,manager -</pre><p> - Only users can be added to a group currently, not other groups. Usernames can't contain commas. - </p><p> - Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface. - </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 11. Security </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.3. 
Access Control Lists</td></tr></table></div></div> - - <hr/> - - <ul id="-apache-navigation"> - <li><a href="http://www.apache.org/">Apache</a></li> - <li><a href="http://www.apache.org/licenses/">License</a></li> - <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> - <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> - <li><a href="/security.html">Security</a></li> - <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> - </ul> - - <p id="-legal"> - Apache Qpid, Messaging built on AMQP; Copyright © 2015 - The Apache Software Foundation; Licensed under - the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache - License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, - Proton, Apache, the Apache feather logo, and the Apache Qpid - project logo are trademarks of The Apache Software - Foundation; All other marks mentioned may be trademarks or - registered trademarks of their respective owners - </p> - </div> - </div> - </div> - </body> -</html> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html deleted file mode 100644 index 286a2cc..0000000 --- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html +++ /dev/null 
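Review bot: the file-format listing in block 11.2.1.1 of this hunk has unescaped angle brackets inside `<pre class="programlisting">` (`# <GroupName>.users = <comma deliminated user list>`), which is not well-formed in the XHTML the page declares, and "deliminated" is a typo; harmless in a deletion, but if the Group Providers page is regenerated for a later release the brackets need to be `&lt;` and `&gt;`. Two statements in this text are operator-facing data-loss behaviours rather than cosmetic detail and should survive any relocation: deleting a GroupFile Provider deletes the groups file itself, and comment lines in that file are not preserved when the broker rewrites it after a change through the management interface.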
@@ -1,190 +0,0 @@ -<!DOCTYPE html> -<!-- - - - - Licensed to the Apache Software Foundation (ASF) under one - - or more contributor license agreements. See the NOTICE file - - distributed with this work for additional information - - regarding copyright ownership. The ASF licenses this file - - to you under the Apache License, Version 2.0 (the - - "License"); you may not use this file except in compliance - - with the License. You may obtain a copy of the License at - - - - http://www.apache.org/licenses/LICENSE-2.0 - - - - Unless required by applicable law or agreed to in writing, - - software distributed under the License is distributed on an - - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - - KIND, either express or implied. See the License for the - - specific language governing permissions and limitations - - under the License. - - ---> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - <head> - <title>11.4. SSL - Apache Qpid™</title> - <meta http-equiv="X-UA-Compatible" content="IE=edge"/> - <meta name="viewport" content="width=device-width, initial-scale=1.0"/> - <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> - <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> - <script type="text/javascript">var _deferredFunctions = [];</script> - <script type="text/javascript" src="/deferred.js" defer="defer"></script> - <!--[if lte IE 8]> - <link rel="stylesheet" href="/ie.css" type="text/css"/> - <script type="text/javascript" src="/html5shiv.js"></script> - <![endif]--> - - <!-- Redirects for `go get` and godoc.org --> - <meta name="go-import" - content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> - <meta name="go-source" - content="qpid.apache.org -https://github.com/apache/qpid-proton/blob/go1/README.md -https://github.com/apache/qpid-proton/tree/go1{/dir} -https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> - </head> - <body> - <div 
id="-content"> - <div id="-top" class="panel"> - <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> - - <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> - - <ul id="-global-navigation"> - <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> - <li><a href="/documentation.html">Documentation</a></li> - <li><a href="/download.html">Download</a></li> - <li><a href="/discussion.html">Discussion</a></li> - </ul> - </div> - - <div id="-menu" class="panel" style="display: none;"> - <div class="flex"> - <section> - <h3>Project</h3> - - <ul> - <li><a href="/overview.html">Overview</a></li> - <li><a href="/components/index.html">Components</a></li> - <li><a href="/releases/index.html">Releases</a></li> - </ul> - </section> - - <section> - <h3>Messaging APIs</h3> - - <ul> - <li><a href="/proton/index.html">Qpid Proton</a></li> - <li><a href="/components/jms/index.html">Qpid JMS</a></li> - <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> - </ul> - </section> - - <section> - <h3>Servers and tools</h3> - - <ul> - <li><a href="/components/java-broker/index.html">Broker for Java</a></li> - <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> - <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> - </ul> - </section> - - <section> - <h3>Resources</h3> - - <ul> - <li><a href="/dashboard.html">Dashboard</a></li> - <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> - <li><a href="/resources.html">More resources</a></li> - </ul> - </section> - </div> - </div> - - <div id="-search" class="panel" style="display: none;"> - <form action="http://www.google.com/search" method="get"> - <input type="hidden" name="sitesearch" value="qpid.apache.org"/> - <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> - <button type="submit">Search</button> - <a href="/search.html">More ways to search</a> - </form> 
- </div> - - <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.4. SSL</li></ul> - - <div id="-middle-content"> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.4. SSL</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-SSL"></a>11.4. SSL</h2></div></div></div><p> - This section guides through the details of configuration of Keystores and Trsustores - required for enabling of SSL transport and Client Certificate Authentication on Broker ports. - The details how to configure SSL on Broker ports are provided in <a class="xref" href="Java-Broker-Ports.html" title="Chapter 6. Broker Ports">Chapter 6, <em>Broker Ports</em></a>. - </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-SSL-Keystore"></a>11.4.1. Keystore Configuration</h3></div></div></div><p> - A Keystore can be added/deleted/edited using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API"> - REST Management interfaces</a> and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console"> - Web Management Console</a>. Any number of Keystores can be configured on the Broker. 
- SSL ports can be configured with different Keystores. - </p><p>The following Keystore managing operations are available from - <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Keystore can be added by clicking on "Add Key Store" button on the Broker tab.</p></li><li class="listitem"><p>Keystore details can be viewed on the Keystore tab which is displayed after clicking - on Keystore name in the Broker object tree or after clicking on Keystore row in Keystores grid on the Broker tab.</p></li><li class="listitem"><p>Editing of Keystore can be performed by clicking on "Edit" button on the Keystore tab. - Changing of Keystore name is unsupported at the moment. If changed Keystore is used by the Port - the changes on Port object will take effect after Broker restart.</p></li><li class="listitem"><p>An existing Keystore can be deleted by clicking on "Delete Key Store" button on Broker tab - or hitting "Delete" button on the Keystore tab. Only unused Keystores can be deleted. - The deletion of the Keystore configured on any Broker Port is not allowed.</p></li></ul></div><p> - </p><p> - The "Keystore certificate alias" field is an optional way of specifying which certificate the broker should use - if the keystore contains multiple entries. Optionally "Key manager factory algorithm" and "Key store type" can - be specified on Keystore creation. - </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> - The password of the certificate used by the Broker <span class="bold"><strong>must</strong></span> - match the password of the keystore itself. This is a restriction of the Qpid Broker - implementation. 
If using the <a class="ulink" href="http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html" target="_top">keytool</a> utility, - note that this means the argument to the <code class="option">-keypass</code> option must match - the <code class="option">-storepass</code> option. - </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="SSL-Truststore-ClientCertificate"></a>11.4.2. Truststore / Client Certificate Authentication</h3></div></div></div><p> - The SSL trustore and related Client Certificate Authentication behaviour can be configured - by adding a Trustore configured object and associating it with the SSL port. - A Truststore can be added/deleted/edited using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API"> - REST Management interfaces</a> and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console"> - Web Management Console</a>. Any number of Trustores can be configured on the Broker. - Multiple Trustores can be configured on Broker SSL Ports. - </p><p>The following Truststore managing operations are available from - <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. 
Web Management Console">Web Management Console</a>: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Truststore can be added by clicking on "Add Trust Store" button on the Broker tab.</p></li><li class="listitem"><p>Truststore details can be viewed on the Truststore tab which is displayed after clicking - onto Truststore name in the Broker object tree or after clicking onto Truststore row in Truststores grid on the Broker tab.</p></li><li class="listitem"><p>Trustore can be edited by clicking onto "Edit" button on the Trustore tab. - Changing of Trustore name is unsupported at the moment.</p></li><li class="listitem"><p>An existing Trustore can be deleted by clicking onto "Delete Trust Store" button - on Broker tab or "Delete" button on the Truststore tab. Only unused Truststores can be deleted. - The deletion of the Truststore configured on any Broker Port is not allowed.</p></li></ul></div><p> - </p><p>When "Peers Only" option is selected for the Truststore it will allow logging in for the clients - with the certificate exactly matching the certificate loaded in the Truststore database, - thus, authenticating the connections with self signed certificates not nessesary signed by CA. - </p><p>"Trust manager factory algorithm" and "Trust store type" can - be optionally specified for the Trustore. - </p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">11.3. Access Control Lists </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> Chapter 12. 
Runtime</td></tr></table></div></div> - - <hr/> - - <ul id="-apache-navigation"> - <li><a href="http://www.apache.org/">Apache</a></li> - <li><a href="http://www.apache.org/licenses/">License</a></li> - <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> - <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> - <li><a href="/security.html">Security</a></li> - <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> - </ul> - - <p id="-legal"> - Apache Qpid, Messaging built on AMQP; Copyright © 2015 - The Apache Software Foundation; Licensed under - the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache - License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, - Proton, Apache, the Apache feather logo, and the Apache Qpid - project logo are trademarks of The Apache Software - Foundation; All other marks mentioned may be trademarks or - registered trademarks of their respective owners - </p> - </div> - </div> - </div> - </body> -</html> http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html ---------------------------------------------------------------------- diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html deleted file mode 100644 index 4ef9aca..0000000 --- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html +++ /dev/null 
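Review bot: the Important box in 11.4.1 of this hunk (the certificate password must match the keystore password, so keytool `-keypass` must equal `-storepass`) and the "Peers Only" paragraph in 11.4.2 (a client is accepted only when its certificate exactly matches one loaded in the Truststore, which is how self-signed certificates not signed by a CA are authenticated) are the two security-relevant statements on the page; if the SSL section is being moved rather than dropped, carry both over intact. The deleted text also contains spellings that should not be propagated ("Trsustores", "Trustore", "nessesary"), and the keytool link targets the Java 6 documentation at docs.oracle.com/javase/6, which a successor page should update.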
@@ -1,280 +0,0 @@ -<!DOCTYPE html> -<!-- - - - - Licensed to the Apache Software Foundation (ASF) under one - - or more contributor license agreements. See the NOTICE file - - distributed with this work for additional information - - regarding copyright ownership. The ASF licenses this file - - to you under the Apache License, Version 2.0 (the - - "License"); you may not use this file except in compliance - - with the License. You may obtain a copy of the License at - - - - http://www.apache.org/licenses/LICENSE-2.0 - - - - Unless required by applicable law or agreed to in writing, - - software distributed under the License is distributed on an - - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY - - KIND, either express or implied. See the License for the - - specific language governing permissions and limitations - - under the License. - - ---> -<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"> - <head> - <title>Chapter 11. Security - Apache Qpid™</title> - <meta http-equiv="X-UA-Compatible" content="IE=edge"/> - <meta name="viewport" content="width=device-width, initial-scale=1.0"/> - <link rel="stylesheet" href="/site.css" type="text/css" async="async"/> - <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/> - <script type="text/javascript">var _deferredFunctions = [];</script> - <script type="text/javascript" src="/deferred.js" defer="defer"></script> - <!--[if lte IE 8]> - <link rel="stylesheet" href="/ie.css" type="text/css"/> - <script type="text/javascript" src="/html5shiv.js"></script> - <![endif]--> - - <!-- Redirects for `go get` and godoc.org --> - <meta name="go-import" - content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/> - <meta name="go-source" - content="qpid.apache.org -https://github.com/apache/qpid-proton/blob/go1/README.md -https://github.com/apache/qpid-proton/tree/go1{/dir} -https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/> - </head> - <body> - <div 
id="-content"> - <div id="-top" class="panel"> - <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a> - - <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a> - - <ul id="-global-navigation"> - <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li> - <li><a href="/documentation.html">Documentation</a></li> - <li><a href="/download.html">Download</a></li> - <li><a href="/discussion.html">Discussion</a></li> - </ul> - </div> - - <div id="-menu" class="panel" style="display: none;"> - <div class="flex"> - <section> - <h3>Project</h3> - - <ul> - <li><a href="/overview.html">Overview</a></li> - <li><a href="/components/index.html">Components</a></li> - <li><a href="/releases/index.html">Releases</a></li> - </ul> - </section> - - <section> - <h3>Messaging APIs</h3> - - <ul> - <li><a href="/proton/index.html">Qpid Proton</a></li> - <li><a href="/components/jms/index.html">Qpid JMS</a></li> - <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li> - </ul> - </section> - - <section> - <h3>Servers and tools</h3> - - <ul> - <li><a href="/components/java-broker/index.html">Broker for Java</a></li> - <li><a href="/components/cpp-broker/index.html">C++ broker</a></li> - <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li> - </ul> - </section> - - <section> - <h3>Resources</h3> - - <ul> - <li><a href="/dashboard.html">Dashboard</a></li> - <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li> - <li><a href="/resources.html">More resources</a></li> - </ul> - </section> - </div> - </div> - - <div id="-search" class="panel" style="display: none;"> - <form action="http://www.google.com/search" method="get"> - <input type="hidden" name="sitesearch" value="qpid.apache.org"/> - <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/> - <button type="submit">Search</button> - <a href="/search.html">More ways to search</a> - </form> 
- </div> - - <div id="-middle" class="panel"> - <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>Chapter 11. Security</li></ul> - - <div id="-middle-content"> - <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 11. Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter 11. Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">11.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">11.1.1. Simple LDAP Authentication Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">11.1.2. Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">11.1.3. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">11.1.4. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">11.1.5. 
Plain Password File</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">11.1.6. Base64MD5 Password File</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html">11.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">1 1.2.1. GroupFile Provider</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">11.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">11.3.1. - Writing .acl files - </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-Syntax">11.3.2. - Syntax - </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WorkedExamples">11.3.3. - Worked Examples - </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-SSL.html">11.4. SSL</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-SSL.html#Java-Broker-SSL-Keystore">11.4.1. Keystore Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate">11.4.2. Truststore / Client Certificate Authentication</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Authentication-Providers"></a>11.1. Authentication Providers</h2></div></div></div><p> - In order to successfully establish a connection to the Java Broker, the connection must be - authenticated. The Java Broker supports a number of different authentication schemes, each - with its own "authentication provider". Any number of Authentication Providers can be configured - on the Broker at the same time. 
- </p><p> - The Authentication Providers can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">REST Management interfaces</a> - and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>. - </p><p>The following Authentication Provider managing operations are available from Web Management Console: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Authentication Provider can be added by clicking onto "Add Provider" on the Broker tab.</p></li><li class="listitem"><p>An Authentication Provider details can be viewed on the Authentication Provider tab. - The tab is displayed after clicking onto Authentication Provider name in the Broker object tree or after clicking - onto Authentication Provider row in Authentication Providers grid on the Broker tab.</p></li><li class="listitem"><p>Editing of Authentication Provider can be performed by clicking on "Edit" button - on Authentication Provider tab.</p></li><li class="listitem"><p>An existing Authentication Provider can be deleted by clicking on "Delete Provider" button - on Broker tab or "Delete" button on the Authentication Provider tab.</p></li></ul></div><p> - The Authentication Provider type and name cannot be changed for existing providers as editing of name and type - is unsupported at the moment. Only provider specific attributes can be modified in the editing dialog - and stored in the broker configuration store. - </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3> - Only unused Authentication Provider can be deleted. 
For delete requests attempting to delete Authentication Provider - associated with the Ports, the errors will be returned and delete operations will be aborted. It is possible to change - the Authentication Provider on Port at runtime. However, the Broker restart is required for changes on Port to take effect. - </div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-LDAP-Provider"></a>11.1.1. Simple LDAP Authentication Provider</h3></div></div></div><p> - SimpleLDAPAuthenticationProvider authenticates connections against a Directory (LDAP). - </p><p> - To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP server URL</em></span> is the URL of the server, for example, <code class="literal">ldaps://example.com:636</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search context</em></span> is the distinguished name of the search base object. It defines the location from which - the search for users begins, for example, <code class="literal">dc=users,dc=example,dc=com</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search filter</em></span> is a DN template to find an LDAP user entry by provided user name, for example, <code class="literal">(uid={0})</code></p></li></ul></div><p> - Additionally, the following optional fields can be specified: - </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP context factory</em></span> is a fully qualified class name for the JNDI LDAP context factory. 
- This class must implement the <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/spi/InitialContextFactory.html" target="_top">InitialContextFactory</a> - interface and produce instances of <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/directory/DirContext.html" target="_top">DirContext</a>. - If not specified a default value of <code class="literal">com.sun.jndi.ldap.LdapCtxFactory</code> is used.</p></li><li class="listitem"><p><span class="emphasis"><em>LDAP authentication URL</em></span> is the URL of LDAP server for performing "ldap bind". If not - specified, the <span class="emphasis"><em>LDAP server URL</em></span> will be used for both searches and authentications.</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a name of <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication">configured truststore</a>. - Use this if connecting to a Directory over SSL (i.e. ldaps://) which is protected by a certificate signed by a private CA (or - utilising a self-signed certificate).</p></li></ul></div><p> - </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3> - In order to protect the security of the user's password, when using LDAP authentication, you must: - <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Use SSL on the broker's AMQP, JMX, and HTTP ports to protect the password during - transmission to the Broker.</p></li><li class="listitem"><p>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password - during transmission from the Broker to the Directory.</p></li></ul></div></div><p> - The LDAP Authentication Provider works in the following manner. 
It first connects to the Directory anonymously - and searches for the ldap entity which is identified by the username. The search begins at the distinguished name - identified by <code class="literal">Search Context</code> and uses the username as a filter. The search scope is sub-tree - meaning the search will include the base object and the subtree extending beneath it. - </p><p> - If the search returns a match, the Authentication Provider then attempts to bind to the LDAP server with the given - name and the password. Note that - <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION" target="_top">simple security authentication</a> - is used so the Directory receives the password in the clear. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Kerberos-Provider"></a>11.1.2. Kerberos</h3></div></div></div><p> - Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the connections. - </p><p> - Configuration of kerberos is done through system properties (there doesn't seem to be a way - around this unfortunately). - </p><pre class="programlisting"> - export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf - ${QPID_HOME}/bin/qpid-server - </pre><p>Where qpid.conf would look something like this:</p><pre class="programlisting"> -com.sun.security.jgss.accept { - com.sun.security.auth.module.Krb5LoginModule required - useKeyTab=true - storeKey=true - doNotPrompt=true - realm="EXAMPLE.COM" - useSubjectCredsOnly=false - kdc="kerberos.example.com" - keyTab="/path/to/keytab-file" - principal="<name>/<host>"; -};</pre><p> - Where realm, kdc, keyTab and principal should obviously be set correctly for the environment - where you are running (see the existing documentation for the C++ broker about creating a keytab - file). 
- </p><p> - Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength - Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. - </p><p> - Since Kerberos support only works where SASL authentication is available (e.g. not for JMX - authentication) you may wish to also include an alternative Authentication Provider - configuration, and use this for JMX and HTTP ports. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>11.1.3. External (SSL Client Certificates)</h3></div></div></div><p> - When <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication"> requiring SSL Client Certificates</a> be - presented the External Authentication Provider can be used, such that the user is authenticated based on - trust of their certificate alone, and the X500Principal from the SSL session is then used as the username - for the connection, instead of also requiring the user to present a valid username and password. - </p><p> - <span class="bold"><strong>Note:</strong></span> The External Authentication Provider should typically only be used on the - AMQP ports, in conjunction with <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication">SSL client certificate - authentication</a>. It is not intended for other uses such as the JMX management port and will treat any - non-sasl authentication processes on these ports as successful with the given username. As such you should - configure another Authentication Provider for use on non-AMQP ports. Perhaps the only exception to this - would be where the broker is embedded in a container that is itself externally protecting the HTTP interface - and then providing the remote users name. 
- </p><p>On creation of External Provider the use of full DN or username CN as a principal name can be configured. - If field "Use the full DN as the Username" is set to "true" the full DN is used as an authenticated principal name. - If field "Use the full DN as the Username" is set to "false" the user name CN part is used as the authenticated principal name. - Setting the field to "false" is particular useful when <a class="link" href="Java-Broker-Security-ACLs.html" title="11.3. Access Control Lists">ACL</a> is required, - as at the moment, ACL does not support commas in the user name. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Anonymous-Provider"></a>11.1.4. Anonymous</h3></div></div></div><p> - The Anonymous Authentication Provider will allow users to connect with or without credentials and result - in their identification on the broker as the user ANONYMOUS. This Provider does not require specification - of any additional fields on creation. - </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-PlainPasswordFile-Provider"></a>11.1.5. Plain Password File</h3></div></div></div><p> - The PlainPasswordFile Provider uses local file to store and manage user credentials. - When creating an authentication provider the path to the file needs to be specified. - If specified file does not exist an empty file is created automatically on Authentication Provider creation. - On Provider deletion the password file is deleted as well. For this Provider - user credentials can be added, removed or changed using REST management interfaces and web management console. 
- </p><p> - On navigating to the Plain Password File Provider tab (by clicking onto provider name from Broker tree or provider - row in providers grid on Broker tab) the list of existing credentials is displayed on the tab with the buttons "Add User" - and "Delete Users" to add new user credentials and delete the existing user credentials respectively. - On clicking into user name on Users grid the pop-up dialog to change the password is displayed. - </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idm140218886937008"></a>11.1.5.1. Plain Password File Format</h4></div></div></div><p> - The user credentials are stored on the single file line as user name and user password pairs separated by colon character. - </p><pre class="programlisting"> -# password file format -# <user name>: <user password> -guest:guest - </pre></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Base64MD5PasswordFile-Provider"></a>11.1.6. Base64MD5 Password File</h3></div></div></div><p> - Base64MD5PasswordFile Provider uses local file to store and manage user credentials similar to Similar to PlainPasswordFile - but instead of storing a password the MD5 password digest encoded with Base64 encoding is stored in the file. - When creating an authentication provider the path to the file needs to be specified. - If specified file does not exist an empty file is created automatically on Authentication Provider creation. - On Base64MD5PasswordFile Provider deletion the password file is deleted as well. For this Provider - user credentials can be added, removed or changed using REST management interfaces and web management console. 
- </p><p> - On navigating to the Base64MD5PasswordFile Provider tab (by clicking onto provider name from Broker tree or provider - row in providers grid on Broker tab) the list of existing credentials is displayed on the tab with the buttons "Add User" - and "Delete Users" to add new user credentials and delete the existing user credentials respectively. - On clicking into user name on Users grid the pop-up dialog to change the password is displayed. - </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">10.5. High Availability BDB Message Store </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.2. 
Group Providers</td></tr></table></div></div> - - <hr/> - - <ul id="-apache-navigation"> - <li><a href="http://www.apache.org/">Apache</a></li> - <li><a href="http://www.apache.org/licenses/">License</a></li> - <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li> - <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li> - <li><a href="/security.html">Security</a></li> - <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li> - </ul> - - <p id="-legal"> - Apache Qpid, Messaging built on AMQP; Copyright © 2015 - The Apache Software Foundation; Licensed under - the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache - License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton, - Proton, Apache, the Apache feather logo, and the Apache Qpid - project logo are trademarks of The Apache Software - Foundation; All other marks mentioned may be trademarks or - registered trademarks of their respective owners - </p> - </div> - </div> - </div> - </body> -</html> --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
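Review bot: the body of the page this hunk deletes does not match the section its TOC entry names: the heading rendered at the start of the body is "11.1. Authentication Providers" and the navigation footer at the end reads "Prev 10.5. High Availability BDB Message Store / Next 11.2. Group Providers", while the TOC in the same hunk lists this file (Java-Broker-Security-ACLs.html) as "11.3. Access Control Lists" with anchors #Java-Broker-Security-ACLs-WriteACL, #-Syntax and #-WorkedExamples. If the deletion is part of regenerating the 0.26 book, confirm that the regenerated Java-Broker-Security-ACLs.html actually carries the 11.3 ACL content and that the sibling pages still linking here (Java-Broker-Security.html, Java-Broker-Security-Group-Providers.html, Java-Broker-Security-SSL.html, and the External provider paragraph's "ACL is required" link) do not end up as dangling links; if the whole qpid-0.26 tree is being removed, the commit should delete those siblings in the same change rather than leave a half-removed book. Note also that the deleted text documents security-relevant behaviour of the 0.26 broker that operators rely on when hardening deployments (LDAP simple bind delivering the password in the clear and the ldaps:// / truststore advice, the External provider treating non-SASL authentication on non-AMQP ports as successful, the Base64MD5 password-file format), so whatever replaces this page should preserve those statements rather than drop them silently; a one-line commit message saying where the 0.26 documentation now lives would make that traceable.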