
JDBC Security Plugin for ActiveMQ
User Guide

Dejan Bosanac
Total Transaction Management, LLC
An Open Source Solutions Company
570 Rancheros Drive, Suite 140
San Marcos, CA 92069
760-591-0273
www.ttmsolutions.com

Copyright 2008, Total Transaction Management

www.ttmsolutions.com
JDBC Security Plugin for ActiveMQ

Table of Contents

1 Introduction
2 Installation and Configuration
  2.1 Installation
  2.2 ActiveMQ Configuration File
  2.3 Configuring Database Access
    2.3.1 Oracle
    2.3.2 MySQL
    2.3.3 PostgreSQL
    2.3.4 Derby
  2.4 Starting
  2.5 Security Plugin Bean Definition
  2.6 SQL Map
    2.6.1 Configuration file
    2.6.2 Authentication Resource
    2.6.3 Authorization Resource
  2.7 Logging
3 Authentication
4 Authorization
  4.1 Controlling Access to Temporary Resources (Destinations)
  4.2 Wildcards
5 Camel
6 Authentication and Authorization between Message Brokers
7 JMX MBean
8 Abbreviations and Acronyms



1 Introduction

TTM's JDBC Security Plugin (SP) is an ActiveMQ plugin module that uses a relational database (DB) to provide dynamically reconfigurable authentication and authorization (A&A) security services.

The primary benefit of using a JDBC DB is that all A&A information pertaining to ActiveMQ clients and resources (i.e., topics and queues) is centrally stored and managed, and can be protected with the database's own access controls. This is especially attractive for large enterprise environments that employ tens if not hundreds of ActiveMQ message brokers. The combination of SP and DB also provides dynamic runtime configuration: you can modify the A&A information in the DB without stopping and restarting the ActiveMQ message broker(s) for those modifications to take effect.
ActiveMQ is both a message oriented middleware (MOM) system and an extensible messaging framework. One method of extending ActiveMQ's functionality is through its plugin architecture, which allows you to extend the core messaging engine's functionality. This plugin architecture is similar, in concept, to the plugin architecture found in the Apache web server. That is, you develop a plugin module that adheres to a defined interface, which then allows the plugin to be included in the core engine's main event processing chain. The SP adheres to ActiveMQ's plugin interface, and by doing so is able to intercept those client-related events (i.e., connect, read/receive, write/send, admin/create/remove) that require authentication and/or authorization. For example, when a messaging client establishes a connection with the broker, the SP intercepts the connection request event and uses the connection's username and password properties to authenticate the client against the DB. The SP also authorizes clients to ensure they have been granted the proper access rights for the corresponding broker's resources (i.e., queues and topics).
The SP connects to a central database to:

1. Authenticate clients
2. Retrieve clients' security credentials
3. Retrieve the access control lists (ACLs) assigned to a broker's resources (destinations)

This package has been certified for the officially released version of ActiveMQ 5.1. It has not been certified with prior releases or SNAPSHOT versions of 5.1.

The package also includes an administrative JMX MBean. Through this JMX MBean, you can view the SP's properties and issue commands to the SP.


2 Installation and Configuration

2.1 Installation

It is very easy to install the SP:

- Extract the ttm-jdbcsecurity-<version>.zip file to the ${ACTIVEMQ_HOME} folder.
- Put the appropriate JDBC driver in the ${ACTIVEMQ_HOME}/lib/ folder. JDBC drivers for the certified databases are available from:
  - MySQL - http://dev.mysql.com/downloads/connector/j/5.1.html
  - PostgreSQL - http://jdbc.postgresql.org/download.html
  - Oracle - http://www.oracle.com/technology/software/tech/java/sqlj_jdbc/index.html

Anything placed in lib/ is loaded onto the broker's classpath and runs with the broker's privileges, so obtain the driver from the vendor's site and verify its published checksum before installing it.

2.2 ActiveMQ Configuration File

To have the ActiveMQ message broker load the SP on startup, you must define an SP bean within the message broker's Spring XML configuration file (${ACTIVEMQ_HOME}/conf/activemq.xml). There are two ways to do this; the first is shown in the XML listing below, which is a snippet of a message broker's configuration file (the second form of the bean definition appears in Section 2.5). Note how the SP bean, with an id of "jdbcSecurityPlugin", is defined outside the <broker> element and is referenced via the <broker> element's "plugins" attribute.
<!-- ActiveMQ Broker Configuration File -->
<beans
  xmlns="http://www.springframework.org/schema/beans"
  xmlns:amq="http://activemq.org/config/1.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
    http://activemq.org/config/1.0 http://activemq.apache.org/schema/activemq-core.xsd
    http://activemq.apache.org/camel/schema/spring http://activemq.apache.org/camel/schema/spring/camel-spring.xsd">

  <!-- Allows us to use system properties as variables in this configuration file -->
  <bean class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />

  <broker xmlns="http://activemq.org/config/1.0" brokerName="secprototype"
          dataDirectory="${activemq.base}/data"
          plugins="#jdbcSecurityPlugin">

    <transportConnectors>
      <transportConnector name="openwire" uri="tcp://localhost:61616" />
    </transportConnectors>

  </broker>

  <!-- The security plugin itself -->
  <bean id="jdbcSecurityPlugin" class="com.atomicmq.security.jdbc.JdbcSecurityPlugin">
    <property name="sqlMap">
      <ref bean="sqlMap" />
    </property>
  </bean>

  <!-- SqlMap used by the plugin. This example uses the bundled Derby data source;
       data sources for the other certified databases are described in Section 2.3 -->
  <bean id="sqlMap" class="org.springframework.orm.ibatis.SqlMapClientFactoryBean">
    <property name="configLocation">
      <value>file:${activemq.base}/conf/jdbcSecurityPlugin.xml</value>
    </property>
    <property name="dataSource" ref="derby-ds" />
  </bean>

  <!-- define a data source -->
  <bean id="derby-ds" class="org.apache.derby.jdbc.EmbeddedDataSource">
    <property name="databaseName" value="data/atomicmq"/>
  </bean>
</beans>
There are three components of the SP that have to be configured in the activemq.xml file. The first is the plugin itself, which is defined via the bean called "jdbcSecurityPlugin". Second, the SP uses iBatis (http://ibatis.apache.org/) as its object-relational (OR) mapping library, so you have to configure the appropriate SQL map. In this example it is done with the "sqlMap" bean; a detailed explanation of how to configure and customize the SQL maps can be found in Section 2.6, SQL Map. Finally, the SQL map must be provided with a data source, which holds the connection settings for the particular database the SP will use. In the above example it is configured to use the Derby database (the SP comes with a preinstalled Derby database in the .../data/atomicmq folder).

The SP is certified for the following databases:

- Oracle
- MySQL
- PostgreSQL
- Derby

Details on how to initialize a particular database and configure the appropriate data sources can be found in the following sections.
2.3 Configuring Database Access

In order for the SP to operate correctly, you have to initialize the database and configure the data source bean. In the SP's distribution archive you can find the .../conf/init.sql file, which you should have extracted to the ${ACTIVEMQ_HOME}/conf folder. This file contains the SQL script that creates the tables the SP needs. The sample .../conf/activemq.xml file that comes with the SP distribution also contains example data source definitions for all the certified databases.

Two points apply to every data source below. First, the SP only ever reads its tables (the SQL maps in Section 2.6 issue SELECT statements only), so the database account it connects with needs no more than SELECT privilege on the users, authorities and permissions tables; the superuser accounts used in the samples are for test installations only. Second, the data source beans carry the database password as a literal attribute in activemq.xml. The sample configuration already declares a PropertyPlaceholderConfigurer, so the password can instead be supplied through a system property placeholder, and in any case the conf folder should be readable only by the account the broker runs as.

In the following sections we walk through the configuration steps for each certified database.
2.3.1 Oracle

Use your favorite administration tool to create the atomicmq database and initialize the tables via the .../conf/init.sql file.

In the .../conf/activemq.xml file, configure the Oracle data source as follows (the host, SID, username and password shown are the sample's values; substitute your own).

<bean id="oracle-ds" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
  <property name="driverClassName" value="oracle.jdbc.driver.OracleDriver"/>
  <property name="url" value="jdbc:oracle:thin:@194.247.196.1:1521:dev"/>
  <property name="username" value="dejan"/>
  <property name="password" value="bosanac"/>
  <property name="maxActive" value="200"/>
</bean>

Finally, reference this bean from the dataSource property of the sqlMap bean.
2.3.2 MySQL

Assuming that your MySQL server is located on the same host as ActiveMQ, do the following:

- Run the mysql client:
  $ mysql -u root
- Create the atomicmq database:
  mysql> CREATE DATABASE atomicmq;
  mysql> exit;
- Run the init script:
  $ mysql -u root atomicmq < ${ACTIVEMQ_HOME}/conf/init.sql

In the .../conf/activemq.xml file configure the MySQL data source as follows. The sample connects as root with an empty password, which is acceptable only for a local test install; the SP itself needs no more than SELECT on its three tables.

<bean id="mysql-ds" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
  <property name="driverClassName" value="com.mysql.jdbc.Driver" />
  <property name="url" value="jdbc:mysql://localhost/atomicmq?relaxAutoCommit=true" />
  <property name="username" value="root" />
  <property name="password" value="" />
  <property name="maxActive" value="200" />
  <property name="poolPreparedStatements" value="true" />
</bean>

Finally, reference this bean from the dataSource property of the sqlMap bean.
2.3.3 PostgreSQL

Assuming that your PostgreSQL server is located on the same host as ActiveMQ, do the following:

- Run the psql client:
  $ psql -U postgres
- Create the atomicmq database:
  postgres=# CREATE DATABASE atomicmq;
  postgres=# \q
- Run the init script:
  $ psql -U postgres atomicmq < ${ACTIVEMQ_HOME}/conf/init.sql

In the .../conf/activemq.xml file configure the PostgreSQL data source as follows. The portNumber must match the port your server listens on; 5432 is the PostgreSQL default, which is the port the psql commands above connected to. As with the MySQL sample, the postgres superuser with an empty password is for local testing only.

<bean id="postgres-ds" class="org.postgresql.ds.PGPoolingDataSource">
  <property name="serverName" value="localhost"/>
  <property name="databaseName" value="atomicmq"/>
  <property name="portNumber" value="5432"/>
  <property name="user" value="postgres"/>
  <property name="password" value=""/>
  <property name="dataSourceName" value="postgres"/>
  <property name="initialConnections" value="1"/>
  <property name="maxConnections" value="10"/>
</bean>

Finally, reference this bean from the dataSource property of the sqlMap bean.
2.3.4 Derby

The SP comes preinstalled with the Derby database, which is located in the .../data/atomicmq folder. However, if you wish to initialize it on your own, here are the steps. Assuming that Derby (and its ij tool) is properly installed, run the following from the ${ACTIVEMQ_HOME} folder so that the relative paths match the data source definition below:

- Run the Derby ij client:
  $ ${DERBY_HOME}/bin/ij
- Create the database:
  ij> CONNECT 'jdbc:derby:data/atomicmq;create=true';
- Run the init.sql script:
  ij> RUN 'conf/init.sql';
  ij> exit;

In the .../conf/activemq.xml file configure the Derby data source as follows. EmbeddedDataSource runs Derby inside the broker's JVM, so there is no network listener and no database password to manage; what you have to protect is the data/atomicmq directory itself.

<bean id="derby-ds" class="org.apache.derby.jdbc.EmbeddedDataSource">
  <property name="databaseName" value="data/atomicmq"/>
</bean>

Finally, reference this bean from the dataSource property of the sqlMap bean.
2.4 Starting

After completing all the previous steps, you are ready to start the broker. Assuming that the database was correctly initialized and the SP installed and configured, you will see the following INFO statements during the broker's startup phase:

INFO JdbcSecurityBroker - Started
INFO JdbcSecurityBroker - Authorization map successfully populated

If the database is not available during the broker's startup phase, you can expect a warning similar to the following:

WARN JdbcSecurityBroker - Communication with database failed during populating authorization map, reason: org.apache.commons.dbcp.SQLNestedException: Cannot create PoolableConnectionFactory (Communications link failure Last packet sent to the server was 1 ms ago.)

During its lifetime, the SP connects to the database on these events:

1. During its startup, as described above
2. Whenever a client connects to the broker
3. When it is time to refresh its access control lists (more on this in the next section)

Because of the second item, the database sits in the path of every client connection: its availability and the latency of that lookup directly affect clients' ability to connect.



2.5 Security Plugin Bean Definition

The configuration examples in the previous section do not describe all of the SP bean's properties; there are just two of them, so let's take a closer look. The example SP bean definition and the table below list all the properties, their default values, and a brief description.

<bean id="jdbcSecurityPlugin" class="com.atomicmq.security.jdbc.JdbcSecurityPlugin">
  <property name="sqlMap">
    <ref bean="sqlMap" />
  </property>
  <property name="aclRefreshInterval">
    <value>-1</value>
  </property>
</bean>

Property Name: sqlMap
Default Value: (none)
Description: References the iBatis SQL Map configuration, which defines the object-relational mapping used by the SP. SQL Maps are covered in detail in the following section.

Property Name: aclRefreshInterval
Default Value: 1 (the interval is in minutes, i.e. the default refreshes once every 60 seconds)
Description: Specifies how often the SP connects to the database to refresh its in-memory ACLs. During startup the SP connects to the database to initialize its ACLs; at runtime it reconnects to refresh them at this interval. You may want to override the default according to how often access control information changes in your environment, bearing in mind that a permission revoked in the database stays effective in the broker until the next refresh. Through the SP's JMX MBean you can also force an immediate refresh of the ACLs or modify the property's value; note that a value entered through the MBean is not persisted to the broker's XML file. To turn ACL refreshing off, set this property to any negative value (as the example above does), in which case ACL changes are picked up only by a forced refresh via the MBean or a broker restart.

If you do not require any modifications to the SP bean's default property values, simply add one of the following definitions, as described in the previous section, to the broker's XML configuration file:

<bean id="jdbcSecurityPlugin" class="com.atomicmq.security.jdbc.JdbcSecurityPlugin">
  <property name="sqlMap">
    <ref bean="sqlMap" />
  </property>
</bean>

<bean id="jdbcSecurityPlugin" class="com.atomicmq.security.jdbc.JdbcSecurityPlugin"
      xmlns="http://www.springframework.org/schema/beans">
  <property name="sqlMap">
    <ref bean="sqlMap" />
  </property>
</bean>
2.6 SQL Map

The SQL Map is an important part of the SP's configuration, because it defines its relationship to the database. As seen in the example configuration, the SQL Map is configured using the following bean definition:

<bean id="sqlMap" class="org.springframework.orm.ibatis.SqlMapClientFactoryBean">
  <property name="configLocation">
    <value>file:${activemq.base}/conf/jdbcSecurityPlugin.xml</value>
  </property>
  <property name="dataSource" ref="mysql-ds" />
</bean>

The properties and their descriptions are listed below.

Property Name: configLocation
Default Value: (none)
Description: Specifies the name and location of the iBatis SQL Map XML configuration file. It is common for this file to be located in the .../conf folder of your ActiveMQ distribution. The content of this and the related configuration files is described in the following section.

Property Name: dataSource
Default Value: (none)
Description: Specifies the data source bean to use with this SQL Map. Data sources contain all the connection properties for the database you want to use, such as JDBC driver, URL, username and password. They are explained in detail in Section 2.3, Configuring Database Access.
2.6.1 Configuration file

The default SQL Map configuration file (.../conf/jdbcSecurityPlugin.xml) looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE sqlMapConfig PUBLIC "-//iBATIS.com//DTD SQL MAP Config 2.0//EN"
  "http://www.ibatis.com/dtd/sql-map-config-2.dtd">
<!-- iBatis configuration file -->
<sqlMapConfig>
  <settings useStatementNamespaces="true" />
  <!-- Use custom handler to convert boolean to Y/N char values -->
  <typeHandler javaType="boolean" callback="com.atomicmq.util.YNBooleanTypeHandler"/>
  <!-- Include sql maps for authentication and authorization purposes -->
  <sqlMap resource="Authentication.xml"/>
  <sqlMap resource="Authorization.xml"/>
</sqlMapConfig>

This is a typical iBatis SQL Map configuration file. It enables statement namespaces for the maps defined in different resources (Authentication and Authorization in this case), registers a type handler that converts between Java booleans and the database's Y/N char columns (see the database schema in Section 4, Authorization), and finally includes two resources: one used for authentication and one for authorization. The following sections describe these two resources.
2.6.2 Authentication Resource

The authentication resource maps relational data to the com.atomicmq.security.jdbc.User class. This class holds the basic information about a user (client) wanting to connect to the ActiveMQ broker: username, password, status and the groups it belongs to. The following listing is the default configuration used by the plugin (the enabled column is included in the select list because the userMap result map reads it):

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE sqlMap PUBLIC "-//ibatis.apache.org//DTD SQL Map 2.0//EN"
  "http://ibatis.apache.org/dtd/sql-map-2.dtd">
<sqlMap namespace="Authentication">
  <!-- Maps result sets to user bean -->
  <resultMap id="userMap" class="com.atomicmq.security.jdbc.User" groupBy="username">
    <result property="username"/>
    <result property="password"/>
    <result property="enabled"/>
    <result property="authorities" resultMap="Authentication.authorityMap"/>
  </resultMap>
  <!-- Helper map for handling groups -->
  <resultMap id="authorityMap" class="com.atomicmq.security.jdbc.Authority">
    <result property="username"/>
    <result property="authority" column="principal"/>
  </resultMap>
  <!-- selects user details (with its groups) by username -->
  <select id="getUser" resultMap="userMap">
    SELECT users.username, password, enabled, authority as principal
    FROM users, authorities
    WHERE users.username = #value# AND enabled = 'Y'
    AND users.username = authorities.username
  </select>
</sqlMap>

Two result maps are defined here, userMap and authorityMap, which map database rows to the user and authority (group) Java beans, and the getUser query specifies how user data is retrieved. Two details of that query matter operationally. It filters on enabled = 'Y', so disabling a user in the database is enough to refuse new connections from it. It also uses an inner join to authorities, so a user with no row in that table is never returned and cannot authenticate even with a correct password; every user therefore needs at least one group. If you don't plan to use the default database schema for storing user details, you have to make the appropriate modifications to this file.
2.6.3 Authorization Resource

Similar to the authentication resource, the authorization resource defines the mapping between the relational database and the com.atomicmq.security.jdbc.Permission class that holds ACL entries. The following is the default configuration for the authorization resource:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE sqlMap PUBLIC "-//ibatis.apache.org//DTD SQL Map 2.0//EN"
  "http://ibatis.apache.org/dtd/sql-map-2.dtd">
<sqlMap namespace="Authorization">
  <!-- Maps results to permission bean -->
  <resultMap id="permissionMap" class="com.atomicmq.security.jdbc.Permission">
    <result property="destination"/>
    <result property="authority"/>
    <result property="readPermission" column="is_read" javaType="boolean" />
    <result property="writePermission" column="is_write" javaType="boolean" />
    <result property="adminPermission" column="is_admin" javaType="boolean" />
  </resultMap>
  <!-- Gets all permissions -->
  <select id="getPermissions" resultMap="permissionMap">
    SELECT destination, authority, is_read, is_write, is_admin
    FROM permissions
  </select>
</sqlMap>

One result map is defined for the Permission class, together with a query that fetches every permission in the database; this is the query the SP runs at startup and on each ACL refresh (see Section 2.5) to build its in-memory authorization map. If you don't plan to use the default database schema for storing permission details, you have to make the appropriate modifications to this file.
2.7 Logging

To turn on the SP's trace logging, locate the ${ACTIVEMQ_HOME}/conf/log4j.properties file and change the root logger's level from INFO to TRACE, as this line illustrates:

log4j.rootLogger=TRACE, stdout, out

Please note that trace-level logging produces a substantial amount of output to both stdout and the ${ACTIVEMQ_HOME}/data/activemq.log file, so enable it only while diagnosing a problem.
3 Authentication

The SP authenticates an ActiveMQ client while the broker is processing the client's connection request. The request must carry a username and password; if not, the plugin throws an exception and refuses the connection. The plugin first runs the Authentication.getUser query (defined in Authentication.xml) to find a database row matching the connection's username. If no row is found, the plugin throws an exception and refuses the connection. If a row is found, the plugin compares the supplied password with the one stored in the database; if they match the user is authenticated, otherwise the connection is refused.

Note that the default schema stores the password as a cleartext VARCHAR and the comparison is literal, so anyone who can read the users table can impersonate any client. Protect the table, and the connection the SP uses to read it, accordingly.

The User class instance also contains the set of groups the user belongs to. The client's security credentials (username, groups) are collectively referred to as a security context. Every time an ActiveMQ client connects to the broker, the SP queries the database to authenticate the client. If authentication succeeds, the SP creates a security context for the client and binds it to the client's connection object. Subsequent operations (e.g., read, write) made through that connection therefore do not require the SP to re-authenticate against the database, which helps maintain an acceptable level of performance during the connection's lifecycle. The security context is dissolved when the connection is closed. One consequence worth knowing: disabling a user, changing its password or changing its group membership in the database has no effect on that user's connections that are already open; it takes effect the next time the client connects.

The following listing contains the database schema used for authentication and several test data sets (the disabled dejanb account shows that enabled = 'N' alone is enough to refuse a login).

CREATE TABLE users (
  username VARCHAR(50) NOT NULL,
  password VARCHAR(50) NOT NULL,
  enabled CHAR(1) DEFAULT 'Y' NOT NULL
);
ALTER TABLE users ADD CONSTRAINT pk_users primary key (username);

CREATE TABLE authorities (
  username VARCHAR(50) NOT NULL,
  authority VARCHAR(50) NOT NULL
);
ALTER TABLE authorities ADD CONSTRAINT pk_authorities primary key (username, authority);
ALTER TABLE authorities ADD CONSTRAINT fk_authorities_users foreign key (username) REFERENCES users(username);

INSERT INTO users VALUES ('system', 'manager', 'Y');
INSERT INTO users VALUES ('user', 'password', 'Y');
INSERT INTO users VALUES ('guest', 'password', 'Y');
INSERT INTO users VALUES ('dejanb', 'test123', 'N');
INSERT INTO authorities VALUES ('system', 'users');
INSERT INTO authorities VALUES ('system', 'admins');
INSERT INTO authorities VALUES ('user', 'users');
INSERT INTO authorities VALUES ('user', 'tempDestAdmins');
INSERT INTO authorities VALUES ('guest', 'guests');
4 Authorization

When a client asks the broker to perform an operation (read, write, admin) on a resource (topic, queue), the plugin intercepts the request and checks both that the client has been authenticated and that it has been granted the access right needed to perform that operation on the destination. The plugin uses the AuthorizationMap obtained from the database to determine whether the user belongs to a group that has been granted the appropriate permission.

The 'read' and 'write' access rights allow a client to consume from and produce to a particular destination. The 'admin' access right allows a client to create and remove a destination.

The following listing contains the database schema used for authorization and several test data sets. Note that different groups can hold different rights on the same destination pattern: in the sample data 'users' may write to and administer GUEST.> destinations but may not read from them, while 'guests' may do all three.

CREATE TABLE permissions (
  destination VARCHAR(50) NOT NULL,
  authority VARCHAR(50) NOT NULL,
  is_read CHAR(1) DEFAULT 'N' NOT NULL,
  is_write CHAR(1) DEFAULT 'N' NOT NULL,
  is_admin CHAR(1) DEFAULT 'N' NOT NULL
);
ALTER TABLE permissions ADD CONSTRAINT pk_permissions primary key (destination, authority);

INSERT INTO permissions VALUES ('queue://>', 'admins', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('queue://USERS.>', 'users', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('queue://GUEST.>', 'guests', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('queue://GUEST.>', 'users', 'N', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://>', 'admins', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://USERS.>', 'users', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://GUEST.>', 'guests', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://GUEST.>', 'users', 'N', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://ActiveMQ.Advisory.>', 'users', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://ActiveMQ.Advisory.>', 'guests', 'Y', 'Y', 'Y');
4.1 Controlling Access to Temporary Resources (Destinations)

To enable access control for all temporary destinations you must insert a special entry into the permissions table, similar to the following example:

INSERT INTO permissions VALUES ('temp-queue://TEST', 'tempDestAdmins', 'Y', 'Y', 'Y');

Note that you can use both the 'temp-queue' and 'temp-topic' prefixes to configure access to temporary destinations. The particular name of the destination does not matter, because the SP applies a single such entry to all temporary destinations. You can have multiple temporary entries, but only the last one picked up by the SP takes effect; we therefore advise that you have only one such entry.

If you do not define a temporary access entry, everyone will have 'read', 'write' and 'admin' privileges on all temporary resources. Temporary destinations are commonly used as the reply-to channel in request/response messaging, so a deployment that uses them should define this entry rather than leave them open to every authenticated client.
4.2 Wildcards

The SP supports destination name wildcards, which are an ActiveMQ-specific convenience mechanism for referring to multiple destinations within a destination name hierarchy. The previous section illustrated the use of the '>' wildcard when assigning access rights to all advisory topics.

Here is another wildcard example. Suppose your client is publishing price messages from a stock exchange feed. You might use a destination naming format such as PRICE.STOCK.NASDAQ.JAVA to publish Sun's price on NASDAQ and PRICE.STOCK.NYSE.IBM to publish IBM's price on the New York Stock Exchange. A subscriber could then use exact destination names to subscribe to exactly the prices it requires, or it could use wildcards to define hierarchical pattern matches over the destinations it subscribes to.

ActiveMQ supports the following wildcards, which are not part of the JMS specification:

- The '.' character separates names in a path.
- The '*' character matches any single name in a path.
- The '>' character recursively matches any destination starting from this name.

Using the example above, these subscriptions are possible, and the same patterns can be used in access control entries:

Subscription             Meaning
PRICE.>                  Any price for any product on any exchange
PRICE.STOCK.>            Any price for a stock on any exchange
PRICE.STOCK.NASDAQ.*     Any stock price on NASDAQ
PRICE.STOCK.*.IBM        Any IBM stock price on any exchange
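The authentication and authorization path described in Sections 3, 4 and 4.2 can be exercised end to end against the guide's own schema and test data. The following Python script is an added example written for this guide, not code from the plugin or from TTM: it loads the schema and sample rows into an in-memory SQLite database (the ALTER TABLE constraints are written inline because SQLite does not support them), runs the Authentication.getUser query, and then evaluates read/write/admin requests against the permissions table with a wildcard matcher modelled on ActiveMQ's '.', '*' and '>' rules. How the real SP combines several matching entries is not stated on this page; this example grants an operation if any matching entry grants it to any of the client's groups, and that rule, like the matcher itself, is an assumption of the example to be checked against your installation. The 'orphan' user row is constructed for the example to show that the getUser join excludes users with no authorities row.

```python
"""Added example (not the plugin's code): models the SP's authentication and
authorization decisions against the guide's schema and sample data."""
import sqlite3
from typing import Optional

# Schema from the guide; keys are inlined because SQLite lacks
# ALTER TABLE ... ADD CONSTRAINT.
SCHEMA = """
CREATE TABLE users (username VARCHAR(50) NOT NULL PRIMARY KEY,
    password VARCHAR(50) NOT NULL, enabled CHAR(1) DEFAULT 'Y' NOT NULL);
CREATE TABLE authorities (username VARCHAR(50) NOT NULL REFERENCES users(username),
    authority VARCHAR(50) NOT NULL, PRIMARY KEY (username, authority));
CREATE TABLE permissions (destination VARCHAR(50) NOT NULL, authority VARCHAR(50) NOT NULL,
    is_read CHAR(1) DEFAULT 'N' NOT NULL, is_write CHAR(1) DEFAULT 'N' NOT NULL,
    is_admin CHAR(1) DEFAULT 'N' NOT NULL, PRIMARY KEY (destination, authority));
"""

# Test data from the guide plus one constructed row: 'orphan' is enabled but
# has no authorities row, so getUser's inner join never returns it.
DATA = """
INSERT INTO users VALUES ('system', 'manager', 'Y');
INSERT INTO users VALUES ('user', 'password', 'Y');
INSERT INTO users VALUES ('guest', 'password', 'Y');
INSERT INTO users VALUES ('dejanb', 'test123', 'N');
INSERT INTO users VALUES ('orphan', 'secret', 'Y');
INSERT INTO authorities VALUES ('system', 'users');
INSERT INTO authorities VALUES ('system', 'admins');
INSERT INTO authorities VALUES ('user', 'users');
INSERT INTO authorities VALUES ('user', 'tempDestAdmins');
INSERT INTO authorities VALUES ('guest', 'guests');
INSERT INTO permissions VALUES ('queue://>', 'admins', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('queue://USERS.>', 'users', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('queue://GUEST.>', 'guests', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('queue://GUEST.>', 'users', 'N', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://>', 'admins', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://ActiveMQ.Advisory.>', 'users', 'Y', 'Y', 'Y');
INSERT INTO permissions VALUES ('topic://ActiveMQ.Advisory.>', 'guests', 'Y', 'Y', 'Y');
"""

# Authentication.getUser with iBatis' #value# replaced by a bound parameter.
GET_USER = """
SELECT users.username, password, authority AS principal
FROM users, authorities
WHERE users.username = ? AND enabled = 'Y'
  AND users.username = authorities.username
"""
# Authorization.getPermissions, as run at startup and on every ACL refresh.
GET_PERMISSIONS = "SELECT destination, authority, is_read, is_write, is_admin FROM permissions"


def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + DATA)
    return db


def authenticate(db: sqlite3.Connection, username: str, password: str) -> Optional[frozenset]:
    """Return the security context (the user's groups), or None when the
    connection must be refused: unknown user, enabled = 'N', no group, or a
    password that differs from the stored (cleartext) value."""
    rows = db.execute(GET_USER, (username,)).fetchall()
    if not rows:
        return None
    if rows[0][1] != password:  # literal comparison, as the guide describes
        return None
    return frozenset(row[2] for row in rows)


def _split(name: str):
    """'queue://A.B' -> ('queue', ['A', 'B']); bare names get type ''."""
    kind, sep, path = name.partition("://")
    return (kind, path.split(".")) if sep else ("", name.split("."))


def matches(pattern: str, destination: str) -> bool:
    """Wildcard match modelled on ActiveMQ's rules (assumption: the SP's own
    matcher is not shown in the guide): '.' separates names, '*' matches
    exactly one name, '>' matches the rest of the path."""
    ptype, ppath = _split(pattern)
    dtype, dpath = _split(destination)
    if ptype != dtype:
        return False
    for i, name in enumerate(ppath):
        if name == ">":
            return True
        if i >= len(dpath) or (name != "*" and name != dpath[i]):
            return False
    return len(ppath) == len(dpath)


def authorize(db: sqlite3.Connection, groups: frozenset, operation: str, destination: str) -> bool:
    """True if some permissions row whose pattern matches the destination
    grants `operation` ('read', 'write' or 'admin') to one of the groups."""
    column = {"read": 2, "write": 3, "admin": 4}[operation]
    return any(row[1] in groups and row[column] == "Y" and matches(row[0], destination)
               for row in db.execute(GET_PERMISSIONS))
```

Running the sample data through this model reproduces the asymmetry in the guide's permissions table: a client in the users group can write to and administer queue://GUEST.ORDERS but is refused a read, while a disabled user (dejanb) and the constructed group-less user (orphan) never get a security context at all.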


5
Camel
You’ll notice that the default ActiveMQ XML broker configuration file (activemq.xml) may come with the following sample Camel XML configuration.

<camelContext id="camel" xmlns="http://activemq.apache.org/camel/schema/spring">
    <package>org.foo.bar</package>
    <route>
        <from uri="activemq:example.A"/>
        <to uri="activemq:example.B"/>
    </route>
</camelContext>
The above configuration is not set up to work within a secure environment. That is, Camel establishes a connection with ActiveMQ, but does not provide a username and password. Therefore, when ActiveMQ security is enabled, the above configuration results in a security exception. The exception will be thrown multiple times, because Camel will continue to retry the connection. If you’re not using Camel, comment out the above XML code. If you are using Camel, consult the Camel web site for information on how to configure Camel to establish ActiveMQ connections that provide a username and password: http://activemq.apache.org/camel/
6 Authentication and Authorization between Message Brokers
If you have enabled authentication for a particular message broker, then other brokers that wish to connect to that broker must provide the proper authentication credentials via their <networkConnector> element.
For example, let’s suppose that we have a network of brokers (NoB) with the following configuration:
- The NoB comprises two brokers (BrokerA and BrokerB).
- We have enabled authentication for BrokerA via the SP.
- Authentication for BrokerB has not been enabled.

- BrokerA only listens for connections. In other words, BrokerA has a <transportConnector> element, but no <networkConnector> elements.
In order for BrokerB to connect to BrokerA, the corresponding <networkConnector> element in BrokerB’s XML configuration file must be set up as follows.
<networkConnectors>
    <!-- A connector used for connecting to brokerA -->
    <networkConnector name="brokerAbridge"
                      userName="user"
                      password="password"
                      uri="static://(tcp://brokerA:61616)"/>
</networkConnectors>
Note how BrokerB’s <networkConnector> element must provide the proper authentication credentials in order to connect to BrokerA. The userName assigned to that <networkConnector> element must also have the proper ‘authorization’ credentials if ‘authorization’ has been enabled on BrokerA. Messages cannot be forwarded from BrokerB to BrokerA if BrokerA has authorization enabled and BrokerB’s corresponding <networkConnector> element’s userName has not been given the proper authorization credentials.
Also, if BrokerA is given a <networkConnector> element so that it can initiate a connection to BrokerB, then that <networkConnector> must also be given a userName/password combination that is defined in BrokerA’s SP security configuration file; this is required even though BrokerB does not have security services enabled.
7 JMX MBean
The SP includes an administrative MBean that displays a running SP’s properties. The MBean also accepts the following commands.
- stop/start: The ‘stop’ and ‘start’ commands disable and enable the SP security, respectively. When the plugin is disabled, authentication and authorization services are no longer active and the plugin stops checking the database for authorization updates.
- stopAuthorization/startAuthorization: The ‘stopAuthorization’ and ‘startAuthorization’ commands disable and enable authorization, respectively. Please note that authorization is dependent on authentication being enabled.
- refreshAcl: Forces the SP to immediately connect to the database and refresh its in-memory ACLs.
The following are a series of images that illustrate the SP’s MBean from within a JConsole session.
The image below illustrates the SP’s MBean, which is listed as “TTM-LDAP Security-Plugin”.
The image below illustrates how the SP’s properties are displayed, via a Name-Value table, when the SP MBean is selected. The AclRefreshInterval property’s value is mutable (that is why the “60” string is blue), but please note that any new value entered will not be persisted out to the broker’s XML configuration file.
This last image illustrates the plugin operations that can be performed via the MBean.
8 Abbreviations and Acronyms
ACL   Access Control List
DB    Database
SP    Security Plugin