To build upon authentication, consider a use case requiring more fine-grained control over clients to authorize certain tasks. ActiveMQ provides two levels of authorization: operation-level authorization and message-level authorization. These two types of authorization provide a more detailed level of control than simple authentication. This section discusses these two types of authorization and walks through some examples to demonstrate each.

There are three types of user-level operations with JMS destinations:

  • Read — The ability to receive messages from the destination
  • Write — The ability to send messages to the destination
  • Admin — The ability to administer the destination

Through these well-known operations, you can control the ability to perform the operations. Using the ActiveMQ XML configuration file, such authorization can be easily defined. Take a look at the following listing to add some operation-specific authorization to some destinations.

...
<plugins>
<plugins>
<jaasAuthenticationPlugin configuration="activemq-domain"/>
</plugins>
<authorizationPlugin>
<map>
<authorizationMap>
<authorizationEntries>
<authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
<authorizationEntry queue="EXAMPLE.>" read="consumers" write="producers" admin="producers"/>
<authorizationEntry queue="EXAMPLE.HelloQueue" read="guests"/>
<authorizationEntry topic="ActiveMQ.Advisory.>"
read="admins,producers,consumers,guests"
write="admins,producers,consumers,guests"
admin="admins,producers,consumers,guests"/>
</authorizationEntries>
</authorizationMap>
</map>
</authorizationPlugin>
</plugins>
...

In the listing, the JAAS authorization plug-in has been defined and pointed at the activemq-domain configuration in the login.config file. It has also been provided with a map of authorization entries. When configuring the map of authorization entries, the first task is to define the destination to be secured. This is achieved through the use of either a topic or a queue attribute on the entry. The next task is to declare which users and/or groups have privileges for operations on that destination.

A handy feature is the ability to define the destination value using wildcards. For example, EXAMPLE.> means the entry applies to all destinations in the EXAMPLE path recursively. Also, the authorization operations will accept either a single group or a comma-separated list of groups as a value.

Considering this explanation, the configuration used in the previous example can be translated as follows:

  • Users from the admins group have full access to all queues
  • Consumers can consume and producers can send messages to the destinations in the EXAMPLE path
  • Guests can only consume from the EXAMPLE.HelloQueue queue

ActiveMQ(5.10.0) - Destination-level authorization的更多相关文章

  1. ActiveMQ 5.10.0 安装与配置

    先在官网下载activeMQ,我这里是5.10.0. 然后在解压在一个文件夹下即可. 我这里是:D:\apache-activemq-5.10.0-bin 然后进入bin目录:D:\apache-ac ...

  2. ActiveMQ(5.10.0) - Configuring the JAAS Authentication Plug-in

    JAAS provides pluggable authentication, which means ActiveMQ will use the same authentication API re ...

  3. ActiveMQ(5.10.0) - Spring Support

    Maven Dependency: <dependencies> <dependency> <groupId>org.apache.activemq</gro ...

  4. ActiveMQ(5.10.0) - 删除闲置的队列或主题

    方法一 通过 ActiveMQ Web 控制台删除. 方法二 通过 Java 代码删除. ActiveMQConnection.destroyDestination(ActiveMQDestinati ...

  5. ActiveMQ(5.10.0) - hello world

    Sending a JMS message public class MyMessageProducer { ... // 创建连接工厂实例 ConnectionFactory connFactory ...

  6. ActiveMQ(5.10.0) - Connection Configuration URI

    An Apache ActiveMQ connection can be configured by explicitly setting properties on the ActiveMQConn ...

  7. ActiveMQ(5.10.0) - Configuring the Simple Authentication Plug-in

    The easiest way to secure the broker is through the use of authentication credentials placed directl ...

  8. ActiveMQ(5.10.0) - Building a custom security plug-in

    If none of any built-in security mechanisms works for you, you can always build your own. Though the ...

  9. ActiveMQ(5.10.0) - JNDI Support

    1. Place the jndi.properties file on the classpath. java.naming.factory.initial = org.apache.activem ...

随机推荐

  1. JQuery学习使用笔记 -- JQuery插件开发

    内容转载自 http://www.css88.com/archives/4821 扩展jQuery插件和方法的作用是非常强大的,它可以节省大量开发时间.这篇文章将概述jQuery插件开发的基本知识,最 ...

  2. QString 与 QByteArray笔记

    程序中在于外设打交到是常常会用到读硬件显示到控件,或是读控件写到硬件的情况,操作的最多的是字节流,所以肯定会用到QString 和QByteArray,下面测试一些常用的转换: #include &l ...

  3. C#学习笔记(五):泛型

    认识泛型 泛型使类型参数化,从而实现了算法上的代码重用. 同时由于去掉了转换中装箱和拆箱的操作,使用泛型还可以提高程序的运行速度. 我们先看看C#自带的使用了泛型的类: using System.Co ...

  4. ORA-01033: ORACLE initialization or shutdown in progress 实用的处理方法

    ORA-01033: ORACLE initialization or shutdown in progress 实用的处理方法,此问题通常是由于电脑非正常关机造成的,我们可以用下面的方法查找出是那个 ...

  5. 简单http笔记

    https是以安全为目的的网络传输协议,可以认为是http的安全版,https使用ssl协议保证安全传输.https位于网络模型的应用层,使用默认端口443进行通信,URL以https开头是https ...

  6. vs2012下安装VisualHG

    好久没写东西了.懒了.最近开发用到HG,记录一下.希望对用这个的有用 http://visualhg.codeplex.com/ 这里下载 VisualHG 安装完默认情况下 源代码管理出不来Visu ...

  7. usr/bin/ld: cannot find 错误解决方法

    参考:http://blog.siyebocai.cn/20100324_5p424qs7.html 通常在软件编译时出现的usr/bin/ld: cannot find -lxxx的错误,主要的原因 ...

  8. [C#]匿名类型的深拷贝

    .net Framework 3.5 + C# 3 发布了包括LinQ等一系列功能,其中包括了匿名类型,而我们在升级到.net4后,发现原来写好的用于POCO的深拷贝方法 static object ...

  9. 解决ccSvcHst.exe CPU占用超50%的问题,及其缘由

    无意中发现任务管理器中一个非常奇特的进程,迅速吃掉了我50%的cpu资源,并且是持续性的,于是上google一番查找,终于有了新的发现. 非常多问答产品所有都是清一色的 错误解决方式: 正常情况下,系 ...

  10. 让WPS支持VHDL的关键词加粗

    WPS的VBA在这里下载:http://bbs.wps.cn/forum.php?mod=viewthread&tid=22347925 语法高亮是参考Word的,这篇文章:http://bl ...