To build upon authentication, consider a use case requiring more fine-grained control over clients to authorize certain tasks. ActiveMQ provides two levels of authorization: operation-level authorization and message-level authorization. These two types of authorization provide a more detailed level of control than simple authentication. This section discusses these two types of authorization and walks through some examples to demonstrate each.

There are three types of user-level operations with JMS destinations:

  • Read — The ability to receive messages from the destination
  • Write — The ability to send messages to the destination
  • Admin — The ability to administer the destination

By granting or withholding these well-known operations per destination, you control what each group of clients is allowed to do. Such authorization is defined in the ActiveMQ XML configuration file. The following listing adds operation-specific authorization to some destinations.

...
<plugins>
  <!-- Authentication: JAAS, using the activemq-domain entry in login.config -->
  <jaasAuthenticationPlugin configuration="activemq-domain"/>
  <!-- Authorization: per-destination read/write/admin groups -->
  <authorizationPlugin>
    <map>
      <authorizationMap>
        <authorizationEntries>
          <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
          <authorizationEntry queue="EXAMPLE.>" read="consumers" write="producers" admin="producers"/>
          <authorizationEntry queue="EXAMPLE.HelloQueue" read="guests"/>
          <authorizationEntry topic="ActiveMQ.Advisory.>"
                              read="admins,producers,consumers,guests"
                              write="admins,producers,consumers,guests"
                              admin="admins,producers,consumers,guests"/>
        </authorizationEntries>
      </authorizationMap>
    </map>
  </authorizationPlugin>
</plugins>
...

In the listing, the JAAS authentication plug-in has been defined and pointed at the activemq-domain configuration in the login.config file, and the authorization plug-in has been provided with a map of authorization entries. When configuring the map of authorization entries, the first task is to define the destination to be secured. This is achieved through the use of either a topic or a queue attribute on the entry. The next task is to declare which users and/or groups have privileges for each operation (read, write, admin) on that destination.

A handy feature is the ability to define the destination value using wildcards. For example, EXAMPLE.> means the entry applies to all destinations in the EXAMPLE path recursively. Also, the authorization operations will accept either a single group or a comma-separated list of groups as a value.

Considering this explanation, the configuration used in the previous example can be translated as follows:

  • Users from the admins group have full access to all queues
  • Consumers can consume and producers can send messages to the destinations in the EXAMPLE path
  • Guests can only consume from the EXAMPLE.HelloQueue queue
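
To check a translation like the one above mechanically, the following added example (not part of the original article or of ActiveMQ) parses the authorization entries from the listing and reports which groups may perform an operation on a given destination. It assumes that the groups of every matching entry are combined, which is the reading the list above relies on (admins keep access to EXAMPLE queues); the function names and the simplified wildcard matcher are hypothetical.

```python
import xml.etree.ElementTree as ET

# Entries copied from the listing above (authorizationEntries element only).
CONFIG = """
<authorizationEntries>
  <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
  <authorizationEntry queue="EXAMPLE.>" read="consumers" write="producers" admin="producers"/>
  <authorizationEntry queue="EXAMPLE.HelloQueue" read="guests"/>
  <authorizationEntry topic="ActiveMQ.Advisory.>"
                      read="admins,producers,consumers,guests"
                      write="admins,producers,consumers,guests"
                      admin="admins,producers,consumers,guests"/>
</authorizationEntries>
"""

def pattern_matches(pattern, name):
    """Simplified matcher: '>' covers the rest of the path, '*' one segment."""
    pat, segs = pattern.split("."), name.split(".")
    for i, p in enumerate(pat):
        if p == ">":
            return True
        if i >= len(segs) or (p != "*" and p != segs[i]):
            return False
    return len(pat) == len(segs)

def allowed_groups(config_xml, kind, name, operation):
    """Union of groups granted `operation` by every entry matching the destination.

    kind is "queue" or "topic"; operation is "read", "write" or "admin".
    Assumption: ACLs of all matching entries are combined (see lead-in).
    """
    groups = set()
    for entry in ET.fromstring(config_xml).iter("authorizationEntry"):
        pattern = entry.get(kind)
        if pattern and pattern_matches(pattern, name):
            acl = entry.get(operation, "")
            groups.update(g.strip() for g in acl.split(",") if g.strip())
    return groups

def audit(config_xml, destinations, operations=("read", "write", "admin")):
    """Map (kind, name, operation) to the sorted list of groups allowed."""
    return {(kind, name, op): sorted(allowed_groups(config_xml, kind, name, op))
            for kind, name in destinations for op in operations}

if __name__ == "__main__":
    # Constructed destination names used only for this demonstration.
    sample = [("queue", "EXAMPLE.HelloQueue"), ("queue", "EXAMPLE.Orders"),
              ("queue", "BILLING.In"), ("topic", "ActiveMQ.Advisory.Connection")]
    for key, groups in audit(CONFIG, sample).items():
        print(key, groups or "DENIED")
```

Running it shows that guests appear only in the read list of EXAMPLE.HelloQueue, and that a destination with no matching entry (for example any topic outside ActiveMQ.Advisory) yields an empty group set.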
