You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by kw...@apache.org on 2014/10/31 00:37:04 UTC
svn commit: r1635639 - in /qpid/trunk/qpid/doc/book/src/java-broker: ./
security/
Author: kwall
Date: Thu Oct 30 23:37:03 2014
New Revision: 1635639
URL: http://svn.apache.org/r1635639
Log:
QPID-6108: [Java Documentation] Refactor security/auth providers section into separate files to allow for convenient re-purposing of the document
Added:
qpid/trunk/qpid/doc/book/src/java-broker/security/
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml
- copied, changed from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-ACLs.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Anonymous.xml
- copied, changed from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Base64MD5PasswordFile.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-External.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Kerberos.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5PasswordFile.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Plain.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-PlainPasswordFile.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-ScramSha.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml
- copied, changed from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Configuration-Encryption.xml
qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Group-Providers.xml
- copied, changed from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Group-Providers.xml
Removed:
qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-ACLs.xml
qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Authentication-Providers.xml
qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Configuration-Encryption.xml
qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Group-Providers.xml
Modified:
qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Runtime-Disk-Space-Management-Producer-Flow-Control.xml
qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml
Modified: qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Runtime-Disk-Space-Management-Producer-Flow-Control.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Runtime-Disk-Space-Management-Producer-Flow-Control.xml?rev=1635639&r1=1635638&r2=1635639&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Runtime-Disk-Space-Management-Producer-Flow-Control.xml (original)
+++ qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Runtime-Disk-Space-Management-Producer-Flow-Control.xml Thu Oct 30 23:37:03 2014
@@ -172,11 +172,5 @@ WARN Message send delayed by 10s due t
-Dqpid.flow_control_wait_failure=60000
-Dqpid.flow_control_wait_notify_period=10000
</programlisting>
- <section role="h3">
- <title>Older Clients</title>
- <para>
- The flow control feature was first added to the Java broker/client in the 0.6 release. If an older client connects to the broker then the flow control commands will be ignored by it and it will not be blocked. So to fully benefit from this feature both Client and Broker need to be at least version 0.6.
- </para>
- </section>
</section> <!-- Client impact and configuration -->
</section>
Modified: qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml?rev=1635639&r1=1635638&r2=1635639&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml (original)
+++ qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml Thu Oct 30 23:37:03 2014
@@ -22,8 +22,8 @@
<chapter id="Java-Broker-Security">
<title>Security</title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Group-Providers.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-ACLs.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Configuration-Encryption.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="security/Java-Broker-Security-Authentication-Providers.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="security/Java-Broker-Security-Group-Providers.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="security/Java-Broker-Security-ACLs.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="security/Java-Broker-Security-Configuration-Encryption.xml"/>
</chapter>
Copied: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml (from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-ACLs.xml)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml?p2=qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-ACLs.xml&p1=qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-ACLs.xml&r1=1635548&r2=1635639&rev=1635639&view=diff
==============================================================================
(empty)
Copied: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Anonymous.xml (from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Anonymous.xml?p2=qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Anonymous.xml&p1=qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml&r1=1635548&r2=1635639&rev=1635639&view=diff
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security.xml (original)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Anonymous.xml Thu Oct 30 23:37:03 2014
@@ -1,4 +1,6 @@
-<?xml version="1.0"?>
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
<!--
Licensed to the Apache Software Foundation (ASF) under one
@@ -19,11 +21,10 @@
under the License.
-->
+<section id="Java-Broker-Security-Anonymous-Provider">
+ <title>Anonymous</title>
-<chapter id="Java-Broker-Security">
- <title>Security</title>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Group-Providers.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-ACLs.xml"/>
- <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Configuration-Encryption.xml"/>
-</chapter>
+ <para> The Anonymous Authentication Provider will allow users to connect with or without
+ credentials and result in their identification on the broker as the user ANONYMOUS. This
+ Provider does not require specification of any additional attributes on creation. </para>
+</section>
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Base64MD5PasswordFile.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Base64MD5PasswordFile.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Base64MD5PasswordFile.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Base64MD5PasswordFile.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<section id="Java-Broker-Security-Base64MD5PasswordFile-Provider">
+ <title>Base64MD5 Password File <emphasis>(Deprecated)</emphasis></title>
+ <para><emphasis>This provider is deprecated and will be removed in a future release. The
+ <link linkend="Java-Broker-Security-MD5-Provider">MD5</link> provider should be used
+ instead.</emphasis></para>
+ <para> Base64MD5PasswordFile Provider uses local file to store and manage user credentials
+ similar to PlainPasswordFile but instead of storing a password the MD5 password digest encoded
+ with Base64 encoding is stored in the file. When creating an authentication provider the path
+ to the file needs to be specified. If specified file does not exist an empty file is created
+ automatically on Authentication Provider creation. On Base64MD5PasswordFile Provider deletion
+ the password file is deleted as well.</para>
+ <para>For this provider user credentials can be added, removed or changed using
+ Management.</para>
+ <section>
+ <title>Base64MD5 File Format</title>
+ <para> The user credentials are stored on the single file line as user name and user password
+ pairs separated by colon character. The password is stored MD5 digest/Base64 encoded. This
+ file must not be modified externally whilst the Broker is running.</para>
+ </section>
+</section>
\ No newline at end of file
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-External.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-External.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-External.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-External.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<section id="Java-Broker-Security-External-Provider">
+ <title>External (SSL Client Certificates)</title>
+
+ <para> When <link linkend="Java-Broker-Management-Managing-Truststores"> requiring SSL Client
+ Certificates</link> be presented the External Authentication Provider can be used, such that
+ the user is authenticated based on trust of their certificate alone, and the X500Principal
+ from the SSL session is then used as the username for the connection, instead of also
+ requiring the user to present a valid username and password. </para>
+
+ <para>
+ <emphasis role="bold">Note:</emphasis> The External Authentication Provider should typically
+ only be used on the AMQP/HTTP ports, in conjunction with <link
+ linkend="Java-Broker-Management-Managing-Ports">SSL client certificate
+ authentication</link>. It is not intended for other uses such as the JMX management port and
+ will treat any non-sasl authentication processes on these ports as successful with the given
+ username. As such you should configure another Authentication Provider for use on JMX
+ ports.</para>
+
+ <para>On creation of External Provider the use of full DN or username CN as a principal name can
+ be configured. If attribute "Use the full DN as the Username" is set to "true" the full DN is
+ used as an authenticated principal name. If attribute "Use the full DN as the Username" is set
+ to "false" the user name CN part is used as the authenticated principal name. Setting the
+ field to "false" is particular useful when <link linkend="Java-Broker-Security-ACLs"
+ >ACL</link> is required, as at the moment, ACL does not support commas in the user name.
+ </para>
+</section>
+
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Kerberos.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Kerberos.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Kerberos.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Kerberos.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<section id="Java-Broker-Security-Kerberos-Provider">
+ <title>Kerberos</title>
+
+ <para> Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the
+ connections. </para>
+
+ <para> Configuration of kerberos is done through system properties (there doesn't seem to be a
+ way around this unfortunately). </para>
+
+ <programlisting>
+ export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf
+ ${QPID_HOME}/bin/qpid-server
+ </programlisting>
+
+ <para>Where qpid.conf would look something like this:</para>
+
+ <programlisting><![CDATA[
+com.sun.security.jgss.accept {
+ com.sun.security.auth.module.Krb5LoginModule required
+ useKeyTab=true
+ storeKey=true
+ doNotPrompt=true
+ realm="EXAMPLE.COM"
+ useSubjectCredsOnly=false
+ kdc="kerberos.example.com"
+ keyTab="/path/to/keytab-file"
+ principal="<name>/<host>";
+};]]></programlisting>
+
+ <para> Where realm, kdc, keyTab and principal should obviously be set correctly for the
+ environment where you are running (see the existing documentation for the C++ broker about
+ creating a keytab file). </para>
+
+ <para> Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength
+ Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </para>
+
+ <para> Since Kerberos support only works where SASL authentication is available (e.g. not for
+ JMX authentication) you may wish to also include an alternative Authentication Provider
+ configuration, and use this for JMX and HTTP ports. </para>
+
+</section>
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-LDAP.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,99 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd"
+[
+<!ENTITY % entities SYSTEM "../commonEntities.xml">
+%entities;
+]>
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<section id="Java-Broker-Security-LDAP-Provider">
+ <title>Simple LDAP</title>
+
+ <para> The Simple LDAP authenticates connections against a Directory (LDAP). </para>
+ <para> To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: <itemizedlist>
+ <listitem>
+ <para><emphasis>LDAP server URL</emphasis> is the URL of the server, for example,
+ <literal>ldaps://example.com:636</literal></para>
+ </listitem>
+ <listitem>
+ <para><emphasis>Search context</emphasis> is the distinguished name of the search base
+ object. It defines the location from which the search for users begins, for example,
+ <literal>dc=users,dc=example,dc=com</literal></para>
+ </listitem>
+ <listitem>
+ <para><emphasis>Search filter</emphasis> is a DN template to find an LDAP user entry by
+ provided user name, for example, <literal>(uid={0})</literal></para>
+ </listitem>
+ </itemizedlist> Additionally, the following optional fields can be specified: <itemizedlist>
+ <listitem>
+ <para><emphasis>LDAP context factory</emphasis> is a fully qualified class name for the
+ JNDI LDAP context factory. This class must implement the <ulink
+ url="&oracleJdkDocUrl;javax/naming/spi/InitialContextFactory.html"
+ >InitialContextFactory</ulink> interface and produce instances of <ulink
+ url="&oracleJdkDocUrl;javax/naming/directory/DirContext.html">DirContext</ulink>. If
+ not specified a default value of <literal>com.sun.jndi.ldap.LdapCtxFactory</literal> is
+ used.</para>
+ </listitem>
+ <listitem>
+ <para><emphasis>LDAP authentication URL</emphasis> is the URL of LDAP server for
+ performing "ldap bind". If not specified, the <emphasis>LDAP server URL</emphasis> will
+ be used for both searches and authentications.</para>
+ </listitem>
+ <listitem>
+ <para><emphasis>Truststore name</emphasis> is a name of <link
+ linkend="Java-Broker-Management-Managing-Truststores-Attributes">configured
+ truststore</link>. Use this if connecting to a Directory over SSL (i.e. ldaps://)
+ which is protected by a certificate signed by a private CA (or utilising a self-signed
+ certificate).</para>
+ </listitem>
+ </itemizedlist>
+ </para>
+
+ <important>
+ <para>In order to protect the security of the user's password, when using LDAP authentication,
+ you must: </para>
+ <itemizedlist>
+ <listitem>
+ <para>Use SSL on the broker's AMQP, HTTP and JMX ports to protect the password during
+ transmission to the Broker. The Broker enforces this restriction automatically on AMQP
+ and HTTP ports.</para>
+ </listitem>
+ <listitem>
+ <para>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password
+ during transmission from the Broker to the Directory.</para>
+ </listitem>
+ </itemizedlist>
+ </important>
+
+ <para> The LDAP Authentication Provider works in the following manner. If not in <literal>bind
+ without search</literal> mode, it first connects to the Directory and searches for the ldap
+ entity which is identified by the username. The search begins at the distinguished name
+ identified by <literal>Search Context</literal> and uses the username as a filter. The search
+ scope is sub-tree meaning the search will include the base object and the subtree extending
+ beneath it. </para>
+
+ <para> If the search returns a match, or is configured in <literal>bind without search</literal>
+ mode, the Authentication Provider then attempts to bind to the LDAP server with the given name
+ and the password. Note that <ulink
+ url="&oracleJdkDocUrl;javax/naming/Context.html#SECURITY_AUTHENTICATION">simple security
+ authentication</ulink> is used so the Directory receives the password in the clear. </para>
+</section>
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+-->
+<section id="Java-Broker-Security-MD5-Provider">
+ <title>MD5 Provider</title>
+
+ <para> MD5 Provider uses the Broker configuration itself to store the database of
+ users (unlike the <link linkend="Java-Broker-Security-Base64MD5PasswordFile-Provider"
+ >Base64MD5 Password File</link>, there is no separate password file). Rather than store the
+ unencrypted user password (as the Plain provider does) it instead stores the MD5 password
+ digest. This can be further encrypted using the
+ facilities described in <xref linkend="Java-Broker-Security-Configuration-Encryption"
+ />.</para>
+ <para>For this provider user credentials can be added, removed or changed using
+ Management.</para>
+</section>
\ No newline at end of file
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5PasswordFile.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5PasswordFile.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5PasswordFile.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-MD5PasswordFile.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://docbook.org/xml/4.5/docbookx.dtd"
+[ <!ENTITY % xinclude SYSTEM "internal/xinclude.mod">
+%xinclude;
+]>
+<book>
+ <bookinfo>
+ <title>Book with XInclude Template Title</title>
+ <author>
+ <firstname>Author First Name</firstname>
+ <surname>Author Last Name</surname>
+ </author>
+ </bookinfo>
+ <part>
+ <title>First Part </title>
+ <chapter>
+ <title>Chapter Title</title>
+ <sect1>
+ <title>Section1 Title</title>
+ <para>Text</para>
+ </sect1>
+ </chapter>
+ </part>
+</book>
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Plain.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Plain.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Plain.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-Plain.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<section id="Java-Broker-Security-Plain-Provider">
+ <title>Plain</title>
+ <para>The Plain Provider uses the Broker configuration itself to store the database of users
+ (unlike the <link linkend="Java-Broker-Security-PlainPasswordFile-Provider"
+ >PlainPasswordFile</link>, there is no separate password file). As the name suggests,
+ the user data (including password) is not hashed in any way. In order to provide encryption,
+ the facilities described in <xref linkend="Java-Broker-Security-Configuration-Encryption"/>
+ must be used.</para>
+ <para>For this provider user credentials can be added, removed or changed using
+ Management.</para>
+</section>
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-PlainPasswordFile.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-PlainPasswordFile.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-PlainPasswordFile.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-PlainPasswordFile.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<section id="Java-Broker-Security-PlainPasswordFile-Provider">
+ <title>Plain Password File <emphasis>(Deprecated)</emphasis></title>
+ <para><emphasis>This provider is deprecated and will be removed in a future release. The <link
+ linkend="Java-Broker-Security-Plain-Provider">Plain</link> provider should be used
+ instead.</emphasis></para>
+ <para> The PlainPasswordFile Provider uses local file to store and manage user credentials. When
+ creating an authentication provider the path to the file needs to be specified. If specified
+ file does not exist an empty file is created automatically on Authentication Provider
+ creation. On Provider deletion the password file is deleted as well.</para>
+ <para>For this provider user credentials can be added, removed or changed using
+ Management.</para>
+
+ <section>
+ <title>Plain Password File Format</title>
+ <para> The user credentials are stored on the single file line as user name and user
+ password pairs separated by colon character. This file must not be modified externally
+ whilst the Broker is running.</para>
+ <programlisting>
+# password file format
+# <user name>: <user password>
+guest:guest
+ </programlisting>
+ </section>
+</section>
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-ScramSha.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-ScramSha.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-ScramSha.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers-ScramSha.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+<section id="Java-Broker-Security-ScramSha-Providers">
+ <title>SCRAM SHA</title>
+ <para>The SCRAM SHA Providers uses the Broker configuration itself to store the database of
+ users. The users'
+ passwords are stored as salted SHA digested password. This can be further encrypted using the
+ facilities described in <xref linkend="Java-Broker-Security-Configuration-Encryption"
+ />.</para>
+ <para>There are two variants of this provider, SHA1 and SHA256. SHA256 is recommended whenever
+ possible. SHA1 is provided with compatibility with clients utilising JDK 1.6 (which does not
+ support SHA256).</para>
+ <para>For these providers user credentials can be added, removed or changed using
+ Management.</para>
+</section>
Added: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers.xml
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers.xml?rev=1635639&view=auto
==============================================================================
--- qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers.xml (added)
+++ qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Authentication-Providers.xml Thu Oct 30 23:37:03 2014
@@ -0,0 +1,51 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!DOCTYPE section PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
+<!--
+
+ Licensed to the Apache Software Foundation (ASF) under one
+ or more contributor license agreements. See the NOTICE file
+ distributed with this work for additional information
+ regarding copyright ownership. The ASF licenses this file
+ to you under the Apache License, Version 2.0 (the
+ "License"); you may not use this file except in compliance
+ with the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing,
+ software distributed under the License is distributed on an
+ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ KIND, either express or implied. See the License for the
+ specific language governing permissions and limitations
+ under the License.
+
+-->
+
+<section id="Java-Broker-Security-Authentication-Providers">
+ <title>Authentication Providers</title>
+
+ <para> In order to successfully establish a connection to the Java Broker, the connection must be
+ authenticated. The Java Broker supports a number of different authentication schemes, each with
+ its own "authentication provider". Any number of Authentication Providers can be configured on
+ the Broker at the same time. </para>
+
+ <important>
+ <para> Only unused Authentication Provider can be deleted. For delete requests attempting to
+ delete Authentication Provider associated with the Ports, the errors will be returned and
+ delete operations will be aborted. It is possible to change the Authentication Provider on
+ Port at runtime. However, the Broker restart is required for changes on Port to take effect.
+ </para>
+ </important>
+
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-LDAP.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-Kerberos.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-External.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-Anonymous.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-ScramSha.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-Plain.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-PlainPasswordFile.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-MD5.xml"/>
+ <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="Java-Broker-Security-Authentication-Providers-Base64MD5PasswordFile.xml"/>
+ </section>
+
Copied: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml (from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Configuration-Encryption.xml)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml?p2=qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml&p1=qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Configuration-Encryption.xml&r1=1635548&r2=1635639&rev=1635639&view=diff
==============================================================================
(empty)
Copied: qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Group-Providers.xml (from r1635548, qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Group-Providers.xml)
URL: http://svn.apache.org/viewvc/qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Group-Providers.xml?p2=qpid/trunk/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Group-Providers.xml&p1=qpid/trunk/qpid/doc/book/src/java-broker/Java-Broker-Security-Group-Providers.xml&r1=1635548&r2=1635639&rev=1635639&view=diff
==============================================================================
(empty)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org