Posted to commits@qpid.apache.org by kw...@apache.org on 2016/01/16 13:17:04 UTC

svn commit: r1724964 [10/19] - in /qpid/site/input/releases/qpid-java-trunk: java-broker/ java-broker/book/ java-broker/book/css/ java-broker/book/images/ jms-client-0-8/ jms-client-0-8/book/ jms-client-0-8/book/images/

Modified: qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html.in
URL: http://svn.apache.org/viewvc/qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html.in?rev=1724964&r1=1724963&r2=1724964&view=diff
==============================================================================
--- qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html.in (original)
+++ qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Runtime.html.in Sat Jan 16 12:17:02 2016
@@ -1,20 +1,95 @@
-<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter&#160;9.&#160;Runtime</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a>&#160;</td><th align="center" width="60%">&#160;</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Runtime"></a>Chapter&#160;9.&#160;Runtime</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Log-Files">9.1. Log Files</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Log-Files-Enable-Debug">9.1.1. Enabling Debug</a></span></dt></dl></dd><dt><span
  class="section"><a href="Java-Broker-Runtime-Disk-Space-Management.html">9.2. Disk Space Management</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Disk-Space-Management.html#Qpid-Producer-Flow-Control">9.2.1. Producer Flow Control</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html">9.3. Producer Transaction Timeout</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-GeneralInformation">9.3.1. General Information</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Purpose">9.3.2. Purpose</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Scope">9.3.3. Scope</a></span></dt><dt><span cl
 ass="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Effect">9.3.4. Effect</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Configuration">9.3.5. Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html">9.4. Handing Undeliverable Messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Maximum-Delivery-Count">9.4.2. Maximum Delivery Count</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable
 -Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Dead-Letter-Queues">9.4.3. Dead Letter Queues (DLQ)</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Close-Connection-When-No-Route.html">9.5. Closing client connections on unroutable mandatory messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Close-Connection-When-No-Route.html#Java-Broker-Close-Connection-When-No-Route-Summary">9.5.1. Summary</a></span></dt><dt><span class="section"><a href="Java-Broker-Close-Connection-When-No-Route.html#Java-Broker-Close-Connection-When-No-Route-Configuration">9.5.2. Configuring <span class="emphasis"><em>closeWhenNoRoute</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Flow-To-Disk.html">9.6. Flow to Disk</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Background-Recovery.html">9.7. Background Recovery</a></span></dt><dt><span class="section"><a href="Java-Broker-
 Runtime-Message-Compression.html">9.8. Message Compression</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Connection-Limit.html">9.9. Connection Limits</a></span></dt></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Runtime-Log-Files"></a>9.1.&#160;Log Files</h2></div></div></div><p> The Broker uses the <a class="ulink" href="http://logging.apache.org/log4j/1.2/" target="_top">Apache Log4J</a>
-  Logging Framework for all logging activity. </p><p> In the Broker's shipped configuration, all logging is directed to log file <code class="literal"><a class="link" href="Java-Broker-Appendix-Environment-Variables.html#Java-Broker-Appendix-Environment-Variables-Qpid-Work">${QPID_WORK}</a>/log/qpid.log</code>. The log file is not rotated and will be overwritten
-  when the Broker restarts. Logging levels are configured in such a way that the log will comprise
-  of:</p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Opertional Log Events. These report key events in the lifecycle of objects (Broker
-    start-up, Queue creation, Queue deletion etc) within the Broker. See <a class="xref" href="Java-Broker-Appendix-Operation-Logging.html" title="Appendix&#160;C.&#160;Operational Logging">Appendix&#160;C, <em>Operational Logging</em></a> for details of the formation of these
-    messages.</p></li><li class="listitem"><p>Queue Alert Events. These report when the queue thresholds have been breached. See <a class="xref" href="Java-Broker-Appendix-Queue-Alerts.html" title="Appendix&#160;D.&#160;Queue Alerts">Appendix&#160;D, <em>Queue Alerts</em></a> for details.</p></li><li class="listitem"><p>Any Error and Warning conditions.</p></li></ul></div><p>Logging can be reconfigured either by changing the logging configuration file <code class="literal"><a class="link" href="Java-Broker-Appendix-Environment-Variables.html#Java-Broker-Appendix-Environment-Variables-Qpid-Home">${QPID_HOME}</a>/etc/log4j.xml</code> or at runtime using the Logging Management MBean,
-  see <a class="xref" href="Java-Broker-Management-Channel-JMX.html#Java-Broker-Management-Channel-JMX-MBeans" title="6.4.5.&#160;The MBeans">Section&#160;6.4.5, &#8220;The MBeans&#8221;</a> for
-  details.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Log-Files-Enable-Debug"></a>9.1.1.&#160;Enabling Debug</h3></div></div></div><p>It can be helpful to enable debug within the Broker in order to understand a problem more
-   clearly. If this is required, debug can be enabled at runtime (without restarting the Broker)
-   using the Logging Management MBean. The change can also be made by changing the log configuration
-   file and restarting the Broker. Whichever mechanism is chosen, change the appender associated
-   with <code class="literal">org.apache.qpid</code> from <code class="literal">WARN</code> to
-   <code class="literal">DEBUG</code>.</p><div class="example"><a id="idm140601089133056"></a><p class="title"><strong>Example&#160;9.1.&#160;Changing the log4j.xml configuration file to enable debug</strong></p><div class="example-contents"><pre class="screen">
-...
-&lt;logger additivity="true" name="org.apache.qpid"&gt;
-    &lt;level value="debug"/&gt; &lt;!-- change the level value from warn to debug --&gt;
-&lt;/logger&gt;
-...</pre></div></div><br class="example-break" /><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Running a production system at <code class="literal">DEBUG</code> level can have performance
-    implications by slowing the Broker down. It can also generate large log files. Take care to
-    revert the logging level back to <code class="literal">WARN</code> after the analysis is performed.</p></div></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a>&#160;</td><td align="center" width="20%">&#160;</td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.4.&#160;Configuration Encryption&#160;</td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%">&#160;9.2.&#160;Disk Space Management</td></tr></table></div></div>
\ No newline at end of file
+<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter&#160;9.&#160;Runtime</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a>&#160;</td><th align="center" width="60%">&#160;</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Runtime"></a>Chapter&#160;9.&#160;Runtime</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging">9.1. Logging</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Concepts">9.1.1. Concepts</a></span></dt><dt><span class="section"><a href="
 Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Default-Configuration">9.1.2. Default Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Loggers">9.1.3. Loggers</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-InclusionRules">9.1.4. Inclusion Rules</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Management">9.1.5. Logging Management</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Disk-Space-Management.html">9.2. Disk Space Management</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Disk-Space-Management.html#Qpid-Producer-Flow-Control">9.2.1. Producer Flow Control</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html">9.3. Producer Transaction Timeout</a></span></dt><dd><dl><dt><span cla
 ss="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-GeneralInformation">9.3.1. General Information</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Purpose">9.3.2. Purpose</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Scope">9.3.3. Scope</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Effect">9.3.4. Effect</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Producer-Transaction-Timeout.html#Java-Broker-Runtime-Producer-Transaction-Timeout-Configuration">9.3.5. Configuration</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages
 .html">9.4. Handing Undeliverable Messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Introduction">9.4.1. Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Maximum-Delivery-Count">9.4.2. Maximum Delivery Count</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Handling-Undeliverable-Messages.html#Java-Broker-Runtime-Handling-Undeliverable-Messages-Dead-Letter-Queues">9.4.3. Dead Letter Queues (DLQ)</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html">9.5. Closing client connections on unroutable mandatory messages</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html#Java-Broker-Runtime-Close-Connect
 ion-When-No-Route-Summary">9.5.1. Summary</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Close-Connection-When-No-Route.html#Java-Broker-Runtime-Close-Connection-When-No-Route-Configuration">9.5.2. Configuring <span class="emphasis"><em>closeWhenNoRoute</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Runtime-Flow-To-Disk.html">9.6. Flow to Disk</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Background-Recovery.html">9.7. Background Recovery</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Message-Compression.html">9.8. Message Compression</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Connection-Limit.html">9.9. Connection Limits</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html">9.10. Memory</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Introduction">9.10.1
 . Introduction</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Types">9.10.2. Types of Memory</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Usage">9.10.3. Memory Usage in the Broker</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Low-Memory">9.10.4. Low Memory Conditions</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Defaults">9.10.5. Defaults</a></span></dt><dt><span class="section"><a href="Java-Broker-Runtime-Memory.html#Java-Broker-Runtime-Memory-Tuning">9.10.6. Memory Tuning the Broker</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Runtime-Logging"></a>9.1.&#160;Logging</h2></div></div></div><p>This section describes the flexible logging
  capabilities of the Java Broker.</p><p>
+    </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The Broker is capable of sending logging events to a variety of destinations including
+          plain files, remote syslog daemons, and an in-memory buffer (viewable from Management).
+          The system is also open for extension meaning it is possible to produce a plugin to log to
+          a bespoke destination.</p></li><li class="listitem"><p>Logging can be dynamically configured at runtime. For instance, it is possible to
+          temporarily increase the logging verbosity of the system whilst a problem is investigated
+          and then revert later, all without the need to restart the Broker.</p></li><li class="listitem"><p>Virtualhosts can be configured to generate their own separate log, and the Broker is
+          capable of generating a log either inclusive or exclusive of virtualhost events.</p></li><li class="listitem"><p>Logs are accessible over Management, removing the need for those operating the Broker
+          to have shell level access.</p></li></ul></div><p>
+  </p><p>In the remainder of this section you will first find a description of the concepts used in
+    the logging subsystem. Next, you find a description of the default configuration. The section
+    then concludes with a in-depth description of the loggers themselves and how they may be
+    configured.</p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Concepts"></a>9.1.1.&#160;Concepts</h3></div></div></div><p>The logging subsystem uses two concepts:</p><p>
+      </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A <span class="emphasis"><em>Logger</em></span> is responsible for production of a log. The Broker
+            ships a variety of loggers, for instance, a file logger, which is capable of writing a
+            log file to the file system, a Syslog Logger capable of writing to a remote syslog
+            daemon and console logger capable of writing to stdout or stderr.</p><p>Loggers are attached at two points within the Broker Model; the Broker itself and
+            the virtualhosts. Loggers attached at the Broker can capture log events for the system
+            as a whole, or can exclude events related to virtualhosts.</p><p>Loggers attached to a virtualhost capture log events relating to that virtualhost
+            only.</p><p>The Broker and virtualhosts can have zero or more Loggers. If no loggers are
+            configured, no logging is generated at all.</p></li><li class="listitem"><p><span class="emphasis"><em>Inclusion rules</em></span> govern what appears within a log. Inclusion
+            rules are associated with Loggers. This means it is possible for different Loggers to
+            have different contents.</p><p>A Logger with no inclusion rules will produce an empty log.</p></li></ul></div><p>
+    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Default-Configuration"></a>9.1.2.&#160;Default Configuration</h3></div></div></div><p>The default configuration is designed to be suitable for use without change in small
+      production environments. It has the following characteristics:</p><p>
+      </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The Broker generates a single log file <code class="literal">qpid.log</code>. This logfile is
+            rolled automatically when the file reaches 100MB. A maximum history of one file is
+            retained. On restart the the log will be appended to.</p><p>The log contains: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: circle; "><li class="listitem"><p>All operational logging events. See <a class="xref" href="Java-Broker-Appendix-Operation-Logging.html" title="Appendix&#160;C.&#160;Operational Logging">Appendix&#160;C, <em>Operational Logging</em></a>.</p></li><li class="listitem"><p>Log events from Qpid itself deemed informational or
+                higher.</p></li><li class="listitem"><p>Log events from Qpid's dependencies (such as Derby or Jetty) that are
+                  deemed warning or higher.</p></li></ul></div><p>
+          </p><p>The default location for the log file is
+              <code class="literal">${QPID_WORK}/log/qpid.log</code>.</p></li><li class="listitem"><p>The Broker also caches the last 4096 log events in a memory cache. By default, the
+            memory logger logs the same things the file logger does.</p></li></ul></div><p>
+    </p><p>The configuration can be customised at runtime using Management. This makes it possible to
+      investigate unusual conditions <span class="emphasis"><em>without</em></span> the need to restart the Broker.
+      For instance, you may alter the logging level so that a verbose log is produced whilst an
+      investigation is in progress and revert the setting later, all without the need to restart the
+      Broker.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Loggers"></a>9.1.3.&#160;Loggers</h3></div></div></div><p>Loggers are responsible for the writing of a log. The log includes log events that match a
+      Logger's inclusion rules.</p><p>Loggers are associated with either the Broker or a virtualhost. Virtualhost loggers write
+      only log events related to that virtualhost. Broker Loggers write log events from the Broker
+      as a whole. Optionally a Broker Logger can be configured to exclude log events coming from
+      virtualhosts. These abilities can be usefully exploited together in managed service scenarios
+      to produce separate logs for separate user groups.</p><p>Loggers can be added or removed at runtime, without restarting the Broker. However changes
+      to a Logger's configuration such as filenames and rolling options don't take effect until the
+      next restart. Changes to a Logger's inclusion rules take effect immediately.</p><p>All loggers allow the log event layout to be customised. Loggers understand <a class="link" href="http://logback.qos.ch/manual/layouts.html#ClassicPatternLayout" target="_top"> Logback Classic
+        Pattern Layouts</a>. </p><p>The following sections describes each Logger implementation in detail.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-FileLogger"></a>9.1.3.1.&#160;FileLogger</h4></div></div></div><p>A <span class="emphasis"><em>FileLogger</em></span> - writes a log file to the filesystem. The name and
+        location of the log file, the rolling configuration, and compression options can be
+        configured.</p><p>The <span class="emphasis"><em>roll daily</em></span> option, if enabled, will cause the log file will be
+        rolled at midnight local time. The rolled over file will have a suffix in the form
+          <code class="literal">yyyy-mm-dd</code>. In roll daily mode, <span class="emphasis"><em>maximum number of rolled
+          files</em></span> controls the maximum number of <span class="emphasis"><em>days</em></span> to be retained.
+        Older files will be deleted.</p><p>The <span class="emphasis"><em>maximum file size</em></span> option limits the size of any one log file.
+        Once a log file reaches the given size, it will be rolled. The rolled over file will have
+        the numeric suffix, beginning at <code class="literal">1</code>. If the log file rolls again, first
+        the existing file with the suffix <code class="literal">.1</code> is renamed to <code class="literal">.2</code>
+        and so forth. If roll daily is not in use, <span class="emphasis"><em>maximum number of rolled
+          files</em></span> governs the number of rolled <span class="emphasis"><em>files</em></span> that will be
+        retained.</p><p><span class="emphasis"><em>Roll on restart</em></span> governs whether the log file is rolled when the
+        Broker is restarted. If not ticked, the Broker will append to the existing log file until it
+        needs to be rolled.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-ConsoleLogger"></a>9.1.3.2.&#160;ConsoleLogger</h4></div></div></div><p><span class="emphasis"><em>ConsoleLogger</em></span> - writes a log file standard out or standard
+        error.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-SyslogLogger"></a>9.1.3.3.&#160;SyslogLogger</h4></div></div></div><p><span class="emphasis"><em>SyslogLogger</em></span> - writes a log file to a syslog daemon using the
+          <code class="literal">USER</code> facility. The hostname and port number of the syslog daemon can be
+        configured.</p><p>Log entries can be prefixed with a string. This string defaults to include the word
+          <code class="literal">Qpid</code> and the name of the Broker or virtualhost. This serves to
+        distinguish the logging generated by this Qpid instance, from other Qpid instances, or other
+        applications using the <code class="literal">USER</code>.</p></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Runtime-Logging-Loggers-MemoryLogger"></a>9.1.3.4.&#160;MemoryLogger</h4></div></div></div><p><span class="emphasis"><em>MemoryLogger</em></span> - writes a log file to a circular in-memory buffer. By
+        default the circular buffer holds the last 4096 log events. The contents of the buffer can
+        be viewed via Management. See <a class="xref" href="Java-Broker-Runtime.html#Java-Broker-Runtime-Logging-Management-MemoryLogger" title="Figure&#160;9.3.&#160;Viewing a memory logger">Figure&#160;9.3, &#8220;Viewing a memory logger&#8221;</a></p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-InclusionRules"></a>9.1.4.&#160;Inclusion Rules</h3></div></div></div><p>A <span class="emphasis"><em>Logger</em></span> has one or more <span class="emphasis"><em>inclusion rules</em></span>. These
+      govern what appears in the log. A Logger with no inclusion rules will log nothing.</p><p>Inclusion rules can be added, removed or changed at runtime. Changes take place
+      immediately.</p><p>
+      </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>The <span class="emphasis"><em>Name And Level</em></span> inclusion rule accepts log events that match
+            a given <span class="emphasis"><em>log event source name</em></span> and have a level that equals or
+            exceeds the specified value.</p><p>The log event source name refers to the fully qualified class name from which the
+            event originates. These names permit a trailing wild card <code class="literal">.*</code>. For
+            instance a source name of <code class="literal">org.apache.qpid.*</code> will match all events
+            from classes in the package <code class="literal">org.apache.qpid</code> and any sub packages
+            beneath.</p><p>The <span class="emphasis"><em>Level</em></span> governs the level of the events that will be included
+            in the log. It may take one of the following values: ERROR, WARN, INFO, DEBUG, TRACE
+            where ERROR is considered the highest and TRACE the lowest. In addition, there are two
+            special values: OFF and ALL, the former excludes all log events whereas the latter will
+            include everything. When considering whether a logging event should be included in the
+            log, the logging event must have a level that matches that of the inclusion rule or be
+            higher, otherwise the log event will not appear in the log.</p></li></ul></div><p>
+    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Runtime-Logging-Management"></a>9.1.5.&#160;Logging Management</h3></div></div></div><p>The logging subsystem can be completely managed from the Web Management Console or the
+      REST API. You can: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Add, remove, or change the configuration of Loggers.</p></li><li class="listitem"><p>Add, remove, or change the Inclusion Rules.</p></li><li class="listitem"><p>For FileLoggers, download the log file and rolled log files associated with
+            the Logger.</p></li><li class="listitem"><p>For MemoryLoggers, view the last <code class="literal">n</code> log
+          events</p></li></ul></div><p>
+    </p><p> The figure that follows shows a FileLogger. The attributes area shows the configuration
+      of the Logger. The inclusion rule table shows the rules that are associated with the Logger.
+      The area towards the bottom of the tab allows the log files to be downloaded to the browser.
+        </p><div class="figure"><a id="Java-Broker-Runtime-Logging-Management-FileLogger"></a><p class="title"><strong>Figure&#160;9.1.&#160;Viewing a file logger</strong></p><div class="figure-contents"><div class="mediaobject"><table border="0" style="cellpadding: 0; cellspacing: 0;" summary="manufactured viewport for HTML img" width="900"><tr><td><img alt="Viewing a file logger" src="images/Management-Web-Logging-FileLogger.png" width="900" /></td></tr></table></div></div></div><p><br class="figure-break" />
+    </p><p> The figure below shows the editing of the level of an inclusion rule. </p><div class="figure"><a id="Java-Broker-Runtime-Logging-Management-InclusionRule"></a><p class="title"><strong>Figure&#160;9.2.&#160;Editing an inclusion rule</strong></p><div class="figure-contents"><div class="mediaobject"><table border="0" style="cellpadding: 0; cellspacing: 0;" summary="manufactured viewport for HTML img" width="900"><tr><td><img alt="Editing an inclusion rule" src="images/Management-Web-Logging-InclusionRule.png" width="900" /></td></tr></table></div></div></div><p><br class="figure-break" />
+    </p><p> The figure below shows a Memory Logger. Note that the Memory Logger provides access to
+      the cached message via the viewer towards the bottom on the tab. </p><div class="figure"><a id="Java-Broker-Runtime-Logging-Management-MemoryLogger"></a><p class="title"><strong>Figure&#160;9.3.&#160;Viewing a memory logger</strong></p><div class="figure-contents"><div class="mediaobject"><table border="0" style="cellpadding: 0; cellspacing: 0;" summary="manufactured viewport for HTML img" width="900"><tr><td><img alt="Viewing a memory logger" src="images/Management-Web-Logging-MemoryLogger.png" width="900" /></td></tr></table></div></div></div><p><br class="figure-break" />
+    </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Configuration-Encryption.html">Prev</a>&#160;</td><td align="center" width="20%">&#160;</td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Runtime-Disk-Space-Management.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.4.&#160;Configuration Encryption&#160;</td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;9.2.&#160;Disk Space Management</td></tr></table></div></div>
\ No newline at end of file
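Review bot: The new 9.1 text loses the caution that the removed 9.1.1 "Enabling Debug" section carried in its Important box (DEBUG slows the Broker, can generate large log files, revert the level afterwards), while the second bullet of the 9.1 introduction and the closing paragraph of 9.1.2 now recommend raising verbosity at runtime; carry that admonition over next to one of them, since the default FileLogger described in 9.1.2 rolls at 100MB and retains a maximum history of one file. The introduction and 9.1.5 also state that logs can be viewed and downloaded over Management without shell access, but nothing in the section says what access control applies to those operations; a cross-reference to the Security chapter would close that gap. Wording to fix in the DocBook source rather than in this generated file: "with a in-depth description", "the the log will be appended to", "will cause the log file will be rolled", "The following sections describes", "writes a log file standard out", and the SyslogLogger sentence ending "applications using the USER." where "facility" is missing.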

Modified: qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html.in
URL: http://svn.apache.org/viewvc/qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html.in?rev=1724964&r1=1724963&r2=1724964&view=diff
==============================================================================
--- qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html.in (original)
+++ qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-ACLs.html.in Sat Jan 16 12:17:02 2016
@@ -1,4 +1,4 @@
-<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.3.&#160;Access Control Lists</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-ACLs"></a>8.3.&#160;Access Control Lists</h2></div></div></div><p>
+<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.3.&#160;Access Control Lists</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-ACLs"></a>8.3.&#160;Access Control Lists</h2></div></div></div><p>
     In Qpid, Access Control Lists (ACLs) specify which actions can be performed by each authenticated user.
     To enable, an <span class="emphasis"><em>Access Control Provider</em></span> needs to be configured on the <span class="emphasis"><em>Broker</em></span>.
     The <span class="emphasis"><em>Access Control Provider</em></span> of type "AclFile" uses local file to specify the ACL rules.
@@ -15,7 +15,7 @@
     The ACL Providers can be configured using <a class="link" href="Java-Broker-Management-Channel-REST-API.html" title="6.3.&#160;REST API">REST Management interfaces</a>
     and <a class="link" href="Java-Broker-Management-Channel-Web-Console.html" title="6.2.&#160;Web Management Console">Web Management Console</a>.
   </p><p>The following ACL Provider managing operations are available from Web Management Console:
-    </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new ACL Provider can be added by clicking onto "Add Access Control Provider" on the Broker tab.</p></li><li class="listitem"><p>An ACL Provider details can be viewed on the Access Control Provider tab.
+    </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>A new ACL Provider can be added by clicking onto "Add Access Control Provider" on the Broker tab.</p></li><li class="listitem"><p>An ACL Provider details can be viewed on the Access Control Provider tab.
         The tab is shown after clicking onto ACL Provider name in the Broker object tree or after clicking
         onto ACL Provider row in ACL Providers grid on the Broker tab.</p></li><li class="listitem"><p>An existing ACL Provider can be deleted by clicking onto buttons "Delete Access Control Provider"
         on the Broker tab or Access Control Provider tab.</p></li></ul></div><p>
@@ -57,7 +57,7 @@
       at a certain level of abstraction (e.g. QUEUE) and apply them consistently across the whole system.
     </p><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>
         Some rules can be restricted to the virtual host if property virtualhost_name is specified.
-        </p><div class="example"><a id="idm140601087486448"></a><p class="title"><strong>Example&#160;8.1.&#160;Restrict rules to specific virtual hosts</strong></p><div class="example-contents"><pre class="programlisting">
+        </p><div class="example"><a id="d0e4235"></a><p class="title"><strong>Example&#160;8.1.&#160;Restrict rules to specific virtual hosts</strong></p><div class="example-contents"><pre class="programlisting">
       ACL ALLOW bob CREATE QUEUE virtualhost_name="test"
       ACL ALLOW bob ALL EXCHANGE virtualhost_name="prod"
     </pre></div></div><p><br class="example-break" />
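Review bot: The anchor for Example 8.1 changes from id="idm140601087486448" to id="d0e4235", and both values are generator-assigned, so any deep link to the example breaks each time the book is rebuilt. Giving the example an explicit id in the DocBook source, as the tables in this file already have, would keep the anchor stable across releases.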
@@ -77,7 +77,7 @@
       ACL DENY guest \
       ALL ALL   # A broken line
     </pre></div><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_permissions"></a><p class="title"><strong>Table&#160;8.1.&#160;List of ACL permission</strong></p><div class="table-contents"><table border="1" summary="List of ACL permission"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>ALLOW</strong></span></td><td><p>Allow the action</p></td></tr><tr><td><span class="command"><strong>ALLOW-LOG</strong></span></td><td><p> Allow the action and log the action in the log </p></td></tr><tr><td><span class="command"><strong>DENY</strong></span></td><td><p> Deny the action</p></td></tr><tr><td><span class="command"><strong>DENY-LOG</strong></span></td><td><p> Deny the action and log the action in the log</p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_actions"></a><p class="title"><strong>Table&#160;8.2.&#160;List of ACL actions</strong></p><div class="tab
 le-contents"><table border="1" summary="List of ACL actions"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Action</p></th><th><p>Description</p></th><th><p>Supported object types</p></th><th><p>Supported properties</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>CONSUME</strong></span> </td><td> <p> Applied when subscriptions are created </p> </td><td><p>QUEUE</p></td><td><p>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>PUBLISH</strong></span> </td><td> <p> Applied on a per message basis on publish message transfers</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingkey, immediate, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>CREATE</strong></span> </td><td> <p> Applied when an object is created, such as bindings, queues, exchanges</p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see prope
 rties on the corresponding object type</p></td></tr><tr><td> <span class="command"><strong>ACCESS</strong></span> </td><td> <p> Applied when an object is read or accessed</p> </td><td><p>VIRTUALHOST, MANAGEMENT</p></td><td><p>name (for VIRTUALHOST only)</p></td></tr><tr><td> <span class="command"><strong>BIND</strong></span> </td><td> <p> Applied when queues are bound to exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queuename, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>UNBIND</strong></span> </td><td> <p> Applied when queues are unbound from exchanges</p> </td><td><p>EXCHANGE</p></td><td><p>name, routingKey, queuename, virtualhost_name, temporary, durable</p></td></tr><tr><td> <span class="command"><strong>DELETE</strong></span> </td><td> <p> Applied when objects are deleted </p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see properties on the corresponding object type</p><
 /td></tr><tr><td> <span class="command"><strong>PURGE</strong></span> </td><td>
-          <p>Applied when purge the contents of a queue</p> </td><td><p>QUEUE</p></td><td><p> </p></td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when an object is updated </p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see EXCHANGE and QUEUE properties</p></td></tr><tr><td> <span class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when an object is configured via REST management interfaces.</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr><tr><td><span class="command"><strong>ACCESS_LOGS</strong></span> </td><td><p>Allows/denies to the specific user an operation to download broker log file(s) over REST interfaces</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_objects"></a><p class="title"><strong>Table&#160;8.3.&#160;List of ACL objects</strong></p
 ><div class="table-contents"><table border="1" summary="List of ACL objects"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Object type</p></th><th><p>Description</p></th><th><p>Supported actions</p></th><th><p>Supported properties</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>VIRTUALHOSTNODE</strong></span> </td><td> <p>A virtualhostnode or remote replication node</p> </td><td><p>ALL, CREATE, UPDATE, DELETE</p> </td><td><p>name</p> </td></tr><tr><td> <span class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A virtualhost</p> </td><td><p>ALL, CREATE, UPDATE, DELETE, ACCESS</p> </td><td><p>name</p> </td></tr><tr><td> <span class="command"><strong>MANAGEMENT </strong></span> </td><td> <p>Management - for web and JMX</p> </td><td><p>ALL, ACCESS</p> </td><td><p> </p></td></tr><tr><td> <span class="command"><strong>QUEUE</strong></span> </td><td> <p>A queue </p> </td><td><p>ALL, CREATE, DELETE, PURGE, CONSUME, UPDATE</p></td><td><p>na
 me, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> </td><td><p>An exchange</p></td><td><p>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE</p></td><td><p>name, autodelete, temporary, durable, type, virtualhost_name, queuename(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</p></td></tr><tr><td> <span class="command"><strong>USER</strong></span> </td><td> <p>A user</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>GROUP</strong></span> </td><td> <p>A group</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>METHOD</strong></span> </td><td> <p>Management or agent or broker method</p> </td><td><p>ALL, ACCESS, UPDATE</p></td><td><p>name, component, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>BR
 OKER</strong></span> </td><td> <p>The broker</p> </td><td><p>ALL, CONFIGURE, ACCESS_LOGS</p></td><td><p> </p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_properties"></a><p class="title"><strong>Table&#160;8.4.&#160;List of ACL properties</strong></p><div class="table-contents"><table border="1" summary="List of ACL properties"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> </td><td> <p> String. Object name, such as a queue name, exchange name or JMX method name.  </p> </td></tr><tr><td> <span class="command"><strong>durable</strong></span> </td><td> <p> Boolean. Indicates the object is durable </p> </td></tr><tr><td> <span class="command"><strong>routingkey</strong></span> </td><td> <p> String. Specifies routing key </p> </td></tr><tr><td> <span class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. Indicates whether or not the
  object gets deleted when the connection is closed </p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>temporary</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>temporary</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>type</strong></span> </td><td> <p> String. Type of object, such as topic, fanout, or xml </p> </td></tr><tr><td> <span class="command"><strong>alternate</strong></span> </td><td> <p> String. Name of the alternate exchange </p> </td></tr><tr><td> <span class="command"><strong>queuename</strong></span> </td><td> <p> String. Name of the queue (used only when the object is something other than <em class="parameter"><code>queue</code></em> </p> </td></tr><tr><td> <span class="command"><strong>component</strong></span>
  </td><td> <p> String. JMX component name</p> </td></tr><tr><td> <span class="command"><strong>from_network</strong></span> </td><td>
+          <p>Applied when purge the contents of a queue</p> </td><td><p>QUEUE</p></td><td><p> </p></td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when an object is updated </p> </td><td><p>VIRTUALHOSTNODE, VIRTUALHOST, EXCHANGE, QUEUE, USER, GROUP</p></td><td><p>see EXCHANGE and QUEUE properties</p></td></tr><tr><td> <span class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when an object is configured via REST management interfaces.</p> </td><td><p>BROKER</p></td><td><p> </p></td></tr><tr><td><span class="command"><strong>ACCESS_LOGS</strong></span> </td><td><p>Allows/denies the specific user to download log file(s) over REST interfaces.</p> </td><td><p>BROKER, VIRTUALHOST</p></td><td><p>name (for VIRTUALHOST only)</p></td></tr><tr><td><span class="command"><strong>SHUTDOWN</strong></span> </td><td><p>Allows/denies the specific user to shutdown the Broker.</p> </td><td><p>BROKER</p></td><td><p /></td></tr></tbody></t
 able></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_objects"></a><p class="title"><strong>Table&#160;8.3.&#160;List of ACL objects</strong></p><div class="table-contents"><table border="1" summary="List of ACL objects"><colgroup><col /><col /><col /><col /></colgroup><thead><tr><th><p>Object type</p></th><th><p>Description</p></th><th><p>Supported actions</p></th><th><p>Supported properties</p></th></tr></thead><tbody><tr><td> <span class="command"><strong>VIRTUALHOSTNODE</strong></span> </td><td> <p>A virtualhostnode or remote replication node</p> </td><td><p>ALL, CREATE, UPDATE, DELETE</p> </td><td><p>name</p> </td></tr><tr><td> <span class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A virtualhost</p> </td><td><p>ALL, CREATE, UPDATE, DELETE, ACCESS, ACCESS_LOGS</p> </td><td><p>name</p> </td></tr><tr><td> <span class="command"><strong>QUEUE</strong></span> </td><td> <p>A queue </p> </td><td><p>ALL, CREATE, DELET
 E, PURGE, CONSUME, UPDATE</p></td><td><p>name, autodelete, temporary, durable, exclusive, alternate, owner, virtualhost_name</p></td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> </td><td><p>An exchange</p></td><td><p>ALL, ACCESS, CREATE, DELETE, BIND, UNBIND, PUBLISH, UPDATE</p></td><td><p>name, autodelete, temporary, durable, type, virtualhost_name, queuename(only for BIND and UNBIND), routingkey(only for BIND and UNBIND, PUBLISH)</p></td></tr><tr><td> <span class="command"><strong>USER</strong></span> </td><td> <p>A user</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>GROUP</strong></span> </td><td> <p>A group</p> </td><td><p>ALL, CREATE, DELETE, UPDATE</p></td><td><p>name</p></td></tr><tr><td> <span class="command"><strong>METHOD</strong></span> </td><td> <p>Management or agent or broker method</p> </td><td><p>ALL, ACCESS, UPDATE</p></td><td><p>name, component, virtualhost_name</p></td></t
 r><tr><td> <span class="command"><strong>BROKER</strong></span> </td><td> <p>The broker</p> </td><td><p>ALL, CONFIGURE, ACCESS_LOGS</p></td><td><p> </p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_properties"></a><p class="title"><strong>Table&#160;8.4.&#160;List of ACL properties</strong></p><div class="table-contents"><table border="1" summary="List of ACL properties"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> </td><td> <p> String. Object name, such as a queue name or exchange name.</p> </td></tr><tr><td> <span class="command"><strong>durable</strong></span> </td><td> <p> Boolean. Indicates the object is durable </p> </td></tr><tr><td> <span class="command"><strong>routingkey</strong></span> </td><td> <p> String. Specifies routing key </p> </td></tr><tr><td> <span class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. Indi
 cates whether or not the object gets deleted when the connection is closed </p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>temporary</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>temporary</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>type</strong></span> </td><td> <p> String. Type of object, such as topic, fanout, or xml </p> </td></tr><tr><td> <span class="command"><strong>alternate</strong></span> </td><td> <p> String. Name of the alternate exchange </p> </td></tr><tr><td> <span class="command"><strong>queuename</strong></span> </td><td> <p> String. Name of the queue (used only when the object is something other than <em class="parameter"><code>queue</code></em> </p> </td></tr><tr><td> <span class="command"><strong>c
 omponent</strong></span> </td><td> <p> String. component name</p> </td></tr><tr><td> <span class="command"><strong>from_network</strong></span> </td><td>
             <p>
               Comma-separated strings representing IPv4 address ranges.
             </p>
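Review bot: The actions table now adds SHUTDOWN for BROKER, but the BROKER row of Table 8.3 on the added lines still lists only "ALL, CONFIGURE, ACCESS_LOGS"; add SHUTDOWN there so the two tables agree. The same change drops the MANAGEMENT row from Table 8.3 while the unchanged ACCESS row of Table 8.2 still names "VIRTUALHOST, MANAGEMENT" as supported object types, and the METHOD row is still described as "Management or agent or broker method" although the JMX wording was removed from the name and component properties. Someone writing rules from these tables cannot tell which object types are still honoured, so the ACCESS and METHOD rows should be brought in line with the removal.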
@@ -87,7 +87,7 @@
             <p>
               The rule matches if any of the address ranges match the IPv4 address of the messaging client.
               The address ranges are specified using either Classless Inter-Domain Routing notation
-              (e.g. 192.168.1.0/24; see <a class="ulink" href="http://tools.ietf.org/html/rfc4632" target="_top">RFC 4632</a>)
+              (e.g. 192.168.1.0/24; see <a class="link" href="http://tools.ietf.org/html/rfc4632" target="_top">RFC 4632</a>)
               or wildcards (e.g. 192.169.1.*).
             </p>
           </td></tr><tr><td> <span class="command"><strong>from_hostname</strong></span> </td><td>
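Review bot: The wildcard example in the context line after the changed link reads 192.169.1.* while the CIDR example on the changed line is 192.168.1.0/24; 192.169.0.0/16 is outside the RFC 1918 private ranges, so this looks like a typo for 192.168.1.*. It is worth correcting in the DocBook source while this cell is being regenerated, since readers copy these examples into rules that decide which client addresses match.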
@@ -106,7 +106,7 @@
             </p>
             <p>
               You can modify the time-to-live of cached results using the *.ttl properties described on the
-              Java <a class="ulink" href="http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html" target="_top">Networking
+              Java <a class="link" href="http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html" target="_top">Networking
               Properties</a> page.
             </p>
             <p>
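Review bot: The changed link still points at the Java SE 6 edition of the Networking Properties page, over plain http. Point it at the edition for the Java version this release of the Broker runs on, so that the *.ttl cache properties the paragraph refers to match the runtime that is actually caching the lookup results.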
@@ -123,7 +123,7 @@
             <p>
               Boolean. A property can be used to restrict PUBLISH action to publishing only messages with given immediate flag.
             </p>
-          </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"></a><p class="title"><strong>Table&#160;8.5.&#160;List of ACL JMX Components</strong></p><div class="table-contents"><table border="1" summary="List of ACL JMX Components"><colgroup><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>UserManagement</strong></span> </td><td> <p>User maintenance; create/delete/view users, change passwords etc</p> </td></tr><tr><td> <span class="command"><strong>ConfigurationManagement</strong></span> </td><td> <p>Dynamically reload configuration from disk.</p> </td></tr><tr><td> <span class="command"><strong>LoggingManagement</strong></span> </td><td> <p>Dynamically control Qpid logging level</p> </td></tr><tr><td> <span class="command"><strong>ServerInformation</strong></span> </td><td> <p>Read-only information regarding the Qpid: version number etc</p> </td></tr><tr><td> <span c
 lass="command"><strong>VirtualHost.Queue</strong></span> </td><td> <p>Queue maintenance; copy/move/purge/view etc</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.Exchange</strong></span> </td><td> <p>Exchange maintenance; bind/unbind queues to exchanges</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.VirtualHost</strong></span> </td><td> <p>Virtual host maintenace; create/delete exchanges, queues etc</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WorkedExamples"></a>8.3.3.&#160;
+          </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Queue-Exchnage-Operations"></a><p class="title"><strong>Table&#160;8.5.&#160;ACL for Queue management operations invoked via REST interfaces</strong></p><div class="table-contents"><table border="1" summary="ACL for Queue management operations invoked via REST interfaces"><colgroup><col /><col /><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>Operation</strong></span> </td><td> <p>Component</p> </td><td> <p>Method</p> </td><td> <p>Description</p> </td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p>VirtualHost.Queue</p> </td><td> <p>copyMessages</p> </td><td> <p>Copy messages</p> </td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p>VirtualHost.Queue</p> </td><td> <p>moveMessages</p> </td><td> <p>Move messages</p> </td></tr><tr><td> <span class="command"><strong>UPDATE
 </strong></span> </td><td> <p>VirtualHost.Queue</p> </td><td> <p>deleteMessages</p> </td><td> <p>Delete messages</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WorkedExamples"></a>8.3.3.&#160;
       Worked Examples
     </h3></div></div></div><p>
       Here are some example ACLs illustrating common use cases.
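Review bot: The new table's anchor is spelled id="table-Java-Broker-Security-ACLs-Queue-Exchnage-Operations"; fix "Exchnage" before anything links to it, and consider dropping "Exchange" from the id altogether, since the title and all three rows cover only VirtualHost.Queue. The header row (Operation, Component, Method, Description) is also emitted as an ordinary tbody row with its first cell in command/strong markup, unlike Tables 8.2 and 8.3, which use thead and th; mark it up as a header row in the source.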
@@ -154,12 +154,9 @@ ACL DENY-LOG ALL ALL
         <a class="link" href="Java-Broker-Security-Group-Providers.html" title="8.2.&#160;Group Providers">group</a> 'usermaint'.  No other user
         is allowed to perform user maintenance  This example illustrates the permissioning of an individual component.
       </p><pre class="programlisting">
-# Give usermaint access to management and permission to execute all JMX Methods on the
-# UserManagement MBean and perform all actions for USER objects
-ACL ALLOW usermaint ACCESS MANAGEMENT
-ACL ALLOW usermaint ALL METHOD component="UserManagement"
+# Give usermaint access to management and permission to create
+# and delete users through management
 ACL ALLOW usermaint ALL USER
-ACL DENY ALL ALL METHOD component="UserManagement"
 ACL DENY ALL ALL USER
 ...
 ... rules for other users
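Review bot: The replacement comment still says "Give usermaint access to management", but the rule that granted it, ACL ALLOW usermaint ACCESS MANAGEMENT, is removed in this hunk, so the comment describes a permission the example no longer contains. It also says "create and delete users" while the remaining rule is ACL ALLOW usermaint ALL USER, which per Table 8.3 covers UPDATE as well. Reword the comment to match the rule, and add the missing full stop after "user maintenance" in the paragraph above the listing.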
@@ -275,4 +272,4 @@ ACL ALLOW-LOG webadmins UPDATE METHOD
 #ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="clearQueue"
 
 ACL DENY-LOG all all
-      </pre></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.2.&#160;Group Providers&#160;</td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%">&#160;8.4.&#160;Configuration Encryption</td></tr></table></div></div>
\ No newline at end of file
+      </pre></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Security-Configuration-Encryption.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.2.&#160;Group Providers&#160;</td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;8.4.&#160;Configuration Encryption</td></tr></table></div></div>
\ No newline at end of file
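Review bot: The context of this hunk keeps a commented-out rule with component="VirtualHost.Queue" name="clearQueue", but the new Table 8.5 lists only copyMessages, moveMessages and deleteMessages for that component, and the JMX components table is removed by this commit. Either drop the commented line from the worked example or document clearQueue, so the example does not suggest a method name the tables no longer describe.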

Modified: qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html.in
URL: http://svn.apache.org/viewvc/qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html.in?rev=1724964&r1=1724963&r2=1724964&view=diff
==============================================================================
--- qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html.in (original)
+++ qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Configuration-Encryption.html.in Sat Jan 16 12:17:02 2016
@@ -1,8 +1,8 @@
-<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.4.&#160;Configuration Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Configuration-Encryption"></a>8.4.&#160;Configuration Encryption</h2></div></div></div><p> The Broker is capable of encrypting passwords and other security items stored in the
+<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.4.&#160;Configuration Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Configuration-Encryption"></a>8.4.&#160;Configuration Encryption</h2></div></div></div><p> The Broker is capable of encrypting passwords and other security items stored in the
     Broker's configuration. This is means that items such as keystore/truststore passwords, JDBC
     passwords, and LDAP passwords can be stored in the configure in a form that is difficult to
     read.</p><p>The Broker ships with an encryptor implementation called <code class="literal">AESKeyFile</code>. This
-    uses a securely generated random key of 256bit<a class="footnote" href="#ftn.idm140601089198944" id="idm140601089198944"><sup class="footnote">[11]</sup></a> to encrypt the secrets stored within a key
+    uses a securely generated random key of 256bit<a class="footnote" href="#ftn.d0e4993" id="d0e4993"><sup class="footnote">[12]</sup></a> to encrypt the secrets stored within a key
     file. Of course, the key itself must be guarded carefully, otherwise the passwords encrypted
     with it may be compromised. For this reason, the Broker ensures that the file's permissions
     allow the file to be read exclusively by the user account used for running the Broker.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>If the keyfile is lost or corrupted, the secrets will be irrecoverable.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Configuration"></a>8.4.1.&#160;Configuration</h3></div></div></div><p>The <code class="literal">AESKeyFile</code> encyptor provider is enabled/disabled via the <a class="link" href="Java-Broker-Management-Managing-Broker.html" title="7.3.&#160;Broker">Broker attributes</a> within the
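Review bot: The regenerated opening of section 8.4 still carries three typos in its unchanged lines: "This is means that", "stored in the configure" and "encyptor provider". Correct them in the DocBook source to "This means that", "stored in the configuration" and "encryptor provider", since this page is the reference for how broker secrets are protected.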
@@ -16,5 +16,5 @@
         <code class="literal">ConfigurationSecretEncrypter</code> interface is designed as an extension point.
       Users may implement their own implementation of ConfigurationSecretEncrypter perhaps to employ
       stronger encryption or delegating the storage of the key to an Enterprise Password
-      Safe.</p></div><div class="footnotes"><br /><hr align="left" width="100" /><div class="footnote" id="ftn.idm140601089198944"><p><a class="para" href="#idm140601089198944"><sup class="para">[11] </sup></a>Java Cryptography Extension (JCE)
-        Unlimited Strength required</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.3.&#160;Access Control Lists&#160;</td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%">&#160;Chapter&#160;9.&#160;Runtime</td></tr></table></div></div>
\ No newline at end of file
+      Safe.</p></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e4993"><p><a class="para" href="#d0e4993"><sup class="para">[12] </sup></a>Java Cryptography Extension (JCE)
+        Unlimited Strength required</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.3.&#160;Access Control Lists&#160;</td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;Chapter&#160;9.&#160;Runtime</td></tr></table></div></div>
\ No newline at end of file
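Review bot: On the footnote rule, width="100" is replaced by style="width:100; text-align:left;margin-left: 0", and a non-zero CSS length without a unit is invalid, so browsers discard the width declaration and the rule falls back to its default width. Emit width: 100px to keep the previous rendering.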

Modified: qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html.in
URL: http://svn.apache.org/viewvc/qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html.in?rev=1724964&r1=1724963&r2=1724964&view=diff
==============================================================================
--- qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html.in (original)
+++ qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security-Group-Providers.html.in Sat Jan 16 12:17:02 2016
@@ -1,4 +1,4 @@
-<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.2.&#160;Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Group-Providers"></a>8.2.&#160;Group Providers</h2></div></div></div><p>
+<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.2.&#160;Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Group-Providers"></a>8.2.&#160;Group Providers</h2></div></div></div><p>
     The Java broker utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-ACLs.html" title="8.3.&#160;Access Control Lists">ACLs</a>.
     Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="8.1.&#160;Authentication Providers">Authentication Provider</a>,
     the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of
@@ -21,4 +21,7 @@
             Only users can be added to a group currently, not other groups. Usernames can't contain commas.
           </p><p>
             Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface.
-          </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter&#160;8.&#160;Security&#160;</td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%">&#160;8.3.&#160;Access Control Lists</td></tr></table></div></div>
\ No newline at end of file
+          </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Group-Providers-ManagedGroupProvider"></a>8.2.2.&#160;ManagedGroupProvider</h3></div></div></div><p>
+            The <span class="emphasis"><em>ManagedGroupProvider</em></span> allows specifying group membership as part of broker configuration.
+            In future version of Brokers GroupFile Provider will be replaced by this one.
+        </p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter&#160;8.&#160;Security&#160;</td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;8.3.&#160;Access Control Lists</td></tr></table></div></div>
\ No newline at end of file
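Review bot: The new 8.2.2 ManagedGroupProvider section is only two sentences and never says how groups and their members are defined in broker configuration, so a reader cannot move off the GroupFile Provider from this text alone; add the attributes or a pointer to the relevant management pages. The second added sentence should read "In a future version of the Broker the GroupFile Provider will be replaced by this one". If that replacement is planned, 8.2.1 should carry the same "(Deprecated)" marker the table of contents already uses for the password-file providers.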

Modified: qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html.in
URL: http://svn.apache.org/viewvc/qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html.in?rev=1724964&r1=1724963&r2=1724964&view=diff
==============================================================================
--- qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html.in (original)
+++ qpid/site/input/releases/qpid-java-trunk/java-broker/book/Java-Broker-Security.html.in Sat Jan 16 12:17:02 2016
@@ -1,10 +1,10 @@
-<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter&#160;8.&#160;Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugins-JMX.html">Prev</a>&#160;</td><th align="center" width="60%">&#160;</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter&#160;8.&#160;Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">8.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">8.1.1. Simple LDAP</a></span></dt><
 dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">8.1.2. Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">8.1.3. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">8.1.4. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-ScramSha-Providers">8.1.5. SCRAM SHA</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Plain-Provider">8.1.6. Plain</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">8.1.7. Plain Password File <span class="emphasis"><em>(Deprecated)</em></span></a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-MD5-Provider">8.1.8. MD5 Pro
 vider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">8.1.9. Base64MD5 Password File <span class="emphasis"><em>(Deprecated)</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html">8.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">8.2.1. GroupFile Provider</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">8.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">8.3.1. 
+<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter&#160;8.&#160;Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugin-HTTP.html">Prev</a>&#160;</td><th align="center" width="60%">&#160;</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter&#160;8.&#160;Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">8.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">8.1.1. Simple LDAP</a></span></dt><
 dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">8.1.2. Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">8.1.3. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">8.1.4. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-ScramSha-Providers">8.1.5. SCRAM SHA</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Plain-Provider">8.1.6. Plain</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">8.1.7. Plain Password File <span class="emphasis"><em>(Deprecated)</em></span></a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-MD5-Provider">8.1.8. MD5 Pro
 vider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">8.1.9. Base64MD5 Password File <span class="emphasis"><em>(Deprecated)</em></span></a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html">8.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">8.2.1. GroupFile Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#Java-Broker-Security-Group-Providers-ManagedGroupProvider">8.2.2. ManagedGroupProvider</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">8.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">8.3.1. 
        Writing .acl files
     </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-Syntax">8.3.2. 
        Syntax
     </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WorkedExamples">8.3.3. 
       Worked Examples
-    </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html">8.4. Configuration Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Configuration">8.4.1. Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Alternate-Implementations">8.4.2. Alternate Implementations</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Authentication-Providers"></a>8.1.&#160;Authentication Providers</h2></div></div></div><p> In order to successfully establish a connection to the Java Broker, the connection must be
+    </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html">8.4. Configuration Encryption</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Configuration">8.4.1. Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-Configuration-Encryption.html#Java-Broker-Security-Configuration-Encryption-Alternate-Implementations">8.4.2. Alternate Implementations</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Authentication-Providers"></a>8.1.&#160;Authentication Providers</h2></div></div></div><p> In order to successfully establish a connection to the Java Broker, the connection must be
     authenticated. The Java Broker supports a number of different authentication schemes, each with
     its own "authentication provider". Any number of Authentication Providers can be configured on
     the Broker at the same time. </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p> Only unused Authentication Provider can be deleted. For delete requests attempting to
@@ -22,21 +22,21 @@
           Changing the secureOnlyMechanism is a breach of security and might cause passwords to be
           transfered in the clear. Use at your own risk!
         </p></div><p>
-    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-LDAP-Provider"></a>8.1.1.&#160;Simple LDAP</h3></div></div></div><p> The Simple LDAP authenticates connections against a Directory (LDAP). </p><p> To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP server URL</em></span> is the URL of the server, for example,
+    </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-LDAP-Provider"></a>8.1.1.&#160;Simple LDAP</h3></div></div></div><p> The Simple LDAP authenticates connections against a Directory (LDAP). </p><p> To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>LDAP server URL</em></span> is the URL of the server, for example,
                 <code class="literal">ldaps://example.com:636</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search context</em></span> is the distinguished name of the search base
                 object. It defines the location from which the search for users begins, for example,
                 <code class="literal">dc=users,dc=example,dc=com</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search filter</em></span> is a DN template to find an LDAP user entry by
-                provided user name, for example, <code class="literal">(uid={0})</code></p></li></ul></div><p> Additionally, the following optional fields can be specified: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP context factory</em></span> is a fully qualified class name for the
-                JNDI LDAP context factory. This class must implement the <a class="ulink" href="http://docs.oracle.com/javase/7/docs/api/javax/naming/spi/InitialContextFactory.html" target="_top">InitialContextFactory</a> interface and produce instances of <a class="ulink" href="http://docs.oracle.com/javase/7/docs/api/javax/naming/directory/DirContext.html" target="_top">DirContext</a>. If
+                provided user name, for example, <code class="literal">(uid={0})</code></p></li></ul></div><p> Additionally, the following optional fields can be specified: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p><span class="emphasis"><em>LDAP context factory</em></span> is a fully qualified class name for the
+                JNDI LDAP context factory. This class must implement the <a class="link" href="http://docs.oracle.com/javase/7/docs/api/javax/naming/spi/InitialContextFactory.html" target="_top">InitialContextFactory</a> interface and produce instances of <a class="link" href="http://docs.oracle.com/javase/7/docs/api/javax/naming/directory/DirContext.html" target="_top">DirContext</a>. If
                 not specified a default value of <code class="literal">com.sun.jndi.ldap.LdapCtxFactory</code> is
                 used.</p></li><li class="listitem"><p><span class="emphasis"><em>LDAP authentication URL</em></span> is the URL of LDAP server for
                 performing "ldap bind". If not specified, the <span class="emphasis"><em>LDAP server URL</em></span> will
-                be used for both searches and authentications.</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a name of <a class="link" href="Java-Broker-Management-Managing-Truststores.html#Java-Broker-Management-Managing-Truststores-Attributes" title="7.13.1.&#160;Attributes">configured
+                be used for both searches and authentications.</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a name of <a class="link" href="Java-Broker-Management-Managing-Truststores.html#Java-Broker-Management-Managing-Truststores-Attributes" title="7.13.2.&#160;Attributes">configured
                 truststore</a>. Use this if connecting to a Directory over SSL (i.e. ldaps://)
                 which is protected by a certificate signed by a private CA (or utilising a self-signed
                 certificate).</p></li></ul></div><p>
     </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>In order to protect the security of the user's password, when using LDAP authentication,
-            you must: </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Use SSL on the broker's AMQP, HTTP and JMX ports to protect the password during
+            you must: </p><div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; "><li class="listitem"><p>Use SSL on the broker's AMQP and HTTP ports to protect the password during
                     transmission to the Broker. The Broker enforces this restriction automatically on AMQP
                     and HTTP ports.</p></li><li class="listitem"><p>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password
                     during transmission from the Broker to the Directory.</p></li></ul></div></div><p> The LDAP Authentication Provider works in the following manner. If not in <code class="literal">bind
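Review bot: In the Important box, the first bullet states that the Broker enforces SSL automatically on the AMQP and HTTP ports, but the second bullet (ldaps:// to the Directory) has no equivalent statement, and the LDAP server URL and LDAP authentication URL fields do not say whether a plain ldap:// URL is rejected. Because the provider binds to the Directory with the user's password, the text should say explicitly whether the Broker refuses non-SSL Directory URLs or leaves that to the operator. With "JMX" dropped from the first bullet, please also confirm that no other port in this release accepts these credentials without SSL.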
@@ -46,7 +46,7 @@
         scope is sub-tree meaning the search will include the base object and the subtree extending
         beneath it. </p><p> If the search returns a match, or is configured in <code class="literal">bind without search</code>
         mode, the Authentication Provider then attempts to bind to the LDAP server with the given name
-        and the password. Note that <a class="ulink" href="http://docs.oracle.com/javase/7/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION" target="_top">simple security
+        and the password. Note that <a class="link" href="http://docs.oracle.com/javase/7/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION" target="_top">simple security
             authentication</a> is used so the Directory receives the password in the clear. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Kerberos-Provider"></a>8.1.2.&#160;Kerberos</h3></div></div></div><p> Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the
         connections. </p><p> Configuration of kerberos is done through system properties (there doesn't seem to be a
         way around this unfortunately). </p><pre class="programlisting">
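Review bot: The context line carrying the retargeted link still spells the provider "Kereberos Authentication Provider", and the following aside "(there doesn't seem to be a way around this unfortunately)" reads as a developer note rather than documentation. This file looks like generated DocBook output, so both are better fixed in the source and regenerated than patched here. The link whose class changes from "ulink" to "link" still points at the Java 7 API pages over http://.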
@@ -66,19 +66,16 @@ com.sun.security.jgss.accept {
 };</pre><p> Where realm, kdc, keyTab and principal should obviously be set correctly for the
         environment where you are running (see the existing documentation for the C++ broker about
         creating a keytab file). </p><p> Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength
-        Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </p><p> Since Kerberos support only works where SASL authentication is available (e.g. not for
-        JMX authentication) you may wish to also include an alternative Authentication Provider
-        configuration, and use this for JMX and HTTP ports. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>8.1.3.&#160;External (SSL Client Certificates)</h3></div></div></div><p> When <a class="link" href="Java-Broker-Management-Managing-Truststores.html" title="7.13.&#160;Truststores"> requiring SSL Client
+        Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>8.1.3.&#160;External (SSL Client Certificates)</h3></div></div></div><p> When <a class="link" href="Java-Broker-Management-Managing-Truststores.html" title="7.13.&#160;Truststores"> requiring SSL Client
         Certificates</a> be presented the External Authentication Provider can be used, such that
         the user is authenticated based on trust of their certificate alone, and the X500Principal
         from the SSL session is then used as the username for the connection, instead of also
         requiring the user to present a valid username and password. </p><p>
         <span class="bold"><strong>Note:</strong></span> The External Authentication Provider should typically
         only be used on the AMQP/HTTP ports, in conjunction with <a class="link" href="Java-Broker-Management-Managing-Ports.html" title="7.10.&#160;Ports">SSL client certificate
-            authentication</a>. It is not intended for other uses such as the JMX management port and
+            authentication</a>. It is not intended for other uses and
         will treat any non-sasl authentication processes on these ports as successful with the given
-        username. As such you should configure another Authentication Provider for use on JMX
-        ports.</p><p>On creation of External Provider the use of full DN or username CN as a principal name can
+        username.</p><p>On creation of External Provider the use of full DN or username CN as a principal name can
         be configured. If attribute "Use the full DN as the Username" is set to "true" the full DN is
         used as an authenticated principal name. If attribute "Use the full DN as the Username" is set
         to "false" the user name CN part is used as the authenticated principal name. Setting the
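Review bot: In the External provider note, deleting "such as the JMX management port" leaves "It is not intended for other uses and will treat any non-sasl authentication processes on these ports as successful with the given username", where "these ports" now points back at the AMQP/HTTP ports, the very ports the provider is recommended for. Reword the sentence so it names which ports or uses the warning applies to, since this is the line that tells operators when the provider accepts a username without verification. Separately, the deleted Kerberos paragraph also covered HTTP ("use this for JMX and HTTP ports"); if Kerberos still needs an alternative Authentication Provider on the HTTP port, keep that advice with only the JMX reference removed.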
@@ -101,7 +98,7 @@ com.sun.security.jgss.accept {
         creating an authentication provider the path to the file needs to be specified. If specified
         file does not exist an empty file is created automatically on Authentication Provider
         creation. On Provider deletion the password file is deleted as well.</p><p>For this provider user credentials can be added, removed or changed using
-        Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idm140601093863232"></a>8.1.7.1.&#160;Plain Password File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user
+        Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e4066"></a>8.1.7.1.&#160;Plain Password File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user
             password pairs separated by colon character. This file must not be modified externally
             whilst the Broker is running.</p><pre class="programlisting">
 # password file format
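Review bot: The 8.1.7.1 heading gets another auto-generated anchor (id "idm140601093863232" becomes "d0e4066"), so any deep link to the Plain Password File Format subsection breaks each time the book is regenerated; the same happens to 8.1.9.1 in the next hunk. Give both file-format subsections explicit ids in the source, as their parent sections already have (for example Java-Broker-Security-PlainPasswordFile-Provider).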
@@ -120,6 +117,6 @@ guest:guest
         to the file needs to be specified. If specified file does not exist an empty file is created
         automatically on Authentication Provider creation. On Base64MD5PasswordFile Provider deletion
         the password file is deleted as well.</p><p>For this provider user credentials can be added, removed or changed using
-        Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idm140601088948240"></a>8.1.9.1.&#160;Base64MD5 File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user password
+        Management.</p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="d0e4102"></a>8.1.9.1.&#160;Base64MD5 File Format</h4></div></div></div><p> The user credentials are stored on the single file line as user name and user password
             pairs separated by colon character. The password is stored MD5 digest/Base64 encoded. This
-            file must not be modified externally whilst the Broker is running.</p></div></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugins-JMX.html">Prev</a>&#160;</td><td align="center" width="20%">&#160;</td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">7.17.&#160;JMX Plugin&#160;</td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%">&#160;8.2.&#160;Group Providers</td></tr></table></div></div>
\ No newline at end of file
+            file must not be modified externally whilst the Broker is running.</p></div></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Management-Managing-Plugin-HTTP.html">Prev</a>&#160;</td><td align="center" width="20%">&#160;</td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">7.16.&#160;HTTP Plugin&#160;</td><td align="center" width="20%"><a accesskey="h" href="AMQP-Messaging-Broker-Java-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;8.2.&#160;Group Providers</td></tr></table></div></div>
\ No newline at end of file

Modified: qpid/site/input/releases/qpid-java-trunk/java-broker/book/images/Broker-Model.png
URL: http://svn.apache.org/viewvc/qpid/site/input/releases/qpid-java-trunk/java-broker/book/images/Broker-Model.png?rev=1724964&r1=1724963&r2=1724964&view=diff
==============================================================================
Binary files - no diff available.



