Posted to commits@qpid.apache.org by ro...@apache.org on 2016/10/14 15:48:21 UTC
[35/52] [partial] qpid-site git commit: scrub various older releases from the site
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html
deleted file mode 100644
index 3848721..0000000
--- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-ACLs.html
+++ /dev/null
@@ -1,411 +0,0 @@
-<!DOCTYPE html>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
--->
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
- <head>
- <title>11.3. Access Control Lists - Apache Qpid™</title>
- <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
- <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
- <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
- <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
- <script type="text/javascript">var _deferredFunctions = [];</script>
- <script type="text/javascript" src="/deferred.js" defer="defer"></script>
- <!--[if lte IE 8]>
- <link rel="stylesheet" href="/ie.css" type="text/css"/>
- <script type="text/javascript" src="/html5shiv.js"></script>
- <![endif]-->
-
- <!-- Redirects for `go get` and godoc.org -->
- <meta name="go-import"
- content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
- <meta name="go-source"
- content="qpid.apache.org
-https://github.com/apache/qpid-proton/blob/go1/README.md
-https://github.com/apache/qpid-proton/tree/go1{/dir}
-https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
- </head>
- <body>
- <div id="-content">
- <div id="-top" class="panel">
- <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
-
- <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
-
- <ul id="-global-navigation">
- <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
- <li><a href="/documentation.html">Documentation</a></li>
- <li><a href="/download.html">Download</a></li>
- <li><a href="/discussion.html">Discussion</a></li>
- </ul>
- </div>
-
- <div id="-menu" class="panel" style="display: none;">
- <div class="flex">
- <section>
- <h3>Project</h3>
-
- <ul>
- <li><a href="/overview.html">Overview</a></li>
- <li><a href="/components/index.html">Components</a></li>
- <li><a href="/releases/index.html">Releases</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Messaging APIs</h3>
-
- <ul>
- <li><a href="/proton/index.html">Qpid Proton</a></li>
- <li><a href="/components/jms/index.html">Qpid JMS</a></li>
- <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Servers and tools</h3>
-
- <ul>
- <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
- <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
- <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Resources</h3>
-
- <ul>
- <li><a href="/dashboard.html">Dashboard</a></li>
- <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
- <li><a href="/resources.html">More resources</a></li>
- </ul>
- </section>
- </div>
- </div>
-
- <div id="-search" class="panel" style="display: none;">
- <form action="http://www.google.com/search" method="get">
- <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
- <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
- <button type="submit">Search</button>
- <a href="/search.html">More ways to search</a>
- </form>
- </div>
-
- <div id="-middle" class="panel">
- <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.3. Access Control Lists</li></ul>
-
- <div id="-middle-content">
- <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.3. Access Control Lists</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-SSL.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-ACLs"></a>11.3. Access Control Lists</h2></div></div></div><p>
- In Qpid, Access Control Lists (ACLs) specify which actions can be performed by each authenticated user.
- To enable, an <span class="emphasis"><em>Access Control Provider</em></span> needs to be configured on the <span class="emphasis"><em>Broker</em></span>
- level or/and ACL configuration should be provided on a <span class="emphasis"><em>Virtual Host</em></span> level.
- The first imposes the ACL broker wide, and the second is applied to individual virtual hosts.
- The <span class="emphasis"><em>Access Control Provider</em></span> of type "AclFile" uses local file to specify the ACL rules.
- By convention, this file should have a .acl extension.
- </p><p>
- A Group Provider can be configured with ACL to define the user groups which can be used in ACL
- to determine the ACL rules applicable to the entire group. The configuration details for the Group Providers are described in
- <a class="xref" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">Section 11.2, “Group Providers”</a>. On creation of ACL Provider with group rules,
- the Group Provider should be added first. Otherwise, if the individual ACL rules are not defined for the logged principal
- the following invocation of management operations could be denied due to absence of the required groups.</p><p>Only one <span class="emphasis"><em>Access Control Provider</em></span> can be used by the Broker.
- If several <span class="emphasis"><em>Access Control Providers</em></span> are configured on Broker level
- only one of them will be used (the latest one). <a class="xref" href="Java-Broker-Virtual-Hosts-Configuration-File-ACL.html" title="14.2. Configuring ACL">Section 14.2, “Configuring ACL”</a>
- shows how to configure ACL on <span class="emphasis"><em>Virtual Host</em></span> using virtual host configuration xml.
- If both Broker <span class="emphasis"><em>Access Control Provider</em></span> and <span class="emphasis"><em>Virtual Host</em></span> ACL are configured,
- the <span class="emphasis"><em>Virtual Host</em></span> ACL is used for authorization of operations on <span class="emphasis"><em>Virtual Host</em></span> and
- Virtual Host objects and Broker level ACL is used to authorization of operations on Broker and Broker children
- (excluding Virtual Hosts having ACL configured).
- </p><p>
- The ACL Providers can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">REST Management interfaces</a>
- and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>.
- </p><p>The following ACL Provider managing operations are available from Web Management Console:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new ACL Provider can be added by clicking onto "Add Access Control Provider" on the Broker tab.</p></li><li class="listitem"><p>An ACL Provider details can be viewed on the Access Control Provider tab.
- The tab is shown after clicking onto ACL Provider name in the Broker object tree or after clicking
- onto ACL Provider row in ACL Providers grid on the Broker tab.</p></li><li class="listitem"><p>An existing ACL Provider can be deleted by clicking onto buttons "Delete Access Control Provider"
- on the Broker tab or Access Control Provider tab.</p></li></ul></div><p>
- </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WriteACL"></a>11.3.1. 
- Writing .acl files
- </h3></div></div></div><p>
- The ACL file consists of a series of rules associating behaviour for a user or group. Use of groups can serve to make the ACL file more concise. See <a class="link" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">Configuring Group Providers</a> for more information on defining groups.
- </p><p>
- Each ACL rule grants or denies a particular action on an object to a user/group. The rule may be augmented with one or more properties, restricting
- the rule's applicability.
- </p><pre class="programlisting">
- ACL ALLOW alice CREATE QUEUE # Grants alice permission to create all queues.
- ACL DENY bob CREATE QUEUE name="myqueue" # Denies bob permission to create a queue called "myqueue"
- </pre><p>
- The ACL is considered in strict line order with the first matching rule taking precedence over all those that follow. In the following
- example, if the user bob tries to create an exchange "myexch", the operation will be allowed by the first rule. The second rule will
- never be considered.
- </p><pre class="programlisting">
- ACL ALLOW bob ALL EXCHANGE
- ACL DENY bob CREATE EXCHANGE name="myexch" # Dead rule
- </pre><p>
- If the desire is to allow bob to create all exchanges except "myexch", order of the rules must be reversed:
- </p><pre class="programlisting">
- ACL DENY bob CREATE EXCHANGE name="myexch"
- ACL ALLOW bob ALL EXCHANGE
- </pre><p>
- All ACL files end with an implict rule denying all operations to all users. It is as if each file ends with
- </p><pre class="programlisting">ACL DENY ALL ALL </pre><p>
- If instead you wish to <span class="emphasis"><em>allow</em></span> all operations other than those controlled by earlier rules,
- add </p><pre class="programlisting">ACL ALLOW ALL ALL</pre><p> to the bottom of the ACL file.
- </p><p>
- When writing a new ACL, a good approach is to begin with an .acl file containing only </p><pre class="programlisting">ACL DENY-LOG ALL ALL</pre><p>
- which will cause the Broker to deny all operations with details of the denial logged to the Qpid log file. Build up the ACL rule by rule,
- gradually working through the use-cases of your system. Once the ACL is complete, consider switching the DENY-LOG actions to DENY
- to improve performamce and reduce log noise.
- </p><p>
- ACL rules are very powerful: it is possible to write very granular rules specifying many broker objects and their
- properties. Most projects probably won't need this degree of flexibility. A reasonable approach is to choose to apply permissions
- at a certain level of abstraction (e.g. QUEUE) and apply them consistently across the whole system.
- </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-Syntax"></a>11.3.2. 
- Syntax
- </h3></div></div></div><p>
- ACL rules follow this syntax:
- </p><pre class="programlisting">
- ACL {permission} {<group-name>|<user-name>>|ALL} {action|ALL} [object|ALL] [property="<property-value>"]
- </pre><p>
- Comments may be introduced with the hash (#) character and are ignored. Long lines can be broken with the slash (\) character.
- </p><pre class="programlisting">
- # A comment
- ACL ALLOW admin CREATE ALL # Also a comment
- ACL DENY guest \
- ALL ALL # A broken line
- </pre></div><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_permissions"></a><p class="title"><strong>Table 11.1. List of ACL permission</strong></p><div class="table-contents"><table border="1" summary="List of ACL permission"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>ALLOW</strong></span></td><td><p>Allow the action</p></td></tr><tr><td><span class="command"><strong>ALLOW-LOG</strong></span></td><td><p> Allow the action and log the action in the log </p></td></tr><tr><td><span class="command"><strong>DENY</strong></span></td><td><p> Deny the action</p></td></tr><tr><td><span class="command"><strong>DENY-LOG</strong></span></td><td><p> Deny the action and log the action in the log</p></td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_actions"></a><p class="title"><strong>Table 11.2. List of ACL actions</strong></p><div class="t
able-contents"><table border="1" summary="List of ACL actions"><colgroup><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>CONSUME</strong></span> </td><td> <p> Applied when subscriptions are created </p> </td></tr><tr><td> <span class="command"><strong>PUBLISH</strong></span> </td><td> <p> Applied on a per message basis on publish message transfers</p> </td></tr><tr><td> <span class="command"><strong>CREATE</strong></span> </td><td> <p> Applied when an object is created, such as bindings, queues, exchanges</p> </td></tr><tr><td> <span class="command"><strong>ACCESS</strong></span> </td><td> <p> Applied when an object is read or accessed</p> </td></tr><tr><td> <span class="command"><strong>BIND</strong></span> </td><td> <p> Applied when queues are bound to exchanges</p> </td></tr><tr><td> <span class="command"><strong>UNBIND</strong></span> </td><td> <p> Applied when queues are unbound from exchanges</p> </td></tr><tr><td> <span class="command"><strong>DELETE</s
trong></span> </td><td> <p> Applied when objects are deleted </p> </td></tr><tr><td> <span class="command"><strong>PURGE</strong></span> </td><td>
- <p>Applied when purge the contents of a queue</p> </td></tr><tr><td> <span class="command"><strong>UPDATE</strong></span> </td><td> <p> Applied when an object is updated </p> </td></tr><tr><td> <span class="command"><strong>CONFIGURE</strong></span> </td><td> <p> Applied when an object is configured via REST management interfaces(Java Broker only).</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_objects"></a><p class="title"><strong>Table 11.3. List of ACL objects</strong></p><div class="table-contents"><table border="1" summary="List of ACL objects"><colgroup><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>VIRTUALHOST</strong></span> </td><td> <p>A virtualhost (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>MANAGEMENT </strong></span> </td><td> <p>Management - for web and JMX (Java Broker only)</p> </td></tr><tr><td> <span class="co
mmand"><strong>QUEUE</strong></span> </td><td> <p>A queue </p> </td></tr><tr><td> <span class="command"><strong>EXCHANGE</strong></span> </td><td> <p>An exchange </p> </td></tr><tr><td> <span class="command"><strong>USER</strong></span> </td><td> <p>A user (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>GROUP</strong></span> </td><td> <p>A group (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>METHOD</strong></span> </td><td> <p>Management or agent or broker method (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>LINK</strong></span> </td><td> <p>A federation or inter-broker link (not currently used in Java Broker)</p> </td></tr><tr><td> <span class="command"><strong>BROKER</strong></span> </td><td> <p>The broker</p> </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_properties"></a><p class="title"><strong>Table 11.4. List of
ACL properties</strong></p><div class="table-contents"><table border="1" summary="List of ACL properties"><colgroup><col /><col /></colgroup><tbody><tr><td><span class="command"><strong>name</strong></span> </td><td> <p> String. Object name, such as a queue name, exchange name or JMX method name. </p> </td></tr><tr><td> <span class="command"><strong>durable</strong></span> </td><td> <p> Boolean. Indicates the object is durable </p> </td></tr><tr><td> <span class="command"><strong>routingkey</strong></span> </td><td> <p> String. Specifies routing key </p> </td></tr><tr><td> <span class="command"><strong>passive</strong></span> </td><td> <p> Boolean. Indicates the presence of a <em class="parameter"><code>passive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>autodelete</strong></span> </td><td> <p> Boolean. Indicates whether or not the object gets deleted when the connection is closed </p> </td></tr><tr><td> <span class="command"><strong>exclusive</strong></s
pan> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>exclusive</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>temporary</strong></span> </td><td> <p> Boolean. Indicates the presence of an <em class="parameter"><code>temporary</code></em> flag </p> </td></tr><tr><td> <span class="command"><strong>type</strong></span> </td><td> <p> String. Type of object, such as topic, fanout, or xml </p> </td></tr><tr><td> <span class="command"><strong>alternate</strong></span> </td><td> <p> String. Name of the alternate exchange </p> </td></tr><tr><td> <span class="command"><strong>queuename</strong></span> </td><td> <p> String. Name of the queue (used only when the object is something other than <em class="parameter"><code>queue</code></em> </p> </td></tr><tr><td> <span class="command"><strong>component</strong></span> </td><td> <p> String. JMX component name (Java Broker only)</p> </td></tr><tr><td> <span class="command"><strong>schemapackag
e</strong></span> </td><td> <p> String. QMF schema package name (Not used in Java Broker)</p> </td></tr><tr><td> <span class="command"><strong>schemaclass</strong></span> </td><td> <p> String. QMF schema class name (Not used in Java Broker)</p> </td></tr><tr><td> <span class="command"><strong>from_network</strong></span> </td><td>
- <p>
- Comma-separated strings representing IPv4 address ranges.
- </p>
- <p>
- Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions.
- </p>
- <p>
- The rule matches if any of the address ranges match the IPv4 address of the messaging client.
- The address ranges are specified using either Classless Inter-Domain Routing notation
- (e.g. 192.168.1.0/24; see <a class="ulink" href="http://tools.ietf.org/html/rfc4632" target="_top">RFC 4632</a>)
- or wildcards (e.g. 192.169.1.*).
- </p>
- <p>
- Java Broker only.
- </p>
- </td></tr><tr><td> <span class="command"><strong>from_hostname</strong></span> </td><td>
- <p>
- Comma-separated strings representing hostnames, specified using Perl-style regular
- expressions, e.g. .*\.example\.company\.com
- </p>
- <p>
- Intended for use in ACCESS VIRTUALHOST rules to apply firewall-like restrictions.
- </p>
- <p>
- The rule matches if any of the patterns match the hostname of the messaging client.
- </p>
- <p>
- To look up the client's hostname, Qpid uses Java's DNS support, which internally caches its results.
- </p>
- <p>
- You can modify the time-to-live of cached results using the *.ttl properties described on the
- Java <a class="ulink" href="http://docs.oracle.com/javase/6/docs/technotes/guides/net/properties.html" target="_top">Networking
- Properties</a> page.
- </p>
- <p>
- For example, you can either set system property sun.net.inetaddr.ttl from the command line
- (e.g. export QPID_OPTS="-Dsun.net.inetaddr.ttl=0") or networkaddress.cache.ttl in
- $JAVA_HOME/lib/security/java.security. The latter is preferred because it is JVM
- vendor-independent.
- </p>
- <p>
- Java Broker only.
- </p>
- </td></tr></tbody></table></div></div><br class="table-break" /><div class="table"><a id="table-Java-Broker-Security-ACLs-Syntax_javacomponents"></a><p class="title"><strong>Table 11.5. List of ACL rules</strong></p><div class="table-contents"><table border="1" summary="List of ACL rules"><colgroup><col /><col /><col /></colgroup><tbody><tr><td> <span class="command"><strong>UserManagement</strong></span> </td><td> <p>User maintainance; create/delete/view users, change passwords etc</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="command"><strong>ConfigurationManagement</strong></span> </td><td> <p>Dynammically reload configuration from disk.</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="command"><strong>LoggingManagement</strong></span> </td><td> <p>Dynammically control Qpid logging level</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="com
mand"><strong>ServerInformation</strong></span> </td><td> <p>Read-only information regarding the Qpid: version number etc</p> </td><td> <p>permissionable at broker level only</p> </td></tr><tr><td> <span class="command"><strong>VirtualHost.Queue</strong></span> </td><td> <p>Queue maintainance; copy/move/purge/view etc</p> </td><td class="auto-generated"> </td></tr><tr><td> <span class="command"><strong>VirtualHost.Exchange</strong></span> </td><td> <p>Exchange maintenance; bind/unbind queues to exchanges</p> </td><td class="auto-generated"> </td></tr><tr><td> <span class="command"><strong>VirtualHost.VirtualHost</strong></span> </td><td> <p>Virtual host maintainace; create/delete exchanges, queues etc</p> </td><td class="auto-generated"> </td></tr></tbody></table></div></div><br class="table-break" /><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-ACLs-WorkedExamples"></a>11.3.3. 
- Worked Examples
- </h3></div></div></div><p>
- Here are some example ACLs illustrating common use cases.
- In addition, note that the Java broker provides a complete example ACL file, located at etc/broker_example.acl.
- </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample1"></a>11.3.3.1. 
- Worked example 1 - Management rights
- </h4></div></div></div><p>
- Suppose you wish to permission two users: a user 'operator' must be able to perform all Management operations, and
- a user 'readonly' must be enable to perform only read-only functions. Neither 'operator' nor 'readonly'
- should be allowed to connect clients for messaging.
- </p><pre class="programlisting">
-# Deny (loggged) operator/readonly permission to connect messaging clients.
-ACL DENY-LOG operator ACCESS VIRTUALHOST
-ACL DENY-LOG readonly ACCESS VIRTUALHOST
-# Give operator permission to perfom all other actions
-ACL ALLOW operator ALL ALL
-# Give readonly permission to execute only read-only actions
-ACL ALLOW readonly ACCESS ALL
-...
-... rules for other users
-...
-# Explicitly deny all (log) to eveyone
-ACL DENY-LOG ALL ALL
- </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample2"></a>11.3.3.2. 
- Worked example 2 - User maintainer group
- </h4></div></div></div><p>
- Suppose you wish to restrict User Management operations to users belonging to a
- <a class="link" href="Java-Broker-Security-Group-Providers.html" title="11.2. Group Providers">group</a> 'usermaint'. No other user
- is allowed to perform user maintainence This example illustrates the permissioning of an individual component.
- </p><pre class="programlisting">
-# Give usermaint access to management and permission to execute all JMX Methods on the
-# UserManagement MBean and perform all actions for USER objects
-ACL ALLOW usermaint ACCESS MANAGEMENT
-ACL ALLOW usermaint ALL METHOD component="UserManagement"
-ACL ALLOW usermaint ALL USER
-ACL DENY ALL ALL METHOD component="UserManagement"
-ACL DENY ALL ALL USER
-...
-... rules for other users
-...
-ACL DENY-LOG ALL ALL
- </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample3"></a>11.3.3.3. 
- Worked example 3 - Request/Response messaging
- </h4></div></div></div><p>
- Suppose you wish to permission a system using a request/response paradigm. Two users: 'client' publishes requests;
- 'server' consumes the requests and generates a response. This example illustrates the permissioning of AMQP exchanges
- and queues.
- </p><pre class="programlisting">
-# Allow client and server to connect to the virtual host.
-ACL ALLOW client ACCESS VIRTUALHOST
-ACL ALLOW server ACCESS VIRTUALHOST
-
-# Client side
-# Allow the 'client' user to publish requests to the request queue. As is the norm for the request/response paradigm, the client
-# is required to create a temporary queue on which the server will respond. Consequently, there are rules to allow the creation
-# of the temporary queues and consumption of messages from it.
-ACL ALLOW client CREATE QUEUE temporary="true"
-ACL ALLOW client CONSUME QUEUE temporary="true"
-ACL ALLOW client DELETE QUEUE temporary="true"
-ACL ALLOW client BIND EXCHANGE name="amq.direct" temporary="true"
-ACL ALLOW client UNBIND EXCHANGE name="amq.direct" temporary="true"
-ACL ALLOW client PUBLISH EXCHANGE name="amq.direct" routingKey="example.RequestQueue"
-
-# Server side
-# Allow the 'server' user to consume from the request queue and publish a response to the temporary response queue created by
-# client. We also allow the server to create the request queue.
-ACL ALLOW server CREATE QUEUE name="example.RequestQueue"
-ACL ALLOW server CONSUME QUEUE name="example.RequestQueue"
-ACL ALLOW server BIND EXCHANGE
-ACL ALLOW server PUBLISH EXCHANGE name="amq.direct" routingKey="TempQueue*"
-
-ACL DENY-LOG all all
- </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample4"></a>11.3.3.4. 
- Worked example 4 - firewall-like access control
- </h4></div></div></div><p>
- This example illustrates how to set up an ACL that restricts the IP addresses and hostnames
- of messaging clients that can access a virtual host.
- </p><pre class="programlisting">
-################
-# Hostname rules
-################
-
-# Allow messaging clients from company1.com and company1.co.uk to connect
-ACL ALLOW all ACCESS VIRTUALHOST from_hostname=".*\.company1\.com,.*\.company1\.co\.uk"
-
-# Deny messaging clients from hosts within the dev subdomain
-ACL DENY-LOG all ACCESS VIRTUALHOST from_hostname=".*\.dev\.company1\.com"
-
-##################
-# IP address rules
-##################
-
-# Deny access to all users in the IP ranges 192.168.1.0-192.168.1.255 and 192.168.2.0-192.168.2.255,
-# using the notation specified in RFC 4632, "Classless Inter-domain Routing (CIDR)"
-ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \
- from_network="192.168.1.0/24,192.168.2.0/24"
-
-# Deny access to all users in the IP ranges 192.169.1.0-192.169.1.255 and 192.169.2.0-192.169.2.255,
-# using wildcard notation.
-ACL DENY-LOG messaging-users ACCESS VIRTUALHOST \
- from_network="192.169.1.*,192.169.2.*"
-
-ACL DENY-LOG all all
- </pre></div><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="Java-Broker-Security-ACLs-WorkedExample5"></a>11.3.3.5. 
- Worked example 5 - REST management ACL example
- </h4></div></div></div><p>
- This example illustrates how to set up an ACL that restricts usage of REST management interfaces.
- </p><pre class="programlisting">
-# allow to the users from webadmins group to change broker model
-# this rule allows adding/removing/editing of Broker level objects:
-# Broker, Virtual Host, Group Provider, Authentication Provider, Port, Access Control Provider etc
-ACL ALLOW-LOG webadmins CONFIGURE BROKER
-
-# allow to the users from webadmins group to perform
-# create/update/delete on Virtual Host children
-ACL ALLOW-LOG webadmins CREATE QUEUE
-ACL ALLOW-LOG webadmins UPDATE QUEUE
-ACL ALLOW-LOG webadmins DELETE QUEUE
-ACL ALLOW-LOG webadmins PURGE QUEUE
-ACL ALLOW-LOG webadmins CREATE EXCHANGE
-ACL ALLOW-LOG webadmins DELETE EXCHANGE
-ACL ALLOW-LOG webadmins BIND EXCHANGE
-ACL ALLOW-LOG webadmins UNBIND EXCHANGE
-
-# allow to the users from webadmins group to create/update/delete groups on Group Providers
-ACL ALLOW-LOG webadmins CREATE GROUP
-ACL ALLOW-LOG webadmins DELETE GROUP
-ACL ALLOW-LOG webadmins UPDATE GROUP
-
-# allow to the users from webadmins group to create/update/delete users for Authentication Providers
-ACL ALLOW-LOG webadmins CREATE USER
-ACL ALLOW-LOG webadmins DELETE USER
-ACL ALLOW-LOG webadmins UPDATE USER
-
-# allow to the users from webadmins group to move, copy and delete messagaes
-# using REST management interfaces
-ACL ALLOW-LOG webadmins UPDATE METHOD
-
-# at the moment only the following UPDATE METHOD rules are supported by web management console
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="moveMessages"
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="copyMessages"
-#ACL ALLOW-LOG webadmins UPDATE METHOD component="VirtualHost.Queue" name="deleteMessages"
-
-ACL DENY-LOG all all
- </pre></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-Group-Providers.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-SSL.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">11.2. Group Providers </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.4. SSL</td></tr></table></div></div>
-
- <hr/>
-
- <ul id="-apache-navigation">
- <li><a href="http://www.apache.org/">Apache</a></li>
- <li><a href="http://www.apache.org/licenses/">License</a></li>
- <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
- <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
- <li><a href="/security.html">Security</a></li>
- <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
- </ul>
-
- <p id="-legal">
- Apache Qpid, Messaging built on AMQP; Copyright © 2015
- The Apache Software Foundation; Licensed under
- the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
- License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
- Proton, Apache, the Apache feather logo, and the Apache Qpid
- project logo are trademarks of The Apache Software
- Foundation; All other marks mentioned may be trademarks or
- registered trademarks of their respective owners
- </p>
- </div>
- </div>
- </div>
- </body>
-</html>
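Review bot: this hunk removes a page that other pages in the same qpid-0.26 tree link to and that itself links onward, so the deletion only holds together if the whole tree goes in the same series; the navheader and navfooter point at `Java-Broker-Security-Group-Providers.html`, `Java-Broker-Security-SSL.html` and `Java-Broker-Security.html`, the body cross-references `Java-Broker-Virtual-Hosts-Configuration-File-ACL.html` and `Java-Broker-Configuring-And-Managing-HTTP-Management.html`, and the breadcrumb reaches back to `/releases/qpid-0.26/index.html` and `/releases/index.html`. Please confirm that the remaining parts of this [partial] commit remove every sibling under `content/releases/qpid-0.26/java-broker/book/` and drop the 0.26 entry from `/releases/index.html`, otherwise the surviving pages carry dangling links. Since this page was the reference for writing `.acl` files (the implicit trailing `ACL DENY ALL ALL`, the `DENY-LOG` bootstrapping approach, and the `from_network`/`from_hostname` properties), it is also worth adding a redirect for the old URL or stating in the commit message where the scrubbed 0.26 documentation remains available, so operators still on that release are not left with a 404 for their security configuration guidance.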
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html
deleted file mode 100644
index 3cb6d67..0000000
--- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-Group-Providers.html
+++ /dev/null
@@ -1,174 +0,0 @@
-<!DOCTYPE html>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
--->
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
- <head>
- <title>11.2. Group Providers - Apache Qpid™</title>
- <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
- <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
- <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
- <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
- <script type="text/javascript">var _deferredFunctions = [];</script>
- <script type="text/javascript" src="/deferred.js" defer="defer"></script>
- <!--[if lte IE 8]>
- <link rel="stylesheet" href="/ie.css" type="text/css"/>
- <script type="text/javascript" src="/html5shiv.js"></script>
- <![endif]-->
-
- <!-- Redirects for `go get` and godoc.org -->
- <meta name="go-import"
- content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
- <meta name="go-source"
- content="qpid.apache.org
-https://github.com/apache/qpid-proton/blob/go1/README.md
-https://github.com/apache/qpid-proton/tree/go1{/dir}
-https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
- </head>
- <body>
- <div id="-content">
- <div id="-top" class="panel">
- <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
-
- <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
-
- <ul id="-global-navigation">
- <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
- <li><a href="/documentation.html">Documentation</a></li>
- <li><a href="/download.html">Download</a></li>
- <li><a href="/discussion.html">Discussion</a></li>
- </ul>
- </div>
-
- <div id="-menu" class="panel" style="display: none;">
- <div class="flex">
- <section>
- <h3>Project</h3>
-
- <ul>
- <li><a href="/overview.html">Overview</a></li>
- <li><a href="/components/index.html">Components</a></li>
- <li><a href="/releases/index.html">Releases</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Messaging APIs</h3>
-
- <ul>
- <li><a href="/proton/index.html">Qpid Proton</a></li>
- <li><a href="/components/jms/index.html">Qpid JMS</a></li>
- <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Servers and tools</h3>
-
- <ul>
- <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
- <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
- <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Resources</h3>
-
- <ul>
- <li><a href="/dashboard.html">Dashboard</a></li>
- <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
- <li><a href="/resources.html">More resources</a></li>
- </ul>
- </section>
- </div>
- </div>
-
- <div id="-search" class="panel" style="display: none;">
- <form action="http://www.google.com/search" method="get">
- <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
- <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
- <button type="submit">Search</button>
- <a href="/search.html">More ways to search</a>
- </form>
- </div>
-
- <div id="-middle" class="panel">
- <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.2. Group Providers</li></ul>
-
- <div id="-middle-content">
- <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.2. Group Providers</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Group-Providers"></a>11.2. Group Providers</h2></div></div></div><p>
- The Java broker utilises GroupProviders to allow assigning users to groups for use in <a class="link" href="Java-Broker-Security-ACLs.html" title="11.3. Access Control Lists">ACLs</a>.
- Following authentication by a given <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers" title="11.1. Authentication Providers">Authentication Provider</a>,
- the configured Group Providers are consulted allowing the assignment of GroupPrincipals for a given authenticated user. Any number of
- Group Providers can be added into the Broker. All of them will be checked for the presence of the groups for a given authenticated user.
- </p><p>The <span class="emphasis"><em>Group Provider</em></span> can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">
- REST Management interfaces</a> and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>.</p><p>The following <span class="emphasis"><em>Group Provider</em></span> managing operations are available from Web Management Console:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Group Provider can be added by clicking onto "Add Group Provider" button on a Broker tab.</p></li><li class="listitem"><p>An existing providers can be removed by pressing "Delete Group Provider" button
- on Broker tab or Group Provider tab.</p></li><li class="listitem"><p>On clicking onto provider name in the Group Providers grid or Broker object tree,
- the tab for the Group Provider is displayed.</p></li><li class="listitem"><p>A new group can be added into the Group Provider by clicking onto "Add Group" button on provider tab.</p></li><li class="listitem"><p>An existing group can be deleted from the Group Provider by clicking onto "Delete Group" button on provider tab.</p></li><li class="listitem"><p>On clicking onto group name in the groups grid, the tab with the list of existing
- group members is displayed for the Group.</p></li><li class="listitem"><p>From the Group tab a new member can be added into a group or existing members can be deleted
- from a group by clicking on "Add Group Member" or "Remove Group Members" accordingly.</p></li></ul></div><p>
- </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="File-Group-Manager"></a>11.2.1. GroupFile Provider</h3></div></div></div><p>
- The <span class="emphasis"><em>GroupFile</em></span> Provider allows specifying group membership in a flat file on disk.
- On adding a new GroupFile Provider the path to the groups file is required to be specified.
- If file does not exist an empty file is created automatically. On deletion of GroupFile Provider
- the groups file is deleted as well. Only one instance of "GroupFile" Provider per groups file location can be created.
- On attempt to create another GroupFile Provider pointing to the same location the error will be displayed and
- the creation will be aborted.
- </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="File-Group-Manager-FileFormat"></a>11.2.1.1. File Format</h4></div></div></div><p>
- The groups file has the following format:
- </p><pre class="programlisting">
- # <GroupName>.users = <comma deliminated user list>
- # For example:
-
- administrators.users = admin,manager
-</pre><p>
- Only users can be added to a group currently, not other groups. Usernames can't contain commas.
- </p><p>
- Lines starting with a '#' are treated as comments when opening the file, but these are not preserved when the broker updates the file due to changes made through the management interface.
- </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-ACLs.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">Chapter 11. Security </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.3. Access Control Lists</td></tr></table></div></div>
-
- <hr/>
-
- <ul id="-apache-navigation">
- <li><a href="http://www.apache.org/">Apache</a></li>
- <li><a href="http://www.apache.org/licenses/">License</a></li>
- <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
- <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
- <li><a href="/security.html">Security</a></li>
- <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
- </ul>
-
- <p id="-legal">
- Apache Qpid, Messaging built on AMQP; Copyright © 2015
- The Apache Software Foundation; Licensed under
- the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
- License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
- Proton, Apache, the Apache feather logo, and the Apache Qpid
- project logo are trademarks of The Apache Software
- Foundation; All other marks mentioned may be trademarks or
- registered trademarks of their respective owners
- </p>
- </div>
- </div>
- </div>
- </body>
-</html>
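Review bot: This hunk deletes the only visible description of the GroupFile format (`administrators.users = admin,manager`, users only, no nested groups, no commas in usernames) and the operational caveat that `#` comment lines are dropped when the broker rewrites the file via the management interface; before scrubbing the 0.26 copy, confirm the current release's Group Providers page still carries that caveat, and reference the replacement location in the commit message so the removal is traceable.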
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html
deleted file mode 100644
index 286a2cc..0000000
--- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security-SSL.html
+++ /dev/null
@@ -1,190 +0,0 @@
-<!DOCTYPE html>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
--->
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
- <head>
- <title>11.4. SSL - Apache Qpid™</title>
- <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
- <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
- <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
- <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
- <script type="text/javascript">var _deferredFunctions = [];</script>
- <script type="text/javascript" src="/deferred.js" defer="defer"></script>
- <!--[if lte IE 8]>
- <link rel="stylesheet" href="/ie.css" type="text/css"/>
- <script type="text/javascript" src="/html5shiv.js"></script>
- <![endif]-->
-
- <!-- Redirects for `go get` and godoc.org -->
- <meta name="go-import"
- content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
- <meta name="go-source"
- content="qpid.apache.org
-https://github.com/apache/qpid-proton/blob/go1/README.md
-https://github.com/apache/qpid-proton/tree/go1{/dir}
-https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
- </head>
- <body>
- <div id="-content">
- <div id="-top" class="panel">
- <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
-
- <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
-
- <ul id="-global-navigation">
- <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
- <li><a href="/documentation.html">Documentation</a></li>
- <li><a href="/download.html">Download</a></li>
- <li><a href="/discussion.html">Discussion</a></li>
- </ul>
- </div>
-
- <div id="-menu" class="panel" style="display: none;">
- <div class="flex">
- <section>
- <h3>Project</h3>
-
- <ul>
- <li><a href="/overview.html">Overview</a></li>
- <li><a href="/components/index.html">Components</a></li>
- <li><a href="/releases/index.html">Releases</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Messaging APIs</h3>
-
- <ul>
- <li><a href="/proton/index.html">Qpid Proton</a></li>
- <li><a href="/components/jms/index.html">Qpid JMS</a></li>
- <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Servers and tools</h3>
-
- <ul>
- <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
- <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
- <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Resources</h3>
-
- <ul>
- <li><a href="/dashboard.html">Dashboard</a></li>
- <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
- <li><a href="/resources.html">More resources</a></li>
- </ul>
- </section>
- </div>
- </div>
-
- <div id="-search" class="panel" style="display: none;">
- <form action="http://www.google.com/search" method="get">
- <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
- <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
- <button type="submit">Search</button>
- <a href="/search.html">More ways to search</a>
- </form>
- </div>
-
- <div id="-middle" class="panel">
- <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>11.4. SSL</li></ul>
-
- <div id="-middle-content">
- <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">11.4. SSL</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><th align="center" width="60%">Chapter 11. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-SSL"></a>11.4. SSL</h2></div></div></div><p>
- This section guides through the details of configuration of Keystores and Trsustores
- required for enabling of SSL transport and Client Certificate Authentication on Broker ports.
- The details how to configure SSL on Broker ports are provided in <a class="xref" href="Java-Broker-Ports.html" title="Chapter 6. Broker Ports">Chapter 6, <em>Broker Ports</em></a>.
- </p><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-SSL-Keystore"></a>11.4.1. Keystore Configuration</h3></div></div></div><p>
- A Keystore can be added/deleted/edited using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">
- REST Management interfaces</a> and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">
- Web Management Console</a>. Any number of Keystores can be configured on the Broker.
- SSL ports can be configured with different Keystores.
- </p><p>The following Keystore managing operations are available from
- <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Keystore can be added by clicking on "Add Key Store" button on the Broker tab.</p></li><li class="listitem"><p>Keystore details can be viewed on the Keystore tab which is displayed after clicking
- on Keystore name in the Broker object tree or after clicking on Keystore row in Keystores grid on the Broker tab.</p></li><li class="listitem"><p>Editing of Keystore can be performed by clicking on "Edit" button on the Keystore tab.
- Changing of Keystore name is unsupported at the moment. If changed Keystore is used by the Port
- the changes on Port object will take effect after Broker restart.</p></li><li class="listitem"><p>An existing Keystore can be deleted by clicking on "Delete Key Store" button on Broker tab
- or hitting "Delete" button on the Keystore tab. Only unused Keystores can be deleted.
- The deletion of the Keystore configured on any Broker Port is not allowed.</p></li></ul></div><p>
- </p><p>
- The "Keystore certificate alias" field is an optional way of specifying which certificate the broker should use
- if the keystore contains multiple entries. Optionally "Key manager factory algorithm" and "Key store type" can
- be specified on Keystore creation.
- </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>
- The password of the certificate used by the Broker <span class="bold"><strong>must</strong></span>
- match the password of the keystore itself. This is a restriction of the Qpid Broker
- implementation. If using the <a class="ulink" href="http://docs.oracle.com/javase/6/docs/technotes/tools/solaris/keytool.html" target="_top">keytool</a> utility,
- note that this means the argument to the <code class="option">-keypass</code> option must match
- the <code class="option">-storepass</code> option.
- </p></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="SSL-Truststore-ClientCertificate"></a>11.4.2. Truststore / Client Certificate Authentication</h3></div></div></div><p>
- The SSL trustore and related Client Certificate Authentication behaviour can be configured
- by adding a Trustore configured object and associating it with the SSL port.
- A Truststore can be added/deleted/edited using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">
- REST Management interfaces</a> and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">
- Web Management Console</a>. Any number of Trustores can be configured on the Broker.
- Multiple Trustores can be configured on Broker SSL Ports.
- </p><p>The following Truststore managing operations are available from
- <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Truststore can be added by clicking on "Add Trust Store" button on the Broker tab.</p></li><li class="listitem"><p>Truststore details can be viewed on the Truststore tab which is displayed after clicking
- onto Truststore name in the Broker object tree or after clicking onto Truststore row in Truststores grid on the Broker tab.</p></li><li class="listitem"><p>Trustore can be edited by clicking onto "Edit" button on the Trustore tab.
- Changing of Trustore name is unsupported at the moment.</p></li><li class="listitem"><p>An existing Trustore can be deleted by clicking onto "Delete Trust Store" button
- on Broker tab or "Delete" button on the Truststore tab. Only unused Truststores can be deleted.
- The deletion of the Truststore configured on any Broker Port is not allowed.</p></li></ul></div><p>
- </p><p>When "Peers Only" option is selected for the Truststore it will allow logging in for the clients
- with the certificate exactly matching the certificate loaded in the Truststore database,
- thus, authenticating the connections with self signed certificates not nessesary signed by CA.
- </p><p>"Trust manager factory algorithm" and "Trust store type" can
- be optionally specified for the Trustore.
- </p></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-ACLs.html">Prev</a> </td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">11.3. Access Control Lists </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> Chapter 12. Runtime</td></tr></table></div></div>
-
- <hr/>
-
- <ul id="-apache-navigation">
- <li><a href="http://www.apache.org/">Apache</a></li>
- <li><a href="http://www.apache.org/licenses/">License</a></li>
- <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
- <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
- <li><a href="/security.html">Security</a></li>
- <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
- </ul>
-
- <p id="-legal">
- Apache Qpid, Messaging built on AMQP; Copyright © 2015
- The Apache Software Foundation; Licensed under
- the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
- License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
- Proton, Apache, the Apache feather logo, and the Apache Qpid
- project logo are trademarks of The Apache Software
- Foundation; All other marks mentioned may be trademarks or
- registered trademarks of their respective owners
- </p>
- </div>
- </div>
- </div>
- </body>
-</html>
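Review bot: The removed SSL page documents two security-relevant constraints that administrators depend on: the "Important" block stating the certificate password `must` match the keystore password (`-keypass` equal to `-storepass` with keytool), and the "Peers Only" truststore behaviour, which accepts only a certificate exactly matching one loaded in the truststore rather than a CA-signed chain. Check that both statements survive in the current release's SSL page before deleting this copy, since a reader following an old link will otherwise lose the only place the restriction was spelled out.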
http://git-wip-us.apache.org/repos/asf/qpid-site/blob/a39b425b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html
----------------------------------------------------------------------
diff --git a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html b/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html
deleted file mode 100644
index 4ef9aca..0000000
--- a/content/releases/qpid-0.26/java-broker/book/Java-Broker-Security.html
+++ /dev/null
@@ -1,280 +0,0 @@
-<!DOCTYPE html>
-<!--
- -
- - Licensed to the Apache Software Foundation (ASF) under one
- - or more contributor license agreements. See the NOTICE file
- - distributed with this work for additional information
- - regarding copyright ownership. The ASF licenses this file
- - to you under the Apache License, Version 2.0 (the
- - "License"); you may not use this file except in compliance
- - with the License. You may obtain a copy of the License at
- -
- - http://www.apache.org/licenses/LICENSE-2.0
- -
- - Unless required by applicable law or agreed to in writing,
- - software distributed under the License is distributed on an
- - "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- - KIND, either express or implied. See the License for the
- - specific language governing permissions and limitations
- - under the License.
- -
--->
-<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
- <head>
- <title>Chapter 11. Security - Apache Qpid™</title>
- <meta http-equiv="X-UA-Compatible" content="IE=edge"/>
- <meta name="viewport" content="width=device-width, initial-scale=1.0"/>
- <link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
- <link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
- <script type="text/javascript">var _deferredFunctions = [];</script>
- <script type="text/javascript" src="/deferred.js" defer="defer"></script>
- <!--[if lte IE 8]>
- <link rel="stylesheet" href="/ie.css" type="text/css"/>
- <script type="text/javascript" src="/html5shiv.js"></script>
- <![endif]-->
-
- <!-- Redirects for `go get` and godoc.org -->
- <meta name="go-import"
- content="qpid.apache.org git https://git-wip-us.apache.org/repos/asf/qpid-proton.git"/>
- <meta name="go-source"
- content="qpid.apache.org
-https://github.com/apache/qpid-proton/blob/go1/README.md
-https://github.com/apache/qpid-proton/tree/go1{/dir}
-https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
- </head>
- <body>
- <div id="-content">
- <div id="-top" class="panel">
- <a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
-
- <a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
-
- <ul id="-global-navigation">
- <li><a id="-logotype" href="/index.html">Apache Qpid<sup>™</sup></a></li>
- <li><a href="/documentation.html">Documentation</a></li>
- <li><a href="/download.html">Download</a></li>
- <li><a href="/discussion.html">Discussion</a></li>
- </ul>
- </div>
-
- <div id="-menu" class="panel" style="display: none;">
- <div class="flex">
- <section>
- <h3>Project</h3>
-
- <ul>
- <li><a href="/overview.html">Overview</a></li>
- <li><a href="/components/index.html">Components</a></li>
- <li><a href="/releases/index.html">Releases</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Messaging APIs</h3>
-
- <ul>
- <li><a href="/proton/index.html">Qpid Proton</a></li>
- <li><a href="/components/jms/index.html">Qpid JMS</a></li>
- <li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Servers and tools</h3>
-
- <ul>
- <li><a href="/components/java-broker/index.html">Broker for Java</a></li>
- <li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
- <li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
- </ul>
- </section>
-
- <section>
- <h3>Resources</h3>
-
- <ul>
- <li><a href="/dashboard.html">Dashboard</a></li>
- <li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
- <li><a href="/resources.html">More resources</a></li>
- </ul>
- </section>
- </div>
- </div>
-
- <div id="-search" class="panel" style="display: none;">
- <form action="http://www.google.com/search" method="get">
- <input type="hidden" name="sitesearch" value="qpid.apache.org"/>
- <input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
- <button type="submit">Search</button>
- <a href="/search.html">More ways to search</a>
- </form>
- </div>
-
- <div id="-middle" class="panel">
- <ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-0.26/index.html">Qpid 0.26</a></li><li><a href="/releases/qpid-0.26/java-broker/book/index.html">AMQP Messaging Broker (Java)</a></li><li>Chapter 11. Security</li></ul>
-
- <div id="-middle-content">
- <div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">Chapter 11. Security</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a> </td><th align="center" width="60%"> </th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr></table><hr /></div><div class="chapter"><div class="titlepage"><div><div><h1 class="title"><a id="Java-Broker-Security"></a>Chapter 11. Security</h1></div></div></div><div class="toc"><p><strong>Table of Contents</strong></p><dl class="toc"><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Authentication-Providers">11.1. Authentication Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-LDAP-Provider">11.1.1. Simple LDAP Authentication
Provider</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Kerberos-Provider">11.1.2. Kerberos</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-External-Provider">11.1.3. External (SSL Client Certificates)</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Anonymous-Provider">11.1.4. Anonymous</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider">11.1.5. Plain Password File</a></span></dt><dt><span class="section"><a href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider">11.1.6. Base64MD5 Password File</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html">11.2. Group Providers</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-Group-Providers.html#File-Group-Manager">1
1.2.1. GroupFile Provider</a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-ACLs.html">11.3. Access Control Lists</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WriteACL">11.3.1.
- Writing .acl files
- </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-Syntax">11.3.2.
- Syntax
- </a></span></dt><dt><span class="section"><a href="Java-Broker-Security-ACLs.html#Java-Broker-Security-ACLs-WorkedExamples">11.3.3.
- Worked Examples
- </a></span></dt></dl></dd><dt><span class="section"><a href="Java-Broker-Security-SSL.html">11.4. SSL</a></span></dt><dd><dl><dt><span class="section"><a href="Java-Broker-Security-SSL.html#Java-Broker-SSL-Keystore">11.4.1. Keystore Configuration</a></span></dt><dt><span class="section"><a href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate">11.4.2. Truststore / Client Certificate Authentication</a></span></dt></dl></dd></dl></div><div class="section"><div class="titlepage"><div><div><h2 class="title"><a id="Java-Broker-Security-Authentication-Providers"></a>11.1. Authentication Providers</h2></div></div></div><p>
- In order to successfully establish a connection to the Java Broker, the connection must be
- authenticated. The Java Broker supports a number of different authentication schemes, each
- with its own "authentication provider". Any number of Authentication Providers can be configured
- on the Broker at the same time.
- </p><p>
- The Authentication Providers can be configured using <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-REST-API" title="5.2.4. REST API">REST Management interfaces</a>
- and <a class="link" href="Java-Broker-Configuring-And-Managing-HTTP-Management.html#Java-Broker-Configuring-And-Managing-Web-Console" title="5.2.2. Web Management Console">Web Management Console</a>.
- </p><p>The following Authentication Provider managing operations are available from Web Management Console:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>A new Authentication Provider can be added by clicking onto "Add Provider" on the Broker tab.</p></li><li class="listitem"><p>An Authentication Provider details can be viewed on the Authentication Provider tab.
- The tab is displayed after clicking onto Authentication Provider name in the Broker object tree or after clicking
- onto Authentication Provider row in Authentication Providers grid on the Broker tab.</p></li><li class="listitem"><p>Editing of Authentication Provider can be performed by clicking on "Edit" button
- on Authentication Provider tab.</p></li><li class="listitem"><p>An existing Authentication Provider can be deleted by clicking on "Delete Provider" button
- on Broker tab or "Delete" button on the Authentication Provider tab.</p></li></ul></div><p>
- The Authentication Provider type and name cannot be changed for existing providers as editing of name and type
- is unsupported at the moment. Only provider specific attributes can be modified in the editing dialog
- and stored in the broker configuration store.
- </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3>
- Only unused Authentication Provider can be deleted. For delete requests attempting to delete Authentication Provider
- associated with the Ports, the errors will be returned and delete operations will be aborted. It is possible to change
- the Authentication Provider on Port at runtime. However, the Broker restart is required for changes on Port to take effect.
- </div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-LDAP-Provider"></a>11.1.1. Simple LDAP Authentication Provider</h3></div></div></div><p>
- SimpleLDAPAuthenticationProvider authenticates connections against a Directory (LDAP).
- </p><p>
- To create a SimpleLDAPAuthenticationProvider the following mandatory fields are required:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP server URL</em></span> is the URL of the server, for example, <code class="literal">ldaps://example.com:636</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search context</em></span> is the distinguished name of the search base object. It defines the location from which
- the search for users begins, for example, <code class="literal">dc=users,dc=example,dc=com</code></p></li><li class="listitem"><p><span class="emphasis"><em>Search filter</em></span> is a DN template to find an LDAP user entry by provided user name, for example, <code class="literal">(uid={0})</code></p></li></ul></div><p>
- Additionally, the following optional fields can be specified:
- </p><div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p><span class="emphasis"><em>LDAP context factory</em></span> is a fully qualified class name for the JNDI LDAP context factory.
- This class must implement the <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/spi/InitialContextFactory.html" target="_top">InitialContextFactory</a>
- interface and produce instances of <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/directory/DirContext.html" target="_top">DirContext</a>.
- If not specified a default value of <code class="literal">com.sun.jndi.ldap.LdapCtxFactory</code> is used.</p></li><li class="listitem"><p><span class="emphasis"><em>LDAP authentication URL</em></span> is the URL of LDAP server for performing "ldap bind". If not
- specified, the <span class="emphasis"><em>LDAP server URL</em></span> will be used for both searches and authentications.</p></li><li class="listitem"><p><span class="emphasis"><em>Truststore name</em></span> is a name of <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication">configured truststore</a>.
- Use this if connecting to a Directory over SSL (i.e. ldaps://) which is protected by a certificate signed by a private CA (or
- utilising a self-signed certificate).</p></li></ul></div><p>
- </p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3>
- In order to protect the security of the user's password, when using LDAP authentication, you must:
- <div class="itemizedlist"><ul class="itemizedlist" type="disc"><li class="listitem"><p>Use SSL on the broker's AMQP, JMX, and HTTP ports to protect the password during
- transmission to the Broker.</p></li><li class="listitem"><p>Authenticate to the Directory using SSL (i.e. ldaps://) to protect the password
- during transmission from the Broker to the Directory.</p></li></ul></div></div><p>
- The LDAP Authentication Provider works in the following manner. It first connects to the Directory anonymously
- and searches for the ldap entity which is identified by the username. The search begins at the distinguished name
- identified by <code class="literal">Search Context</code> and uses the username as a filter. The search scope is sub-tree
- meaning the search will include the base object and the subtree extending beneath it.
- </p><p>
- If the search returns a match, the Authentication Provider then attempts to bind to the LDAP server with the given
- name and the password. Note that
- <a class="ulink" href="http://docs.oracle.com/javase/6/docs/api/javax/naming/Context.html#SECURITY_AUTHENTICATION" target="_top">simple security authentication</a>
- is used so the Directory receives the password in the clear.
- </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Kerberos-Provider"></a>11.1.2. Kerberos</h3></div></div></div><p>
- Kereberos Authentication Provider uses java GSS-API SASL mechanism to authenticate the connections.
- </p><p>
- Configuration of kerberos is done through system properties (there doesn't seem to be a way
- around this unfortunately).
- </p><pre class="programlisting">
- export JAVA_OPTS=-Djavax.security.auth.useSubjectCredsOnly=false -Djava.security.auth.login.config=qpid.conf
- ${QPID_HOME}/bin/qpid-server
- </pre><p>Where qpid.conf would look something like this:</p><pre class="programlisting">
-com.sun.security.jgss.accept {
- com.sun.security.auth.module.Krb5LoginModule required
- useKeyTab=true
- storeKey=true
- doNotPrompt=true
- realm="EXAMPLE.COM"
- useSubjectCredsOnly=false
- kdc="kerberos.example.com"
- keyTab="/path/to/keytab-file"
- principal="<name>/<host>";
-};</pre><p>
- Where realm, kdc, keyTab and principal should obviously be set correctly for the environment
- where you are running (see the existing documentation for the C++ broker about creating a keytab
- file).
- </p><p>
- Note: You may need to install the "Java Cryptography Extension (JCE) Unlimited Strength
- Jurisdiction Policy Files" appropriate for your JDK in order to get Kerberos support working.
- </p><p>
- Since Kerberos support only works where SASL authentication is available (e.g. not for JMX
- authentication) you may wish to also include an alternative Authentication Provider
- configuration, and use this for JMX and HTTP ports.
- </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-External-Provider"></a>11.1.3. External (SSL Client Certificates)</h3></div></div></div><p>
- When <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication"> requiring SSL Client Certificates</a> be
- presented the External Authentication Provider can be used, such that the user is authenticated based on
- trust of their certificate alone, and the X500Principal from the SSL session is then used as the username
- for the connection, instead of also requiring the user to present a valid username and password.
- </p><p>
- <span class="bold"><strong>Note:</strong></span> The External Authentication Provider should typically only be used on the
- AMQP ports, in conjunction with <a class="link" href="Java-Broker-Security-SSL.html#SSL-Truststore-ClientCertificate" title="11.4.2. Truststore / Client Certificate Authentication">SSL client certificate
- authentication</a>. It is not intended for other uses such as the JMX management port and will treat any
- non-sasl authentication processes on these ports as successful with the given username. As such you should
- configure another Authentication Provider for use on non-AMQP ports. Perhaps the only exception to this
- would be where the broker is embedded in a container that is itself externally protecting the HTTP interface
- and then providing the remote users name.
- </p><p>On creation of External Provider the use of full DN or username CN as a principal name can be configured.
- If field "Use the full DN as the Username" is set to "true" the full DN is used as an authenticated principal name.
- If field "Use the full DN as the Username" is set to "false" the user name CN part is used as the authenticated principal name.
- Setting the field to "false" is particular useful when <a class="link" href="Java-Broker-Security-ACLs.html" title="11.3. Access Control Lists">ACL</a> is required,
- as at the moment, ACL does not support commas in the user name.
- </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Anonymous-Provider"></a>11.1.4. Anonymous</h3></div></div></div><p>
- The Anonymous Authentication Provider will allow users to connect with or without credentials and result
- in their identification on the broker as the user ANONYMOUS. This Provider does not require specification
- of any additional fields on creation.
- </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-PlainPasswordFile-Provider"></a>11.1.5. Plain Password File</h3></div></div></div><p>
- The PlainPasswordFile Provider uses local file to store and manage user credentials.
- When creating an authentication provider the path to the file needs to be specified.
- If specified file does not exist an empty file is created automatically on Authentication Provider creation.
- On Provider deletion the password file is deleted as well. For this Provider
- user credentials can be added, removed or changed using REST management interfaces and web management console.
- </p><p>
- On navigating to the Plain Password File Provider tab (by clicking onto provider name from Broker tree or provider
- row in providers grid on Broker tab) the list of existing credentials is displayed on the tab with the buttons "Add User"
- and "Delete Users" to add new user credentials and delete the existing user credentials respectively.
- On clicking into user name on Users grid the pop-up dialog to change the password is displayed.
- </p><div class="section"><div class="titlepage"><div><div><h4 class="title"><a id="idm140218886937008"></a>11.1.5.1. Plain Password File Format</h4></div></div></div><p>
- The user credentials are stored on the single file line as user name and user password pairs separated by colon character.
- </p><pre class="programlisting">
-# password file format
-# <user name>: <user password>
-guest:guest
- </pre></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Base64MD5PasswordFile-Provider"></a>11.1.6. Base64MD5 Password File</h3></div></div></div><p>
- Base64MD5PasswordFile Provider uses local file to store and manage user credentials similar to Similar to PlainPasswordFile
- but instead of storing a password the MD5 password digest encoded with Base64 encoding is stored in the file.
- When creating an authentication provider the path to the file needs to be specified.
- If specified file does not exist an empty file is created automatically on Authentication Provider creation.
- On Base64MD5PasswordFile Provider deletion the password file is deleted as well. For this Provider
- user credentials can be added, removed or changed using REST management interfaces and web management console.
- </p><p>
- On navigating to the Base64MD5PasswordFile Provider tab (by clicking onto provider name from Broker tree or provider
- row in providers grid on Broker tab) the list of existing credentials is displayed on the tab with the buttons "Add User"
- and "Delete Users" to add new user credentials and delete the existing user credentials respectively.
- On clicking into user name on Users grid the pop-up dialog to change the password is displayed.
- </p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Stores-HA-BDB-Store.html">Prev</a> </td><td align="center" width="20%"> </td><td align="right" width="40%"> <a accesskey="n" href="Java-Broker-Security-Group-Providers.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">10.5. High Availability BDB Message Store </td><td align="center" width="20%"><a accesskey="h" href="index.html">Home</a></td><td align="right" valign="top" width="40%"> 11.2. Group Providers</td></tr></table></div></div>
-
- <hr/>
-
- <ul id="-apache-navigation">
- <li><a href="http://www.apache.org/">Apache</a></li>
- <li><a href="http://www.apache.org/licenses/">License</a></li>
- <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
- <li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
- <li><a href="/security.html">Security</a></li>
- <li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
- </ul>
-
- <p id="-legal">
- Apache Qpid, Messaging built on AMQP; Copyright © 2015
- The Apache Software Foundation; Licensed under
- the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
- License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
- Proton, Apache, the Apache feather logo, and the Apache Qpid
- project logo are trademarks of The Apache Software
- Foundation; All other marks mentioned may be trademarks or
- registered trademarks of their respective owners
- </p>
- </div>
- </div>
- </div>
- </body>
-</html>
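Review bot: dropping this chapter leaves the rest of the same release's book pointing at it unless the sibling pages go in the same series; the table of contents in this file links `Java-Broker-Security-Group-Providers.html`, `Java-Broker-Security-ACLs.html` and `Java-Broker-Security-SSL.html`, and the External provider section links back to the ACL page, so a partial scrub that stops short of the whole book would leave dangling links in the deployed site. Since the commit is one of a numbered series, please confirm the remaining pages of this book are deleted alongside it, and consider a redirect from the old URL: this page carries security caveats that external links are likely to target (the LDAP provider uses simple bind so "the Directory receives the password in the clear", the External provider treats "non-sasl authentication processes" on non-AMQP ports as successful, and the Base64MD5 provider stores only a Base64-encoded MD5 digest of the password), and readers following those links should land on the current release's equivalent section rather than a 404.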