Posted to commits@activemq.apache.org by bu...@apache.org on 2013/06/16 10:21:37 UTC
svn commit: r865809 - in /websites/production/activemq/content: cache/main.pageCache shiro.html
Author: buildbot
Date: Sun Jun 16 08:21:37 2013
New Revision: 865809
Log:
Production update by buildbot for activemq
Modified:
websites/production/activemq/content/cache/main.pageCache
websites/production/activemq/content/shiro.html
Modified: websites/production/activemq/content/cache/main.pageCache
==============================================================================
Binary files - no diff available.
Modified: websites/production/activemq/content/shiro.html
==============================================================================
--- websites/production/activemq/content/shiro.html (original)
+++ websites/production/activemq/content/shiro.html Sun Jun 16 08:21:37 2013
@@ -76,23 +76,76 @@
<p>The ActiveMQ Shiro plugin can secure all aspects of ActiveMQ, from authenticating transport connections to authorizing behavior with topics and queues and everything in between.</p>
-<h2><a shape="rect" name="Shiro-Overview"></a>Overview</h2>
+<h2><a shape="rect" name="Shiro-Usage"></a>Usage</h2>
-<p>The Shiro plugin is a <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerPlugin.html">BrokerPlugin</a> that inserts 3 <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerFilter.html">BrokerFilter</a>s in the broker filter chain: the <tt>SubjectFilter</tt>, the <tt>AuthenticationFilter</tt> and the <tt>AuthorizationFilter</tt></p>
-
-<p><b>SubjectFilter</b></p>
+<p>The fastest/simplest way to enable the ShiroPlugin is to define it as a Spring bean in the <tt>broker</tt> <tt>plugins</tt> section and use Shiro's <a shape="rect" class="external-link" href="http://shiro.apache.org/configuration.html">ini configuration</a>:</p>
-<p>The <tt>SubjectFilter</tt> exists before all other Shiro-related broker filters in the broker filter chain. It constructs a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/subject.html">Subject</a> instance reflecting the broker client and ensures the <tt>Subject</tt> instance is available for all downstream broker filters that may need to use the <tt>Subject</tt> to perform security operations.</p>
+<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
+<pre class="code-java">
+<beans xmlns=<span class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>
+</span> xmlns:amq=<span class="code-quote">"http:<span class="code-comment">//activemq.apache.org/schema/core"</span>
+</span> xmlns:xsi=<span class="code-quote">"http:<span class="code-comment">//www.w3.org/2001/XMLSchema-instance"</span>
+</span> xsi:schemaLocation="
+ http:<span class="code-comment">//www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
+</span> http:<span class="code-comment">//activemq.apache.org/schema/core http://activemq.apache.org/schema/core/activemq-core.xsd">
+</span>
+ <broker xmlns=<span class="code-quote">"http:<span class="code-comment">//activemq.apache.org/schema/core"</span> ... other attributes here ...>
+</span> <plugins>
+ <bean id=<span class="code-quote">"shiroPlugin"</span> class=<span class="code-quote">"org.apache.activemq.shiro.ShiroPlugin"</span> xmlns=<span class="code-quote">"http:<span class="code-comment">//www.springframework.org/schema/beans"</span>>
+</span> <property name=<span class="code-quote">"iniConfig"</span>><value>
-<p><b>AuthenticationFilter</b></p>
+ [main]
+ # Shiro object graph configuration here <span class="code-keyword">if</span> desired/necessary
-<p>The <tt>AuthenticationFilter</tt> exists immediately after the <tt>SubjectFilter</tt> in the broker filter chain. It ensures that the broker client <tt>Subject</tt> is authenticated if necessary before allowing the chain to continue. If authentication is required and the <tt>Subject</tt> is not authenticated, the broker filter chain will not be executed, ensuring only verified identities may perform further behavior.</p>
+ [users]
+ # users section format:
+ #
+ # username = password [, assignedRole1, assignedRole2, ..., assignedRoleN]
+ #
+ # <span class="code-keyword">for</span> example:
+ #
+ # scott = tiger, advisory, users, administrators
+ #
+ # Roles and permissions assigned to roles are defined in the [roles] section
+ # below. By transitive association, any user assigned a role is granted the
+ # role's permissions.
+
+ # ActiveMQ <span class="code-object">System</span> User
+ # needed <span class="code-keyword">for</span> in-VM/local connections when authentication is enabled:
+ system = manager, system
+
+ [roles]
+ # roles section format:
+ #
+ # roleName = wildcardPermission1, wildcardPermission2, ..., wildcardPermissionN
+ #
+ # The 'system' role is assigned all permissions (*). Be careful when assigning
+ # <span class="code-keyword">this</span> to actual users other than then system user:
+ system = *
+
+ # Full access rights should generally be given to the ActiveMQ.Advisory.*
+ # destinations because by <span class="code-keyword">default</span> an ActiveMQConnection uses advisory topics to
+ # get early knowledge of temp destination creation and deletion. For more info:
+ #
+ # http:<span class="code-comment">//activemq.apache.org/security.html
+</span> #
+ # So we create an 'advisory' role here with a wildcard/<span class="code-keyword">catch</span>-all permissions
+ # <span class="code-keyword">for</span> all advisory topics. To make your life easy, ensure you assign <span class="code-keyword">this</span> to
+ # any/all users in the [users] section above, e.g.
+ #
+ # jsmith = jsmithsPassword, advisory, ...
-<p><b>AuthorizationFilter</b></p>
+ advisory = topic:ActiveMQ.Advisory*
-<p>The <tt>AuthorizationFilter</tt> exists immediately after the <tt>AuthenticationFilter</tt> in the broker filter chain. It ensures that the <tt>Subject</tt> associated with the filter chain is authorized (permitted) to perform the action being attempted before allowing the action to execute. </p>
+ </value></property>
+ </bean>
+ </plugins>
+ </broker>
+</beans>
+</pre>
+</div></div>
-<p>For example, it would ensure that the <tt>Subject</tt> is allowed to send a message to a particular topic before allowing the send operation to execute. If authorization is enabled and the <tt>Subject</tt> is not authorized to perform the desired action, the broker filter chain will not be executed.</p>
+<p>This config assumes you have a simple/small set of static users that access your ActiveMQ broker. We'll cover enabling more advanced user repositories later.</p>
<h2><a shape="rect" name="Shiro-Configuration"></a>Configuration</h2>
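Review bot: the ini sample in this hunk ships a working default credential, `system = manager, system`, and the same snippet grants that account every permission via `system = *`, so anyone who pastes the example unchanged gets a broker whose in-VM system account is guessable from the public documentation. The comment above `system = *` only warns against assigning the role to other users; add a sentence under `# ActiveMQ System User` telling readers to replace `manager` with a site-specific password before enabling authentication, which also fits the closing paragraph's point that this config is for a small static user set. Minor: the comment `# this to actual users other than then system user:` has a typo, `then` should read `the`.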
@@ -296,6 +349,24 @@ broker.setPlugins(<span class="code-keyw
</pre>
</div></div>
+<h2><a shape="rect" name="Shiro-Design"></a>Design</h2>
+
+<p>The Shiro plugin is a <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerPlugin.html">BrokerPlugin</a> that inserts 3 <a shape="rect" class="external-link" href="http://activemq.apache.org/maven/apidocs/org/apache/activemq/broker/BrokerFilter.html">BrokerFilter</a>s in the broker filter chain: the <tt>SubjectFilter</tt>, the <tt>AuthenticationFilter</tt> and the <tt>AuthorizationFilter</tt></p>
+
+<p><b>SubjectFilter</b></p>
+
+<p>The <tt>SubjectFilter</tt> exists before all other Shiro-related broker filters in the broker filter chain. It constructs a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/subject.html">Subject</a> instance reflecting the broker client and ensures the <tt>Subject</tt> instance is available for all downstream broker filters that may need to use the <tt>Subject</tt> to perform security operations.</p>
+
+<p><b>AuthenticationFilter</b></p>
+
+<p>The <tt>AuthenticationFilter</tt> exists immediately after the <tt>SubjectFilter</tt> in the broker filter chain. It ensures that the broker client <tt>Subject</tt> is authenticated if necessary before allowing the chain to continue. If authentication is required and the <tt>Subject</tt> is not authenticated, the broker filter chain will not be executed, ensuring only verified identities may perform further behavior.</p>
+
+<p><b>AuthorizationFilter</b></p>
+
+<p>The <tt>AuthorizationFilter</tt> exists immediately after the <tt>AuthenticationFilter</tt> in the broker filter chain. It ensures that the <tt>Subject</tt> associated with the filter chain is authorized (permitted) to perform the action being attempted before allowing the action to execute. </p>
+
+<p>For example, it would ensure that the <tt>Subject</tt> is allowed to send a message to a particular topic before allowing the send operation to execute. If authorization is enabled and the <tt>Subject</tt> is not authorized to perform the desired action, the broker filter chain will not be executed.</p>
+
<h2><a shape="rect" name="Shiro-SubjectFilter"></a>SubjectFilter</h2>
<p>The ShiroPlugin installs and executes the <tt>SubjectFilter</tt> before all other Shiro-related broker filters in the broker filter chain. The <tt>SubjectFilter</tt> constructs a Shiro <a shape="rect" class="external-link" href="http://shiro.apache.org/subject.html">Subject</a> instance reflecting the broker client and ensures the <tt>Subject</tt> instance is available for all downstream broker filters that may need to use the <tt>Subject</tt> to perform security operations.</p>
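Review bot: the new Design section duplicates the per-filter sections that follow it; the `SubjectFilter` paragraph added here is, apart from its first clause, the same text as the existing `Shiro-SubjectFilter` section visible in the trailing context, and the `AuthenticationFilter` and `AuthorizationFilter` paragraphs are the ones removed from the old Overview in the first hunk. Consider trimming the Design section to the single filter-chain paragraph (order `SubjectFilter`, `AuthenticationFilter`, `AuthorizationFilter`) and leaving the details to the dedicated sections, so the security-relevant behaviour (chain halts when authentication or authorization fails) is stated in one place and cannot drift between copies.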