Posted to users@activemq.apache.org by gui pei <gu...@gmail.com> on 2008/10/16 05:46:11 UTC

use AMQ to transfer, about Security problem

Hi, all
Here is a problem; does anyone know how to resolve it?

I have two ActiveMQ brokers, A and B. A has authorization, but B doesn't.

A has a connection to B. The configuration is this:

        <networkConnector name="amq_B" uri="static://(tcp://server_B:61616)"
userName="user" password="password"  duplex="true">
</networkConnector>

According to the ActiveMQ documentation, you must add authorization info.

This test is OK.

But what if B has authorization too, and it is different from A's?

I know this connection needs authorization A and authorization B. I think
it's no use giving authorization info to connect to itself. How should I configure this
connection?


Thanks in advance.

-- 
It's winter now, let's hibernate.

Re: use AMQ to transfer, about Security problem

Posted by jfcharles <jo...@ttmsolutions.com>.


Dave Stanley wrote:
> 
> Hi Gui,
> The attached file seems to work ok. Can you copy out the relevant parts
> and
> give it a try.
> 
> /Dave
> 
> 
> On Thu, Oct 16, 2008 at 10:15 PM, gui pei <gu...@gmail.com> wrote:
> 
>> Hi,  Stanley
>>
>> I think that is not true.
>>
>> the duplex option is use to indicate message transfer direction, though
>> broker A connect with broker B, if you set it, the message can transfer
>> from
>> B to A.
>>
>> my understand is 'networkConnector' need to connect two broker, such as A
>> and B, but you can only input one authentication info, if the broker A
>> and
>> B
>> have different authentication, you will fail it.
>>
>> here I have tow suggestion:a) AMQ should this network connector to
>> authenticate remote broker, if connect itself, don't need authentication
>> info.
>> b) AMQ should provide two authentication info, to use connect two broker,
>> itself and remote broker.
>>
>>
>> how do u think this?
>>
>>
>>
>>
>> On Thu, Oct 16, 2008 at 11:18 PM, Dave Stanley <ds...@gmail.com>
>> wrote:
>>
>> > If the authorization is different for both ends of the network
>> connector,
>> I
>> > think you would need to remove the duplex="true"
>> >
>> > On Wed, Oct 15, 2008 at 11:46 PM, gui pei <gu...@gmail.com>
>> wrote:
>> >
>> > > Hi, all
>> > > Here is a problem, does anyone know how to resolve it?
>> > >
>> > > I have two ActiveMQ broker, A and B, A has authorization,  But B
>> don't
>> > has.
>> > >
>> > > and A has a connection to B. the configuration is this:
>> > >
>> > >        <networkConnector name="amq_B"
>> > uri="static://(tcp://server_B:61616)"
>> > > userName="user" password="password"  duplex="true">
>> > > </networkConnector>
>> > >
>> > > according to Active mq document, you must add authorization info.
>> > >
>> > > this test is ok.
>> > >
>> > > but if B has authorization too, and it is different with A.
>> > >
>> > > I know this connection need authorization A and authorization B, I
>> think
>> > > it's no use authorization info connect itself. How should I config
>> this
>> > > connection?
>> > >
>> > >
>> > > Thanks in advance.
>> > >
>> > > --
>> > > It's winter now, let's hibernate.
>> > >
>> >
>>
>>
>>
>> --
>> It's winter now, let's hibernate.
>>
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <!--
> http://activemq.org/config/1.0
> http://activemq.apache.org/snapshot-schema/activemq-core-5.0-SNAPSHOT.xsd"
> -->
> 
> 
> <beans 
>   xmlns="http://www.springframework.org/schema/beans" 
>   xmlns:amq="http://activemq.org/config/1.0"
>   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>   xsi:schemaLocation="http://www.springframework.org/schema/beans
> http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
>   
>   <bean
> class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer">
> 
>   </bean>
> 
> 
>   <!-- Broker1 -->
>   <amq:broker brokerName="broker1" id="broker1" useJmx="true"
> persistent="true" start="true">
>  
>     <amq:transportConnectors>
>       <amq:transportConnector uri="tcp://localhost:61616" />
>     </amq:transportConnectors>
> 
>   
> 
>     <amq:persistenceAdapter>
>       <amq:amqPersistenceAdapter directory="file:broker1/data"
> syncOnWrite="false"/>
>     </amq:persistenceAdapter>
> 
>    <amq:plugins>
>       <amq:simpleAuthenticationPlugin>
>          <amq:users>
>            <amq:authenticationUser username="broker1sa" password="manager"
> groups="producers,consumers,admins" />
>            <amq:authenticationUser username="broker1frontend"
> password="broker1frontendpwd" groups="producers,consumers" />
>            <amq:authenticationUser username="broker1networkconnector"
> password="broker1ncpwd" groups="consumers,producers,admins" />
> 	   <amq:authenticationUser username="broker2networkconnector"
> password="broker1ncpwd" groups="consumers,producers,admins" />
> 
> 	   <!-- this is our password to broker2 -->
> 	   <amq:authenticationUser username="broker2networkconnector"
> password="broker2ncpwd" groups="consumers,producers,admins" />
>          </amq:users>
>        </amq:simpleAuthenticationPlugin>
>        <amq:authorizationPlugin>
>          <amq:map>
>            <amq:authorizationMap>
>              <amq:authorizationEntries>
>                <amq:authorizationEntry queue=">" write="producers"
> read="consumers" admin="admins" />
>                <amq:authorizationEntry topic=">" write="producers"
> read="consumers" admin="admins" />
>              </amq:authorizationEntries>
>            </amq:authorizationMap>
>          </amq:map>
>        </amq:authorizationPlugin>
>     </amq:plugins>
>  
>      <amq:managementContext>
>        <amq:managementContext connectorPort="1100"
> jmxDomainName="org.apache.activemq"/>
>     </amq:managementContext>
> 
>     <amq:networkConnectors>
>     	<amq:networkConnector name="broker1tobroker2" 
> 		     userName="broker2networkconnector" password="broker2ncpwd" 
>                      uri="static://(tcp://localhost:62616)" duplex="false"
> />
>     </amq:networkConnectors>
> 
> 
>   </amq:broker>
>   
>   
>   <!-- Broker2 -->
>   <amq:broker brokerName="broker2" id="broker2" useJmx="true"
> persistent="true" start="true" xmlns="http://activemq.org/config/1.0">
>     
>     <amq:transportConnectors>
>       <amq:transportConnector uri="tcp://localhost:62616" />
>     </amq:transportConnectors>
> 
>   
> 
>     <amq:persistenceAdapter>
>       <amq:amqPersistenceAdapter directory="file:broker2/data"
> syncOnWrite="false" />
>     </amq:persistenceAdapter>
> 
>     <amq:plugins>
>       <amq:simpleAuthenticationPlugin>
>          <amq:users>
>            <amq:authenticationUser username="broker2sa" password="manager"
> groups="producers,consumers,admins" />
>            <amq:authenticationUser username="broker2frontend"
> password="broker2frontendpwd" groups="producers,consumers" />
>            <amq:authenticationUser username="broker2networkconnector"
> password="broker2ncpwd" groups="consumers,producers,admins" />
> 	   
>  	   <!-- this is our password to connect back to broker1 -->
> 	   <amq:authenticationUser username="broker1networkconnector"
> password="broker1ncpwd" groups="consumers,producers,admins" />
> 
>          </amq:users>
>        </amq:simpleAuthenticationPlugin>
>        <amq:authorizationPlugin>
>          <amq:map>
>            <amq:authorizationMap>
>              <amq:authorizationEntries>
>                <amq:authorizationEntry queue=">" write="producers"
> read="consumers" admin="admins" />
>                <amq:authorizationEntry topic=">" write="producers"
> read="consumers" admin="admins" />
>              </amq:authorizationEntries>
>            </amq:authorizationMap>
>          </amq:map>
>        </amq:authorizationPlugin>
>     </amq:plugins>
> 
>     <amq:managementContext>
>        <amq:managementContext connectorPort="1099"
> jmxDomainName="org.apache.activemq"/>
>     </amq:managementContext>
> 
>     <amq:networkConnectors>
>     	<amq:networkConnector name="broker2tobroker1"
>                      userName="broker1networkconnector"
> password="broker1ncpwd" 
>                      uri="static://(tcp://localhost:61616)"
> duplex="false"/>
>     </amq:networkConnectors>
> 
>   </amq:broker>
> 
>    
> </beans>
> 
> 

I don't believe it's necessary to add broker1's authentication details to
broker2 and vice versa, within the broker simpleAuthenticationPlugin
element, in addition to adding their username/password combination to the
networkConnector. Simply add it to the networkConnector element as
attributes. When one broker connects to another, the network connector
passes authentication attributes to the target broker and it authenticates
the connection using the passed-in credentials against the target broker's
authorised users list.

John Charles - For a more detailed free AMQ 5.1 User Guide see
www.ttmsolutions.com
-- 
View this message in context: http://www.nabble.com/use-AMQ-to-transfer%2C-about-Security-problem-tp20006596p20124075.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
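
The rule described in the message above (a networkConnector's userName/password is checked against the target broker's user list, not the local one), as an added sketch that is not part of the thread or of ActiveMQ. It assumes both brokers are defined in one file, matches connector URIs to transportConnector URIs textually by host and port, and models authentication as a plain username/password comparison; `endpoints` and `check_network_connectors` are hypothetical names.

```python
import re
import xml.etree.ElementTree as ET

AMQ = "{http://activemq.org/config/1.0}"  # namespace used by the config in this thread

# Constructed sample, wrapper elements omitted for brevity. broker1 presents a user
# that broker2 lists; broker2 wrongly presents its own local user to broker1.
SAMPLE = """<beans xmlns:amq="http://activemq.org/config/1.0">
 <amq:broker brokerName="broker1">
  <amq:transportConnector uri="tcp://localhost:61616"/>
  <amq:authenticationUser username="broker1networkconnector" password="broker1ncpwd"/>
  <amq:networkConnector name="broker1tobroker2" userName="broker2networkconnector"
      password="broker2ncpwd" uri="static://(tcp://localhost:62616)"/>
 </amq:broker>
 <amq:broker brokerName="broker2">
  <amq:transportConnector uri="tcp://localhost:62616"/>
  <amq:authenticationUser username="broker2networkconnector" password="broker2ncpwd"/>
  <amq:networkConnector name="broker2tobroker1" userName="broker2networkconnector"
      password="broker2ncpwd" uri="static://(tcp://localhost:61616)"/>
 </amq:broker>
</beans>"""

def endpoints(uri):
    """Return the (host, port) pairs named in a tcp:// or static://(tcp://...) URI."""
    return set(re.findall(r"tcp://([^:/()]+):(\d+)", uri))

def check_network_connectors(xml_text):
    """Test each networkConnector's credentials against the target broker's users."""
    brokers = []
    for b in ET.fromstring(xml_text).iter(AMQ + "broker"):
        listen = set()
        for tc in b.iter(AMQ + "transportConnector"):
            listen |= endpoints(tc.get("uri", ""))
        users = {(u.get("username"), u.get("password"))
                 for u in b.iter(AMQ + "authenticationUser")}
        brokers.append((b, b.get("brokerName"), listen, users))
    results = []
    for b, *_ in brokers:
        for nc in b.iter(AMQ + "networkConnector"):
            dest = endpoints(nc.get("uri", ""))
            hit = next(((n, u) for _, n, l, u in brokers if l & dest), None)
            if hit is None:  # the URI points at a broker this file does not define
                results.append((nc.get("name"), None, "target not in file"))
                continue
            ok = (nc.get("userName"), nc.get("password")) in hit[1]
            results.append((nc.get("name"), hit[0], "accepted" if ok else "rejected"))
    return results

if __name__ == "__main__":
    print(check_network_connectors(SAMPLE))
```
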


Re: use AMQ to transfer, about Security problem

Posted by Bipin Jethwani <je...@gmail.com>.
I am stuck in the same situation.
http://activemq.2283324.n4.nabble.com/How-to-set-network-connector-between-to-secure-activemq-broker-td4664874.html

The two brokers in my case use the JAAS auth plugin, and the users can never be
the same in the two brokers.
And I have to use a duplex network connection.

Did anyone find a solution or workaround for this?

Thanks
-Bipin



--
View this message in context: http://activemq.2283324.n4.nabble.com/use-AMQ-to-transfer-about-Security-problem-tp2361322p4666152.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: use AMQ to transfer, about Security problem

Posted by Dave Stanley <ds...@gmail.com>.
Hi Gui,
The attached file seems to work ok. Can you copy out the relevant parts and
give it a try.

/Dave


On Thu, Oct 16, 2008 at 10:15 PM, gui pei <gu...@gmail.com> wrote:

> Hi,  Stanley
>
> I think that is not true.
>
> the duplex option is use to indicate message transfer direction, though
> broker A connect with broker B, if you set it, the message can transfer
> from
> B to A.
>
> my understand is 'networkConnector' need to connect two broker, such as A
> and B, but you can only input one authentication info, if the broker A and
> B
> have different authentication, you will fail it.
>
> here I have tow suggestion:a) AMQ should this network connector to
> authenticate remote broker, if connect itself, don't need authentication
> info.
> b) AMQ should provide two authentication info, to use connect two broker,
> itself and remote broker.
>
>
> how do u think this?
>
>
>
>
> On Thu, Oct 16, 2008 at 11:18 PM, Dave Stanley <ds...@gmail.com>
> wrote:
>
> > If the authorization is different for both ends of the network connector,
> I
> > think you would need to remove the duplex="true"
> >
> > On Wed, Oct 15, 2008 at 11:46 PM, gui pei <gu...@gmail.com> wrote:
> >
> > > Hi, all
> > > Here is a problem, does anyone know how to resolve it?
> > >
> > > I have two ActiveMQ broker, A and B, A has authorization,  But B don't
> > has.
> > >
> > > and A has a connection to B. the configuration is this:
> > >
> > >        <networkConnector name="amq_B"
> > uri="static://(tcp://server_B:61616)"
> > > userName="user" password="password"  duplex="true">
> > > </networkConnector>
> > >
> > > according to Active mq document, you must add authorization info.
> > >
> > > this test is ok.
> > >
> > > but if B has authorization too, and it is different with A.
> > >
> > > I know this connection need authorization A and authorization B, I
> think
> > > it's no use authorization info connect itself. How should I config this
> > > connection?
> > >
> > >
> > > Thanks in advance.
> > >
> > > --
> > > It's winter now, let's hibernate.
> > >
> >
>
>
>
> --
> It's winter now, let's hibernate.
>

Re: use AMQ to transfer, about Security problem

Posted by gui pei <gu...@gmail.com>.
Hi, Stanley

I think that is not true.

The duplex option is used to indicate the message transfer direction: though
broker A connects to broker B, if you set it, messages can transfer from
B to A.

My understanding is that 'networkConnector' needs to connect two brokers, such as A
and B, but you can only input one set of authentication info; if brokers A and B
have different authentication, it will fail.

Here I have two suggestions: a) AMQ should use this network connector to
authenticate to the remote broker; to connect to itself, it doesn't need authentication
info.
b) AMQ should provide two sets of authentication info, to use to connect to the two brokers,
itself and the remote broker.


What do you think of this?




On Thu, Oct 16, 2008 at 11:18 PM, Dave Stanley <ds...@gmail.com> wrote:

> If the authorization is different for both ends of the network connector, I
> think you would need to remove the duplex="true"
>
> On Wed, Oct 15, 2008 at 11:46 PM, gui pei <gu...@gmail.com> wrote:
>
> > Hi, all
> > Here is a problem, does anyone know how to resolve it?
> >
> > I have two ActiveMQ broker, A and B, A has authorization,  But B don't
> has.
> >
> > and A has a connection to B. the configuration is this:
> >
> >        <networkConnector name="amq_B"
> uri="static://(tcp://server_B:61616)"
> > userName="user" password="password"  duplex="true">
> > </networkConnector>
> >
> > according to Active mq document, you must add authorization info.
> >
> > this test is ok.
> >
> > but if B has authorization too, and it is different with A.
> >
> > I know this connection need authorization A and authorization B, I think
> > it's no use authorization info connect itself. How should I config this
> > connection?
> >
> >
> > Thanks in advance.
> >
> > --
> > It's winter now, let's hibernate.
> >
>



-- 
It's winter now, let's hibernate.

Re: use AMQ to transfer, about Security problem

Posted by Dave Stanley <ds...@gmail.com>.
If the authorization is different for both ends of the network connector, I
think you would need to remove the duplex="true"

On Wed, Oct 15, 2008 at 11:46 PM, gui pei <gu...@gmail.com> wrote:

> Hi, all
> Here is a problem, does anyone know how to resolve it?
>
> I have two ActiveMQ broker, A and B, A has authorization,  But B don't has.
>
> and A has a connection to B. the configuration is this:
>
>        <networkConnector name="amq_B" uri="static://(tcp://server_B:61616)"
> userName="user" password="password"  duplex="true">
> </networkConnector>
>
> according to Active mq document, you must add authorization info.
>
> this test is ok.
>
> but if B has authorization too, and it is different with A.
>
> I know this connection need authorization A and authorization B, I think
> it's no use authorization info connect itself. How should I config this
> connection?
>
>
> Thanks in advance.
>
> --
> It's winter now, let's hibernate.
>