ARTEMIS-352 security examples readme fix

jbertram 2016-01-19 10:01:47 -06:00 committed by Clebert Suconic
parent 1dc7a8946a
commit c2be2d452c
3 changed files with 90 additions and 66 deletions

@ -25,12 +25,12 @@ under the License.
<script type="text/javascript" src="../../../common/prettify.js"></script> <script type="text/javascript" src="../../../common/prettify.js"></script>
</head> </head>
<body onload="prettyPrint()"> <body onload="prettyPrint()">
<h1>JMS Security Example</h1> <h1>JMS Security LDAP Example</h1>
<pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre> <pre>To run the example, simply type <b>mvn verify</b> from this directory, <br>or <b>mvn -PnoServer verify</b> if you want to start and create the server manually.</pre>
<p>This example shows how to configure and use security using ActiveMQ Artemis with LDAP.</p> <p>This example shows how to configure and use security using ActiveMQ Artemis and the Apache DS LDAP server.</p>
<p>With security properly configured, ActiveMQ Artemis can restrict client access to its resources, including <p>With security properly configured, ActiveMQ Artemis can restrict client access to its resources, including
connection creation, message sending/receiving, etc. This is done by configuring users and roles as well as permissions in connection creation, message sending/receiving, etc. This is done by configuring users and roles as well as permissions in
@ -42,41 +42,81 @@ under the License.
<p>For a full description of how to configure security with ActiveMQ Artemis, please consult the user <p>For a full description of how to configure security with ActiveMQ Artemis, please consult the user
manual.</p> manual.</p>
<p>This example demonstrates how to configure users/roles, how to configure topics with proper permissions using wild-card <p>This example demonstrates how to configure users/roles in the Apache DS LDAP server, how to configure topics with
expressions, and how they take effects in a simple program. </p> proper permissions using wild-card expressions, and how they take effects in a simple program.</p>
<p>First we need to configure users with roles. Users and Roles are configured in <code>activemq-users.xml</code>. This example has four users <p>Users and roles are configured in Apache DS. The SecurityExample class will start an embedded version of Apache
configured as below </p> DS and load the contents of example.ldif which contains the users and passwords for this example.</p>
<pre class="prettyprint"> <pre class="prettyprint">
<code> <code>
&lt;user name=&quot;bill&quot; password=&quot;activemq&quot;&gt; dn: dc=activemq,dc=org
&lt;role name=&quot;user&quot;/&gt; dc: activemq
&lt;/user&gt; objectClass: top
objectClass: domain
&lt;user name=&quot;andrew&quot; password=&quot;activemq1&quot;&gt; dn: uid=bill,dc=activemq,dc=org
&lt;role name=&quot;europe-user&quot;/&gt; uid: bill
&lt;role name=&quot;user&quot;/&gt; userPassword: activemq
&lt;/user&gt; objectClass: account
objectClass: simpleSecurityObject
objectClass: top
&lt;user name=&quot;frank&quot; password=&quot;activemq2&quot;&gt; dn: uid=andrew,dc=activemq,dc=org
&lt;role name=&quot;us-user&quot;/&gt; uid: andrew
&lt;role name=&quot;news-user&quot;/&gt; userPassword: activemq1
&lt;role name=&quot;user&quot;/&gt; objectClass: account
&lt;/user&gt; objectClass: simpleSecurityObject
objectClass: top
&lt;user name=&quot;sam&quot; password=&quot;activemq3&quot;&gt; dn: uid=frank,dc=activemq,dc=org
&lt;role name=&quot;news-user&quot;/&gt; uid: frank
&lt;role name=&quot;user&quot;/&gt; userPassword: activemq2
&lt;/user&gt; objectClass: account
objectClass: simpleSecurityObject
objectClass: top
dn: uid=sam,dc=activemq,dc=org
uid: sam
userPassword: activemq3
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
###################
## Define roles ##
###################
dn: cn=user,dc=activemq,dc=org
cn: user
member: uid=bill,dc=activemq,dc=org
member: uid=andrew,dc=activemq,dc=org
member: uid=frank,dc=activemq,dc=org
member: uid=sam,dc=activemq,dc=org
objectClass: groupOfNames
objectClass: top
dn: cn=europe-user,dc=activemq,dc=org
cn: europe-user
member: uid=andrew,dc=activemq,dc=org
objectClass: groupOfNames
objectClass: top
dn: cn=news-user,dc=activemq,dc=org
cn: news-user
member: uid=frank,dc=activemq,dc=org
member: uid=sam,dc=activemq,dc=org
objectClass: groupOfNames
objectClass: top
dn: cn=us-user,dc=activemq,dc=org
cn: us-user
member: uid=frank,dc=activemq,dc=org
objectClass: groupOfNames
objectClass: top
</code> </code>
</pre> </pre>
<p>
Each user has three properties available: user name, password, and roles it belongs to. It should be noted that
a user can belong to more than one role. In the above configuration, all users belong to role 'user'. User 'andrew' also
belongs to role 'europe-user', user 'frank' also belongs to 'us-user' and 'news-user' and user 'sam' also belongs to 'news-user'.
</p>
<p> <p>
User name and password consists of a valid account that can be used to establish connections to a ActiveMQ Artemis server, while User name and password consists of a valid account that can be used to establish connections to a ActiveMQ Artemis server, while
roles are used in controlling the access privileges against ActiveMQ Artemis topics and queues. You can achieve this control by roles are used in controlling the access privileges against ActiveMQ Artemis topics and queues. You can achieve this control by
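Review bot: In the new intro paragraph, "example.ldif which contains the users and passwords" undersells the file: the LDIF shown right below it also defines the four roles as groupOfNames entries, and this hunk deletes the only paragraph that spelled out which user belongs to which role. Suggest wording it as "users, passwords and roles" and adding one sentence saying that role membership comes from the member attributes of the cn=user, cn=europe-user, cn=news-user and cn=us-user entries, so the permissions discussion that follows still has something to refer back to.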
@ -129,13 +169,8 @@ under the License.
<p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches <p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches
jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.us.#'.</p> jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.us.#'.</p>
<p>With ActiveMQ Artemis, the security manager is also configurable. You can use JAASSecurityManager or JBossASSecurityManager based on you need. Please
check out the activemq-beans.xml for how to do. In this example we just use the basic ActiveMQSecurityManagerImpl which reads users/roles/passwords from the xml
file <code>activemq-users.xml</code>.
<h2>Example step-by-step</h2> <h2>Example step-by-step</h2>
<p><i>To run the example, simply type <code>mvn verify -Pexample</code> from this directory</i></p> <p><i>To run the example, simply type <code>mvn verify</code> from this directory</i></p>
<ol> <ol>
<li>First we need to get an initial context so we can look-up the JMS connection factory and destination objects from JNDI. This initial context will get it's properties from the <code>client-jndi.properties</code> file in the directory <code>../common/config</code></li> <li>First we need to get an initial context so we can look-up the JMS connection factory and destination objects from JNDI. This initial context will get it's properties from the <code>client-jndi.properties</code> file in the directory <code>../common/config</code></li>
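Review bot: The deleted security-manager paragraph gets no replacement, so within this hunk the readme no longer says which component authenticates clients or where the broker is pointed at the embedded Apache DS instance. A short paragraph naming the configuration file that holds the LDAP connection and search settings would let a reader adapt the example to a real directory; if that is already covered in a part of the file outside this diff, a cross-reference here is enough.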

@ -49,7 +49,7 @@ objectClass: simpleSecurityObject
objectClass: top objectClass: top
################### ###################
## Define groups ## ## Define roles ##
################### ###################
dn: cn=user,dc=activemq,dc=org dn: cn=user,dc=activemq,dc=org

@ -45,38 +45,32 @@ under the License.
<p>This example demonstrates how to configure users/roles, how to configure topics with proper permissions using wild-card <p>This example demonstrates how to configure users/roles, how to configure topics with proper permissions using wild-card
expressions, and how they take effects in a simple program. </p> expressions, and how they take effects in a simple program. </p>
<p>First we need to configure users with roles. Users and Roles are configured in <code>activemq-users.xml</code>. This example has four users <p>First we need to configure users with roles. For this example, users and roles are configured in <code>artemis-users.properties</code>
configured as below </p> and <code>artemis-roles.properties</code>. The <code>artemis-users.properties</code> file follows the syntax of
&lt;user>=&lt;password>. This example has four users configured as below </p>
<pre class="prettyprint"> <pre class="prettyprint">
<code> <code>
&lt;user name=&quot;bill&quot; password=&quot;activemq&quot;&gt; bill=activemq
&lt;role name=&quot;user&quot;/&gt; andrew=activemq1
&lt;/user&gt; frank=activemq2
sam=activemq3
&lt;user name=&quot;andrew&quot; password=&quot;activemq1&quot;&gt; </code>
&lt;role name=&quot;europe-user&quot;/&gt; </pre>
&lt;role name=&quot;user&quot;/&gt;
&lt;/user&gt; <p>The <code>artemis-roles.properties</code> file follows the syntax of &lt;role>=&lt;users> where &lt;users> can be
a comma-separated list of users from <code>artemis-users.properties</code> (since more than one user can belong in a
&lt;user name=&quot;frank&quot; password=&quot;activemq2&quot;&gt; particular role). This example has four roles configured as below </p>
&lt;role name=&quot;us-user&quot;/&gt;
&lt;role name=&quot;news-user&quot;/&gt; <pre class="prettyprint">
&lt;role name=&quot;user&quot;/&gt; <code>
&lt;/user&gt; user=bill,andrew,frank,sam
europe-user=andrew
&lt;user name=&quot;sam&quot; password=&quot;activemq3&quot;&gt; news-user=frank,sam
&lt;role name=&quot;news-user&quot;/&gt; us-user=frank
&lt;role name=&quot;user&quot;/&gt;
&lt;/user&gt;
</code> </code>
</pre> </pre>
<p>
Each user has three properties available: user name, password, and roles it belongs to. It should be noted that
a user can belong to more than one role. In the above configuration, all users belong to role 'user'. User 'andrew' also
belongs to role 'europe-user', user 'frank' also belongs to 'us-user' and 'news-user' and user 'sam' also belongs to 'news-user'.
</p>
<p> <p>
User name and password consists of a valid account that can be used to establish connections to a ActiveMQ Artemis server, while User name and password consists of a valid account that can be used to establish connections to a ActiveMQ Artemis server, while
roles are used in controlling the access privileges against ActiveMQ Artemis topics and queues. You can achieve this control by roles are used in controlling the access privileges against ActiveMQ Artemis topics and queues. You can achieve this control by
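Review bot: In the two added syntax descriptions, &lt;user>=&lt;password> and &lt;role>=&lt;users> escape only the opening angle bracket; use &gt; for the closing one and wrap each placeholder expression in <code> so it matches how the file names are marked up in the same sentences. The deleted "Each user has three properties" paragraph is adequately replaced by the artemis-roles.properties listing, but the lead-in "This example has four roles configured as below" could say in one clause that every user is in role user, since the permission text further down relies on that.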
@ -129,13 +123,8 @@ under the License.
<p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches <p>To illustrate the effect of permissions, three topics are deployed. Topic 'genericTopic' matches 'jms.topic.#' wild-card, topic 'news.europe.europeTopic' matches
jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.us.#'.</p> jms.topic.news.europe.#' wild-cards, and topic 'news.us.usTopic' matches 'jms.topic.news.us.#'.</p>
<p>With ActiveMQ Artemis, the security manager is also configurable. You can use JAASSecurityManager or JBossASSecurityManager based on you need. Please
check out the activemq-beans.xml for how to do. In this example we just use the basic ActiveMQSecurityManagerImpl which reads users/roles/passwords from the xml
file <code>activemq-users.xml</code>.
<h2>Example step-by-step</h2> <h2>Example step-by-step</h2>
<p><i>To run the example, simply type <code>mvn verify -Pexample</code> from this directory</i></p> <p><i>To run the example, simply type <code>mvn verify</code> from this directory</i></p>
<ol> <ol>
<li>First we need to get an initial context so we can look-up the JMS connection factory and destination objects from JNDI. This initial context will get it's properties from the <code>client-jndi.properties</code> file in the directory <code>../common/config</code></li> <li>First we need to get an initial context so we can look-up the JMS connection factory and destination objects from JNDI. This initial context will get it's properties from the <code>client-jndi.properties</code> file in the directory <code>../common/config</code></li>
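Review bot: Since this commit is a readme fix, the untouched context lines in this hunk carry two errors worth correcting in the same pass: jms.topic.news.europe.#' is missing its opening quote, and "get it's properties" should read "its properties". The removed security-manager paragraph opened a <p> that was never closed before the <h2>, so dropping it whole also fixes the markup; the same lines appear in the LDAP readme and should be kept in sync.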