JAAS provides pluggable authentication, which means ActiveMQ will use the same authentication API regardless of the technique used to verify user credentials (a text file, a relational database, LDAP, and so on). All that’s required is an implementation
of the javax.security.auth.spi.LoginModule interface and a configuration change to ActiveMQ. Fortunately, ActiveMQ comes with implementations of some modules that can authenticate users using properties files, LDAP, and SSL certificates, which will be enough for many use cases. Because JAAS login modules follow a specification, one advantage of them is that they’re relatively straightforward to configure. The best way to understand a login module is by walking through a configuration. For this task, the login module that works with properties files will be used.
The first step in this task is to identify the PropertiesLoginModule so that ActiveMQ is made aware of it. To do so, you must create a file named login.config that contains a standardized format for configuring JAAS users and groups. Here are the contents of the file:
activemq-domain {
org.apache.activemq.jaas.PropertiesLoginModule required
org.apache.activemq.jaas.properties.user="users.properties"
org.apache.activemq.jaas.properties.group="groups.properties";
};
The login.config file shown here contains a few different items for configuring a JAAS module. The activemq-domain is the predominant item in this file and it contains all the configuration for the login module. First is the fully qualified name of the PropertiesLoginModule and the trailing notation identifying it as required. This means that the authentication can’t continue without this login module. Second is a line to enable debug logging for the login module; this is optional. Third is the org.apache.activemq.jaas.properties.user property, which points to the users.properties file. Fourth is the org.apache.activemq.jaas.properties.group property, which points to the groups.properties file. Once this is all defined, the two properties files must be created.
NOTE: The PropertiesLoginModule used in this section is an implementation of a JAAS login module, and it comes with ActiveMQ.
Defining user credentials in the properties files is simple. The users.properties file defines each user in a line-delimited manner along with its password, as shown:
admin=admin
producer=producer
consumer=consumer
guest=guest
The groups.properties file defines group names in a line-delimited manner as well. But each group contains a comma-separated list of its users as shown:
admins=admin
producers=admin,producer
consumers=admin,producer,consumer
guests=guest
Once these files are created, the JAAS plug-in must be defined in the ActiveMQ XML configuration file. The following is an example of this necessary change:
...
<plugins>
<jaasAuthenticationPlugin configuration="activemq-domain" />
</plugins>
...
The example is shortened for readability and only shows the necessary change to enable the JAAS login module. As you can see, the JAAS plug-in only needs the name of the JAAS domain in the login.config file. ActiveMQ will locate the login.config file on the classpath (an alternative to this is to use the java.security.auth.login.config system property for the location of the login.config file). To test out the JAAS login module that was just created, start up ActiveMQ using these changes. Here’s the command to use:
${ACTIVEMQ_HOME}/bin/activemq start -Djava.security.auth.login.config=/home/ucm/activemq/apache-activemq-5.10.2/conf/login.config
You can also set the environment variable:
export ACTIVEMQ_OPTS=-Djava.security.auth.login.config=/home/ucm/activemq/apache-activemq-5.10.2/conf/login.config
The JAAS plug-in provides exactly the same functionality as the simple authentication plug-in. But it does so using the standardized Java mechanism, meaning you can use it to plug in any existing security policies you use inside your organization.