I'm new to ActiveMQ, so please bear with me if my question seems dumb :D
I have installed ActiveMQ on a CentOS machine and I'm connecting to it for writing to the queue and consuming from the queue through the admin user (which I don't think is the ideal way). I'm wondering if I can create a user for read only, to read (consume) from the queue, and another user for write only, or just a single user who has read/write privileges only, so this user won't be able to delete the queue or do anything that it's not supposed to do.
I tried YouTube and checked out the ActiveMQ security documentation, which talks about the simple plugin, and tried it, but I'm not sure if I'm doing the right thing or reading the right resource.
Thanks in advance!
ActiveMQ works with different login and authorization modules; by default it picks up the PropertyLoginModule in the karaf realm. This is the admin user you are talking about. The /etc/users.properties file contains these users and groups.
For authorization you have plugins in activemq.xml which can provide fine-grained control on queues, topics, advisories and temporary queues.
The idea is to group users and provide them with read/write/admin access to queues; you can specify all the queues your application has one by one, or group them with wildcards (as per the AMQ docs).
You can edit the users.properties file and add a few more users and tie these users up in the authentication and authorization sections.
Also, there are LDAP and SSL modules available for authorization and authentication.
Is it possible to disallow topic subscriptions to wildcards in ActiveMQ 5 (classic)?
E.g. subscribing to > will broadcast all messages to all consumers, even if a consumer should not be able to subscribe to all topics (and isn't even aware of all topics).
I already tried to create <authorizationEntries> with the <authorizationPlugin>, but wasn't able to prohibit wildcard subscription.
Do you have any ideas how to completely disable wildcard subscription or message forwarding to wildcards for specific / all users?
As hashed out in the comments you are approaching this problem from the wrong direction. Rather than trying to disable wildcard subscriptions the correct approach is to limit what topics will actually be delivered regardless of what is subscribed to.
This is done by setting an appropriate ACL for each user (reusing the same credentials for 500k clients is a REALLY bad idea).
ActiveMQ uses a plugin based system to supply Authentication and Authorisation control based on the Java standard called JAAS. With JAAS you can plug nearly any storage mechanism (e.g. database, LDAP,...) into ActiveMQ to store your user/password details and the ACL of what topics they can access. Details of how to use JAAS with ActiveMQ can be found here
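As an added example (not from either answer above), the activemq.xml fragment below puts both answers into practice: separate producer, consumer and admin accounts for the queue in the first question, and per-group topic ACLs as the second answer recommends. The broker name, queue and topic names, group names and passwords are assumed placeholders, and the ActiveMQ 5 classic simpleAuthenticationPlugin stands in for the Karaf realm.

```xml
<!-- activemq.xml fragment (ActiveMQ 5 classic); other broker settings omitted -->
<broker xmlns="http://activemq.apache.org/schema/core" brokerName="localhost">

  <!-- Pre-create the application queue so that neither the producer nor the
       consumer needs "admin" (create/delete destination) rights on it. -->
  <destinations>
    <queue physicalName="app.orders"/>
  </destinations>

  <plugins>
    <!-- Authentication: three accounts in three groups (passwords are placeholders) -->
    <simpleAuthenticationPlugin>
      <users>
        <authenticationUser username="orders-producer" password="CHANGE_ME_1" groups="producers"/>
        <authenticationUser username="orders-consumer" password="CHANGE_ME_2" groups="consumers"/>
        <authenticationUser username="ops-admin"       password="CHANGE_ME_3" groups="admins"/>
      </users>
    </simpleAuthenticationPlugin>

    <!-- Authorization: read = consume, write = send, admin = create/delete the destination -->
    <authorizationPlugin>
      <map>
        <authorizationMap>
          <authorizationEntries>
            <!-- Queue: consumers may only receive, producers may only send, admins manage -->
            <authorizationEntry queue="app.orders" read="consumers,admins" write="producers,admins" admin="admins"/>
            <!-- Any other queue is admin-only -->
            <authorizationEntry queue=">" read="admins" write="admins" admin="admins"/>
            <!-- Topics: a subscription is accepted only if the user's group is in the
                 read attribute of an entry matching that topic, so a group granted
                 only app.sensors.> cannot open subscriptions on other topics -->
            <authorizationEntry topic="app.sensors.>" read="consumers,admins" write="producers,admins" admin="admins"/>
            <authorizationEntry topic=">" read="admins" write="admins" admin="admins"/>
            <!-- Advisory topics must stay open to every group or clients cannot connect -->
            <authorizationEntry topic="ActiveMQ.Advisory.>" read="producers,consumers,admins" write="producers,consumers,admins" admin="producers,consumers,admins"/>
          </authorizationEntries>
        </authorizationMap>
      </map>
    </authorizationPlugin>
  </plugins>
</broker>
```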
I read some blogs about the LDAP integration in Liferay and understood that LDAP is a Lightweight Directory Access Protocol for accessing and maintaining distributed directory information services over an Internet Protocol (IP) network.
Also, it is mainly for user authentication.
Still, I am unclear in my mind about where exactly and in which scenarios we need to use LDAP.
Can anyone please explain this in brief with a simple real-time example?
Liferay as a portal platform also keeps track of user identity. If you have your existing user database already in LDAP (because that's what has been established as a standard) you probably don't want to recreate it in the portal. In fact, many other applications might need this data as well and they all connect to LDAP (again, because that's the standard format).
Thus Liferay allows you to tap into the standard as well.
If you don't have your users in LDAP yet, you might not need to bother. If you start with the user database in Liferay and it grows large, needing to be shared with many other applications, you might want to migrate to LDAP later. And, funny enough, there's also a plugin (EE only) to Liferay that publishes Liferay's user database in the LDAP format. But now we're going quite meta.
After authentication and synchronization on Alfresco with LDAP, what role do they have in Alfresco?
i.e. there is a group in LDAP for Human Resources. I want to give those users the Consumer role in Alfresco. Is there a way to do it during the authentication or synchronization process? Do I have to do it manually through the web browser?
To be more precise, Alfresco roles work on a per-folder basis.
If you want to make them Consumers of some site, you can follow this tutorial to make a webscript which will apply the permissions.
Since an Alfresco site is just a folder, as parameters to the webscript suggested in the tutorial you'll need to provide the site name and the group name. By default, permissions are inherited from parent to child, so they will be applied to the whole document library of the site.
Another approach would be to just create a Public site, so that non-members would by default be Consumers of that site, since they will be inside the EVERYONE group.
Could you please clarify whether you want them to be members of some site or some space?
I have an LDAP server with posix users set up; they can log in using LDAP etc., but now I have come across a serious problem... I hope it's realistic to implement.
I need to implement a mechanism like this:
When someone logs in or tries to change the password, the consumer LDAP should usually redirect to the producer, but if the producer is offline then the consumer user DB should be used, and there's no way to change the password at all. How do I make it?
Maybe there are producer on/off switches etc.?
I am completely new to login and authentication concepts. I am working on a Glassfish web application that should present general content to any visitor, and some extra content for registered users logged in with username and password.
I have been reading the Java EE tutorial about security, and I thought that Form-based or HTTP authentication would fulfill my needs (the visitor is asked for credentials when trying to browse secured content).
However, my first guess was that the registered users should be stored in an external database along with their hashed and salted passwords.
The security for web applications in Glassfish seems to rely on the realm populated manually, directly on the application server (defining users and groups and mapping them to the roles in the application).
Did I misunderstand what security on Glassfish is intended for? Or can a realm be an external database outside the application server? Any link to documentation on this topic would be useful to me.
Thank you in advance
Tart
It is actually possible.
In Glassfish, go to Configuration/Security/Realms, create a new realm, and set the classname to com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm.
Indicate the JDBC resource bound to the database, and indicate the table and the columns where username/password are stored. The database shall also contain a table for the groups to which the user must belong to be granted access. Indicate those also.
In the application, set up the web.xml and sun-web.xml with the realm name as usual.
Here is an article about the JDBC realm in Glassfish with the scenario you described: http://java-cookbook.blogspot.com/2011/02/jdbc-security-realm-with-glassfish-and.html
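As an added example (not from the answer or the linked article), the three fragments below show what the console settings above translate to: the JDBCRealm entry as it appears in domain.xml, a web.xml that leaves general content public and protects only the registered-user area with FORM login, and the sun-web.xml role-to-group mapping. The realm name, JNDI name, table and column names, URL pattern and page names are assumed.

```xml
<!-- 1. domain.xml (inside <security-service>): what Configuration/Security/Realms creates.
        The group table must contain a column named like user-name-column plus group-name-column. -->
<auth-realm name="jdbcRealm"
            classname="com.sun.enterprise.security.auth.realm.jdbc.JDBCRealm">
  <property name="jaas-context"      value="jdbcRealm"/>
  <property name="datasource-jndi"   value="jdbc/appDS"/>
  <property name="user-table"        value="app_user"/>
  <property name="user-name-column"  value="username"/>
  <property name="password-column"   value="password_hash"/>
  <property name="group-table"       value="app_user_group"/>
  <property name="group-name-column" value="group_name"/>
  <!-- Stored passwords are hex SHA-256 digests. JDBCRealm applies no per-user salt;
       salted hashes need a custom realm or an application-managed login. -->
  <property name="digest-algorithm"  value="SHA-256"/>
  <property name="encoding"          value="Hex"/>
  <property name="charset"           value="UTF-8"/>
</auth-realm>

<!-- 2. web.xml: only /members/* requires the "member" role; everything else stays public -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Members area</web-resource-name>
    <url-pattern>/members/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>member</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- the login form posts a password, so require TLS for this area -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>jdbcRealm</realm-name>
  <form-login-config>
    <form-login-page>/login.xhtml</form-login-page>
    <form-error-page>/login-error.xhtml</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <role-name>member</role-name>
</security-role>

<!-- 3. sun-web.xml: map the application role to the group name stored in the database -->
<sun-web-app>
  <security-role-mapping>
    <role-name>member</role-name>
    <group-name>members</group-name>
  </security-role-mapping>
</sun-web-app>
```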