
Simple Authentication Plug-In

Overview

The simple authentication plug-in provides the quickest way to enable authentication in a broker. With this approach, all of the user data is embedded in the broker configuration file. It is useful for testing purposes and for small-scale systems with relatively few users, but it does not scale well for large systems.

Broker configuration for simple authentication

Example 10 shows how to configure simple authentication by adding a simpleAuthenticationPlugin element to the list of plug-ins in the broker configuration.

Example 10. Simple Authentication Configuration

<beans>
  <broker ...>
    ...
    <plugins>
      <simpleAuthenticationPlugin>
        <users>
          <authenticationUser username="system"
                              password="manager"
                              groups="users,admins"/>
          <authenticationUser username="user"
                              password="password"
                              groups="users"/>
          <authenticationUser username="guest"
                              password="password"
                              groups="guests"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
    ...
  </broker>
</beans>

For each user, add an authenticationUser element as shown, setting the username, password, and groups attributes. In order to authenticate a user successfully, the username/password credentials received from a client must match the corresponding attributes in one of the authenticationUser elements. The groups attribute assigns a user to one or more groups (formatted as a comma-separated list). If authorization is enabled, the assigned groups are used to check whether a user has permission to invoke certain operations. If authorization is not enabled, the groups are ignored.

Anonymous access

By default, if a client does not provide any JMS username/password credentials, access to the broker is denied. It is possible, however, to enable anonymous access by setting the anonymousAccessAllowed attribute to true on the simpleAuthenticationPlugin element, as shown in Example 11.

Example 11. Enabling Anonymous Access

<simpleAuthenticationPlugin anonymousAccessAllowed="true">
  <users>
    <authenticationUser username="system"
                        password="manager"
                        groups="users,admins"/>
    ...
  </users>
</simpleAuthenticationPlugin>

Now, with anonymous access enabled, when a client without credentials connects to the broker, it is automatically assigned the username, anonymous, and the group ID, anonymous. When used in combination with the authorization plug-in, you can assign strictly limited privileges to the anonymous group in order to protect your system.

You can optionally change the username and group ID that are assigned to anonymous users by setting the anonymousUser and anonymousGroup attributes, for example:

<simpleAuthenticationPlugin
    anonymousAccessAllowed="true"
    anonymousUser="JohnDoe"
    anonymousGroup="unauthenticated">
  <users>
    ...
  </users>
</simpleAuthenticationPlugin>

Note

If you enable anonymous access, it is highly recommended that you also enable authorization; otherwise, your broker would be completely exposed to all users.
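
The following Python audit is an added example, not part of the original documentation. It parses a broker configuration and flags the conditions described above: anonymous access enabled with no authorization plug-in, users still carrying the passwords from this page's examples, and an anonymous group that is also assigned to a configured user. It assumes the authorization plug-in appears as an authorizationPlugin element in the same plugins list; the finding labels and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Passwords that appear in this page's examples; acceptable only on a test broker.
SAMPLE_PASSWORDS = {"manager", "password"}

def find_all(elem, name):
    """Return elem and its descendants whose namespace-stripped tag equals name."""
    return [e for e in elem.iter() if e.tag.rsplit("}", 1)[-1] == name]

def audit_broker_config(xml_text):
    """Return a list of finding labels (hypothetical names) for a broker config."""
    findings = []
    for plugins in find_all(ET.fromstring(xml_text), "plugins"):
        has_authz = bool(find_all(plugins, "authorizationPlugin"))
        for plugin in find_all(plugins, "simpleAuthenticationPlugin"):
            users = find_all(plugin, "authenticationUser")
            for u in users:
                if u.get("password") in SAMPLE_PASSWORDS:
                    findings.append("sample-password:" + u.get("username", "?"))
            if plugin.get("anonymousAccessAllowed", "false").lower() != "true":
                continue
            if not has_authz:
                findings.append("anonymous-without-authorization")
            anon_group = plugin.get("anonymousGroup", "anonymous")
            for u in users:
                groups = [g.strip() for g in u.get("groups", "").split(",")]
                if anon_group in groups:
                    findings.append("anonymous-group-shared-with:" + u.get("username", "?"))
    return findings

# Constructed sample input (not a real deployment).
SAMPLE = """
<beans xmlns="http://www.springframework.org/schema/beans">
  <broker xmlns="http://activemq.apache.org/schema/core" brokerName="demo">
    <plugins>
      <simpleAuthenticationPlugin anonymousAccessAllowed="true" anonymousGroup="guests">
        <users>
          <authenticationUser username="system" password="manager" groups="users,admins"/>
          <authenticationUser username="guest" password="password" groups="guests"/>
        </users>
      </simpleAuthenticationPlugin>
    </plugins>
  </broker>
</beans>
"""

if __name__ == "__main__":
    print("\n".join(audit_broker_config(SAMPLE)))
```

An empty result means none of the three conditions was found; it does not show that the permissions granted to the anonymous group are themselves narrow enough.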
