Fuse ESB Enterprise - Security Guide - Broker JAAS Authentication

Broker JAAS Authentication

Overview

The Java Authentication and Authorization Service (JAAS) provides a general framework for implementing authentication and authorization in Java applications. In the context of Apache ActiveMQ, the main purpose of JAAS is to implement authentication of JMS credentials (which consist of a username and a password). In contrast to SSL/TLS security, which is mainly used to verify a broker's identity, the JAAS authentication mechanism verifies client identities.

For more background information about the JAAS framework, see the JAAS Reference Guide.

JAAS is also discussed in JAAS Authentication in ActiveMQ Security Guide.

JAAS realms

A JAAS realm is essentially an instance of a login module that provides access to a repository of authentication data. Different JAAS realms provide access to different repositories of authentication data and might perform authentication in different ways.

Standalone applications typically define a JAAS realm by creating an entry in a JAAS login configuration file (as described in Introduction to JAAS in ActiveMQ Security Guide). Applications deployed in the OSGi container, on the other hand, must define a JAAS realm using a special Apache Karaf schema in a blueprint file (as described in Defining JAAS Realms).

How to define JAAS realms

If you need to define your own JAAS realm for an application deployed in the OSGi container, you must use the Apache Karaf JAAS schema, http://karaf.apache.org/xmlns/jaas/v1.0.0. For details, see JAAS Authentication.

How not to define JAAS realms

Introduction to JAAS in ActiveMQ Security Guide describes how to define JAAS realms using login configuration files. This approach must not be used with the OSGi container, however. It is only suitable for use in a standalone Apache ActiveMQ application.

The karaf realm

The OSGi container has a predefined JAAS realm, the karaf realm, which you can also use in your applications See OSGi Container Security.

Configuring JAAS authentication for JMS credentials

To authenticate JMS credentials, use Apache ActiveMQ's jaasAuthenticationPlugin plug-in, which can be configured as follows:

<beans>
  <broker ...>
    ...
    <plugins>
      <jaasAuthenticationPlugin configuration="JAASRealm" />
    </plugins>
    ...
  </broker>
</beans>

The jaasAuthenticationPlugin plug-in is intended for use with any kind of username/password credentials and can be used in combination with the pre-defined karaf realm or with a realm defined using the LDAP login module.

Configuring JAAS authentication for X.509 certificates

If the broker uses SSL/TLS, you could also authenticate the received client certificate using Apache ActiveMQ's jaasCertificateAuthenticationPlugin plug-in, which can be configured as follows:

<beans>
  <broker ...>
    ...
    <plugins>
      <jaasCertificateAuthenticationPlugin configuration="CertRealm" />
    </plugins>
    ...
  </broker>
</beans>

The jaasCertificateAuthenticationPlugin plug-in is only intended for use with X.509 certificate credentials and must be used in combination with a realm defined using the TextFileCertificateLoginModule login module. For more details, see JAAS Certificate Authentication Plug-In in ActiveMQ Security Guide.

Comments powered by Disqus