ServiceMix Security Features

Essentially, security in ServiceMix is provided on two levels:

  1. Authentication and authorization via JAAS or custom procedures.
  2. Securing the transport of messages, e.g. via SSL or WS-Security.

Authentication

JAAS authentication has to be done at the Endpoint where the message
in question entered the ESB. It is the responsibility of the Endpoint
where the message entered to set the Subject, as this will later be utilized for authorization.

In the servicemix-http component, this can be done via the
configured
AuthenticationService.
There is also a way for utilizing basic authentication via the Jakarta Commons HttpClient API.

Authorization

In order to allow for authorization, the SecuredBroker has to be configured as the Container's broker:

<sm:container id="jbi" rootDir="./target/data/smx">

<!-- Use a secured broker which will check the authenticated
         user for the needed ACLs before granting access to a given
         endpoint -->
    <sm:broker>
      <sm:securedBroker>
<!-- Can be referenced from security.xml, too -->
        <sm:authorizationMap>
  	     ...
        </sm:authorizationMap>
      </sm:securedBroker>
    </sm:broker>

    <sm:activationSpecs>
    ...
    </sm:activationSpecs>
  </sm:container>

Before routing Message Exchanges, the
SecuredBroker
checks them against access control lists generated from the AuthorizationMaps. A precondition is that the Message Exchange objects have previously been authenticated.

Securing transport

This mostly relates to securing SOAP over HTTP transports on the servicemix-http binding component. It provides both for SSL and WS-Security. At the time of writing, not all of the WS-Security features are yet supported.

Security Configuration

Below the ServiceMix root directory, one can find a directory containing configuration files:

$SERVICEMIX_HOME/conf/

This directory contains the following security-relevant files:

  • security.xml: This file manages
    AuthenticationServices,
    keystores, and
    AuthorizationMaps,
    from which the
    SecuredBroker derives acess control lists.
    <beans xmlns:sm="http://servicemix.apache.org/config/1.0">
    <!-- Authentication service -->
      <sm:authenticationService id="authenticationService"/>
    <!-- KeyStore manager -->
      <sm:keystoreManager id="keystoreManager">
        <sm:keystores>
          <sm:keystore name="default" path="classpath:keystore.jks" keystorePassword="servicemix" keyPasswords="smx=smx"/>
        </sm:keystores>
      </sm:keystoreManager>
    <!-- ServiceMix authorization map -->
      <sm:authorizationMap id="authorizationMap">
        <sm:authorizationEntries>
    <!-- Roles correspond to user groups -->
          <sm:authorizationEntry service="*:*" roles="*"/>
        </sm:authorizationEntries>
      </sm:authorizationMap>
    </beans>
    

    If this file is being imported into servicemix.xml:

    ...
    <import resource="classpath:security.xml" />
    ...
    

    ... it can be referenced when defining the SecuredBroker.

  • users-passwords.properties: A file specifying passwords for users.
    #syntax: username=password
    #users
    manager=system
    userh1.=userh1.pw
    user2=user2pw
    
  • groups.properties: A file relating users to groups.
    #syntax: groupname=membername
    admin=manager
    secure=userh1.
    
  • login.properties: A JAAS configuration file.
  • keystore.jks: A keystore.

Example

The ServiceMix source distribution (3.1) comes with the WS-Sec example, which illustrates both basic authentication and WS-Security. It can be found in:

$SERVICEMIX_HOME/samples/ws-sec